orcus | 1407c316ae266116eff2a7c2f40d8d3508dba301f8175d498be69c9d48a311ca

Analysis

max time kernel
36s
max time network
149s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
20-01-2024 01:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1407c316ae266116eff2a7c2f40d8d3508dba301f8175d498be69c9d48a311ca.exe
Size

918KB
MD5

beff93c13a3839484a3248f3a1702516
SHA1

77d2620d977c1b7730a599da82efd7360898f309
SHA256

1407c316ae266116eff2a7c2f40d8d3508dba301f8175d498be69c9d48a311ca
SHA512

fdf7ad1b65283101b1852badc92d09507a82eb13771d0676452f712fa26b649f20b18d970cf7c5f9bd43bf87b9252bd2ae76d9e11ef1addc0778565342a19a28
SSDEEP

24576:k1I4MROxnFi3ArIrZlI0AilFEvxHi18D:k1rMioAMrZlI0AilFEvxHi

Score

10^/10

orcus hack rat spyware stealer

Malware Config

Extracted

Family

orcus

Botnet

Hack

127.0.0.1:10134

Mutex

d7904e4fe3184c208642abe8f5cf9293

Attributes

autostart_method
TaskScheduler
enable_keylogger
false
install_path
C:\Windows\System32\tаskmgr.exe
reconnect_delay
10000
registry_keyname
Orcus
taskscheduler_taskname
GoogleUpdateTaskMachine
watchdog_path
AppData\smss.exe

Signatures

Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
rat spyware stealer orcus

Orcus main payload 1 IoCs

Processes:

resource	yara_rule
C:\Windows\System32\tаskmgr.exe	family_orcus

Orcurs Rat Executable 3 IoCs

Processes:

resource	yara_rule
C:\Windows\System32\tаskmgr.exe	orcus
behavioral1/memory/2704-34-0x00000000009F0000-0x0000000000ADC000-memory.dmp	orcus
behavioral1/memory/2652-104-0x000000001AF60000-0x000000001AFE0000-memory.dmp	orcus

Executes dropped EXE 64 IoCs

Processes:

tаskmgr.exesmss.exetаskmgr.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exeWerFault.exesmss.exesmss.exesmss.exeWerFault.exesmss.exeWerFault.exesmss.exesmss.exesmss.exeWerFault.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exeWerFault.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exeWerFault.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exeWerFault.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exe

pid	process
2704	tаskmgr.exe
2248	smss.exe
2652	tаskmgr.exe
2688	smss.exe
1248	smss.exe
1612	smss.exe
1728	smss.exe
1832	smss.exe
2796	smss.exe
2052	smss.exe
2140	WerFault.exe
1760	smss.exe
2348	smss.exe
1336	smss.exe
1712	WerFault.exe
2128	smss.exe
1160	WerFault.exe
1808	smss.exe
2992	smss.exe
2428	smss.exe
2748	WerFault.exe
2728	smss.exe
2400	smss.exe
2916	smss.exe
1264	smss.exe
764	smss.exe
2984	smss.exe
856	smss.exe
336	smss.exe
1728	smss.exe
1720	smss.exe
2988	smss.exe
1748	smss.exe
448	smss.exe
1916	WerFault.exe
2492	smss.exe
1800	smss.exe
2364	smss.exe
2852	smss.exe
2180	smss.exe
1352	smss.exe
1980	smss.exe
2308	WerFault.exe
2440	smss.exe
1548	smss.exe
712	smss.exe
604	smss.exe
960	smss.exe
296	smss.exe
1580	smss.exe
2352	smss.exe
1296	smss.exe
2212	smss.exe
1232	smss.exe
2708	WerFault.exe
2156	smss.exe
2476	smss.exe
988	smss.exe
3036	smss.exe
1800	smss.exe
920	smss.exe
1768	smss.exe
1384	smss.exe
1528	smss.exe

Loads dropped DLL 64 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	process
1976	WerFault.exe
1976	WerFault.exe
1976	WerFault.exe
1976	WerFault.exe
1976	WerFault.exe
2572	WerFault.exe
2572	WerFault.exe
2572	WerFault.exe
2572	WerFault.exe
2572	WerFault.exe
1692	WerFault.exe
1692	WerFault.exe
1692	WerFault.exe
1692	WerFault.exe
1692	WerFault.exe
452	WerFault.exe
452	WerFault.exe
452	WerFault.exe
452	WerFault.exe
452	WerFault.exe
840	WerFault.exe
840	WerFault.exe
840	WerFault.exe
840	WerFault.exe
840	WerFault.exe
1048	WerFault.exe
1048	WerFault.exe
1048	WerFault.exe
1048	WerFault.exe
1048	WerFault.exe
2344	WerFault.exe
2344	WerFault.exe
2344	WerFault.exe
2344	WerFault.exe
2344	WerFault.exe
1812	WerFault.exe
1812	WerFault.exe
1812	WerFault.exe
1812	WerFault.exe
1812	WerFault.exe
2676	WerFault.exe
2676	WerFault.exe
2676	WerFault.exe
2676	WerFault.exe
2676	WerFault.exe
2588	WerFault.exe
2588	WerFault.exe
2588	WerFault.exe
2588	WerFault.exe
2588	WerFault.exe
2908	WerFault.exe
2908	WerFault.exe
2908	WerFault.exe
2908	WerFault.exe
2908	WerFault.exe
864	WerFault.exe
864	WerFault.exe
864	WerFault.exe
864	WerFault.exe
864	WerFault.exe
1392	WerFault.exe
1392	WerFault.exe
1392	WerFault.exe
1392	WerFault.exe

Drops file in System32 directory 3 IoCs

Processes:

1407c316ae266116eff2a7c2f40d8d3508dba301f8175d498be69c9d48a311ca.exe

description	ioc	process
File created	C:\Windows\System32\tаskmgr.exe	1407c316ae266116eff2a7c2f40d8d3508dba301f8175d498be69c9d48a311ca.exe
File opened for modification	C:\Windows\System32\tаskmgr.exe	1407c316ae266116eff2a7c2f40d8d3508dba301f8175d498be69c9d48a311ca.exe
File created	C:\Windows\System32\tаskmgr.exe.config	1407c316ae266116eff2a7c2f40d8d3508dba301f8175d498be69c9d48a311ca.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 64 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
1976	2688	WerFault.exe	smss.exe
2572	1612	WerFault.exe
1692	1832	WerFault.exe
452	2052	WerFault.exe
840	1760	WerFault.exe
2344	2128	WerFault.exe	smss.exe
1048	1336	WerFault.exe
1812	1808	WerFault.exe
2676	2428	WerFault.exe	smss.exe
2588	2728	WerFault.exe	smss.exe
2908	2916	WerFault.exe	smss.exe
1392	856	WerFault.exe
864	764	WerFault.exe
1512	1728	WerFault.exe	smss.exe
2412	2988	WerFault.exe
2292	448	WerFault.exe
1940	2492	WerFault.exe	smss.exe
1796	2364	WerFault.exe
1984	2180	WerFault.exe	smss.exe
1204	1980	WerFault.exe	smss.exe
2456	2440	WerFault.exe	smss.exe
1712	712	WerFault.exe
1744	1580	WerFault.exe	smss.exe
2692	1296	WerFault.exe	smss.exe
1564	960	WerFault.exe	smss.exe
1972	1232	WerFault.exe	smss.exe
860	2156	WerFault.exe	smss.exe
2436	988	WerFault.exe
948	1768	WerFault.exe	smss.exe
2808	1528	WerFault.exe
1160	3064	WerFault.exe
320	1652	WerFault.exe	smss.exe
2140	1800	WerFault.exe	smss.exe
1960	916	WerFault.exe	smss.exe
1996	564	WerFault.exe	smss.exe
1604	2056	WerFault.exe
2708	2472	WerFault.exe
816	2272	WerFault.exe	smss.exe
2880	2124	WerFault.exe	smss.exe
2888	1244	WerFault.exe
2308	2992	WerFault.exe	smss.exe
1844	1384	WerFault.exe	smss.exe
1316	984	WerFault.exe	smss.exe
2568	1500	WerFault.exe	smss.exe
1916	1928	WerFault.exe
3296	3248	WerFault.exe	smss.exe
3176	3132	WerFault.exe	smss.exe
300	1284	WerFault.exe	smss.exe
1756	2112	WerFault.exe	smss.exe
3396	3352	WerFault.exe	smss.exe
3848	3812	WerFault.exe
3948	3908	WerFault.exe	smss.exe
3724	3688	WerFault.exe	smss.exe
3604	3560	WerFault.exe	smss.exe
3500	3464	WerFault.exe	smss.exe
2216	3284	WerFault.exe
3144	1948	WerFault.exe	smss.exe
4052	4020	WerFault.exe	smss.exe
876	3392	WerFault.exe	smss.exe
3528	3444	WerFault.exe
3732	3584	WerFault.exe
3964	3864	WerFault.exe	smss.exe
4012	2860	WerFault.exe	smss.exe
1484	3108	WerFault.exe	smss.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

