lockergoga | eda26a1cd80aac1c42cdbba9af813d9c4bc81f6052080bc33435d1e076e75aa0

Analysis

max time kernel
23s
max time network
129s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
20/03/2024, 10:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

230108-mnsp1add24.exe
Size

1.2MB
MD5

16bcc3b7f32c41e7c7222bf37fe39fe6
SHA1

a25bc5442c86bdeb0dec6583f0e80e241745fb73
SHA256

eda26a1cd80aac1c42cdbba9af813d9c4bc81f6052080bc33435d1e076e75aa0
SHA512

f3e7087f569b3bcc201c006c5dfcea6cf560cad480bc03e6f17790190bc35bf6659e91a9f91219952bd139a3c9afde961032ee1d0861158409206feaa6540f9e
SSDEEP

24576:uj/6CtkHRos9l+zan4Q6eQqF5ZgQibE2zkMiJHic9OuTw258tox6T9G0SKoRl:A/NtkHRos9l+zan4QTB/2zkPtBq2itoP

Score

10^/10

lockergoga banker persistence ransomware spyware stealer trojan

Malware Config

Extracted

Path

C:\Users\Public\Desktop\README_LOCKED.txt

Ransom Note

Greetings! There was a significant flaw in the security system of your company. You should be thankful that the flaw was exploited by serious people and not some rookies. They would have damaged all of your data by mistake or for fun. Your files are encrypted with the strongest military algorithms RSA4096 and AES-256. Without our special decoder it is impossible to restore the data. Attempts to restore your data with third party software as Photorec, RannohDecryptor etc. will lead to irreversible destruction of your data. To confirm our honest intentions. Send us 2-3 different random files and you will get them decrypted. It can be from different computers on your network to be sure that our decoder decrypts everything. Sample files we unlock for free (files should not be related to any kind of backups). We exclusively have decryption software for your situation DO NOT RESET OR SHUTDOWN - files may be damaged. DO NOT RENAME the encrypted files. DO NOT MOVE the encrypted files. This may lead to the impossibility of recovery of the certain files. The payment has to be made in Bitcoins. The final price depends on how fast you contact us. As soon as we receive the payment you will get the decryption tool and instructions on how to improve your systems security To get information on the price of the decoder contact us at: [email protected] [email protected]

Emails

[email protected]

Signatures

LockerGoga
LockerGoga is a ransomware that is primarily used in targeted, disruptive attacks.
trojan banker lockergoga
Renames multiple (623) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Modifies Installed Components in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Enumerates connected drives 3 TTPs 2 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File created	C:\Windows\rescache\_merged\92721896\3830810798.pri	svchost.exe
File created	C:\Windows\rescache\_merged\1712550052\1801701463.pri	svchost.exe
File created	C:\Windows\rescache\_merged\2928961003\625926146.pri	svchost.exe
File created	C:\Windows\rescache\_merged\2137598169\2880039969.pri	svchost.exe
File created	C:\Windows\rescache\_merged\3479232320\854511425.pri	svchost.exe
File created	C:\Windows\rescache\_merged\4278325366\3921279526.pri	svchost.exe
File created	C:\Windows\rescache\_merged\431186354\2167966996.pri	svchost.exe
File created	C:\Windows\rescache\_merged\2562634990\3333832120.pri	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 7 IoCs

pid	pid_target	Process	procid_target
2212	2144	WerFault.exe	115
4136	3984	WerFault.exe	212
628	408	WerFault.exe	236
1260	2076	WerFault.exe	292
1536	1512	WerFault.exe	443
776	2764	WerFault.exe	622
3068	2796	WerFault.exe	775

