mercurialgrabber | b80585a92881aeed921c96d6e8e16ce7eb6e195d1f9a0ddc1a5c6bb8e3585646

Analysis

max time kernel
18s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-en-20220112
submitted
12-02-2022 16:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Mercurial.exe
Size

3.2MB
MD5

2168322c604dda24529ab10ffb63603c
SHA1

325b8e0a7a13a5b6b2d13cb4a796c05f97ee9d12
SHA256

b80585a92881aeed921c96d6e8e16ce7eb6e195d1f9a0ddc1a5c6bb8e3585646
SHA512

85b00c8a77048d5175ac99b2172c4a4c6b4348013ca419c723d20dfcedc6e2bafde1cad4ab41897ef7892112108888763881215650a6cb32fdb01a9cfde99564

Score

10^/10

mercurialgrabber evasion spyware stealer

Malware Config

Extracted

Family

mercurialgrabber

https://discord.com/api/webhooks/939772339271385098/pb40yymlaC36gJ9lrIZE64Tin0HhFVa5fet-muKugdctzZ9wq34Ecu9RIjcsTOKwswvD

Signatures

Mercurial Grabber Stealer
Mercurial Grabber is an open source stealer targeting Chrome, Discord and some game clients as well as generic system information.
stealer mercurialgrabber

Suspicious use of NtCreateProcessExOtherParentProcess 12 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeMERCURIAL.EXEWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

description	pid	process	target process
PID 4376 created 3572	4376	WerFault.exe	WerFault.exe
PID 3796 created 1380	3796	WerFault.exe	OK.EXE
PID 4092 created 3352	4092	WerFault.exe	OK.EXE
PID 4384 created 3636	4384	MERCURIAL.EXE	OK.EXE
PID 4240 created 1368	4240	WerFault.exe	OK.EXE
PID 4352 created 1412	4352	WerFault.exe	OK.EXE
PID 4512 created 2280	4512	WerFault.exe	OK.EXE
PID 5012 created 4176	5012	WerFault.exe	OK.EXE
PID 4376 created 4356	4376	WerFault.exe	OK.EXE
PID 4640 created 4724	4640	WerFault.exe	OK.EXE
PID 4404 created 4536	4404	WerFault.exe	MERCURIAL.EXE
PID 3476 created 4876	3476	WerFault.exe	OK.EXE

Looks for VirtualBox Guest Additions in registry 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Executes dropped EXE 19 IoCs

Processes:

OK.EXEOK.EXEOK.EXEOK.EXEOK.EXEOK.EXEOK.EXEOK.EXEOK.EXEMERCURIAL.EXEOK.EXEOK.EXEConhost.exeMERCURIAL.EXEOK.EXEOK.EXEOK.EXEOK.EXE

pid	process
1380	OK.EXE
3572	OK.EXE
1368	OK.EXE
3352	OK.EXE
3636	OK.EXE
1412	OK.EXE
2280	OK.EXE
4176	OK.EXE
4356	OK.EXE
4536	MERCURIAL.EXE
4724	OK.EXE
4876	OK.EXE
5100	Conhost.exe
4780	MERCURIAL.EXE
4332	OK.EXE
4056	OK.EXE
2280	OK.EXE
3540	OK.EXE
4716	OK.EXE

Looks for VMWare Tools registry key 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Checks BIOS information in registry 2 TTPs 17 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

OK.EXEOK.EXEMERCURIAL.EXEOK.EXEWerFault.exeOK.EXEOK.EXEOK.EXEMERCURIAL.EXEOK.EXEOK.EXEConhost.exeOK.EXEOK.EXEOK.EXEOK.EXEOK.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	OK.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	OK.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	MERCURIAL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	OK.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	OK.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	OK.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	OK.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	MERCURIAL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	OK.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	OK.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Conhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	OK.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	OK.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	OK.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	OK.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	OK.EXE

Checks computer location settings 2 TTPs 17 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

MERCURIAL.EXEMERCURIAL.EXEMERCURIAL.EXEMERCURIAL.EXEMERCURIAL.EXEMERCURIAL.EXEMERCURIAL.EXEMERCURIAL.EXEMERCURIAL.EXEMERCURIAL.EXEMERCURIAL.EXEMERCURIAL.EXEMercurial.exeMERCURIAL.EXEOK.EXEMERCURIAL.EXEMERCURIAL.EXE

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	MERCURIAL.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	MERCURIAL.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	MERCURIAL.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	MERCURIAL.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	MERCURIAL.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	MERCURIAL.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	MERCURIAL.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	MERCURIAL.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	MERCURIAL.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	MERCURIAL.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	MERCURIAL.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	MERCURIAL.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	Mercurial.exe
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	MERCURIAL.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	OK.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	MERCURIAL.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	MERCURIAL.EXE

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

33 ip-api.com

flow	ioc
33	ip-api.com

Maps connected drives based on registry 3 TTPs 34 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

MERCURIAL.EXEOK.EXEOK.EXEOK.EXEOK.EXEConhost.exeOK.EXEOK.EXEWerFault.exeOK.EXEMERCURIAL.EXEOK.EXEOK.EXEOK.EXEOK.EXEOK.EXEOK.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	MERCURIAL.EXE
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	OK.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	OK.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	OK.EXE
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	OK.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	OK.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	OK.EXE
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	Conhost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	OK.EXE
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	MERCURIAL.EXE
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	OK.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	WerFault.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	OK.EXE
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	MERCURIAL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	OK.EXE
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	OK.EXE
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	OK.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	OK.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	OK.EXE
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	OK.EXE
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	OK.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	OK.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	Conhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	OK.EXE
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	OK.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	OK.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	MERCURIAL.EXE
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	OK.EXE
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	OK.EXE
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	WerFault.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	OK.EXE
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	OK.EXE
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	OK.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	OK.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 64 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
4720	3572	WerFault.exe	OK.EXE
4588	3636	WerFault.exe	OK.EXE
4920	3352	WerFault.exe	OK.EXE
5068	1380	WerFault.exe	OK.EXE
4828	4536	WerFault.exe	OK.EXE
4604	4724	WerFault.exe	OK.EXE
4992	4876	WerFault.exe	OK.EXE
3460	5100	WerFault.exe	OK.EXE
1936	4780	WerFault.exe	OK.EXE
4828	4332	WerFault.exe	OK.EXE
4932	4056	WerFault.exe	OK.EXE
464	2280	WerFault.exe	OK.EXE
4948	3540	WerFault.exe	OK.EXE
4372	4716	WerFault.exe	OK.EXE
1864	4040	WerFault.exe	OK.EXE
2040	1312	WerFault.exe	OK.EXE
4516	1492	WerFault.exe	OK.EXE
4160	4124	WerFault.exe	OK.EXE
1976	5092	WerFault.exe	OK.EXE
5060	3736	WerFault.exe	OK.EXE
2464	4712	WerFault.exe	OK.EXE
3028	3496	WerFault.exe	OK.EXE
4824	1512	WerFault.exe	OK.EXE
4128	5024	WerFault.exe	OK.EXE
1784	2972	WerFault.exe	OK.EXE
15736	6820	WerFault.exe	OK.EXE
15848	740	WerFault.exe	OK.EXE
16232	11932	WerFault.exe	OK.EXE
5536	6540	WerFault.exe	OK.EXE
8408	8264	WerFault.exe	OK.EXE
15880	7528	WerFault.exe	OK.EXE
9780	860	WerFault.exe	OK.EXE
4760	4280	WerFault.exe	OK.EXE
5920	8696	WerFault.exe	OK.EXE
5776	3776	WerFault.exe	OK.EXE
5676	8572	WerFault.exe	OK.EXE
6416	9556	WerFault.exe	OK.EXE
11444	9788	WerFault.exe	OK.EXE
5792	9336	WerFault.exe	OK.EXE
880	10808	WerFault.exe	OK.EXE
1572	10944	WerFault.exe	OK.EXE
7804	12184	WerFault.exe	OK.EXE
4984	11480	WerFault.exe	OK.EXE
4092	12616	WerFault.exe	OK.EXE
11848	12384	WerFault.exe	OK.EXE
10464	13492	WerFault.exe	OK.EXE
5360	13732	WerFault.exe	OK.EXE
6852	13952	WerFault.exe	OK.EXE
14448	14228	WerFault.exe	OK.EXE
5084	7132	WerFault.exe	OK.EXE
11816	13648	WerFault.exe	OK.EXE
8012	4328	WerFault.exe	OK.EXE
8456	1300	WerFault.exe	OK.EXE
8648	11308	WerFault.exe	OK.EXE
11820	14344	WerFault.exe	OK.EXE
10156	14600	WerFault.exe	OK.EXE
13360	8336	WerFault.exe	OK.EXE
14948	15772	WerFault.exe	OK.EXE
8216	15996	WerFault.exe	OK.EXE
14216	7568	WerFault.exe	OK.EXE
7884	11692	WerFault.exe	OK.EXE
2976	6072	WerFault.exe	OK.EXE
10772	10280	WerFault.exe	OK.EXE
2168	10208	WerFault.exe	OK.EXE

Checks SCSI registry key(s) 3 TTPs 17 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

OK.EXEOK.EXEOK.EXEConhost.exeMERCURIAL.EXEOK.EXEWerFault.exeMERCURIAL.EXEOK.EXEOK.EXEOK.EXEOK.EXEOK.EXEOK.EXEOK.EXEOK.EXEOK.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S	OK.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S	OK.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S	OK.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S	Conhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S	MERCURIAL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S	OK.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S	WerFault.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S	MERCURIAL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S	OK.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S	OK.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S	OK.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S	OK.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S	OK.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S	OK.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S	OK.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S	OK.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S	OK.EXE

Checks processor information in registry 2 TTPs 40 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

OK.EXEWerFault.exeMERCURIAL.EXEWerFault.exeOK.EXEOK.EXEWerFault.exeOK.EXEOK.EXEOK.EXEOK.EXEOK.EXEWerFault.exeOK.EXEMERCURIAL.EXEConhost.exeOK.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	OK.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	MERCURIAL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	OK.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	OK.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	MERCURIAL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	OK.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	OK.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	OK.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	OK.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	OK.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	OK.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	OK.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	MERCURIAL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Conhost.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	OK.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	OK.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	OK.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	MERCURIAL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	OK.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	OK.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	OK.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	OK.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	Conhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	OK.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	OK.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	OK.EXE

Enumerates system info in registry 2 TTPs 64 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

OK.EXEWerFault.exeOK.EXEMERCURIAL.EXEOK.EXEWerFault.exeOK.EXEConhost.exeMERCURIAL.EXEOK.EXEOK.EXEOK.EXEOK.EXEOK.EXEOK.EXEOK.EXEOK.EXEOK.EXEWerFault.exeWerFault.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemProductName	OK.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemManufacturer	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemProductName	OK.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Logical Unit Id 0	MERCURIAL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemProductName	OK.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemProductName	OK.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemProductName	Conhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemManufacturer	MERCURIAL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemManufacturer	Conhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Logical Unit Id 0	OK.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Logical Unit Id 0	OK.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Logical Unit Id 0	OK.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemManufacturer	OK.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosInformation	OK.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemProductName	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemProductName	OK.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemManufacturer	OK.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Logical Unit Id 0	OK.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemProductName	OK.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Logical Unit Id 0	OK.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemProductName	MERCURIAL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Logical Unit Id 0	OK.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemManufacturer	OK.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Logical Unit Id 0	OK.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemProductName	OK.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosInformation	OK.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosInformation	OK.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Logical Unit Id 0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemManufacturer	OK.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Logical Unit Id 0	Conhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosInformation	MERCURIAL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosInformation	OK.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Logical Unit Id 0	OK.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemManufacturer	OK.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosInformation	OK.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemProductName	OK.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemProductName	OK.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemManufacturer	OK.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemManufacturer	MERCURIAL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemManufacturer	OK.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Logical Unit Id 0	MERCURIAL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemManufacturer	OK.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemProductName	OK.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Logical Unit Id 0	OK.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Logical Unit Id 0	OK.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemManufacturer	OK.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosInformation	Conhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemProductName	OK.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Logical Unit Id 0	OK.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosInformation	OK.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemManufacturer	OK.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemManufacturer	OK.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosInformation	OK.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemProductName	OK.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosInformation	OK.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemProductName	OK.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemManufacturer	OK.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosInformation	MERCURIAL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosInformation	OK.EXE

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeMERCURIAL.EXE

pid	process
4588	WerFault.exe
4588	WerFault.exe
5068	WerFault.exe
5068	WerFault.exe
4920
4920
4720	WerFault.exe
4720	WerFault.exe
4604	WerFault.exe
4604	WerFault.exe
4828	MERCURIAL.EXE
4828	MERCURIAL.EXE