tаskmgr.exe

pid	process
2704	tаskmgr.exe
2704	tаskmgr.exe
2704	tаskmgr.exe
2704	tаskmgr.exe
2704	tаskmgr.exe
2704	tаskmgr.exe
2704	tаskmgr.exe
2704	tаskmgr.exe
2704	tаskmgr.exe
2704	tаskmgr.exe
2704	tаskmgr.exe
2704	tаskmgr.exe
2704	tаskmgr.exe
2704	tаskmgr.exe
2704	tаskmgr.exe
2704	tаskmgr.exe
2704	tаskmgr.exe
2704	tаskmgr.exe
2704	tаskmgr.exe
2704	tаskmgr.exe
2704	tаskmgr.exe
2704	tаskmgr.exe
2704	tаskmgr.exe
2704	tаskmgr.exe
2704	tаskmgr.exe
2704	tаskmgr.exe
2704	tаskmgr.exe
2704	tаskmgr.exe
2704	tаskmgr.exe
2704	tаskmgr.exe
2704	tаskmgr.exe
2704	tаskmgr.exe
2704	tаskmgr.exe
2704	tаskmgr.exe
2704	tаskmgr.exe
2704	tаskmgr.exe
2704	tаskmgr.exe
2704	tаskmgr.exe
2704	tаskmgr.exe
2704	tаskmgr.exe
2704	tаskmgr.exe
2704	tаskmgr.exe
2704	tаskmgr.exe
2704	tаskmgr.exe
2704	tаskmgr.exe
2704	tаskmgr.exe
2704	tаskmgr.exe
2704	tаskmgr.exe
2704	tаskmgr.exe
2704	tаskmgr.exe
2704	tаskmgr.exe
2704	tаskmgr.exe
2704	tаskmgr.exe
2704	tаskmgr.exe
2704	tаskmgr.exe
2704	tаskmgr.exe
2704	tаskmgr.exe
2704	tаskmgr.exe
2704	tаskmgr.exe
2704	tаskmgr.exe
2704	tаskmgr.exe
2704	tаskmgr.exe
2704	tаskmgr.exe
2704	tаskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

tаskmgr.exe

pid process

2704 tаskmgr.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

tаskmgr.exesmss.exesmss.exesmss.exesmss.exeWerFault.exesmss.exeWerFault.exeWerFault.exesmss.exeWerFault.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exeWerFault.exesmss.exesmss.exesmss.exeWerFault.exesmss.exesmss.exesmss.exesmss.exesmss.exeWerFault.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exeWerFault.exesmss.exeWerFault.exeWerFault.exesmss.exesmss.exesmss.exesmss.exesmss.exeWerFault.exesmss.exesmss.exesmss.exesmss.exeWerFault.exesmss.exesmss.exesmss.exe

description	pid	process
Token: SeDebugPrivilege	2704	tаskmgr.exe
Token: SeDebugPrivilege	2248	smss.exe
Token: SeDebugPrivilege	1248	smss.exe
Token: SeDebugPrivilege	1728	smss.exe
Token: SeDebugPrivilege	2796	smss.exe
Token: SeDebugPrivilege	2140	WerFault.exe
Token: SeDebugPrivilege	2348	smss.exe
Token: SeDebugPrivilege	1712	WerFault.exe
Token: SeDebugPrivilege	1160	WerFault.exe
Token: SeDebugPrivilege	2992	smss.exe
Token: SeDebugPrivilege	2748	WerFault.exe
Token: SeDebugPrivilege	2400	smss.exe
Token: SeDebugPrivilege	1264	smss.exe
Token: SeDebugPrivilege	2984	smss.exe
Token: SeDebugPrivilege	336	smss.exe
Token: SeDebugPrivilege	1720	smss.exe
Token: SeDebugPrivilege	1748	smss.exe
Token: SeDebugPrivilege	1916	WerFault.exe
Token: SeDebugPrivilege	1800	smss.exe
Token: SeDebugPrivilege	2852	smss.exe
Token: SeDebugPrivilege	1352	smss.exe
Token: SeDebugPrivilege	2308	WerFault.exe
Token: SeDebugPrivilege	1548	smss.exe
Token: SeDebugPrivilege	604	smss.exe
Token: SeDebugPrivilege	296	smss.exe
Token: SeDebugPrivilege	2352	smss.exe
Token: SeDebugPrivilege	2212	smss.exe
Token: SeDebugPrivilege	2708	WerFault.exe
Token: SeDebugPrivilege	2476	smss.exe
Token: SeDebugPrivilege	3036	smss.exe
Token: SeDebugPrivilege	920	smss.exe
Token: SeDebugPrivilege	1384	smss.exe
Token: SeDebugPrivilege	1944	smss.exe
Token: SeDebugPrivilege	2800	smss.exe
Token: SeDebugPrivilege	2308	WerFault.exe
Token: SeDebugPrivilege	984	smss.exe
Token: SeDebugPrivilege	1784	smss.exe
Token: SeDebugPrivilege	2680	smss.exe
Token: SeDebugPrivilege	2852	smss.exe
Token: SeDebugPrivilege	1600	smss.exe
Token: SeDebugPrivilege	684	smss.exe
Token: SeDebugPrivilege	1720	smss.exe
Token: SeDebugPrivilege	1932	smss.exe
Token: SeDebugPrivilege	1352	smss.exe
Token: SeDebugPrivilege	1700	WerFault.exe
Token: SeDebugPrivilege	1304	smss.exe
Token: SeDebugPrivilege	684	smss.exe
Token: SeDebugPrivilege	2720	WerFault.exe
Token: SeDebugPrivilege	3100	WerFault.exe
Token: SeDebugPrivilege	3224	smss.exe
Token: SeDebugPrivilege	3328	smss.exe
Token: SeDebugPrivilege	3436	smss.exe
Token: SeDebugPrivilege	3532	smss.exe
Token: SeDebugPrivilege	3660	smss.exe
Token: SeDebugPrivilege	3764	WerFault.exe
Token: SeDebugPrivilege	3876	smss.exe
Token: SeDebugPrivilege	3996	smss.exe
Token: SeDebugPrivilege	4092	smss.exe
Token: SeDebugPrivilege	3212	smss.exe
Token: SeDebugPrivilege	3340	WerFault.exe
Token: SeDebugPrivilege	2720	WerFault.exe
Token: SeDebugPrivilege	3644	smss.exe
Token: SeDebugPrivilege	1968	smss.exe
Token: SeDebugPrivilege	3892	smss.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

tаskmgr.exe

pid process

2704 tаskmgr.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

tаskmgr.exe

pid process

2704 tаskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

1407c316ae266116eff2a7c2f40d8d3508dba301f8175d498be69c9d48a311ca.execsc.exetаskmgr.exetaskeng.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exe