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\PackageRepository\Extensions\windows.protocol\ms-oobenetwork\AppXtkjk7ve8gcvsz7s2y4kkf56wrmb5edr7	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\PackageRepository\Packages\c5e2524a-ea46-4f67-841f-6a9465d9d515_10.0.19041.1023_neutral_neutral_cw5n1h2txyewy\c5e2524a-ea46-4f67-841f-6a9465d9d515_cw5n1h2t = "App.AppX6m2hjgpy7aa1w41x809a5syrn7kfjgp3.mca"	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\PackageRepository\Extensions\windows.fileTypeAssociation\.wdp\AppX2jm25qtmp2qxstv333wv5mne3k5bf4bm	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\PackageRepository\Extensions\windows.fileTypeAssociation\.htm\AppX4hxtad77fbk3jkkeerkrm0ze94wjf3s9	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\PackageRepository\Extensions\windows.protocol\ms-print-addprinter\AppX0enk2acdsmv8ydhntbtea6yjp27223q6	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\PackageRepository\Extensions\windows.protocol\com.microsoft.3dviewer\AppXztymbw55c24qp3qfb1jac0r6a8w3rtfq	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\PackageRepository\Packages\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Microsoft.ScreenSketch_8wekyb3d8bbwe!App\windows.fileTypeAssociation\.g	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\PackageRepository\Packages\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Microsoft.SkypeApp_kzf8qxf38zg5c!App\windows.protocol\skypewin	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\PackageRepository\Extensions\ProgIDs\AppXe862j7twqs4aww05211jaakwxyfjx4da	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\PackageRepository\Packages\Windows.PrintDialog_6.2.1.0_neutral_neutral_cw5n1h2txyewy\Windows.PrintDialog_cw5n1h2txyewy!Microsoft.Windows.PrintDialog\window = "Add a printer"	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\PackageRepository\Extensions\windows.fileTypeAssociation\.jfif	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\PackageRepository\Extensions\windows.protocol\armodelviewing\AppX8mg1ky09gvfdexfmk8e77463mz4j1xcp	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\PackageRepository\Packages\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Microsoft.ScreenSketch_8wekyb3d8bbwe!App\windows.fileTypeAssociation\.o = "Assets\\FileAssociation\\FileAssociation.png"	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\PackageRepository\Extensions\ProgIDs\AppX3p914qnpgw4hwj856jw2y286v7d4qnzh	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\PackageRepository\Extensions\ProgIDs\AppX4jbzrhvphxte25e0gxha6bq555nrgqzy	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\PackageRepository\Extensions\ProgIDs\AppXn8vagw663cz9m3j0rmkddxpbq9x0716k	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\PackageRepository\Extensions\windows.fileTypeAssociation\.c5e2524a-ea46-4f67-841f-6a9465d9d515	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\PackageRepository\Extensions\windows.protocol\ms-getoffice	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\PackageRepository\Extensions\windows.fileTypeAssociation\.rw2\AppX2jm25qtmp2qxstv333wv5mne3k5bf4bm	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\PackageRepository\Extensions\windows.fileTypeAssociation\.svg\AppXde74bfzw9j31bzhcvsrxsyjnhhbq66cs	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\PackageRepository\Packages\Microsoft.Windows.SecureAssessmentBrowser_10.0.19041.1023_neutral_neutral_cw5n1h2txyewy\Microsoft.Windows.SecureAssessmentBrowse = "App.AppX90m889wv56yt2vfqvrd2hvhc98qatn3e.mca"	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\PackageRepository\Extensions\windows.fileTypeAssociation\.OBJ\AppXmgw6pxxs62rbgfp9petmdyb4fx7rnd4k	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\PackageRepository\Extensions\windows.fileTypeAssociation\.erf	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\PackageRepository\Packages\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Microsoft.Microsoft3DViewer_8wekyb3d8bbwe!Microsoft.Microsoft3DView = "C:\\Program Files\\WindowsApps\\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\\Assets\\Square44x44LogoExtensions.targetsize-256.png"	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\PackageRepository\Extensions\windows.protocol\ms-officecmd	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\PackageRepository\Packages\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Microsoft.ScreenSketch_8wekyb3d8bbwe!App\windows.fileTypeAssociation\.e = "App.AppX99naa8pv4a8nkjghzyt7drksgwxwbtsg.mca"	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\PackageRepository\Extensions\windows.fileTypeAssociation\.dng\AppX2jm25qtmp2qxstv333wv5mne3k5bf4bm	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\PackageRepository\Extensions\windows.protocol\skype	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\PackageRepository\Packages\Microsoft.MicrosoftEdge_44.19041.1266.0_neutral__8wekyb3d8bbwe\Microsoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge\windows.proto = "MicrosoftEdge.AppXrwh8xyerps7kqvjsngqmvwenddpt3g5w.mca"	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\PackageRepository\Extensions\ProgIDs\AppXpzkxgsbx9mzsg8kedsrg63eqxykxrtcx	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\PackageRepository\Packages\Microsoft.Windows.ShellExperienceHost_10.0.19041.1023_neutral_neutral_cw5n1h2txyewy\Microsoft.Windows.ShellExperienceHost_cw5n1h = "Meet Now Flyout"	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\PackageRepository\Extensions\ProgIDs\AppXzcmrn7q3gmakk1ffkbr4s3d27qwjdtbt	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\PackageRepository\Extensions\windows.protocol\http\AppXq0fevzme2pys62n3e0fbqa7peapykr8v	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\PackageRepository\Extensions\windows.fileTypeAssociation\.GLTF	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\PackageRepository\Packages\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Microsoft.ScreenSketch_8wekyb3d8bbwe!App\windows.fileTypeAssociation\.s = "App.AppX99naa8pv4a8nkjghzyt7drksgwxwbtsg.mca"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\PackageRepository\Packages\Microsoft.Windows.Apprep.ChxApp_1000.19041.1023.0_neutral_neutral_cw5n1h2txyewy\Microsoft.Windows.Apprep.ChxApp_cw5n1h2txyewy!Ap = "App.AppXc99k5qnnsvxj5szemm7fp3g7y08we5vm.mca"	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\PackageRepository\Extensions\ProgIDs\AppXmgw6pxxs62rbgfp9petmdyb4fx7rnd4k	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\PackageRepository\Packages\Microsoft.Windows.OOBENetworkCaptivePortal_10.0.19041.1023_neutral__cw5n1h2txyewy\Microsoft.Windows.OOBENetworkCaptivePortal_cw5 = "App.AppX0yv8qc1nfyqaj69wdxr295x53jywmh2n.mca"	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\PackageRepository\Extensions\ProgIDs\AppXxfctf2rqj6c7b4wrvys6zq1bskprrn19	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\PackageRepository\Extensions\windows.protocol\tel\AppXvvr0sjtc34r6nk4mhn2e608s2xp2tezg	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\PackageRepository\Extensions\ProgIDs\AppXreyvazcs64j2pgtpwyt49g6ce85mwrwg	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\PackageRepository\Packages\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Microsoft.SkypeApp_kzf8qxf38zg5c!App\windows.protocol\tel\ACID = "App.AppX15fre6jwz683kpabzkh5zkgqerwq1me9.mca"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\PackageRepository\Packages\Microsoft.MicrosoftEdge_44.19041.1266.0_neutral__8wekyb3d8bbwe\Microsoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge\windows.proto = "MicrosoftEdge.AppX5m9j1zzanr7veve4dts7f981jdwycqt7.mca"	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\PackageRepository\Extensions\windows.protocol\ms-contact-support	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\PackageRepository\Extensions\windows.fileTypeAssociation\.3MF\AppXmgw6pxxs62rbgfp9petmdyb4fx7rnd4k	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\PackageRepository\Packages\Microsoft.MicrosoftEdge_44.19041.1266.0_neutral__8wekyb3d8bbwe\Microsoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge\windows.proto = "C:\\Windows\\SystemApps\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\Assets\\MicrosoftEdgeFile.targetsize-256.png"	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\PackageRepository\Extensions\windows.protocol\ms-cxh\AppX3p914qnpgw4hwj856jw2y286v7d4qnzh	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\PackageRepository\Extensions\ProgIDs\AppX2jm25qtmp2qxstv333wv5mne3k5bf4bm	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\PackageRepository\Extensions\windows.protocol	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\PackageRepository\Extensions\windows.protocol\ms-print-printjobs\AppXqmt9n48kdgabchqtfjw3a4n5as0gk0vt	