Suspicious use of AdjustPrivilegeToken 18 IoCs

Processes:

OK.EXEOK.EXEOK.EXEOK.EXEOK.EXEOK.EXEOK.EXEOK.EXEOK.EXEMERCURIAL.EXEOK.EXEOK.EXEConhost.exeMERCURIAL.EXEOK.EXEOK.EXEWerFault.exe

description	pid	process
Token: SeDebugPrivilege	1380	OK.EXE
Token: SeDebugPrivilege	3572	OK.EXE
Token: SeDebugPrivilege	1368	OK.EXE
Token: SeDebugPrivilege	3352	OK.EXE
Token: SeDebugPrivilege	3636	OK.EXE
Token: SeDebugPrivilege	1412	OK.EXE
Token: SeDebugPrivilege	2280	OK.EXE
Token: SeDebugPrivilege	4176	OK.EXE
Token: SeDebugPrivilege	4356	OK.EXE
Token: SeDebugPrivilege	4536	MERCURIAL.EXE
Token: SeDebugPrivilege	4724	OK.EXE
Token: SeDebugPrivilege	4876	OK.EXE
Token: SeDebugPrivilege	5100	Conhost.exe
Token: SeDebugPrivilege	4780	MERCURIAL.EXE
Token: SeDebugPrivilege	4332	OK.EXE
Token: SeDebugPrivilege	4056	OK.EXE
Token: SeDebugPrivilege	2280	OK.EXE
Token: SeDebugPrivilege	3540	WerFault.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Mercurial.exeMERCURIAL.EXEMERCURIAL.EXEMERCURIAL.EXEMERCURIAL.EXEMERCURIAL.EXEWaaSMedicAgent.exeMERCURIAL.EXEOK.EXEMERCURIAL.EXEMERCURIAL.EXEMERCURIAL.EXEWerFault.exeWerFault.exe

description	pid	process	target process
PID 3564 wrote to memory of 3020	3564	Mercurial.exe	MERCURIAL.EXE
PID 3564 wrote to memory of 3020	3564	Mercurial.exe	MERCURIAL.EXE
PID 3564 wrote to memory of 3020	3564	Mercurial.exe	MERCURIAL.EXE
PID 3564 wrote to memory of 1380	3564	Mercurial.exe	OK.EXE
PID 3564 wrote to memory of 1380	3564	Mercurial.exe	OK.EXE
PID 3020 wrote to memory of 1232	3020	MERCURIAL.EXE	MERCURIAL.EXE
PID 3020 wrote to memory of 1232	3020	MERCURIAL.EXE	MERCURIAL.EXE
PID 3020 wrote to memory of 1232	3020	MERCURIAL.EXE	MERCURIAL.EXE
PID 3020 wrote to memory of 3572	3020	MERCURIAL.EXE	OK.EXE
PID 3020 wrote to memory of 3572	3020	MERCURIAL.EXE	OK.EXE
PID 1232 wrote to memory of 3960	1232	MERCURIAL.EXE	MERCURIAL.EXE
PID 1232 wrote to memory of 3960	1232	MERCURIAL.EXE	MERCURIAL.EXE
PID 1232 wrote to memory of 3960	1232	MERCURIAL.EXE	MERCURIAL.EXE
PID 1232 wrote to memory of 1368	1232	MERCURIAL.EXE	OK.EXE
PID 1232 wrote to memory of 1368	1232	MERCURIAL.EXE	OK.EXE
PID 3960 wrote to memory of 2956	3960	MERCURIAL.EXE	MERCURIAL.EXE
PID 3960 wrote to memory of 2956	3960	MERCURIAL.EXE	MERCURIAL.EXE
PID 3960 wrote to memory of 2956	3960	MERCURIAL.EXE	MERCURIAL.EXE
PID 3960 wrote to memory of 3352	3960		OK.EXE
PID 3960 wrote to memory of 3352	3960		OK.EXE
PID 1340 wrote to memory of 2984	1340	MERCURIAL.EXE	MERCURIAL.EXE
PID 1340 wrote to memory of 2984	1340	MERCURIAL.EXE	MERCURIAL.EXE
PID 1340 wrote to memory of 2984	1340	MERCURIAL.EXE	MERCURIAL.EXE
PID 1340 wrote to memory of 1412	1340	MERCURIAL.EXE	OK.EXE
PID 1340 wrote to memory of 1412	1340	MERCURIAL.EXE	OK.EXE
PID 2984 wrote to memory of 3936	2984	MERCURIAL.EXE	WaaSMedicAgent.exe
PID 2984 wrote to memory of 3936	2984	MERCURIAL.EXE	WaaSMedicAgent.exe
PID 2984 wrote to memory of 3936	2984	MERCURIAL.EXE	WaaSMedicAgent.exe
PID 2984 wrote to memory of 2280	2984	MERCURIAL.EXE	OK.EXE
PID 2984 wrote to memory of 2280	2984	MERCURIAL.EXE	OK.EXE
PID 3936 wrote to memory of 4140	3936	WaaSMedicAgent.exe	MERCURIAL.EXE
PID 3936 wrote to memory of 4140	3936	WaaSMedicAgent.exe	MERCURIAL.EXE
PID 3936 wrote to memory of 4140	3936	WaaSMedicAgent.exe	MERCURIAL.EXE
PID 3936 wrote to memory of 4176	3936	WaaSMedicAgent.exe	OK.EXE
PID 3936 wrote to memory of 4176	3936	WaaSMedicAgent.exe	OK.EXE
PID 4140 wrote to memory of 4332	4140	MERCURIAL.EXE	OK.EXE
PID 4140 wrote to memory of 4332	4140	MERCURIAL.EXE	OK.EXE
PID 4140 wrote to memory of 4332	4140	MERCURIAL.EXE	OK.EXE
PID 4140 wrote to memory of 4356	4140	MERCURIAL.EXE	OK.EXE
PID 4140 wrote to memory of 4356	4140	MERCURIAL.EXE	OK.EXE
PID 4332 wrote to memory of 4528	4332	OK.EXE	MERCURIAL.EXE
PID 4332 wrote to memory of 4528	4332	OK.EXE	MERCURIAL.EXE
PID 4332 wrote to memory of 4528	4332	OK.EXE	MERCURIAL.EXE
PID 4332 wrote to memory of 4536	4332	OK.EXE	MERCURIAL.EXE
PID 4332 wrote to memory of 4536	4332	OK.EXE	MERCURIAL.EXE
PID 4528 wrote to memory of 4708	4528	MERCURIAL.EXE	MERCURIAL.EXE
PID 4528 wrote to memory of 4708	4528	MERCURIAL.EXE	MERCURIAL.EXE
PID 4528 wrote to memory of 4708	4528	MERCURIAL.EXE	MERCURIAL.EXE
PID 4528 wrote to memory of 4724	4528	MERCURIAL.EXE	OK.EXE
PID 4528 wrote to memory of 4724	4528	MERCURIAL.EXE	OK.EXE
PID 4708 wrote to memory of 4848	4708	MERCURIAL.EXE	MERCURIAL.EXE
PID 4708 wrote to memory of 4848	4708	MERCURIAL.EXE	MERCURIAL.EXE
PID 4708 wrote to memory of 4848	4708	MERCURIAL.EXE	MERCURIAL.EXE
PID 4708 wrote to memory of 4876	4708	MERCURIAL.EXE	OK.EXE
PID 4708 wrote to memory of 4876	4708	MERCURIAL.EXE	OK.EXE
PID 4848 wrote to memory of 5056	4848	MERCURIAL.EXE	MERCURIAL.EXE
PID 4848 wrote to memory of 5056	4848	MERCURIAL.EXE	MERCURIAL.EXE
PID 4848 wrote to memory of 5056	4848	MERCURIAL.EXE	MERCURIAL.EXE
PID 4848 wrote to memory of 5100	4848	MERCURIAL.EXE	Conhost.exe
PID 4848 wrote to memory of 5100	4848	MERCURIAL.EXE	Conhost.exe
PID 4376 wrote to memory of 3572	4376	WerFault.exe	WerFault.exe
PID 4376 wrote to memory of 3572	4376	WerFault.exe	WerFault.exe
PID 3796 wrote to memory of 1380	3796	WerFault.exe	OK.EXE
PID 3796 wrote to memory of 1380	3796	WerFault.exe	OK.EXE

C:\Users\Admin\AppData\Local\Temp\Mercurial.exe
"C:\Users\Admin\AppData\Local\Temp\Mercurial.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3564
- C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
  "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:3020
- - C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
    "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
    3⤵
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:1232
  - - C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
      "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
      4⤵
      Checks computer location settings
      Suspicious use of WriteProcessMemory
      PID:3960
    - - C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        5⤵
        
        PID:2956
      - C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        6⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:1340
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        7⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:2984
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        8⤵
        
        PID:3936
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        9⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:4140
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        10⤵
        
        PID:4332
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        11⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:4528
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        12⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:4708
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        13⤵
        Executes dropped EXE
        Checks BIOS information in registry
        Maps connected drives based on registry
        Checks SCSI registry key(s)
        Checks processor information in registry
        Enumerates system info in registry
        Suspicious use of AdjustPrivilegeToken
        
        PID:4876
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 4876 -s 2008
        14⤵
        Program crash
        
        PID:4992
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        13⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:4848
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        14⤵
        Checks computer location settings
        
        PID:5056
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        15⤵
        Checks computer location settings
        
        PID:4856
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        16⤵
        Checks computer location settings
        
        PID:2476
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        17⤵
        Executes dropped EXE
        Checks BIOS information in registry
        Maps connected drives based on registry
        Checks SCSI registry key(s)
        Enumerates system info in registry
        Suspicious use of AdjustPrivilegeToken
        
        PID:4056
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 4056 -s 2032
        18⤵
        Program crash
        
        PID:4932
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        17⤵
        Checks computer location settings
        
        PID:2820
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        18⤵
        Executes dropped EXE
        Checks BIOS information in registry
        Maps connected drives based on registry
        Checks SCSI registry key(s)
        Checks processor information in registry
        Enumerates system info in registry
        Suspicious use of AdjustPrivilegeToken
        
        PID:2280
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 2280 -s 1992
        19⤵
        Program crash
        
        PID:464
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        18⤵
        Checks computer location settings
        
        PID:2188
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        19⤵
        Checks computer location settings
        
        PID:4180
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        20⤵
        
        PID:4124
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        21⤵
        
        PID:4040
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 4040 -s 2020
        22⤵
        Program crash
        
        PID:1864
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        21⤵
        
        PID:3104
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        22⤵
        
        PID:1320
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        23⤵
        
        PID:2964
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        24⤵
        
        PID:4124
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 4124 -s 2032
        25⤵
        Program crash
        
        PID:4160
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        24⤵
        
        PID:3720
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        25⤵
        
        PID:4760
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        26⤵
        Suspicious use of NtCreateProcessExOtherParentProcess
        
        PID:4384
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        27⤵
        
        PID:4116
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        28⤵
        
        PID:4844
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        29⤵
        
        PID:5084
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        30⤵
        Executes dropped EXE
        Checks BIOS information in registry
        Maps connected drives based on registry
        Checks SCSI registry key(s)
        Checks processor information in registry
        Enumerates system info in registry
        Suspicious use of AdjustPrivilegeToken
        
        PID:4780
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        31⤵
        
        PID:4144
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        32⤵
        
        PID:4328
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        33⤵
        
        PID:4116
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        34⤵
        
        PID:4212
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        35⤵
        
        PID:4664
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        36⤵
        
        PID:4504
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        37⤵
        
        PID:5084
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        38⤵
        
        PID:4728
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        39⤵
        Executes dropped EXE
        Checks BIOS information in registry
        Maps connected drives based on registry
        Checks SCSI registry key(s)
        Checks processor information in registry
        Enumerates system info in registry
        Suspicious use of AdjustPrivilegeToken
        
        PID:4536
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        40⤵
        
        PID:4888
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        40⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4828
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        41⤵
        