description	pid	process	target process
PID 2064 wrote to memory of 1780	2064	1407c316ae266116eff2a7c2f40d8d3508dba301f8175d498be69c9d48a311ca.exe	csc.exe
PID 2064 wrote to memory of 1780	2064	1407c316ae266116eff2a7c2f40d8d3508dba301f8175d498be69c9d48a311ca.exe	csc.exe
PID 2064 wrote to memory of 1780	2064	1407c316ae266116eff2a7c2f40d8d3508dba301f8175d498be69c9d48a311ca.exe	csc.exe
PID 1780 wrote to memory of 1540	1780	csc.exe	cvtres.exe
PID 1780 wrote to memory of 1540	1780	csc.exe	cvtres.exe
PID 1780 wrote to memory of 1540	1780	csc.exe	cvtres.exe
PID 2064 wrote to memory of 2704	2064	1407c316ae266116eff2a7c2f40d8d3508dba301f8175d498be69c9d48a311ca.exe	tаskmgr.exe
PID 2064 wrote to memory of 2704	2064	1407c316ae266116eff2a7c2f40d8d3508dba301f8175d498be69c9d48a311ca.exe	tаskmgr.exe
PID 2064 wrote to memory of 2704	2064	1407c316ae266116eff2a7c2f40d8d3508dba301f8175d498be69c9d48a311ca.exe	tаskmgr.exe
PID 2704 wrote to memory of 2248	2704	tаskmgr.exe	smss.exe
PID 2704 wrote to memory of 2248	2704	tаskmgr.exe	smss.exe
PID 2704 wrote to memory of 2248	2704	tаskmgr.exe	smss.exe
PID 2704 wrote to memory of 2248	2704	tаskmgr.exe	smss.exe
PID 2616 wrote to memory of 2652	2616	taskeng.exe	tаskmgr.exe
PID 2616 wrote to memory of 2652	2616	taskeng.exe	tаskmgr.exe
PID 2616 wrote to memory of 2652	2616	taskeng.exe	tаskmgr.exe
PID 2248 wrote to memory of 2688	2248	smss.exe	smss.exe
PID 2248 wrote to memory of 2688	2248	smss.exe	smss.exe
PID 2248 wrote to memory of 2688	2248	smss.exe	smss.exe
PID 2248 wrote to memory of 2688	2248	smss.exe	smss.exe
PID 2688 wrote to memory of 1976	2688	smss.exe	WerFault.exe
PID 2688 wrote to memory of 1976	2688	smss.exe	WerFault.exe
PID 2688 wrote to memory of 1976	2688	smss.exe	WerFault.exe
PID 2688 wrote to memory of 1976	2688	smss.exe	WerFault.exe
PID 2704 wrote to memory of 1248	2704	tаskmgr.exe	smss.exe
PID 2704 wrote to memory of 1248	2704	tаskmgr.exe	smss.exe
PID 2704 wrote to memory of 1248	2704	tаskmgr.exe	smss.exe
PID 2704 wrote to memory of 1248	2704	tаskmgr.exe	smss.exe
PID 1248 wrote to memory of 1612	1248	smss.exe	smss.exe
PID 1248 wrote to memory of 1612	1248	smss.exe	smss.exe
PID 1248 wrote to memory of 1612	1248	smss.exe	smss.exe
PID 1248 wrote to memory of 1612	1248	smss.exe	smss.exe
PID 1612 wrote to memory of 2572	1612	smss.exe	WerFault.exe
PID 1612 wrote to memory of 2572	1612	smss.exe	WerFault.exe
PID 1612 wrote to memory of 2572	1612	smss.exe	WerFault.exe
PID 1612 wrote to memory of 2572	1612	smss.exe	WerFault.exe
PID 2704 wrote to memory of 1728	2704	tаskmgr.exe	smss.exe
PID 2704 wrote to memory of 1728	2704	tаskmgr.exe	smss.exe
PID 2704 wrote to memory of 1728	2704	tаskmgr.exe	smss.exe
PID 2704 wrote to memory of 1728	2704	tаskmgr.exe	smss.exe
PID 1728 wrote to memory of 1832	1728	smss.exe	smss.exe
PID 1728 wrote to memory of 1832	1728	smss.exe	smss.exe
PID 1728 wrote to memory of 1832	1728	smss.exe	smss.exe
PID 1728 wrote to memory of 1832	1728	smss.exe	smss.exe
PID 1832 wrote to memory of 1692	1832	smss.exe	WerFault.exe
PID 1832 wrote to memory of 1692	1832	smss.exe	WerFault.exe
PID 1832 wrote to memory of 1692	1832	smss.exe	WerFault.exe
PID 1832 wrote to memory of 1692	1832	smss.exe	WerFault.exe
PID 2704 wrote to memory of 2796	2704	tаskmgr.exe	smss.exe
PID 2704 wrote to memory of 2796	2704	tаskmgr.exe	smss.exe
PID 2704 wrote to memory of 2796	2704	tаskmgr.exe	smss.exe
PID 2704 wrote to memory of 2796	2704	tаskmgr.exe	smss.exe
PID 2796 wrote to memory of 2052	2796	smss.exe	smss.exe
PID 2796 wrote to memory of 2052	2796	smss.exe	smss.exe
PID 2796 wrote to memory of 2052	2796	smss.exe	smss.exe
PID 2796 wrote to memory of 2052	2796	smss.exe	smss.exe
PID 2052 wrote to memory of 452	2052	smss.exe	WerFault.exe
PID 2052 wrote to memory of 452	2052	smss.exe	WerFault.exe
PID 2052 wrote to memory of 452	2052	smss.exe	WerFault.exe
PID 2052 wrote to memory of 452	2052	smss.exe	WerFault.exe
PID 2704 wrote to memory of 2140	2704	tаskmgr.exe	WerFault.exe
PID 2704 wrote to memory of 2140	2704	tаskmgr.exe	WerFault.exe
PID 2704 wrote to memory of 2140	2704	tаskmgr.exe	WerFault.exe
PID 2704 wrote to memory of 2140	2704	tаskmgr.exe	WerFault.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\1407c316ae266116eff2a7c2f40d8d3508dba301f8175d498be69c9d48a311ca.exe
"C:\Users\Admin\AppData\Local\Temp\1407c316ae266116eff2a7c2f40d8d3508dba301f8175d498be69c9d48a311ca.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2064

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\3yscipsr.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:1780

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES147B.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC147A.tmp"
3⤵
PID:1540

C:\Windows\System32\tаskmgr.exe
"C:\Windows\System32\tаskmgr.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2704

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2248

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2688

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2688 -s 560
5⤵
- Loads dropped DLL
- Program crash
PID:1976

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1248

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1612

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:1728

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1728 -s 556
4⤵
- Program crash
PID:1512

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2796

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:2140

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
4⤵
- Executes dropped EXE
PID:1760

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2348

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
4⤵
- Executes dropped EXE
PID:1336

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:1712

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
4⤵
- Executes dropped EXE
PID:2128

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2128 -s 556
5⤵
- Loads dropped DLL
- Program crash
PID:2344

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:1160

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:2992

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
4⤵
- Executes dropped EXE
PID:2428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2428 -s 552
5⤵
- Loads dropped DLL
- Program crash
PID:2676

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:2748

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2400

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
4⤵
- Executes dropped EXE
PID:2916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2916 -s 556
5⤵
- Loads dropped DLL
- Program crash
PID:2908

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1264

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
4⤵
- Executes dropped EXE
PID:764

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2984

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
4⤵
- Executes dropped EXE
PID:856

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:336

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1728

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:1720

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
4⤵
- Executes dropped EXE
PID:2988

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1748

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
4⤵
- Executes dropped EXE
PID:448

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:1916

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
4⤵
- Executes dropped EXE
PID:2492

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2492 -s 556
5⤵
- Program crash
PID:1940

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:1800

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
4⤵
- Executes dropped EXE
PID:2364

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:2852

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
4⤵
- Executes dropped EXE
PID:2180

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2180 -s 560
5⤵
- Program crash
PID:1984

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:1352

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
4⤵
- Executes dropped EXE
PID:1980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1980 -s 556
5⤵
- Program crash
PID:1204

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:2308

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
4⤵
PID:916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 916 -s 556
5⤵
- Program crash
PID:1960

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1548

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
4⤵
- Executes dropped EXE
PID:712

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:604

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:296

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2352

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
4⤵
- Executes dropped EXE
PID:1296