        PID:4812
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        42⤵
        
        PID:4788
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        43⤵
        
        PID:4728
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        43⤵
        
        PID:4280
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        44⤵
        
        PID:4468
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        45⤵
        
        PID:4800
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        46⤵
        
        PID:4748
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        47⤵
        
        PID:3484
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        48⤵
        
        PID:5172
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        49⤵
        
        PID:5312
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        50⤵
        
        PID:5464
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        51⤵
        
        PID:5644
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        52⤵
        
        PID:5796
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        53⤵
        
        PID:5968
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        54⤵
        
        PID:6104
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        55⤵
        
        PID:5516
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        56⤵
        
        PID:5848
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        57⤵
        
        PID:5484
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        58⤵
        
        PID:6176
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        59⤵
        
        PID:6316
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        60⤵
        
        PID:6508
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        61⤵
        
        PID:6664
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        62⤵
        
        PID:6784
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        63⤵
        
        PID:6956
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        64⤵
        
        PID:7128
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        65⤵
        
        PID:6412
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        66⤵
        
        PID:6772
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        67⤵
        
        PID:5852
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        68⤵
        
        PID:7180
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        69⤵
        
        PID:7304
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        70⤵
        
        PID:7508
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        71⤵
        
        PID:7668
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        72⤵
        
        PID:7812
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        73⤵
        
        PID:7988
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        74⤵
        
        PID:8136
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        75⤵
        
        PID:7480
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        76⤵
        
        PID:7964
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        77⤵
        
        PID:7904
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        78⤵
        
        PID:8248
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        79⤵
        
        PID:8400
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        80⤵
        
        PID:8548
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        81⤵
        
        PID:8656
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        82⤵
        
        PID:8924
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        83⤵
        
        PID:9084
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        84⤵
        
        PID:8212
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        85⤵
        
        PID:3776
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 3776 -s 1956
        86⤵
        Program crash
        
        PID:5776
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        85⤵
        
        PID:8548
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        86⤵
        
        PID:8720
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        87⤵
        
        PID:9264
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        88⤵
        
        PID:9420
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        89⤵
        
        PID:9524
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        90⤵
        
        PID:9732
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        91⤵
        
        PID:9932
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        92⤵
        
        PID:10088
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        93⤵
        
        PID:9004
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        94⤵
        
        PID:9760
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        95⤵
        
        PID:10028
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        96⤵
        
        PID:8808
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        96⤵
        
        PID:9488
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        97⤵
        
        PID:9868
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        98⤵
        
        PID:10304
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        99⤵
        
        PID:10456
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        100⤵
        
        PID:10620
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        101⤵
        
        PID:10760
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        102⤵
        
        PID:10924
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        103⤵
        
        PID:11092
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        104⤵
        
        PID:4976
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        105⤵
        
        PID:10708
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        106⤵
        
        PID:10960
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        107⤵
        
        PID:6164
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        108⤵
        
        PID:11276
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        109⤵
        
        PID:11416
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        110⤵
        
        PID:11512
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        111⤵
        
        PID:11904
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        112⤵
        
        PID:12144
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        113⤵
        
        PID:12272
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        114⤵
        
        PID:11476
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        115⤵
        
        PID:12220
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        116⤵
        
        PID:12604
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        117⤵
        
        PID:12500
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        118⤵
        
        PID:13476
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        119⤵
        
        PID:13720
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        120⤵
        
        PID:13920
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        121⤵
        
        PID:14164
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        122⤵
        
        PID:7972
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        123⤵
        
        PID:13728
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        124⤵
        
        PID:11344
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        125⤵
        
        PID:1300
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 1300 -s 632
        126⤵
        Program crash
        
        PID:8456
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        125⤵
        
        PID:4240
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        126⤵
        
        PID:13556
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        127⤵
        
        PID:14344
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 14344 -s 1772
        128⤵
        Program crash
        
        PID:11820
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        127⤵
        
        PID:9056
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        128⤵
        
        PID:14564
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        129⤵
        
        PID:14740
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        130⤵
        
        PID:15060
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        131⤵
        
        PID:15232
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        132⤵
        
        PID:5180
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        133⤵
        
        PID:14644
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        134⤵
        
        PID:15112
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        135⤵
        
        PID:15472
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        136⤵
        
        PID:15624
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        137⤵
        
        PID:15968
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        138⤵
        
        PID:16124
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        139⤵
        
        PID:16284
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        140⤵
        
        PID:15572
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        141⤵
        
        PID:16172
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        142⤵
        
        PID:15352
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        143⤵
        
        PID:7844
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        144⤵
        
        PID:7116
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        145⤵
        
        PID:9940
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        146⤵
        
        PID:10844
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        147⤵
        
        PID:5300
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        148⤵
        
        PID:6480
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        149⤵
        
        PID:6760
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        150⤵
        
        PID:5440
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        150⤵
        
        PID:1860
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        151⤵
        
        PID:4472
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        152⤵
        
        PID:5852
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        152⤵
        
        PID:9080
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        153⤵
        
        PID:3556
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        153⤵
        
        PID:2956
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        154⤵
        
        PID:10280
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 10280 -s 1592
        155⤵
        Program crash
        
        PID:10772
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        154⤵
        
        PID:10248
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        155⤵
        
        PID:11348
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        156⤵
        
        PID:7572
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        157⤵
        
        PID:4516
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        157⤵
        
        PID:5108
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        158⤵
        
        PID:4572
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        158⤵
        
        PID:13316
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        159⤵
        
        PID:14844
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        160⤵
        
        PID:11552
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        161⤵
        
        PID:4164
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        162⤵
        
        PID:6512
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        163⤵
        
        PID:4992
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        164⤵
        
        PID:6588
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        165⤵
        
        PID:3352
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        166⤵
        
        PID:7284
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        167⤵
        
        PID:11660
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        168⤵
        
        PID:12020
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        169⤵
        
        PID:2488
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        170⤵
        
        PID:8588
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        170⤵
        
        PID:7120
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        171⤵
        
        PID:14288
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        172⤵
        
        PID:12780
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        173⤵
        
        PID:9620
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        174⤵
        
        PID:6024
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        175⤵
        
        PID:9368
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        176⤵
        
        PID:10108
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        177⤵
        
        PID:7024
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        177⤵
        
        PID:6448
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        178⤵
        
        PID:9552
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        178⤵
        
        PID:9280
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        179⤵
        
        PID:9976
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        180⤵
        
        PID:5188
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        180⤵
        
        PID:6444
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        181⤵
        
        PID:8872
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        182⤵
        
        PID:10020
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        183⤵
        
        PID:9092
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        184⤵
        
        PID:11192
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        185⤵
        
        PID:15404
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        186⤵
        
        PID:11196
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        187⤵
        
        PID:10896
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        188⤵
        
        PID:220
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        189⤵
        
        PID:4800
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        190⤵
        
        PID:13756
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        191⤵
        
        PID:13348
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        192⤵
        
        PID:10836
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        193⤵
        
        PID:13452
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        194⤵
        
        PID:11668
        
        C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\MERCURIAL.EXE"
        195⤵
        
        PID:13548
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        194⤵
        
        PID:10648
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        193⤵
        
        PID:13716
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        192⤵
        
        PID:10576
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        191⤵
        
        PID:16084
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        190⤵
        
        PID:11316
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        189⤵
        
        PID:4984
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        188⤵
        
        PID:12268
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        187⤵
        
        PID:10820
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        186⤵
        
        PID:10812
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        185⤵
        
        PID:2700
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        184⤵
        
        PID:9816
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        183⤵
        
        PID:4440
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        182⤵
        
        PID:8624
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        181⤵
        
        PID:12584
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        179⤵
        
        PID:9720
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        176⤵
        
        PID:5496
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        175⤵
        
        PID:14000
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        174⤵
        
        PID:8652
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        173⤵
        
        PID:9712
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        172⤵
        
        PID:9188
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        171⤵
        
        PID:13388
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        169⤵
        
        PID:13472
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        168⤵
        
        PID:8028
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        167⤵
        
        PID:11692
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 11692 -s 2020
        168⤵
        Program crash
        
        PID:7884
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        166⤵
        
        PID:5272
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        165⤵
        
        PID:4740
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        164⤵
        
        PID:16292
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        163⤵
        
        PID:6168
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        162⤵
        
        PID:6056
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        161⤵
        
        PID:8336
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 8336 -s 2024
        162⤵
        Program crash
        
        PID:13360
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        160⤵
        
        PID:11492
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        159⤵
        
        PID:10344
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        156⤵
        
        PID:7568
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 7568 -s 2008
        157⤵
        Program crash
        
        PID:14216
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        155⤵
        
        PID:11412
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        151⤵
        
        PID:10208
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 10208 -s 1500
        152⤵
        Program crash
        
        PID:2168
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        149⤵
        
        PID:5748
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        148⤵
        
        PID:4664
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        147⤵
        
        PID:6136
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        146⤵
        
        PID:7408
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        145⤵
        
        PID:6072
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 6072 -s 1964
        146⤵
        Program crash
        
        PID:2976
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        144⤵
        
        PID:6212
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        143⤵
        
        PID:7724
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        142⤵
        
        PID:15668
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        141⤵
        
        PID:16080
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        140⤵
        
        PID:15772
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 15772 -s 1940
        141⤵
        Program crash
        
        PID:14948
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        139⤵
        
        PID:16304
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        138⤵
        
        PID:16144
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        137⤵
        
        PID:15996
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 15996 -s 1976
        138⤵
        Program crash
        
        PID:8216
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        136⤵
        
        PID:15652
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        135⤵
        
        PID:15524
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        134⤵
        
        PID:15064
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        133⤵
        
        PID:3488
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        132⤵
        
        PID:14532
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        131⤵
        
        PID:15244
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        130⤵
        
        PID:15096
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        129⤵
        
        PID:14760
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        128⤵
        
        PID:14600
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 14600 -s 1980
        129⤵
        Program crash
        
        PID:10156
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        126⤵
        
        PID:11308
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 11308 -s 2000
        127⤵
        Program crash
        
        PID:8648
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        124⤵
        
        PID:4328
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 4328 -s 1488
        125⤵
        Program crash
        
        PID:8012
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        123⤵
        
        PID:13648
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 13648 -s 1996
        124⤵
        Program crash
        
        PID:11816
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        122⤵
        
        PID:7132
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 7132 -s 1956
        123⤵
        Program crash
        
        PID:5084
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        121⤵
        
        PID:14228
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 14228 -s 1996
        122⤵
        Program crash
        
        PID:14448
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        120⤵
        
        PID:13952
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 13952 -s 1996
        121⤵
        Program crash
        
        PID:6852
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        119⤵
        
        PID:13732
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 13732 -s 1972
        120⤵
        Program crash
        
        PID:5360
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        118⤵
        
        PID:13492
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 13492 -s 1980
        119⤵
        Program crash
        
        PID:10464
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        117⤵
        
        PID:12384
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 12384 -s 1976
        118⤵
        Program crash
        
        PID:11848
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        116⤵
        
        PID:12616
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 12616 -s 1996
        117⤵
        Program crash
        
        PID:4092
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        115⤵
        
        PID:11868
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        114⤵
        
        PID:11480
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 11480 -s 1996
        115⤵
        Program crash
        
        PID:4984
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        113⤵
        
        PID:11032
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        112⤵
        
        PID:12184
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 12184 -s 2004
        113⤵
        Program crash
        
        PID:7804
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        111⤵
        
        PID:11932
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 11932 -s 1972
        112⤵
        Program crash
        
        PID:16232
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        110⤵
        
        PID:11536
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        109⤵
        
        PID:11448
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        108⤵
        
        PID:11292
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        107⤵
        
        PID:11208
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        106⤵
        
        PID:10924
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        105⤵
        
        PID:10620
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        104⤵
        
        PID:10504
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        103⤵
        
        PID:11140
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        102⤵
        
        PID:10944
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 10944 -s 1976
        103⤵
        Program crash
        
        PID:1572
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        101⤵
        
        PID:10808
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 10808 -s 1992
        102⤵
        Program crash
        
        PID:880
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        100⤵
        
        PID:10640
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        99⤵
        
        PID:10508
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        98⤵
        
        PID:10332
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        97⤵
        
        PID:5876
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        95⤵
        
        PID:8248
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        96⤵
        Executes dropped EXE
        Checks BIOS information in registry
        Maps connected drives based on registry
        Checks SCSI registry key(s)
        Checks processor information in registry
        Enumerates system info in registry
        Suspicious use of AdjustPrivilegeToken
        
        PID:5100
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        94⤵
        
        PID:9616
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        93⤵
        
        PID:9336
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 9336 -s 1916
        94⤵
        Program crash
        
        PID:5792
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        92⤵
        
        PID:10104
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        91⤵
        
        PID:9972
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        90⤵
        
        PID:9788
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 9788 -s 1908
        91⤵
        Program crash
        
        PID:11444
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        89⤵
        
        PID:9556
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 9556 -s 1444
        90⤵
        Program crash
        
        PID:6416
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        88⤵
        
        PID:9436
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        87⤵
        
        PID:9292
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        86⤵
        
        PID:8260
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        84⤵
        
        PID:8376
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        83⤵
        
        PID:9144
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        82⤵
        
        PID:8952
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        81⤵
        
        PID:8696
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 8696 -s 1404
        82⤵
        Program crash
        