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1296 -s 556
5⤵
- Program crash
PID:2692

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2212

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
4⤵
- Executes dropped EXE
PID:1232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1232 -s 556
5⤵
- Program crash
PID:1972

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:2708

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2476

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
4⤵
- Executes dropped EXE
PID:988

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3036

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:920

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
4⤵
- Executes dropped EXE
PID:1768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1768 -s 556
5⤵
- Program crash
PID:948

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:1384

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
4⤵
- Executes dropped EXE
PID:1528

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1384 -s 556
4⤵
- Program crash
PID:1844

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1944

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
4⤵
PID:1652

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1652 -s 560
5⤵
- Program crash
PID:320

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2800

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
4⤵
PID:3064

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:2308

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:984

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
4⤵
PID:564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 564 -s 556
5⤵
- Program crash
PID:1996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 984 -s 556
4⤵
- Program crash
PID:1316

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1784

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
4⤵
PID:2056

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2680

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2852

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
4⤵
PID:2472

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1600

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
4⤵
PID:2124

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2124 -s 560
5⤵
- Program crash
PID:2880

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:684

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1720

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
4⤵
PID:1244

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1932

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1384

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1352

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
4⤵
PID:1500

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1500 -s 556
5⤵
- Program crash
PID:2568

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:1700

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:984

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1304

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
4⤵
PID:2112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2112 -s 556
5⤵
- Program crash
PID:1756

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:684

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
4⤵
PID:1284

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1284 -s 556
5⤵
- Program crash
PID:300

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:2720

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
4⤵
PID:1928

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3224

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:3100

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3328

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:3436

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
4⤵
PID:3320

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3320 -s 560
5⤵
PID:3440

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:3660

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:3764

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
4⤵
PID:3812

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:3876

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3532

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3996

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:4092

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3212

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
4⤵
PID:3284

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:3340

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:2720

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
4⤵
PID:3444

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:3644

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
4⤵
PID:3584

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1968

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3892

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
4⤵
PID:2860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2860 -s 556
5⤵
- Program crash
PID:4012

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:3276

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
4⤵
PID:3104

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:4072

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:3208

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
4⤵
PID:2664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2664 -s 556
5⤵
PID:3344

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:3460

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
4⤵
PID:3572

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3572 -s 560
5⤵
PID:3516

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:3804

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:2720

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
4⤵
PID:3084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3084 -s 556
5⤵
PID:2896

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:3680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3680 -s 556
4⤵
PID:3920

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:3272

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:3660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3660 -s 560
5⤵
PID:3264

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:3348

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
4⤵
PID:3552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3552 -s 556
5⤵
PID:3496

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:3844

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
4⤵
PID:3536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3536 -s 556
5⤵
PID:3796

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:4000

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
4⤵
PID:3680

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3644

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
4⤵
PID:4036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4036 -s 556
5⤵
PID:3240

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:3876

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:4092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4092 -s 556
5⤵
PID:3360

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3876 -s 556
4⤵
PID:4140

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:1464

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
4⤵
PID:3880

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:4060

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
4⤵
PID:3804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3804 -s 556
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:3340

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:3524

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:2748

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
4⤵
PID:3580

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3580 -s 556
5⤵
PID:3768

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:3220

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
4⤵
PID:1596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1596 -s 560
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:2720

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:3236

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
4⤵
PID:3740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3740 -s 556
5⤵
PID:3612

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3436

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:3076

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:3428

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:3696

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:4172

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
4⤵
PID:4196

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4196 -s 560
5⤵
PID:4252

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:4284

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:4372

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
4⤵
PID:4404

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4404 -s 564
5⤵
PID:4440

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:4480

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
4⤵
PID:4508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4508 -s 556
5⤵
PID:4556

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:4588

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:4684

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
4⤵
PID:4720

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:4804

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:5008

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
4⤵
PID:5044

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:2160

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
4⤵
PID:4208

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:4292

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
4⤵
PID:4360

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:4452

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:4168

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4168 -s 564
4⤵
PID:4828

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:3640

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:4900

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:4788

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
4⤵
PID:4780

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4780 -s 556
5⤵
PID:4820

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:4848

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
4⤵
PID:4972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4972 -s 560
5⤵
PID:4976

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:5096

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
4⤵
PID:5100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5100 -s 560
5⤵
PID:3364

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:4384

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
4⤵
PID:4456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4456 -s 560
5⤵
PID:4476

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:4080

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:4516

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
4⤵
PID:4500

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4500 -s 556
5⤵
PID:4884

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:4728

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:4696

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
4⤵
PID:4924

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:5024

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
4⤵
PID:5060

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:4356

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
4⤵
PID:4536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4536 -s 560
5⤵
PID:4624

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:4592

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
4⤵
PID:4168

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:4516

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:4996

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
4⤵
PID:1632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1632 -s 560
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:1700

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:4164

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:4888

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
4⤵
PID:3640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3640 -s 560
5⤵
PID:5016

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:4192

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
4⤵
PID:4584

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:4956

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:4708

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
4⤵
PID:4288

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4288 -s 556
5⤵
PID:4728

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:5152

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
4⤵
PID:5184

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5184 -s 556
5⤵
PID:5240

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:5260

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
4⤵
PID:5288

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5288 -s 560
5⤵
PID:5340

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:5596

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:5824

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
4⤵
PID:5852

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5852 -s 556
5⤵
PID:5900

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:5716

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:5504

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:5396

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:5956

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
4⤵
PID:5984

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5984 -s 556
5⤵
PID:6016

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:5128

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
4⤵
PID:5132

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5132 -s 556
5⤵
PID:4516

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:1464

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
4⤵
PID:4112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4112 -s 560
5⤵
PID:5160

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:5196

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
4⤵
PID:5296

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:5400

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:6052

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:5588

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:5732

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
4⤵
PID:5764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5764 -s 556
5⤵
PID:5860

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:5876

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:6000

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
4⤵
PID:6056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6056 -s 560
5⤵
PID:4696

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:5124

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
4⤵
PID:5224

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:5300

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
4⤵
PID:5404

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5404 -s 556
5⤵
PID:5508

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:5616

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:5756

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:5992

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:6048

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
4⤵
PID:5796

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:5192

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
4⤵
PID:5932

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:5300

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
4⤵
PID:5680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5680 -s 556
5⤵
PID:6008

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:5256

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
4⤵
PID:4184

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4184 -s 556
5⤵
PID:4544

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:4748

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
4⤵
PID:5516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5516 -s 560
5⤵
PID:4356

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:5320

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
4⤵
PID:5960

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:5884

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
4⤵
PID:5816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5816 -s 556
5⤵
PID:5108

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:5820

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
4⤵
PID:5888

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:5712

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
4⤵
PID:5992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5992 -s 560
5⤵
PID:5756

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
4⤵
PID:6432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6432 -s 560
5⤵
PID:6472

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:5872

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
4⤵
PID:6132

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:6180

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
4⤵
PID:6208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6208 -s 560
5⤵
PID:6248

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:6404

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:6296

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:6512

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:6620

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:6720

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:6824

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
4⤵
PID:6860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6860 -s 560
5⤵
PID:6908

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:6948

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:7076

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
4⤵
PID:7116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7116 -s 560
5⤵
PID:7156

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:6168

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
4⤵
PID:4284

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4284 -s 560
5⤵
PID:6200

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:6308

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
4⤵
PID:6376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6376 -s 556
5⤵
PID:6408

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:6460

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
4⤵
PID:6464

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:6688

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
4⤵
PID:6656

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6656 -s 560
5⤵
PID:6776

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:6812

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
4⤵
PID:6892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6892 -s 556
5⤵
PID:6888

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
4⤵
PID:7128

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7128 -s 556
5⤵
PID:6224

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:6964

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:7088

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
4⤵
PID:7152

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7152 -s 556
5⤵
PID:5884

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:5712

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:6404

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
4⤵
PID:6548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6548 -s 556
5⤵
PID:5760

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:6632

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
4⤵
PID:6672

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6672 -s 560
5⤵
PID:6880

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:6764

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
4⤵
PID:7028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7028 -s 560
5⤵
PID:7096