        PID:5920
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        80⤵
        
        PID:8572
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 8572 -s 1896
        81⤵
        Program crash
        
        PID:5676
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        79⤵
        
        PID:8424
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        78⤵
        
        PID:8264
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 8264 -s 1944
        79⤵
        Program crash
        
        PID:8408
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        77⤵
        
        PID:7920
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        76⤵
        
        PID:7888
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        75⤵
        
        PID:7392
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        74⤵
        
        PID:8180
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        73⤵
        
        PID:8000
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        72⤵
        
        PID:7836
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        71⤵
        
        PID:7692
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        70⤵
        
        PID:7528
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 7528 -s 1920
        71⤵
        Program crash
        
        PID:15880
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        69⤵
        
        PID:7332
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        68⤵
        
        PID:7220
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        67⤵
        
        PID:7128
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        66⤵
        
        PID:7032
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        65⤵
        
        PID:6676
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        64⤵
        
        PID:7140
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        63⤵
        
        PID:7016
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        62⤵
        
        PID:6820
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 6820 -s 1920
        63⤵
        Program crash
        
        PID:15736
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        61⤵
        
        PID:6684
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        60⤵
        
        PID:6540
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 6540 -s 1564
        61⤵
        Program crash
        
        PID:5536
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        59⤵
        
        PID:6352
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        58⤵
        
        PID:6192
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        57⤵
        
        PID:5724
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        56⤵
        
        PID:5808
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        55⤵
        
        PID:5312
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        54⤵
        
        PID:6132
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        53⤵
        
        PID:6000
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        52⤵
        
        PID:5812
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        51⤵
        
        PID:5660
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        50⤵
        
        PID:5500
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        49⤵
        
        PID:5324
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        48⤵
        
        PID:5192
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        47⤵
        
        PID:5036
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        46⤵
        
        PID:4280
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 4280 -s 1900
        47⤵
        Program crash
        
        PID:4760
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        45⤵
        
        PID:860
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 860 -s 1412
        46⤵
        Program crash
        
        PID:9780
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        44⤵
        
        PID:2144
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        42⤵
        
        PID:2044
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        41⤵
        
        PID:4736
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        39⤵
        
        PID:496
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        38⤵
        
        PID:4260
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        37⤵
        
        PID:4892
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        36⤵
        
        PID:3360
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        35⤵
        
        PID:4836
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        34⤵
        
        PID:740
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 740 -s 1924
        35⤵
        Program crash
        
        PID:15848
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        33⤵
        
        PID:4548
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        32⤵
        
        PID:4948
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        31⤵
        
        PID:5024
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 5024 -s 2032
        32⤵
        Program crash
        
        PID:4128
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        30⤵
        
        PID:2972
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 2972 -s 2004
        31⤵
        Program crash
        
        PID:1784
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        29⤵
        
        PID:1512
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 1512 -s 2020
        30⤵
        Program crash
        
        PID:4824
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        28⤵
        
        PID:3496
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 3496 -s 2012
        29⤵
        Program crash
        
        PID:3028
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        27⤵
        
        PID:4712
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 4712 -s 2016
        28⤵
        Program crash
        
        PID:2464
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        26⤵
        
        PID:3736
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 3736 -s 1996
        27⤵
        Program crash
        
        PID:5060
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        25⤵
        
        PID:5092
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 5092 -s 2012
        26⤵
        Program crash
        
        PID:1976
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        23⤵
        
        PID:1492
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 1492 -s 2000
        24⤵
        Program crash
        
        PID:4516
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        22⤵
        
        PID:1312
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 1312 -s 2036
        23⤵
        Program crash
        
        PID:2040
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        20⤵
        Executes dropped EXE
        
        PID:4716
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 4716 -s 2016
        21⤵
        Program crash
        
        PID:4372
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        19⤵
        Executes dropped EXE
        
        PID:3540
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 3540 -s 2020
        20⤵
        Program crash
        
        PID:4948
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        16⤵
        Executes dropped EXE
        Checks BIOS information in registry
        Checks computer location settings
        Maps connected drives based on registry
        Checks SCSI registry key(s)
        Enumerates system info in registry
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4332
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 4332 -s 2024
        17⤵
        Program crash
        
        PID:4828
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        15⤵
        
        PID:4780
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 4780 -s 2004
        16⤵
        Program crash
        
        PID:1936
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        14⤵
        
        PID:5100
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 5100 -s 2020
        15⤵
        Program crash
        
        PID:3460
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        12⤵
        Executes dropped EXE
        Checks BIOS information in registry
        Maps connected drives based on registry
        Checks SCSI registry key(s)
        Checks processor information in registry
        Enumerates system info in registry
        Suspicious use of AdjustPrivilegeToken
        
        PID:4724
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 4724 -s 2008
        13⤵
        Program crash
        Suspicious behavior: EnumeratesProcesses
        
        PID:4604
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        11⤵
        
        PID:4536
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 4536 -s 2036
        12⤵
        Program crash
        
        PID:4828
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        10⤵
        Executes dropped EXE
        Checks BIOS information in registry
        Maps connected drives based on registry
        Checks SCSI registry key(s)
        Checks processor information in registry
        Enumerates system info in registry
        Suspicious use of AdjustPrivilegeToken
        
        PID:4356
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        9⤵
        Executes dropped EXE
        Checks BIOS information in registry
        Maps connected drives based on registry
        Checks SCSI registry key(s)
        Checks processor information in registry
        Enumerates system info in registry
        Suspicious use of AdjustPrivilegeToken
        
        PID:4176
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        8⤵
        
        PID:2280
        
        C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        7⤵
        Executes dropped EXE
        Checks BIOS information in registry
        Maps connected drives based on registry
        Checks SCSI registry key(s)
        Checks processor information in registry
        Enumerates system info in registry
        Suspicious use of AdjustPrivilegeToken
        
        PID:1412
      - C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        6⤵
        Executes dropped EXE
        Checks BIOS information in registry
        Maps connected drives based on registry
        Checks SCSI registry key(s)
        Checks processor information in registry
        Enumerates system info in registry
        Suspicious use of AdjustPrivilegeToken
        
        PID:3636
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 3636 -s 2000
        7⤵
        Program crash
        Checks processor information in registry
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        
        PID:4588
    - - C:\Users\Admin\AppData\Local\Temp\OK.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
        5⤵
        Executes dropped EXE
        Checks BIOS information in registry
        Maps connected drives based on registry
        Checks SCSI registry key(s)
        Checks processor information in registry
        Enumerates system info in registry
        Suspicious use of AdjustPrivilegeToken
        
        PID:3352
      - C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 3352 -s 2008
        6⤵
        Program crash
        
        PID:4920
  - - C:\Users\Admin\AppData\Local\Temp\OK.EXE
      "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
      4⤵
      Executes dropped EXE
      Checks BIOS information in registry
      Maps connected drives based on registry
      Checks SCSI registry key(s)
      Checks processor information in registry
      Enumerates system info in registry
      Suspicious use of AdjustPrivilegeToken
      PID:1368
- - C:\Users\Admin\AppData\Local\Temp\OK.EXE
    "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
    3⤵
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Maps connected drives based on registry
    - Checks SCSI registry key(s)
    - Enumerates system info in registry
    - Suspicious use of AdjustPrivilegeToken
    PID:3572
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 3572 -s 2028
      4⤵
      Program crash
      Checks processor information in registry
      Enumerates system info in registry
      Suspicious behavior: EnumeratesProcesses
      PID:4720
- C:\Users\Admin\AppData\Local\Temp\OK.EXE
  "C:\Users\Admin\AppData\Local\Temp\OK.EXE"
  2⤵
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Maps connected drives based on registry
  - Checks SCSI registry key(s)
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious use of AdjustPrivilegeToken
  PID:1380
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 1380 -s 2008
    3⤵
    - Program crash
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    PID:5068

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 476 -p 1368 -ip 1368
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:4240

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 432 -p 3636 -ip 3636
1⤵
PID:4384

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 480 -p 3572 -ip 3572
1⤵
PID:4376

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 360 -p 1380 -ip 1380
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious use of WriteProcessMemory
PID:3796

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 552 -p 3352 -ip 3352
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:4092

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 532 -p 1412 -ip 1412
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:4352

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 548 -p 2280 -ip 2280
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:4512

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 612 -p 4176 -ip 4176
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:5012

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 632 -p 4356 -ip 4356
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious use of WriteProcessMemory
PID:4376

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 668 -p 4724 -ip 4724
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:4640

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 628 -p 4536 -ip 4536
1⤵
PID:4404

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 644 -p 4876 -ip 4876
1⤵
PID:3476

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 692 -p 5100 -ip 5100
1⤵
PID:996

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 700 -p 4780 -ip 4780
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:4404

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 628 -p 4332 -ip 4332
1⤵
PID:4728

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 656 -p 4056 -ip 4056
1⤵
PID:5032

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 636 -p 2280 -ip 2280
1⤵
PID:4616

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 644 -p 3540 -ip 3540
1⤵
PID:4468

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 612 -p 4716 -ip 4716
1⤵
PID:5024

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 680 -p 4040 -ip 4040
1⤵
PID:4972

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 668 -p 1312 -ip 1312
1⤵
PID:4696

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 488 -p 1492 -ip 1492
1⤵
PID:1940

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 708 -p 4124 -ip 4124
1⤵
PID:4164

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 636 -p 5092 -ip 5092
1⤵
- Checks processor information in registry
PID:3572

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 720 -p 3736 -ip 3736
1⤵
PID:5084

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 488 -p 4712 -ip 4712
1⤵
PID:2660

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 672 -p 3496 -ip 3496
1⤵
PID:2320

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 708 -p 1512 -ip 1512
1⤵
PID:4740

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 672 -p 5024 -ip 5024
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:3476

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 716 -p 2972 -ip 2972
1⤵
PID:4580

C:\Windows\system32\MusNotifyIcon.exe
%systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
1⤵
PID:4416

C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe 01aca943130750689301c4dd63608007 +1oo/F3ulUuQ5BPkiHWXTw.0.1.0.0.0
1⤵
- Suspicious use of WriteProcessMemory
PID:3936

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p
1⤵
PID:8724

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
1⤵
PID:6880

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 708 -p 6820 -ip 6820
1⤵
PID:14996

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 720 -p 740 -ip 740
1⤵
PID:15584

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 488 -p 11932 -ip 11932
1⤵
PID:5068

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 744 -p 4888 -ip 4888
1⤵
PID:15708

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 692 -p 6540 -ip 6540
1⤵
PID:16020

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 776 -p 7920 -ip 7920
1⤵
PID:16008

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 764 -p 4260 -ip 4260
1⤵
PID:8984

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 708 -p 7692 -ip 7692
1⤵
PID:14628

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 800 -p 10924 -ip 10924
1⤵
PID:15376

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 364 -p 6676 -ip 6676
1⤵
PID:14996

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 780 -p 5812 -ip 5812
1⤵
PID:15424

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 532 -p 5036 -ip 5036
1⤵
PID:15596

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 744 -p 5500 -ip 5500
1⤵
PID:4932

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 628 -p 6684 -ip 6684
1⤵
PID:5128

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 864 -p 7836 -ip 7836
1⤵
PID:15992

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 684 -p 496 -ip 496
1⤵
PID:4356

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 696 -p 5808 -ip 5808
1⤵
PID:15572

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 848 -p 6132 -ip 6132
1⤵
PID:4888

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 752 -p 5724 -ip 5724
1⤵
PID:9780

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 660 -p 6192 -ip 6192
1⤵
PID:11312

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 644 -p 7016 -ip 7016
1⤵
PID:8256

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 692 -p 5312 -ip 5312
1⤵
PID:8168

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 876 -p 7220 -ip 7220
1⤵
PID:13796

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 780 -p 6000 -ip 6000
1⤵
PID:8060

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 736 -p 6352 -ip 6352
1⤵
PID:13248

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 760 -p 10620 -ip 10620
1⤵
PID:12768

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 908 -p 3360 -ip 3360
1⤵
- Checks BIOS information in registry
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
PID:3540

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 700 -p 5660 -ip 5660
1⤵
PID:2168

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 680 -p 2144 -ip 2144
1⤵
PID:5408

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 872 -p 7392 -ip 7392
1⤵
PID:5680

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 884 -p 8808 -ip 8808
1⤵
PID:8036

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 532 -p 5876 -ip 5876
1⤵
PID:4932

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 740 -p 11448 -ip 11448
1⤵
PID:5700