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:6812

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:6332

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
4⤵
PID:6504

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6504 -s 556
5⤵
PID:6896

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:6724

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
4⤵
PID:7036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7036 -s 560
5⤵
PID:6364

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:5576

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
4⤵
PID:6660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6660 -s 556
5⤵
PID:6388

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:6916

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
4⤵
PID:6720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6720 -s 560
5⤵
PID:7140

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:6140

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
4⤵
PID:6336

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6336 -s 556
5⤵
PID:6732

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:6460

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
4⤵
PID:6728

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6728 -s 560
5⤵
PID:6828

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:5872

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
4⤵
PID:7192

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7192 -s 556
5⤵
PID:7248

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:7308

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
4⤵
PID:7348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7348 -s 556
5⤵
PID:7396

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:7436

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
4⤵
PID:7460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7460 -s 556
5⤵
PID:7508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7436 -s 560
4⤵
PID:7364

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:7568

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
4⤵
PID:7604

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:7668

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
4⤵
PID:7696

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
4⤵
PID:7820

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:7776

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
4⤵
PID:7800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7800 -s 560
5⤵
PID:7844

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:7880

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
4⤵
PID:7912

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:7996

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
4⤵
PID:8024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 8024 -s 556
5⤵
PID:8064

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:8100

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
4⤵
PID:8132

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 8132 -s 556
5⤵
PID:8184

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:7228

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
4⤵
PID:6612

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:7356

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
4⤵
PID:7432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7432 -s 556
5⤵
PID:7468

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:7480

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
4⤵
PID:7584

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7584 -s 556
5⤵
PID:7656

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:7672

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
4⤵
PID:7772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7772 -s 556
5⤵
PID:7860

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:8048

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
4⤵
PID:8032

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:8152

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
4⤵
PID:7204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7204 -s 556
5⤵
PID:7340

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:7668

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:6868

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
4⤵
PID:7376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7376 -s 560
5⤵
PID:7444

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:7576

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
4⤵
PID:7612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7612 -s 560
5⤵
PID:7864

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:7972

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
4⤵
PID:7876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7876 -s 556
5⤵
PID:7892

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:8172

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
4⤵
PID:7996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7996 -s 556
5⤵
PID:7208

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:7500

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
4⤵
PID:7648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7648 -s 556
5⤵
PID:7752

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:7472

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
4⤵
PID:7856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7856 -s 560
5⤵
PID:7672

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:7880

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
4⤵
PID:7232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7232 -s 556
5⤵
PID:8172

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:7384

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
4⤵
PID:8076

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:8092

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
4⤵
PID:7436

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:7744

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
4⤵
PID:7780

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7780 -s 556
5⤵
PID:7976

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:8072

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
4⤵
PID:7532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7532 -s 556
5⤵
PID:7456

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:7768

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
4⤵
PID:7428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7428 -s 560
5⤵
PID:8000

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:7144

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
4⤵
PID:8196

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 8196 -s 560
5⤵
PID:8228

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:8276

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
4⤵
PID:8308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 8308 -s 556
5⤵
PID:8344

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:8388

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
4⤵
PID:8424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 8424 -s 544
5⤵
PID:8464

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:8532

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
4⤵
PID:8556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 8556 -s 556
5⤵
PID:8600

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:8644

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
4⤵
PID:8676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 8676 -s 556
5⤵
PID:8752

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:8780

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
4⤵
PID:8808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 8808 -s 556
5⤵
PID:8852

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:8888

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
4⤵
PID:8920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 8920 -s 560
5⤵
PID:8972

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:9012

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
4⤵
PID:9056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 9056 -s 560
5⤵
PID:9108

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:9136

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
4⤵
PID:9164

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 9164 -s 556
5⤵
PID:9212

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:7768

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
4⤵
PID:8332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 8332 -s 556
5⤵
PID:8500

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:8564

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
4⤵
PID:8640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 8640 -s 556
5⤵
PID:8668

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:8692

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
4⤵
PID:8788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 8788 -s 560
5⤵
PID:8820

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:8908

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
4⤵
PID:8380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 8380 -s 560
5⤵
PID:8940

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:8236

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
4⤵
PID:9148

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 9148 -s 556
5⤵
PID:8336

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:8376

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
4⤵
PID:9024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 9024 -s 556
5⤵
PID:8656

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:8568

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
4⤵
PID:8880

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 8880 -s 556
5⤵
PID:8860

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:9028

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
4⤵
PID:9016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 9016 -s 556
5⤵
PID:9124

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:2752

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
4⤵
PID:9172

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 9172 -s 560
5⤵
PID:8388

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:2176

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
4⤵
PID:8280

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 8280 -s 556
5⤵
PID:8724

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:1508

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:9000

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
4⤵
PID:8876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 8876 -s 556
5⤵
PID:8716

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:8836

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
4⤵
PID:1508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1508 -s 556
5⤵
PID:8480

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:832

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
4⤵
PID:8932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 8932 -s 564
5⤵
PID:8236

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:8776

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
4⤵
PID:7300

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7300 -s 556
5⤵
PID:9240

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:9276

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
4⤵
PID:9308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 9308 -s 560
5⤵
PID:9344

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:9376

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
4⤵
PID:9408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 9408 -s 556
5⤵
PID:9452

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:9496

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
4⤵
PID:9532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 9532 -s 560
5⤵
PID:9596

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:9648

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
4⤵
PID:9680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 9680 -s 556
5⤵
PID:9728

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:9772

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
4⤵
PID:9800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 9800 -s 556
5⤵
PID:9840

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:9876

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
4⤵
PID:9904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 9904 -s 560
5⤵
PID:9952

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:9980

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
4⤵
PID:10012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 10012 -s 556
5⤵
PID:10048

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:10096

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
4⤵
PID:10132

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 10132 -s 556
5⤵
PID:10184

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:10216

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
4⤵
PID:9236

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 9236 -s 560
5⤵
PID:9252

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:9356

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
4⤵
PID:9324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 9324 -s 556
5⤵
PID:9476

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:9424

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
4⤵
PID:9500

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 9500 -s 556
5⤵
PID:9492

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:9724

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
4⤵
PID:9836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 9836 -s 556
5⤵
PID:9848

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:9820

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
4⤵
PID:9968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 9968 -s 556
5⤵
PID:9972

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:10004

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
4⤵
PID:10200

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 10200 -s 556
5⤵
PID:9876

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:8372

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
4⤵
PID:9336

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 9336 -s 556
5⤵
PID:9392

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:9664

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
4⤵
PID:9376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 9376 -s 556
5⤵
PID:9780

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:2892

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
4⤵
PID:9888

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 9888 -s 556
5⤵
PID:9964

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:10212

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
4⤵
PID:9832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 9832 -s 560
5⤵
PID:8832

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:2184

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
4⤵
PID:9868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 9868 -s 556
5⤵
PID:9700

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:9884

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
4⤵
PID:9232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 9232 -s 556
5⤵
PID:9640

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:9360

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
4⤵
PID:10080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 10080 -s 556
5⤵
PID:2892

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:10296

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
4⤵
PID:10328

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 10328 -s 556
5⤵
PID:10364

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:10408

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
4⤵
PID:10452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 10452 -s 556
5⤵
PID:10528

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:10576

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
4⤵
PID:10612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 10612 -s 556
5⤵
PID:10656

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:10700

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
4⤵
PID:10724

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 10724 -s 556
5⤵
PID:10772

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:10816

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
4⤵
PID:10856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 10856 -s 560
5⤵
PID:10896

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:10928

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
4⤵
PID:10960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 10960 -s 556
5⤵
PID:11008

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:11068

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
4⤵
PID:11104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 11104 -s 556
5⤵
PID:11144

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:11168

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
4⤵
PID:11200

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 11200 -s 556
5⤵
PID:11244

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:10264

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
4⤵
PID:9784

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 9784 -s 560
5⤵
PID:10372

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:10436

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
4⤵
PID:10304

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 10304 -s 556
5⤵
PID:10536

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:10648

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
4⤵
PID:10620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 10620 -s 556
5⤵
PID:10792