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 644 -p 10332 -ip 10332
1⤵
PID:6756

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 688 -p 4892 -ip 4892
1⤵
PID:6832

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 804 -p 4548 -ip 4548
1⤵
PID:11096

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 828 -p 860 -ip 860
1⤵
PID:6056

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 700 -p 7332 -ip 7332
1⤵
PID:5532

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 800 -p 8264 -ip 8264
1⤵
PID:6228

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 844 -p 11208 -ip 11208
1⤵
PID:5504

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 732 -p 11536 -ip 11536
1⤵
PID:3636

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 728 -p 7888 -ip 7888
1⤵
PID:7860

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 708 -p 4836 -ip 4836
1⤵
PID:3524

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 788 -p 5324 -ip 5324
1⤵
PID:9724

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 612 -p 4948 -ip 4948
1⤵
PID:6572

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 716 -p 2044 -ip 2044
1⤵
PID:6516

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 792 -p 4280 -ip 4280
1⤵
PID:7496

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 640 -p 7140 -ip 7140
1⤵
PID:11132

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 892 -p 8180 -ip 8180
1⤵
PID:7432

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 840 -p 4728 -ip 4728
1⤵
PID:5900

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 844 -p 7032 -ip 7032
1⤵
PID:3336

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 800 -p 5192 -ip 5192
1⤵
PID:3316

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 700 -p 8000 -ip 8000
1⤵
PID:10840

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 836 -p 7128 -ip 7128
1⤵
PID:8532

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 888 -p 4736 -ip 4736
1⤵
PID:6008

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 836 -p 7528 -ip 7528
1⤵
PID:4712

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 704 -p 11292 -ip 11292
1⤵
PID:13136

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 708 -p 8696 -ip 8696
1⤵
PID:8044

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 816 -p 3776 -ip 3776
1⤵
PID:12156

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 628 -p 8952 -ip 8952
1⤵
PID:5972

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 500 -p 8572 -ip 8572
1⤵
PID:8516

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 532 -p 9556 -ip 9556
1⤵
PID:7124

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 724 -p 9436 -ip 9436
1⤵
PID:5872

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 628 -p 8376 -ip 8376
1⤵
PID:10364

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 840 -p 8424 -ip 8424
1⤵
PID:5132

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 608 -p 9144 -ip 9144
1⤵
PID:3484

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 396 -p 8260 -ip 8260
1⤵
PID:5316

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 904 -p 9292 -ip 9292
1⤵
PID:6804

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 420 -p 10104 -ip 10104
1⤵
PID:7000

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 628 -p 9788 -ip 9788
1⤵
PID:7492

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 736 -p 9616 -ip 9616
1⤵
PID:6732

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 556 -p 8248 -ip 8248
1⤵
PID:7796

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 592 -p 9972 -ip 9972
1⤵
PID:5680

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 836 -p 9336 -ip 9336
1⤵
PID:7916

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 844 -p 10504 -ip 10504
1⤵
PID:7852

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 620 -p 10508 -ip 10508
1⤵
PID:15428

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 628 -p 11140 -ip 11140
1⤵
PID:7340

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 868 -p 10808 -ip 10808
1⤵
PID:5956

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 560 -p 10640 -ip 10640
1⤵
PID:5140

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 596 -p 10944 -ip 10944
1⤵
PID:5768

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 424 -p 12184 -ip 12184
1⤵
PID:8476

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 516 -p 11032 -ip 11032
1⤵
PID:3140

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 596 -p 11480 -ip 11480
1⤵
PID:14996

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 900 -p 11868 -ip 11868
1⤵
PID:5408

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 484 -p 12616 -ip 12616
1⤵
PID:9424

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 452 -p 12384 -ip 12384
1⤵
PID:10540

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 628 -p 13492 -ip 13492
1⤵
PID:11320

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 704 -p 13732 -ip 13732
1⤵
PID:11664

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 524 -p 13952 -ip 13952
1⤵
PID:12248

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 360 -p 14228 -ip 14228
1⤵
PID:4508

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 740 -p 7132 -ip 7132
1⤵
PID:12176

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 740 -p 13648 -ip 13648
1⤵
PID:8024

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 516 -p 4328 -ip 4328
1⤵
PID:11616

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 736 -p 1300 -ip 1300
1⤵
PID:13084

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 740 -p 11308 -ip 11308
1⤵
PID:6924

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 828 -p 14344 -ip 14344
1⤵
PID:11828

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 624 -p 14600 -ip 14600
1⤵
PID:9676

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 756 -p 8336 -ip 8336
1⤵
PID:6132

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 768 -p 15996 -ip 15996
1⤵
PID:12912

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 736 -p 6056 -ip 6056
1⤵
PID:3180

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 688 -p 4664 -ip 4664
1⤵
PID:4620

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 624 -p 15772 -ip 15772
1⤵
PID:7776

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 908 -p 16080 -ip 16080
1⤵
PID:8948

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 756 -p 11492 -ip 11492
1⤵
PID:7412

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 884 -p 16144 -ip 16144
1⤵
PID:9920

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 672 -p 11412 -ip 11412
1⤵
PID:9460

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 644 -p 15668 -ip 15668
1⤵
PID:6256

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 720 -p 10344 -ip 10344
1⤵
PID:9132

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 912 -p 14760 -ip 14760
1⤵
PID:6576

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 804 -p 5748 -ip 5748
1⤵
PID:5232

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 688 -p 4572 -ip 4572
1⤵
PID:10044

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 784 -p 15524 -ip 15524
1⤵
PID:8876

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 872 -p 7568 -ip 7568
1⤵
PID:8236

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 516 -p 4516 -ip 4516
1⤵
PID:15228

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 712 -p 10280 -ip 10280
1⤵
PID:10972

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 768 -p 11692 -ip 11692
1⤵
PID:16168

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 880 -p 5440 -ip 5440
1⤵
PID:10056

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 756 -p 16304 -ip 16304
1⤵
PID:6140

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 812 -p 4740 -ip 4740
1⤵
PID:11244

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 908 -p 6212 -ip 6212
1⤵
PID:11180

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 632 -p 6072 -ip 6072
1⤵
PID:10980

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 736 -p 16292 -ip 16292
1⤵
PID:8708

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 788 -p 5272 -ip 5272
1⤵
PID:5896

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 748 -p 5852 -ip 5852
1⤵
PID:9852

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 820 -p 15244 -ip 15244
1⤵
PID:9488

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 896 -p 3488 -ip 3488
1⤵
PID:6532

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 772 -p 3556 -ip 3556
1⤵
PID:12640

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 812 -p 15652 -ip 15652
1⤵
PID:9884

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 852 -p 7724 -ip 7724
1⤵
PID:12708

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 744 -p 10208 -ip 10208
1⤵
PID:11172

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 776 -p 13472 -ip 13472
1⤵
PID:8760

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 516 -p 6168 -ip 6168
1⤵
PID:12068

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 848 -p 15064 -ip 15064
1⤵
PID:10568

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 516 -p 14532 -ip 14532
1⤵
PID:10672

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 880 -p 15096 -ip 15096
1⤵
PID:10556

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\WER\Temp\WER4512.tmp.xml

MD5
b845ce823da0581ec4389661c3ec507d

SHA1
3f209d89daa97e6f3d96f4ee9e898fd6f1d4651e

SHA256
36c82874391df688d88b132aa80f46b06378e39927d28e7ea5cb06ffa2386311

SHA512
dc12889f3177243a9af2ebbdd96d096e1d75082c1cdfff03f824c3117c5068d3fb68c6c35d03d287110b59310a6ae6e071113f7c457660c9212b9e2d00b9a329

Download Submit
C:\Users\Admin\AppData\Local\Temp\OK.EXE

MD5
7472d8466f9cf4de765918e3536454b4

SHA1
d8fdbf2838e4721d77addaaef022df1560590eb0

SHA256
f4d5b4f22b8596a988133ff415776ddacaf69e590f7072ddfbddff7f158d299d

SHA512
a96902ce64006fffdfbfd46e198fc293198d378ab923bfc41f1a047efee1eb69961f123cd0c50697ed2302484098041099647441b77d3000c0f65ae95d0fa8da

Download Submit
C:\Users\Admin\AppData\Local\Temp\OK.EXE

MD5
7472d8466f9cf4de765918e3536454b4

SHA1
d8fdbf2838e4721d77addaaef022df1560590eb0

SHA256
f4d5b4f22b8596a988133ff415776ddacaf69e590f7072ddfbddff7f158d299d

SHA512
a96902ce64006fffdfbfd46e198fc293198d378ab923bfc41f1a047efee1eb69961f123cd0c50697ed2302484098041099647441b77d3000c0f65ae95d0fa8da

Download Submit
C:\Users\Admin\AppData\Local\Temp\OK.EXE

MD5
7472d8466f9cf4de765918e3536454b4

SHA1
d8fdbf2838e4721d77addaaef022df1560590eb0

SHA256
f4d5b4f22b8596a988133ff415776ddacaf69e590f7072ddfbddff7f158d299d

SHA512
a96902ce64006fffdfbfd46e198fc293198d378ab923bfc41f1a047efee1eb69961f123cd0c50697ed2302484098041099647441b77d3000c0f65ae95d0fa8da

Download Submit
C:\Users\Admin\AppData\Local\Temp\OK.EXE

MD5
7472d8466f9cf4de765918e3536454b4

SHA1
d8fdbf2838e4721d77addaaef022df1560590eb0

SHA256
f4d5b4f22b8596a988133ff415776ddacaf69e590f7072ddfbddff7f158d299d

SHA512
a96902ce64006fffdfbfd46e198fc293198d378ab923bfc41f1a047efee1eb69961f123cd0c50697ed2302484098041099647441b77d3000c0f65ae95d0fa8da

Download Submit
C:\Users\Admin\AppData\Local\Temp\OK.EXE

MD5
7472d8466f9cf4de765918e3536454b4

SHA1
d8fdbf2838e4721d77addaaef022df1560590eb0

SHA256
f4d5b4f22b8596a988133ff415776ddacaf69e590f7072ddfbddff7f158d299d

SHA512
a96902ce64006fffdfbfd46e198fc293198d378ab923bfc41f1a047efee1eb69961f123cd0c50697ed2302484098041099647441b77d3000c0f65ae95d0fa8da

Download Submit
C:\Users\Admin\AppData\Local\Temp\OK.EXE

MD5
7472d8466f9cf4de765918e3536454b4

SHA1
d8fdbf2838e4721d77addaaef022df1560590eb0

SHA256
f4d5b4f22b8596a988133ff415776ddacaf69e590f7072ddfbddff7f158d299d

SHA512
a96902ce64006fffdfbfd46e198fc293198d378ab923bfc41f1a047efee1eb69961f123cd0c50697ed2302484098041099647441b77d3000c0f65ae95d0fa8da

Download Submit
C:\Users\Admin\AppData\Local\Temp\OK.EXE

MD5
7472d8466f9cf4de765918e3536454b4

SHA1
d8fdbf2838e4721d77addaaef022df1560590eb0

SHA256
f4d5b4f22b8596a988133ff415776ddacaf69e590f7072ddfbddff7f158d299d

SHA512
a96902ce64006fffdfbfd46e198fc293198d378ab923bfc41f1a047efee1eb69961f123cd0c50697ed2302484098041099647441b77d3000c0f65ae95d0fa8da

Download Submit
C:\Users\Admin\AppData\Local\Temp\OK.EXE

MD5
7472d8466f9cf4de765918e3536454b4

SHA1
d8fdbf2838e4721d77addaaef022df1560590eb0

SHA256
f4d5b4f22b8596a988133ff415776ddacaf69e590f7072ddfbddff7f158d299d

SHA512
a96902ce64006fffdfbfd46e198fc293198d378ab923bfc41f1a047efee1eb69961f123cd0c50697ed2302484098041099647441b77d3000c0f65ae95d0fa8da

Download Submit
C:\Users\Admin\AppData\Local\Temp\OK.EXE

MD5
7472d8466f9cf4de765918e3536454b4

SHA1
d8fdbf2838e4721d77addaaef022df1560590eb0

SHA256
f4d5b4f22b8596a988133ff415776ddacaf69e590f7072ddfbddff7f158d299d

SHA512
a96902ce64006fffdfbfd46e198fc293198d378ab923bfc41f1a047efee1eb69961f123cd0c50697ed2302484098041099647441b77d3000c0f65ae95d0fa8da