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:10748

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
4⤵
PID:10832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 10832 -s 556
5⤵
PID:11000

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:10816

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
4⤵
PID:11092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 11092 -s 556
5⤵
PID:11088

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:11240

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
4⤵
PID:11208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 11208 -s 560
5⤵
PID:11224

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:10264

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
4⤵
PID:10512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 10512 -s 556
5⤵
PID:4100

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:10604

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
4⤵
PID:10672

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 10672 -s 560
5⤵
PID:10868

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:10952

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
4⤵
PID:11124

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 11124 -s 560
5⤵
PID:3472

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:1556

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
4⤵
PID:11196

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 11196 -s 556
5⤵
PID:11216

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:10500

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
4⤵
PID:10608

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 10608 -s 556
5⤵
PID:10436

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:10712

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
4⤵
PID:10924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 10924 -s 556
5⤵
PID:10264

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:5228

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
4⤵
PID:4700

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4700 -s 556
5⤵
PID:10816

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:2836

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
4⤵
PID:10348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 10348 -s 560
5⤵
PID:4368

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:5936

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
4⤵
PID:10988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 10988 -s 556
5⤵
PID:4128

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:6068

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
4⤵
PID:4448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4448 -s 556
5⤵
PID:932

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:10968

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
4⤵
PID:10472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 10472 -s 560
5⤵
PID:11228

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:6244

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
4⤵
PID:10664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 10664 -s 560
5⤵
PID:11068

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:5948

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
4⤵
PID:10936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 10936 -s 560
5⤵
PID:6928

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:6640

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
4⤵
PID:11112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 11112 -s 556
5⤵
PID:10884

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:6692

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
4⤵
PID:10440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 10440 -s 556
5⤵
PID:5376

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:6500

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
4⤵
PID:6280

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6280 -s 560
5⤵
PID:2840

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:7176

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
4⤵
PID:7324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7324 -s 556
5⤵
PID:7548

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:7592

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
4⤵
PID:10676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 10676 -s 556
5⤵
PID:7332

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:7516

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
4⤵
PID:6640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6640 -s 556
5⤵
PID:6768

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:5576

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
4⤵
PID:10500

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 10500 -s 560
5⤵
PID:8176

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:7328

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
4⤵
PID:7264

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7264 -s 556
5⤵
PID:1572

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:7572

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
4⤵
PID:5396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5396 -s 568
5⤵
PID:8004

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:6436

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
4⤵
PID:8352

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 8352 -s 556
5⤵
PID:5872

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:8044

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
4⤵
PID:8008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 8008 -s 556
5⤵
PID:8732

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:7284

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
4⤵
PID:8040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 8040 -s 560
5⤵
PID:9020

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:5476

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
4⤵
PID:8208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 8208 -s 556
5⤵
PID:8488

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:8664

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
4⤵
PID:10448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 10448 -s 560
5⤵
PID:6632

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:5748

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
4⤵
PID:7616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7616 -s 560
5⤵
PID:9100

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:7144

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
4⤵
PID:7748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7748 -s 560
5⤵
PID:5228

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:7744

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
4⤵
PID:8744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 8744 -s 556
5⤵
PID:8504

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:6304

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
4⤵
PID:7720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7720 -s 560
5⤵
PID:4564

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /launchSelfAndExit "C:\Windows\System32\tаskmgr.exe" 2704 /protectFile
3⤵
PID:9580

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
4⤵
PID:9632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 9632 -s 556
5⤵
PID:8748

C:\Windows\system32\taskeng.exe
taskeng.exe {875019F5-9068-4BBC-BACA-A9A23068B8A5} S-1-5-21-3818056530-936619650-3554021955-1000:SFVRQGEO\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2616

C:\Windows\System32\tаskmgr.exe
C:\Windows\System32\tаskmgr.exe
2⤵
- Executes dropped EXE
PID:2652

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1612 -s 556
1⤵
- Loads dropped DLL
- Program crash
PID:2572

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1832 -s 556
1⤵
- Loads dropped DLL
- Program crash
PID:1692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2052 -s 556
1⤵
- Loads dropped DLL
- Program crash
PID:452

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1760 -s 556
1⤵
- Loads dropped DLL
- Program crash
PID:840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1336 -s 556
1⤵
- Loads dropped DLL
- Program crash
PID:1048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1808 -s 556
1⤵
- Loads dropped DLL
- Program crash
PID:1812

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
1⤵
- Executes dropped EXE
PID:1808

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
1⤵
- Executes dropped EXE
PID:2728

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2728 -s 556
2⤵
- Loads dropped DLL
- Program crash
PID:2588

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 856 -s 560
1⤵
- Loads dropped DLL
- Program crash
PID:1392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 764 -s 556
1⤵
- Loads dropped DLL
- Program crash
PID:864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2988 -s 536
1⤵
- Program crash
PID:2412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 448 -s 556
1⤵
- Program crash
PID:2292

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2364 -s 556
1⤵
- Program crash
PID:1796

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
1⤵
- Executes dropped EXE
PID:2440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2440 -s 556
2⤵
- Program crash
PID:2456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 712 -s 556
1⤵
- Executes dropped EXE
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:1712

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
1⤵
- Executes dropped EXE
PID:960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 960 -s 556
2⤵
- Program crash
PID:1564

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
1⤵
- Executes dropped EXE
PID:1580

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1580 -s 564
2⤵
- Program crash
PID:1744

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
1⤵
- Executes dropped EXE
PID:2156

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2156 -s 556
2⤵
- Program crash
PID:860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 988 -s 556
1⤵
- Program crash
PID:2436

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 556
2⤵
- Executes dropped EXE
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:2140

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1528 -s 556
1⤵
- Program crash
PID:2808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3064 -s 556
1⤵
- Executes dropped EXE
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:1160

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2056 -s 556
1⤵
- Program crash
PID:1604

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
1⤵
PID:2272

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2272 -s 556
2⤵
- Program crash
PID:816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2472 -s 556
1⤵
- Executes dropped EXE
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:2708

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2992 -s 556
2⤵
- Executes dropped EXE
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:2308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1244 -s 556
1⤵
- Program crash
PID:2888

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1928 -s 560
1⤵
- Executes dropped EXE
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:1916

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
1⤵
PID:3132

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3132 -s 560
2⤵
- Program crash
PID:3176

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
1⤵
PID:3248

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3248 -s 556
2⤵
- Program crash
PID:3296

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
1⤵
PID:3352

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3352 -s 556
2⤵
- Program crash
PID:3396

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
1⤵
PID:3464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3464 -s 556
2⤵
- Program crash
PID:3500

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
1⤵
PID:3560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3560 -s 556
2⤵
- Program crash
PID:3604

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
1⤵
PID:3688

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3688 -s 556
2⤵
- Program crash
PID:3724

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3812 -s 556
1⤵
- Program crash
PID:3848

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
1⤵
PID:3908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3908 -s 556
2⤵
- Program crash
PID:3948

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
1⤵
PID:4020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4020 -s 556
2⤵
- Program crash
PID:4052

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
1⤵
PID:1948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1948 -s 556
2⤵
- Program crash
PID:3144

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3284 -s 556
1⤵
- Program crash
PID:2216

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
1⤵
PID:3392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3392 -s 556
2⤵
- Program crash
PID:876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3444 -s 556
1⤵
- Program crash
PID:3528

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3584 -s 556
1⤵
- Program crash
PID:3732

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
1⤵
PID:3864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3864 -s 556
2⤵
- Program crash
PID:3964

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
1⤵
PID:3108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3108 -s 548
2⤵
- Program crash
PID:1484

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3104 -s 560
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3764

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
1⤵
PID:3540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3540 -s 560
2⤵
PID:3672

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
1⤵
PID:3888

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3888 -s 560
2⤵
PID:4076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3880 -s 560
1⤵
PID:3940

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
1⤵
PID:4000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4000 -s 560
2⤵
PID:3492

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
1⤵
PID:3824

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3824 -s 556
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3100

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
1⤵
PID:3460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3460 -s 560
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2748