Download Submit
C:\Users\Admin\AppData\Local\Temp\OK.EXE

MD5
7472d8466f9cf4de765918e3536454b4

SHA1
d8fdbf2838e4721d77addaaef022df1560590eb0

SHA256
f4d5b4f22b8596a988133ff415776ddacaf69e590f7072ddfbddff7f158d299d

SHA512
a96902ce64006fffdfbfd46e198fc293198d378ab923bfc41f1a047efee1eb69961f123cd0c50697ed2302484098041099647441b77d3000c0f65ae95d0fa8da

Download Submit
C:\Users\Admin\AppData\Local\Temp\OK.EXE

MD5
7472d8466f9cf4de765918e3536454b4

SHA1
d8fdbf2838e4721d77addaaef022df1560590eb0

SHA256
f4d5b4f22b8596a988133ff415776ddacaf69e590f7072ddfbddff7f158d299d

SHA512
a96902ce64006fffdfbfd46e198fc293198d378ab923bfc41f1a047efee1eb69961f123cd0c50697ed2302484098041099647441b77d3000c0f65ae95d0fa8da

Download Submit
C:\Users\Admin\AppData\Local\Temp\OK.EXE

MD5
7472d8466f9cf4de765918e3536454b4

SHA1
d8fdbf2838e4721d77addaaef022df1560590eb0

SHA256
f4d5b4f22b8596a988133ff415776ddacaf69e590f7072ddfbddff7f158d299d

SHA512
a96902ce64006fffdfbfd46e198fc293198d378ab923bfc41f1a047efee1eb69961f123cd0c50697ed2302484098041099647441b77d3000c0f65ae95d0fa8da

Download Submit
C:\Users\Admin\AppData\Local\Temp\OK.EXE

MD5
7472d8466f9cf4de765918e3536454b4

SHA1
d8fdbf2838e4721d77addaaef022df1560590eb0

SHA256
f4d5b4f22b8596a988133ff415776ddacaf69e590f7072ddfbddff7f158d299d

SHA512
a96902ce64006fffdfbfd46e198fc293198d378ab923bfc41f1a047efee1eb69961f123cd0c50697ed2302484098041099647441b77d3000c0f65ae95d0fa8da

Download Submit
C:\Users\Admin\AppData\Local\Temp\OK.EXE

MD5
7472d8466f9cf4de765918e3536454b4

SHA1
d8fdbf2838e4721d77addaaef022df1560590eb0

SHA256
f4d5b4f22b8596a988133ff415776ddacaf69e590f7072ddfbddff7f158d299d

SHA512
a96902ce64006fffdfbfd46e198fc293198d378ab923bfc41f1a047efee1eb69961f123cd0c50697ed2302484098041099647441b77d3000c0f65ae95d0fa8da

Download Submit
C:\Users\Admin\AppData\Local\Temp\OK.EXE

MD5
7472d8466f9cf4de765918e3536454b4

SHA1
d8fdbf2838e4721d77addaaef022df1560590eb0

SHA256
f4d5b4f22b8596a988133ff415776ddacaf69e590f7072ddfbddff7f158d299d

SHA512
a96902ce64006fffdfbfd46e198fc293198d378ab923bfc41f1a047efee1eb69961f123cd0c50697ed2302484098041099647441b77d3000c0f65ae95d0fa8da

Download Submit
C:\Users\Admin\AppData\Local\Temp\OK.EXE

MD5
7472d8466f9cf4de765918e3536454b4

SHA1
d8fdbf2838e4721d77addaaef022df1560590eb0

SHA256
f4d5b4f22b8596a988133ff415776ddacaf69e590f7072ddfbddff7f158d299d

SHA512
a96902ce64006fffdfbfd46e198fc293198d378ab923bfc41f1a047efee1eb69961f123cd0c50697ed2302484098041099647441b77d3000c0f65ae95d0fa8da

Download Submit
C:\Users\Admin\AppData\Local\Temp\OK.EXE

MD5
7472d8466f9cf4de765918e3536454b4

SHA1
d8fdbf2838e4721d77addaaef022df1560590eb0

SHA256
f4d5b4f22b8596a988133ff415776ddacaf69e590f7072ddfbddff7f158d299d

SHA512
a96902ce64006fffdfbfd46e198fc293198d378ab923bfc41f1a047efee1eb69961f123cd0c50697ed2302484098041099647441b77d3000c0f65ae95d0fa8da

Download Submit
C:\Users\Admin\AppData\Local\Temp\OK.EXE

MD5
7472d8466f9cf4de765918e3536454b4

SHA1
d8fdbf2838e4721d77addaaef022df1560590eb0

SHA256
f4d5b4f22b8596a988133ff415776ddacaf69e590f7072ddfbddff7f158d299d

SHA512
a96902ce64006fffdfbfd46e198fc293198d378ab923bfc41f1a047efee1eb69961f123cd0c50697ed2302484098041099647441b77d3000c0f65ae95d0fa8da

Download Submit
C:\Users\Admin\AppData\Local\Temp\OK.EXE

MD5
7472d8466f9cf4de765918e3536454b4

SHA1
d8fdbf2838e4721d77addaaef022df1560590eb0

SHA256
f4d5b4f22b8596a988133ff415776ddacaf69e590f7072ddfbddff7f158d299d

SHA512
a96902ce64006fffdfbfd46e198fc293198d378ab923bfc41f1a047efee1eb69961f123cd0c50697ed2302484098041099647441b77d3000c0f65ae95d0fa8da

Download Submit
C:\Users\Admin\AppData\Local\Temp\OK.EXE

MD5
7472d8466f9cf4de765918e3536454b4

SHA1
d8fdbf2838e4721d77addaaef022df1560590eb0

SHA256
f4d5b4f22b8596a988133ff415776ddacaf69e590f7072ddfbddff7f158d299d

SHA512
a96902ce64006fffdfbfd46e198fc293198d378ab923bfc41f1a047efee1eb69961f123cd0c50697ed2302484098041099647441b77d3000c0f65ae95d0fa8da

Download Submit
C:\Users\Admin\AppData\Local\Temp\OK.EXE

MD5
7472d8466f9cf4de765918e3536454b4

SHA1
d8fdbf2838e4721d77addaaef022df1560590eb0

SHA256
f4d5b4f22b8596a988133ff415776ddacaf69e590f7072ddfbddff7f158d299d

SHA512
a96902ce64006fffdfbfd46e198fc293198d378ab923bfc41f1a047efee1eb69961f123cd0c50697ed2302484098041099647441b77d3000c0f65ae95d0fa8da

Download Submit
C:\Users\Admin\AppData\Local\Temp\OK.EXE

MD5
7472d8466f9cf4de765918e3536454b4

SHA1
d8fdbf2838e4721d77addaaef022df1560590eb0

SHA256
f4d5b4f22b8596a988133ff415776ddacaf69e590f7072ddfbddff7f158d299d

SHA512
a96902ce64006fffdfbfd46e198fc293198d378ab923bfc41f1a047efee1eb69961f123cd0c50697ed2302484098041099647441b77d3000c0f65ae95d0fa8da

Download Submit
C:\Users\Admin\AppData\Local\Temp\OK.EXE

MD5
7472d8466f9cf4de765918e3536454b4

SHA1
d8fdbf2838e4721d77addaaef022df1560590eb0

SHA256
f4d5b4f22b8596a988133ff415776ddacaf69e590f7072ddfbddff7f158d299d

SHA512
a96902ce64006fffdfbfd46e198fc293198d378ab923bfc41f1a047efee1eb69961f123cd0c50697ed2302484098041099647441b77d3000c0f65ae95d0fa8da

Download Submit
C:\Users\Admin\AppData\Local\Temp\OK.EXE

MD5
7472d8466f9cf4de765918e3536454b4

SHA1
d8fdbf2838e4721d77addaaef022df1560590eb0

SHA256
f4d5b4f22b8596a988133ff415776ddacaf69e590f7072ddfbddff7f158d299d

SHA512
a96902ce64006fffdfbfd46e198fc293198d378ab923bfc41f1a047efee1eb69961f123cd0c50697ed2302484098041099647441b77d3000c0f65ae95d0fa8da

Download Submit
C:\Users\Admin\AppData\Local\Temp\OK.EXE

MD5
7472d8466f9cf4de765918e3536454b4

SHA1
d8fdbf2838e4721d77addaaef022df1560590eb0

SHA256
f4d5b4f22b8596a988133ff415776ddacaf69e590f7072ddfbddff7f158d299d

SHA512
a96902ce64006fffdfbfd46e198fc293198d378ab923bfc41f1a047efee1eb69961f123cd0c50697ed2302484098041099647441b77d3000c0f65ae95d0fa8da

Download Submit
C:\Users\Admin\AppData\Local\Temp\OK.EXE

MD5
7472d8466f9cf4de765918e3536454b4

SHA1
d8fdbf2838e4721d77addaaef022df1560590eb0

SHA256
f4d5b4f22b8596a988133ff415776ddacaf69e590f7072ddfbddff7f158d299d

SHA512
a96902ce64006fffdfbfd46e198fc293198d378ab923bfc41f1a047efee1eb69961f123cd0c50697ed2302484098041099647441b77d3000c0f65ae95d0fa8da

Download Submit
C:\Users\Admin\AppData\Local\Temp\OK.EXE

MD5
7472d8466f9cf4de765918e3536454b4

SHA1
d8fdbf2838e4721d77addaaef022df1560590eb0

SHA256
f4d5b4f22b8596a988133ff415776ddacaf69e590f7072ddfbddff7f158d299d

SHA512
a96902ce64006fffdfbfd46e198fc293198d378ab923bfc41f1a047efee1eb69961f123cd0c50697ed2302484098041099647441b77d3000c0f65ae95d0fa8da

Download Submit
C:\Users\Admin\AppData\Local\Temp\OK.EXE

MD5
7472d8466f9cf4de765918e3536454b4

SHA1
d8fdbf2838e4721d77addaaef022df1560590eb0

SHA256
f4d5b4f22b8596a988133ff415776ddacaf69e590f7072ddfbddff7f158d299d

SHA512
a96902ce64006fffdfbfd46e198fc293198d378ab923bfc41f1a047efee1eb69961f123cd0c50697ed2302484098041099647441b77d3000c0f65ae95d0fa8da

Download Submit
C:\Users\Admin\AppData\Local\Temp\OK.EXE

MD5
7472d8466f9cf4de765918e3536454b4

SHA1
d8fdbf2838e4721d77addaaef022df1560590eb0

SHA256
f4d5b4f22b8596a988133ff415776ddacaf69e590f7072ddfbddff7f158d299d

SHA512
a96902ce64006fffdfbfd46e198fc293198d378ab923bfc41f1a047efee1eb69961f123cd0c50697ed2302484098041099647441b77d3000c0f65ae95d0fa8da

Download Submit
C:\Users\Admin\AppData\Local\Temp\OK.EXE

MD5
7472d8466f9cf4de765918e3536454b4

SHA1
d8fdbf2838e4721d77addaaef022df1560590eb0

SHA256
f4d5b4f22b8596a988133ff415776ddacaf69e590f7072ddfbddff7f158d299d

SHA512
a96902ce64006fffdfbfd46e198fc293198d378ab923bfc41f1a047efee1eb69961f123cd0c50697ed2302484098041099647441b77d3000c0f65ae95d0fa8da

Download Submit
C:\Users\Admin\AppData\Local\Temp\OK.EXE

MD5
7472d8466f9cf4de765918e3536454b4

SHA1
d8fdbf2838e4721d77addaaef022df1560590eb0

SHA256
f4d5b4f22b8596a988133ff415776ddacaf69e590f7072ddfbddff7f158d299d

SHA512
a96902ce64006fffdfbfd46e198fc293198d378ab923bfc41f1a047efee1eb69961f123cd0c50697ed2302484098041099647441b77d3000c0f65ae95d0fa8da

Download Submit
C:\Users\Admin\AppData\Local\Temp\OK.EXE

MD5
7472d8466f9cf4de765918e3536454b4

SHA1
d8fdbf2838e4721d77addaaef022df1560590eb0

SHA256
f4d5b4f22b8596a988133ff415776ddacaf69e590f7072ddfbddff7f158d299d

SHA512
a96902ce64006fffdfbfd46e198fc293198d378ab923bfc41f1a047efee1eb69961f123cd0c50697ed2302484098041099647441b77d3000c0f65ae95d0fa8da

Download Submit
C:\Users\Admin\AppData\Local\Temp\OK.EXE

MD5
7472d8466f9cf4de765918e3536454b4

SHA1
d8fdbf2838e4721d77addaaef022df1560590eb0

SHA256
f4d5b4f22b8596a988133ff415776ddacaf69e590f7072ddfbddff7f158d299d

SHA512
a96902ce64006fffdfbfd46e198fc293198d378ab923bfc41f1a047efee1eb69961f123cd0c50697ed2302484098041099647441b77d3000c0f65ae95d0fa8da