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3876

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
1⤵
PID:4308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4308 -s 556
2⤵
PID:4336

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
1⤵
PID:4616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4616 -s 556
2⤵
PID:4656

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4720 -s 556
1⤵
PID:4756

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
1⤵
PID:4832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4832 -s 556
2⤵
PID:4864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4936 -s 556
1⤵
PID:4984

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5044 -s 560
1⤵
PID:5080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4104 -s 556
1⤵
PID:3696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4208 -s 540
1⤵
PID:4248

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4360 -s 560
1⤵
PID:4376

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
1⤵
PID:4540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4540 -s 556
2⤵
PID:4552

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
1⤵
PID:4644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4644 -s 556
2⤵
PID:4628

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
1⤵
PID:4104

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
1⤵
PID:4936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4204 -s 556
1⤵
PID:4260

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
1⤵
PID:4204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4640 -s 560
1⤵
PID:5116

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
1⤵
PID:4640

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
1⤵
PID:4684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4684 -s 556
2⤵
PID:4788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4924 -s 556
1⤵
PID:4992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5060 -s 556
1⤵
PID:996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4812 -s 556
1⤵
PID:4816

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
1⤵
PID:4812

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
1⤵
PID:4088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4088 -s 556
2⤵
PID:4080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4584 -s 556
1⤵
PID:4496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5424 -s 560
1⤵
PID:5460

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
1⤵
PID:5532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5532 -s 556
2⤵
PID:5580

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
1⤵
PID:5628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5628 -s 560
2⤵
PID:5672

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5740 -s 556
1⤵
PID:5772

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
1⤵
PID:5740

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
1⤵
PID:5424

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
1⤵
PID:6084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6084 -s 556
2⤵
PID:6124

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5296 -s 560
1⤵
PID:5304

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
1⤵
PID:5436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5436 -s 560
2⤵
PID:5564

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
1⤵
PID:5612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5612 -s 556
2⤵
PID:5656

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
1⤵
PID:5964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5964 -s 556
2⤵
PID:5956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5224 -s 556
1⤵
PID:5220

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
1⤵
PID:5780

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5780 -s 556
2⤵
PID:5728

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
1⤵
PID:5868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5868 -s 556
2⤵
PID:5864

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
1⤵
PID:6096

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6096 -s 556
2⤵
PID:6004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5796 -s 556
1⤵
PID:4708

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5932 -s 556
1⤵
PID:5668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5960 -s 556
1⤵
PID:5768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5888 -s 560
1⤵
PID:4748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6132 -s 556
1⤵
PID:3280

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
1⤵
PID:6324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6324 -s 556
2⤵
PID:6356

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
1⤵
PID:6440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6440 -s 556
2⤵
PID:6476

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
1⤵
PID:6536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6536 -s 556
2⤵
PID:6568

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
1⤵
PID:6648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6648 -s 556
2⤵
PID:6680

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
1⤵
PID:6752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6752 -s 556
2⤵
PID:6784

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
1⤵
PID:6976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6976 -s 564
2⤵
PID:7020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6464 -s 556
1⤵
PID:6528

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
1⤵
PID:6972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6972 -s 556
2⤵
PID:6712

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7696 -s 556
1⤵
PID:7732

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7604 -s 556
1⤵
PID:7636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7912 -s 556
1⤵
PID:7936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6612 -s 556
1⤵
PID:6812

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7820 -s 560
1⤵
PID:7900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 8032 -s 556
1⤵
PID:8036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 8076 -s 556
1⤵
PID:7704

C:\Users\Admin\AppData\Roaming\smss.exe
"C:\Users\Admin\AppData\Roaming\smss.exe" /watchProcess "C:\Windows\System32\tаskmgr.exe" 2704 "/protectFile"
1⤵
PID:9188

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 9188 -s 560
2⤵
PID:8168

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3yscipsr.dll
Filesize
76KB

MD5
db4d8d03bf32ef380b687e1973906105

SHA1
6da85180a7c700d28e668aeea225c1ef90e156e5

SHA256
948798353418d4eb05dad55826c36e6ee7688176ac840a9511d2a63111a46f42

SHA512
00e59f598fd61e13a30cb0ec09b17e3b81bbf8674d2c5b2c6078daa490863e30630ff3d08d65450267c0227eebeef27f4e71f0117ddb0ae1ac3c41af621ff3f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES147B.tmp
Filesize
1KB

MD5
2a707ea8ea9c6f99ae6ed44e80691f90

SHA1
95e426cde19228d2d32808db3d8bfb8902482534

SHA256
45d09a01a739c30ed49459eff324ba1f3da31097100c510489da71e5b0c8abeb

SHA512
7bb039403089fbcb08459faabf4770586f1e2cacdc9c1205c54a6e04577c0e447627e585f46feb175de0f348c91c2360faf748384345dcd39a22bd3470c277a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\err_d7904e4fe3184c208642abe8f5cf9293.dat
Filesize
1KB

MD5
9ebfc4dcf5de3201590415767048658a

SHA1
f54762badea9985734058ba8e8f6559ec5d8e890

SHA256
5ddcebf1d46d24f55451a0990ca8f8f1f12555c47408d9fb9b1823527eccf515

SHA512
d265b5e7f636158dc1335268794c3aa08d65108f2e7d60ab6f68428391b9d3eba8ecdcf4cde5a4fb37b05688953edab995ffef51f845d8758c9fbf010f5b1ccf

Download Submit
C:\Users\Admin\AppData\Roaming\smss.exe
Filesize
9KB

MD5
913967b216326e36a08010fb70f9dba3

SHA1
7b6f8c2eb5b443e03c212b85c2f0edb9c76ad2bf

SHA256
8d880758549220154d2ff4ee578f2b49527c5fb76a07d55237b61e30bcc09e3a

SHA512
c6fcb98d9fd509e9834fc3fba143bd36d41869cc104fbce5354951f0a6756156e34a30796baaa130dd45de3ed96e039ec14716716f6da4569915c7ef2d2b6c33

Download Submit
C:\Windows\System32\tаskmgr.exe
Filesize
918KB

MD5
beff93c13a3839484a3248f3a1702516

SHA1
77d2620d977c1b7730a599da82efd7360898f309

SHA256
1407c316ae266116eff2a7c2f40d8d3508dba301f8175d498be69c9d48a311ca

SHA512
fdf7ad1b65283101b1852badc92d09507a82eb13771d0676452f712fa26b649f20b18d970cf7c5f9bd43bf87b9252bd2ae76d9e11ef1addc0778565342a19a28

Download Submit
C:\Windows\System32\tаskmgr.exe.config
Filesize
357B

MD5
a2b76cea3a59fa9af5ea21ff68139c98

SHA1
35d76475e6a54c168f536e30206578babff58274

SHA256
f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839

SHA512
b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\3yscipsr.0.cs
Filesize
208KB

MD5
6011503497b1b9250a05debf9690e52c

SHA1
897aea61e9bffc82d7031f1b3da12fb83efc6d82

SHA256
08f42b8d57bb61bc8f9628c8a80953b06ca4149d50108083fca6dc26bdd49434

SHA512
604c33e82e8b5bb5c54389c2899c81e5482a06e69db08268173a5b4574327ee5de656d312011d07e50a2e398a4c9b0cd79029013f76e05e18cf67ce5a916ffd9

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\3yscipsr.cmdline
Filesize
349B

MD5
1eb49b255e83e0a49670f8fbe7d5f6ee

SHA1
a8cc79157df15318f9ee829263cc36b4ec437f71

SHA256
a564487bef319f1f19c7b6b6708c1ea4037b42d60f5c62a084bcf701de67365e

SHA512
9ecd39cac9a83e9cba9629076f34febc9b188758637577fc2343ea923d5283a24a9b1cc881ed87b19d6af7f1a781c4b8abef35699574bd8531d147587f7a00a3