Download Submit
C:\Users\Admin\AppData\Local\Temp\OK.EXE

MD5
7472d8466f9cf4de765918e3536454b4

SHA1
d8fdbf2838e4721d77addaaef022df1560590eb0

SHA256
f4d5b4f22b8596a988133ff415776ddacaf69e590f7072ddfbddff7f158d299d

SHA512
a96902ce64006fffdfbfd46e198fc293198d378ab923bfc41f1a047efee1eb69961f123cd0c50697ed2302484098041099647441b77d3000c0f65ae95d0fa8da

Download Submit
C:\Users\Admin\AppData\Local\Temp\OK.EXE

MD5
7472d8466f9cf4de765918e3536454b4

SHA1
d8fdbf2838e4721d77addaaef022df1560590eb0

SHA256
f4d5b4f22b8596a988133ff415776ddacaf69e590f7072ddfbddff7f158d299d

SHA512
a96902ce64006fffdfbfd46e198fc293198d378ab923bfc41f1a047efee1eb69961f123cd0c50697ed2302484098041099647441b77d3000c0f65ae95d0fa8da

Download Submit
C:\Users\Admin\AppData\Local\Temp\OK.EXE

MD5
7472d8466f9cf4de765918e3536454b4

SHA1
d8fdbf2838e4721d77addaaef022df1560590eb0

SHA256
f4d5b4f22b8596a988133ff415776ddacaf69e590f7072ddfbddff7f158d299d

SHA512
a96902ce64006fffdfbfd46e198fc293198d378ab923bfc41f1a047efee1eb69961f123cd0c50697ed2302484098041099647441b77d3000c0f65ae95d0fa8da

Download Submit
C:\Users\Admin\AppData\Local\Temp\cookies.db

MD5
055c8c5c47424f3c2e7a6fc2ee904032

SHA1
5952781d22cff35d94861fac25d89a39af6d0a87

SHA256
531b3121bd59938df4933972344d936a67e75d8b1741807a8a51c898d185dd2a

SHA512
c2772893695f49cb185add62c35284779b20d45adc01184f1912613fa8b2d70c8e785f0d7cfa3bfaf1d2d58e7cdc74f4304fd973a956601927719d6d370dd57a

Download Submit
C:\Users\Admin\AppData\Local\Temp\cookies.db

MD5
055c8c5c47424f3c2e7a6fc2ee904032

SHA1
5952781d22cff35d94861fac25d89a39af6d0a87

SHA256
531b3121bd59938df4933972344d936a67e75d8b1741807a8a51c898d185dd2a

SHA512
c2772893695f49cb185add62c35284779b20d45adc01184f1912613fa8b2d70c8e785f0d7cfa3bfaf1d2d58e7cdc74f4304fd973a956601927719d6d370dd57a

Download Submit
C:\Users\Admin\AppData\Local\Temp\cookies.txt

MD5
e9c0017d6df903586aeb449cd6422fd7

SHA1
e62638187ee9285e945bbb0971a1a89361bf2a4c

SHA256
9386c1cf90804cc04e7cf0ea90c4ced48c796ee2652756cddaa885e004cc9494

SHA512
a4cbd71c658283fec23f89f3bede3fae9cc3fceaf230d9dd16593ea64212a538edc969daea51a70dcf4b1fd3a759dfc3e27cd682efd7d867044aa2fd1e7ac43c

Download Submit
C:\Users\Admin\AppData\Local\Temp\cookies.txt

MD5
e9c0017d6df903586aeb449cd6422fd7

SHA1
e62638187ee9285e945bbb0971a1a89361bf2a4c

SHA256
9386c1cf90804cc04e7cf0ea90c4ced48c796ee2652756cddaa885e004cc9494

SHA512
a4cbd71c658283fec23f89f3bede3fae9cc3fceaf230d9dd16593ea64212a538edc969daea51a70dcf4b1fd3a759dfc3e27cd682efd7d867044aa2fd1e7ac43c

Download Submit
C:\Users\Admin\AppData\Local\Temp\cookies.txt

MD5
e9c0017d6df903586aeb449cd6422fd7

SHA1
e62638187ee9285e945bbb0971a1a89361bf2a4c

SHA256
9386c1cf90804cc04e7cf0ea90c4ced48c796ee2652756cddaa885e004cc9494

SHA512
a4cbd71c658283fec23f89f3bede3fae9cc3fceaf230d9dd16593ea64212a538edc969daea51a70dcf4b1fd3a759dfc3e27cd682efd7d867044aa2fd1e7ac43c

Download Submit
C:\Users\Admin\AppData\Local\Temp\cookies.txt

MD5
e9c0017d6df903586aeb449cd6422fd7

SHA1
e62638187ee9285e945bbb0971a1a89361bf2a4c

SHA256
9386c1cf90804cc04e7cf0ea90c4ced48c796ee2652756cddaa885e004cc9494

SHA512
a4cbd71c658283fec23f89f3bede3fae9cc3fceaf230d9dd16593ea64212a538edc969daea51a70dcf4b1fd3a759dfc3e27cd682efd7d867044aa2fd1e7ac43c

Download Submit
C:\Users\Admin\AppData\Local\Temp\cookies.txt

MD5
e9c0017d6df903586aeb449cd6422fd7

SHA1
e62638187ee9285e945bbb0971a1a89361bf2a4c

SHA256
9386c1cf90804cc04e7cf0ea90c4ced48c796ee2652756cddaa885e004cc9494

SHA512
a4cbd71c658283fec23f89f3bede3fae9cc3fceaf230d9dd16593ea64212a538edc969daea51a70dcf4b1fd3a759dfc3e27cd682efd7d867044aa2fd1e7ac43c

Download Submit
C:\Users\Admin\AppData\Local\Temp\cookies.txt

MD5
e9c0017d6df903586aeb449cd6422fd7

SHA1
e62638187ee9285e945bbb0971a1a89361bf2a4c

SHA256
9386c1cf90804cc04e7cf0ea90c4ced48c796ee2652756cddaa885e004cc9494

SHA512
a4cbd71c658283fec23f89f3bede3fae9cc3fceaf230d9dd16593ea64212a538edc969daea51a70dcf4b1fd3a759dfc3e27cd682efd7d867044aa2fd1e7ac43c

Download Submit
C:\Users\Admin\AppData\Local\Temp\cookies.txt

MD5
e9c0017d6df903586aeb449cd6422fd7

SHA1
e62638187ee9285e945bbb0971a1a89361bf2a4c

SHA256
9386c1cf90804cc04e7cf0ea90c4ced48c796ee2652756cddaa885e004cc9494

SHA512
a4cbd71c658283fec23f89f3bede3fae9cc3fceaf230d9dd16593ea64212a538edc969daea51a70dcf4b1fd3a759dfc3e27cd682efd7d867044aa2fd1e7ac43c

Download Submit
C:\Users\Admin\AppData\Local\Temp\cookies.txt

MD5
e9c0017d6df903586aeb449cd6422fd7

SHA1
e62638187ee9285e945bbb0971a1a89361bf2a4c

SHA256
9386c1cf90804cc04e7cf0ea90c4ced48c796ee2652756cddaa885e004cc9494

SHA512
a4cbd71c658283fec23f89f3bede3fae9cc3fceaf230d9dd16593ea64212a538edc969daea51a70dcf4b1fd3a759dfc3e27cd682efd7d867044aa2fd1e7ac43c

Download Submit
C:\Users\Admin\AppData\Local\Temp\cookies.txt

MD5
e9c0017d6df903586aeb449cd6422fd7

SHA1
e62638187ee9285e945bbb0971a1a89361bf2a4c

SHA256
9386c1cf90804cc04e7cf0ea90c4ced48c796ee2652756cddaa885e004cc9494

SHA512
a4cbd71c658283fec23f89f3bede3fae9cc3fceaf230d9dd16593ea64212a538edc969daea51a70dcf4b1fd3a759dfc3e27cd682efd7d867044aa2fd1e7ac43c

Download Submit
C:\Users\Admin\AppData\Local\Temp\cookies.txt

MD5
e9c0017d6df903586aeb449cd6422fd7

SHA1
e62638187ee9285e945bbb0971a1a89361bf2a4c

SHA256
9386c1cf90804cc04e7cf0ea90c4ced48c796ee2652756cddaa885e004cc9494

SHA512
a4cbd71c658283fec23f89f3bede3fae9cc3fceaf230d9dd16593ea64212a538edc969daea51a70dcf4b1fd3a759dfc3e27cd682efd7d867044aa2fd1e7ac43c

Download Submit
C:\Users\Admin\AppData\Local\Temp\cookies.txt

MD5
e9c0017d6df903586aeb449cd6422fd7

SHA1
e62638187ee9285e945bbb0971a1a89361bf2a4c

SHA256
9386c1cf90804cc04e7cf0ea90c4ced48c796ee2652756cddaa885e004cc9494

SHA512
a4cbd71c658283fec23f89f3bede3fae9cc3fceaf230d9dd16593ea64212a538edc969daea51a70dcf4b1fd3a759dfc3e27cd682efd7d867044aa2fd1e7ac43c

Download Submit
C:\Users\Admin\AppData\Local\Temp\cookies.txt

MD5
e9c0017d6df903586aeb449cd6422fd7

SHA1
e62638187ee9285e945bbb0971a1a89361bf2a4c

SHA256
9386c1cf90804cc04e7cf0ea90c4ced48c796ee2652756cddaa885e004cc9494

SHA512
a4cbd71c658283fec23f89f3bede3fae9cc3fceaf230d9dd16593ea64212a538edc969daea51a70dcf4b1fd3a759dfc3e27cd682efd7d867044aa2fd1e7ac43c

Download Submit
C:\Users\Admin\AppData\Local\Temp\cookies.txt

MD5
e9c0017d6df903586aeb449cd6422fd7

SHA1
e62638187ee9285e945bbb0971a1a89361bf2a4c

SHA256
9386c1cf90804cc04e7cf0ea90c4ced48c796ee2652756cddaa885e004cc9494

SHA512
a4cbd71c658283fec23f89f3bede3fae9cc3fceaf230d9dd16593ea64212a538edc969daea51a70dcf4b1fd3a759dfc3e27cd682efd7d867044aa2fd1e7ac43c

Download Submit
C:\Users\Admin\AppData\Local\Temp\cookies.txt

MD5
e9c0017d6df903586aeb449cd6422fd7

SHA1
e62638187ee9285e945bbb0971a1a89361bf2a4c

SHA256
9386c1cf90804cc04e7cf0ea90c4ced48c796ee2652756cddaa885e004cc9494

SHA512
a4cbd71c658283fec23f89f3bede3fae9cc3fceaf230d9dd16593ea64212a538edc969daea51a70dcf4b1fd3a759dfc3e27cd682efd7d867044aa2fd1e7ac43c

Download Submit
C:\Users\Admin\AppData\Local\Temp\cookies.txt

MD5
e9c0017d6df903586aeb449cd6422fd7

SHA1
e62638187ee9285e945bbb0971a1a89361bf2a4c

SHA256
9386c1cf90804cc04e7cf0ea90c4ced48c796ee2652756cddaa885e004cc9494

SHA512
a4cbd71c658283fec23f89f3bede3fae9cc3fceaf230d9dd16593ea64212a538edc969daea51a70dcf4b1fd3a759dfc3e27cd682efd7d867044aa2fd1e7ac43c

Download Submit
C:\Users\Admin\AppData\Local\Temp\cookies.txt

MD5
e9c0017d6df903586aeb449cd6422fd7

SHA1
e62638187ee9285e945bbb0971a1a89361bf2a4c

SHA256
9386c1cf90804cc04e7cf0ea90c4ced48c796ee2652756cddaa885e004cc9494

SHA512
a4cbd71c658283fec23f89f3bede3fae9cc3fceaf230d9dd16593ea64212a538edc969daea51a70dcf4b1fd3a759dfc3e27cd682efd7d867044aa2fd1e7ac43c

Download Submit
C:\Users\Admin\AppData\Local\Temp\cookies.txt

MD5
e9c0017d6df903586aeb449cd6422fd7

SHA1
e62638187ee9285e945bbb0971a1a89361bf2a4c

SHA256
9386c1cf90804cc04e7cf0ea90c4ced48c796ee2652756cddaa885e004cc9494

SHA512
a4cbd71c658283fec23f89f3bede3fae9cc3fceaf230d9dd16593ea64212a538edc969daea51a70dcf4b1fd3a759dfc3e27cd682efd7d867044aa2fd1e7ac43c

Download Submit
C:\Users\Admin\AppData\Local\Temp\cookies.txt

MD5
e9c0017d6df903586aeb449cd6422fd7

SHA1
e62638187ee9285e945bbb0971a1a89361bf2a4c

SHA256
9386c1cf90804cc04e7cf0ea90c4ced48c796ee2652756cddaa885e004cc9494

SHA512
a4cbd71c658283fec23f89f3bede3fae9cc3fceaf230d9dd16593ea64212a538edc969daea51a70dcf4b1fd3a759dfc3e27cd682efd7d867044aa2fd1e7ac43c

Download Submit
C:\Users\Admin\AppData\Local\Temp\cookies.txt

MD5
e9c0017d6df903586aeb449cd6422fd7

SHA1
e62638187ee9285e945bbb0971a1a89361bf2a4c

SHA256
9386c1cf90804cc04e7cf0ea90c4ced48c796ee2652756cddaa885e004cc9494

SHA512
a4cbd71c658283fec23f89f3bede3fae9cc3fceaf230d9dd16593ea64212a538edc969daea51a70dcf4b1fd3a759dfc3e27cd682efd7d867044aa2fd1e7ac43c

Download Submit
C:\Users\Admin\AppData\Local\Temp\cookies.txt

MD5
e9c0017d6df903586aeb449cd6422fd7

SHA1
e62638187ee9285e945bbb0971a1a89361bf2a4c

SHA256
9386c1cf90804cc04e7cf0ea90c4ced48c796ee2652756cddaa885e004cc9494

SHA512
a4cbd71c658283fec23f89f3bede3fae9cc3fceaf230d9dd16593ea64212a538edc969daea51a70dcf4b1fd3a759dfc3e27cd682efd7d867044aa2fd1e7ac43c

Download Submit
C:\Users\Admin\AppData\Local\Temp\cookies.txt

MD5
e9c0017d6df903586aeb449cd6422fd7

SHA1
e62638187ee9285e945bbb0971a1a89361bf2a4c

SHA256
9386c1cf90804cc04e7cf0ea90c4ced48c796ee2652756cddaa885e004cc9494

SHA512
a4cbd71c658283fec23f89f3bede3fae9cc3fceaf230d9dd16593ea64212a538edc969daea51a70dcf4b1fd3a759dfc3e27cd682efd7d867044aa2fd1e7ac43c

Download Submit
C:\Users\Admin\AppData\Local\Temp\cookies.txt

MD5
e9c0017d6df903586aeb449cd6422fd7

SHA1
e62638187ee9285e945bbb0971a1a89361bf2a4c

SHA256
9386c1cf90804cc04e7cf0ea90c4ced48c796ee2652756cddaa885e004cc9494

SHA512
a4cbd71c658283fec23f89f3bede3fae9cc3fceaf230d9dd16593ea64212a538edc969daea51a70dcf4b1fd3a759dfc3e27cd682efd7d867044aa2fd1e7ac43c

Download Submit
C:\Users\Admin\AppData\Local\Temp\cookies.txt

MD5
e9c0017d6df903586aeb449cd6422fd7

SHA1
e62638187ee9285e945bbb0971a1a89361bf2a4c

SHA256
9386c1cf90804cc04e7cf0ea90c4ced48c796ee2652756cddaa885e004cc9494

SHA512
a4cbd71c658283fec23f89f3bede3fae9cc3fceaf230d9dd16593ea64212a538edc969daea51a70dcf4b1fd3a759dfc3e27cd682efd7d867044aa2fd1e7ac43c

Download Submit
C:\Users\Admin\AppData\Local\Temp\cookies.txt

MD5
e9c0017d6df903586aeb449cd6422fd7

SHA1
e62638187ee9285e945bbb0971a1a89361bf2a4c

SHA256
9386c1cf90804cc04e7cf0ea90c4ced48c796ee2652756cddaa885e004cc9494

SHA512
a4cbd71c658283fec23f89f3bede3fae9cc3fceaf230d9dd16593ea64212a538edc969daea51a70dcf4b1fd3a759dfc3e27cd682efd7d867044aa2fd1e7ac43c

Download Submit
C:\Users\Admin\AppData\Local\Temp\cookies.txt

MD5
e9c0017d6df903586aeb449cd6422fd7

SHA1
e62638187ee9285e945bbb0971a1a89361bf2a4c

SHA256
9386c1cf90804cc04e7cf0ea90c4ced48c796ee2652756cddaa885e004cc9494

SHA512
a4cbd71c658283fec23f89f3bede3fae9cc3fceaf230d9dd16593ea64212a538edc969daea51a70dcf4b1fd3a759dfc3e27cd682efd7d867044aa2fd1e7ac43c

Download Submit
memory/1312-209-0x00007FF9DBDA3000-0x00007FF9DBDA5000-memory.dmp

Filesize
8KB

Download
memory/1312-210-0x0000000002960000-0x0000000002962000-memory.dmp

Filesize
8KB

Download
memory/1368-142-0x00007FF9DBDA3000-0x00007FF9DBDA5000-memory.dmp

Filesize
8KB

Download
memory/1368-143-0x000000001C580000-0x000000001C582000-memory.dmp

Filesize
8KB

Download
memory/1380-137-0x000000001CA60000-0x000000001CA62000-memory.dmp

Filesize
8KB

Download
memory/1380-134-0x00007FF9DBDA3000-0x00007FF9DBDA5000-memory.dmp

Filesize
8KB

Download
memory/1380-133-0x0000000000860000-0x0000000000870000-memory.dmp

Filesize
64KB

Download
memory/1412-150-0x00007FF9DBDA3000-0x00007FF9DBDA5000-memory.dmp

Filesize
8KB

Download
memory/1412-152-0x000000001CA70000-0x000000001CA72000-memory.dmp

Filesize
8KB

Download
memory/1492-215-0x00007FF9DBDA3000-0x00007FF9DBDA5000-memory.dmp

Filesize
8KB

Download
memory/1492-216-0x000000001CF40000-0x000000001CF42000-memory.dmp

Filesize
8KB

Download
memory/1512-237-0x00007FF9DBDA3000-0x00007FF9DBDA5000-memory.dmp

Filesize
8KB

Download
memory/1512-238-0x000000001C6A0000-0x000000001C6A2000-memory.dmp

Filesize
8KB

Download
memory/2280-194-0x0000000000B10000-0x0000000000B12000-memory.dmp

Filesize
8KB

Download
memory/2280-193-0x00007FF9DBDA3000-0x00007FF9DBDA5000-memory.dmp

Filesize
8KB

Download
memory/2280-151-0x000000001D070000-0x000000001D072000-memory.dmp

Filesize
8KB

Download
memory/2280-148-0x00007FF9DBDA3000-0x00007FF9DBDA5000-memory.dmp

Filesize
8KB

Download
memory/2972-242-0x000000001C300000-0x000000001C302000-memory.dmp

Filesize
8KB

Download
memory/2972-241-0x00007FF9DBDA3000-0x00007FF9DBDA5000-memory.dmp

Filesize
8KB

Download
memory/3352-144-0x00007FF9DBDA3000-0x00007FF9DBDA5000-memory.dmp

Filesize
8KB

Download
memory/3352-139-0x000000001D090000-0x000000001D092000-memory.dmp

Filesize
8KB

Download
memory/3496-233-0x00007FF9DBDA3000-0x00007FF9DBDA5000-memory.dmp

Filesize
8KB

Download
memory/3496-231-0x000000001C370000-0x000000001C372000-memory.dmp

Filesize
8KB

Download
memory/3540-195-0x00007FF9DBDA3000-0x00007FF9DBDA5000-memory.dmp

Filesize
8KB

Download
memory/3540-197-0x000000001CEF0000-0x000000001CEF2000-memory.dmp

Filesize
8KB

Download
memory/3572-140-0x0000000000DA0000-0x0000000000DA2000-memory.dmp

Filesize
8KB

Download
memory/3572-138-0x00007FF9DBDA3000-0x00007FF9DBDA5000-memory.dmp

Filesize
8KB

Download
memory/3636-149-0x0000000000FB0000-0x0000000000FB2000-memory.dmp

Filesize
8KB

Download
memory/3636-147-0x00007FF9DBDA3000-0x00007FF9DBDA5000-memory.dmp

Filesize
8KB

Download
memory/3736-226-0x0000000001FC0000-0x0000000001FC2000-memory.dmp

Filesize
8KB

Download
memory/3736-225-0x00007FF9DBDA3000-0x00007FF9DBDA5000-memory.dmp

Filesize
8KB

Download
memory/4040-206-0x00007FF9DBDA3000-0x00007FF9DBDA5000-memory.dmp

Filesize
8KB

Download
memory/4040-208-0x000000001C3B0000-0x000000001C3B2000-memory.dmp

Filesize
8KB

Download
memory/4056-190-0x000000001CE00000-0x000000001CE02000-memory.dmp

Filesize
8KB

Download
memory/4056-189-0x00007FF9DBDA3000-0x00007FF9DBDA5000-memory.dmp

Filesize
8KB

Download
memory/4124-218-0x0000000002C00000-0x0000000002C02000-memory.dmp

Filesize
8KB

Download
memory/4124-217-0x00007FF9DBDA3000-0x00007FF9DBDA5000-memory.dmp

Filesize
8KB

Download
memory/4176-155-0x00007FF9DBDA3000-0x00007FF9DBDA5000-memory.dmp

Filesize
8KB

Download
memory/4176-156-0x000000001CB40000-0x000000001CB42000-memory.dmp

Filesize
8KB

Download
memory/4332-182-0x000000001CD60000-0x000000001CD62000-memory.dmp

Filesize
8KB

Download
memory/4332-184-0x00007FF9DBDA3000-0x00007FF9DBDA5000-memory.dmp

Filesize
8KB

Download
memory/4356-158-0x000000001CE50000-0x000000001CE52000-memory.dmp

Filesize
8KB

Download
memory/4356-157-0x00007FF9DBDA3000-0x00007FF9DBDA5000-memory.dmp

Filesize
8KB

Download
memory/4536-167-0x0000000002760000-0x0000000002762000-memory.dmp

Filesize
8KB

Download
memory/4536-166-0x00007FF9DBDA3000-0x00007FF9DBDA5000-memory.dmp

Filesize
8KB

Download
memory/4548-252-0x00007FF9DBDA3000-0x00007FF9DBDA5000-memory.dmp

Filesize
8KB

Download
memory/4712-230-0x000000001CBF0000-0x000000001CBF2000-memory.dmp

Filesize
8KB

Download
memory/4712-229-0x00007FF9DBDA3000-0x00007FF9DBDA5000-memory.dmp

Filesize
8KB

Download
memory/4716-202-0x00007FF9DBDA3000-0x00007FF9DBDA5000-memory.dmp

Filesize
8KB

Download
memory/4716-203-0x000000001C890000-0x000000001C892000-memory.dmp

Filesize
8KB

Download
memory/4724-168-0x00007FF9DBDA3000-0x00007FF9DBDA5000-memory.dmp

Filesize
8KB

Download
memory/4724-170-0x0000000000AB0000-0x0000000000AB2000-memory.dmp

Filesize
8KB

Download
memory/4780-183-0x000000001C600000-0x000000001C602000-memory.dmp

Filesize
8KB

Download
memory/4780-181-0x00007FF9DBDA3000-0x00007FF9DBDA5000-memory.dmp

Filesize
8KB

Download
memory/4876-175-0x000000001D000000-0x000000001D002000-memory.dmp

Filesize
8KB

Download
memory/4876-174-0x00007FF9DBDA3000-0x00007FF9DBDA5000-memory.dmp

Filesize
8KB

Download
memory/4948-251-0x000000001C870000-0x000000001C872000-memory.dmp

Filesize
8KB

Download
memory/4948-249-0x00007FF9DBDA3000-0x00007FF9DBDA5000-memory.dmp

Filesize
8KB

Download
memory/5024-244-0x000000001CA60000-0x000000001CA62000-memory.dmp

Filesize
8KB

Download
memory/5024-243-0x00007FF9DBDA3000-0x00007FF9DBDA5000-memory.dmp

Filesize
8KB

Download
memory/5092-223-0x00007FF9DBDA3000-0x00007FF9DBDA5000-memory.dmp

Filesize
8KB

Download
memory/5092-224-0x0000000001380000-0x0000000001382000-memory.dmp

Filesize
8KB

Download
memory/5100-177-0x000000001CD80000-0x000000001CD82000-memory.dmp

Filesize
8KB

Download
memory/5100-176-0x00007FF9DBDA3000-0x00007FF9DBDA5000-memory.dmp

Filesize
8KB

Download