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC147A.tmp
Filesize
676B

MD5
b0ee3de7ec6fed662419f85ee9f30d05

SHA1
fff5ec73b6fc14c33e651e7027970814e894b9d9

SHA256
60f7e95011e32e0c720424a4e12a62eab2120174d3139f29834b31936ce4db7b

SHA512
4060d6a2d3fb610d1dd393f367e7de790fed3269ebe389db9105ff80a3fb139d492cba6edb31be75df762f974123a43ac57935a722bfd13ebf51b9dbfb6af422

Download Submit
memory/1160-134-0x00000000748C0000-0x0000000074FAE000-memory.dmp

Filesize
6.9MB

Download
memory/1160-136-0x00000000748C0000-0x0000000074FAE000-memory.dmp

Filesize
6.9MB

Download
memory/1248-67-0x0000000074910000-0x0000000074FFE000-memory.dmp

Filesize
6.9MB

Download
memory/1248-69-0x0000000074910000-0x0000000074FFE000-memory.dmp

Filesize
6.9MB

Download
memory/1336-120-0x00000000748C0000-0x0000000074FAE000-memory.dmp

Filesize
6.9MB

Download
memory/1612-77-0x0000000074910000-0x0000000074FFE000-memory.dmp

Filesize
6.9MB

Download
memory/1612-70-0x0000000074910000-0x0000000074FFE000-memory.dmp

Filesize
6.9MB

Download
memory/1712-123-0x00000000748C0000-0x0000000074FAE000-memory.dmp

Filesize
6.9MB

Download
memory/1712-126-0x00000000748C0000-0x0000000074FAE000-memory.dmp

Filesize
6.9MB

Download
memory/1728-80-0x0000000074910000-0x0000000074FFE000-memory.dmp

Filesize
6.9MB

Download
memory/1760-145-0x0000000074910000-0x0000000074FFE000-memory.dmp

Filesize
6.9MB

Download
memory/1760-110-0x0000000074910000-0x0000000074FFE000-memory.dmp

Filesize
6.9MB

Download
memory/1808-140-0x00000000748C0000-0x0000000074FAE000-memory.dmp

Filesize
6.9MB

Download
memory/1808-137-0x00000000748C0000-0x0000000074FAE000-memory.dmp

Filesize
6.9MB

Download
memory/1832-86-0x0000000074910000-0x0000000074FFE000-memory.dmp

Filesize
6.9MB

Download
memory/2052-91-0x0000000074910000-0x0000000074FFE000-memory.dmp

Filesize
6.9MB

Download
memory/2064-2-0x000007FEF5AE0000-0x000007FEF647D000-memory.dmp

Filesize
9.6MB

Download
memory/2064-0-0x000000001AEC0000-0x000000001AF1C000-memory.dmp

Filesize
368KB

Download
memory/2064-27-0x0000000000A50000-0x0000000000AD0000-memory.dmp

Filesize
512KB

Download
memory/2064-17-0x000000001AF20000-0x000000001AF36000-memory.dmp

Filesize
88KB

Download
memory/2064-22-0x0000000000A50000-0x0000000000AD0000-memory.dmp

Filesize
512KB

Download
memory/2064-20-0x0000000000BD0000-0x0000000000BD8000-memory.dmp

Filesize
32KB

Download
memory/2064-32-0x000007FEF5AE0000-0x000007FEF647D000-memory.dmp

Filesize
9.6MB

Download
memory/2064-21-0x0000000000C00000-0x0000000000C08000-memory.dmp

Filesize
32KB

Download
memory/2064-19-0x00000000005D0000-0x00000000005E2000-memory.dmp

Filesize
72KB

Download
memory/2064-1-0x00000000005A0000-0x00000000005AE000-memory.dmp

Filesize
56KB

Download
memory/2064-4-0x000007FEF5AE0000-0x000007FEF647D000-memory.dmp

Filesize
9.6MB

Download
memory/2064-3-0x0000000000A50000-0x0000000000AD0000-memory.dmp

Filesize
512KB

Download
memory/2128-133-0x00000000748C0000-0x0000000074FAE000-memory.dmp

Filesize
6.9MB

Download
memory/2128-125-0x00000000748C0000-0x0000000074FAE000-memory.dmp

Filesize
6.9MB

Download
memory/2140-103-0x0000000074910000-0x0000000074FFE000-memory.dmp

Filesize
6.9MB

Download
memory/2140-100-0x0000000074910000-0x0000000074FFE000-memory.dmp

Filesize
6.9MB

Download
memory/2248-59-0x0000000074910000-0x0000000074FFE000-memory.dmp

Filesize
6.9MB

Download
memory/2248-57-0x0000000074910000-0x0000000074FFE000-memory.dmp

Filesize
6.9MB

Download
memory/2248-53-0x0000000001340000-0x0000000001348000-memory.dmp

Filesize
32KB

Download
memory/2348-112-0x0000000001340000-0x0000000001348000-memory.dmp

Filesize
32KB

Download
memory/2348-111-0x00000000748C0000-0x0000000074FAE000-memory.dmp

Filesize
6.9MB

Download
memory/2348-115-0x00000000748C0000-0x0000000074FAE000-memory.dmp

Filesize
6.9MB

Download
memory/2428-141-0x00000000748C0000-0x0000000074FAE000-memory.dmp

Filesize
6.9MB

Download
memory/2428-143-0x00000000748C0000-0x0000000074FAE000-memory.dmp

Filesize
6.9MB

Download
memory/2652-55-0x000000001AF60000-0x000000001AFE0000-memory.dmp

Filesize
512KB

Download
memory/2652-147-0x000007FEECF10000-0x000007FEED8FC000-memory.dmp

Filesize
9.9MB

Download
memory/2652-104-0x000000001AF60000-0x000000001AFE0000-memory.dmp

Filesize
512KB

Download
memory/2652-102-0x000007FEECF10000-0x000007FEED8FC000-memory.dmp

Filesize
9.9MB

Download
memory/2652-54-0x000007FEECF10000-0x000007FEED8FC000-memory.dmp

Filesize
9.9MB

Download
memory/2688-66-0x0000000074910000-0x0000000074FFE000-memory.dmp

Filesize
6.9MB

Download
memory/2688-58-0x0000000074910000-0x0000000074FFE000-memory.dmp

Filesize
6.9MB

Download
memory/2704-42-0x00000000021A0000-0x00000000021B0000-memory.dmp

Filesize
64KB

Download
memory/2704-36-0x000000001AF90000-0x000000001B010000-memory.dmp

Filesize
512KB

Download
memory/2704-88-0x000000001AF90000-0x000000001B010000-memory.dmp

Filesize
512KB

Download
memory/2704-45-0x000000001AF90000-0x000000001B010000-memory.dmp

Filesize
512KB

Download
memory/2704-34-0x00000000009F0000-0x0000000000ADC000-memory.dmp

Filesize
944KB

Download
memory/2704-93-0x000000001AF90000-0x000000001B010000-memory.dmp

Filesize
512KB

Download
memory/2704-41-0x000000001AF90000-0x000000001B010000-memory.dmp

Filesize
512KB

Download
memory/2704-40-0x0000000002180000-0x0000000002198000-memory.dmp

Filesize
96KB

Download
memory/2704-39-0x0000000000630000-0x000000000067E000-memory.dmp

Filesize
312KB

Download
memory/2704-79-0x000007FEECF10000-0x000007FEED8FC000-memory.dmp

Filesize
9.9MB

Download
memory/2704-35-0x000007FEECF10000-0x000007FEED8FC000-memory.dmp

Filesize
9.9MB

Download
memory/2728-146-0x00000000748C0000-0x0000000074FAE000-memory.dmp

Filesize
6.9MB

Download
memory/2748-144-0x00000000748C0000-0x0000000074FAE000-memory.dmp

Filesize
6.9MB

Download
memory/2796-92-0x0000000074910000-0x0000000074FFE000-memory.dmp

Filesize
6.9MB

Download
memory/2796-90-0x0000000074910000-0x0000000074FFE000-memory.dmp

Filesize
6.9MB

Download
memory/2992-142-0x00000000748C0000-0x0000000074FAE000-memory.dmp

Filesize
6.9MB

Download
memory/2992-139-0x00000000748C0000-0x0000000074FAE000-memory.dmp

Filesize
6.9MB

Download