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\PackageRepository\Extensions\windows.fileTypeAssociation\.tif\AppX2jm25qtmp2qxstv333wv5mne3k5bf4bm	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\PackageRepository\Packages\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Microsoft.Microsoft3DViewer_8wekyb3d8bbwe!Microsoft.Microsoft3DView = "Microsoft.Microsoft3DViewer.AppXway10xa76g14zsxa9tnk43nygrwvgdvf.mca"	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\PackageRepository\Extensions\windows.protocol\onenote-cmd\AppXn8vagw663cz9m3j0rmkddxpbq9x0716k	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\PackageRepository\Extensions\ProgIDs\AppXqg3xs3h3sbq285086k5jcab5aawtt9zw	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\PackageRepository\Extensions\windows.protocol\ms-eyecontrolspeech	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\PackageRepository\Extensions\windows.protocol\ms-appinstaller	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\PackageRepository\Extensions\windows.protocol\ms-officeapp	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\PackageRepository\Packages\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Microsoft.ScreenSketch_8wekyb3d8bbwe!App\windows.fileTypeAssociation\.c	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\PackageRepository\Extensions\windows.fileTypeAssociation\.pef	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\PackageRepository\Extensions\ProgIDs\AppXq0fevzme2pys62n3e0fbqa7peapykr8v	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\PackageRepository\Packages\Microsoft.MicrosoftEdge_44.19041.1266.0_neutral__8wekyb3d8bbwe\Microsoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge\windows.fileT = "Assets\\MicrosoftEdgeFile.png"	svchost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2692	yxugwjud4632.exe
2692	yxugwjud4632.exe
216	yxugwjud4632.exe
216	yxugwjud4632.exe
4076	yxugwjud4632.exe
4076	yxugwjud4632.exe
2692	yxugwjud4632.exe
2692	yxugwjud4632.exe
4076	yxugwjud4632.exe
4076	yxugwjud4632.exe
4076	yxugwjud4632.exe
4076	yxugwjud4632.exe
2692	yxugwjud4632.exe
2692	yxugwjud4632.exe
1020	yxugwjud4632.exe
1020	yxugwjud4632.exe
2692	yxugwjud4632.exe
2692	yxugwjud4632.exe
4416	yxugwjud4632.exe
4416	yxugwjud4632.exe
2136	yxugwjud4632.exe
2136	yxugwjud4632.exe
4416	yxugwjud4632.exe
4416	yxugwjud4632.exe
2136	yxugwjud4632.exe
2136	yxugwjud4632.exe
4416	yxugwjud4632.exe
4416	yxugwjud4632.exe
2136	yxugwjud4632.exe
2136	yxugwjud4632.exe
4416	yxugwjud4632.exe
4416	yxugwjud4632.exe
2136	yxugwjud4632.exe
2136	yxugwjud4632.exe
4416	yxugwjud4632.exe
4416	yxugwjud4632.exe
2136	yxugwjud4632.exe
2136	yxugwjud4632.exe
2136	yxugwjud4632.exe
2136	yxugwjud4632.exe
3636	yxugwjud4632.exe
3636	yxugwjud4632.exe
2136	yxugwjud4632.exe
2136	yxugwjud4632.exe
3636	yxugwjud4632.exe
3636	yxugwjud4632.exe
2136	yxugwjud4632.exe
2136	yxugwjud4632.exe
3636	yxugwjud4632.exe
3636	yxugwjud4632.exe
2136	yxugwjud4632.exe
2136	yxugwjud4632.exe
3636	yxugwjud4632.exe
3636	yxugwjud4632.exe
2136	yxugwjud4632.exe
2136	yxugwjud4632.exe
3636	yxugwjud4632.exe
3636	yxugwjud4632.exe
2136	yxugwjud4632.exe
2136	yxugwjud4632.exe
3636	yxugwjud4632.exe
3636	yxugwjud4632.exe
3636	yxugwjud4632.exe
3636	yxugwjud4632.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3248	cmd.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2836	230108-mnsp1add24.exe
Token: SeBackupPrivilege	2836	230108-mnsp1add24.exe
Token: SeRestorePrivilege	2836	230108-mnsp1add24.exe
Token: SeLockMemoryPrivilege	2836	230108-mnsp1add24.exe
Token: SeCreateGlobalPrivilege	2836	230108-mnsp1add24.exe
Token: SeDebugPrivilege	2736	yxugwjud4632.exe
Token: SeBackupPrivilege	2736	yxugwjud4632.exe
Token: SeRestorePrivilege	2736	yxugwjud4632.exe
Token: SeLockMemoryPrivilege	2736	yxugwjud4632.exe
Token: SeCreateGlobalPrivilege	2736	yxugwjud4632.exe
Token: SeDebugPrivilege	216	yxugwjud4632.exe
Token: SeBackupPrivilege	216	yxugwjud4632.exe
Token: SeRestorePrivilege	216	yxugwjud4632.exe
Token: SeLockMemoryPrivilege	216	yxugwjud4632.exe
Token: SeCreateGlobalPrivilege	216	yxugwjud4632.exe
Token: SeDebugPrivilege	3888	yxugwjud4632.exe
Token: SeBackupPrivilege	3888	yxugwjud4632.exe
Token: SeRestorePrivilege	3888	yxugwjud4632.exe
Token: SeDebugPrivilege	3636	yxugwjud4632.exe
Token: SeLockMemoryPrivilege	3888	yxugwjud4632.exe
Token: SeDebugPrivilege	2692	yxugwjud4632.exe
Token: SeBackupPrivilege	3636	yxugwjud4632.exe
Token: SeDebugPrivilege	1020	yxugwjud4632.exe
Token: SeCreateGlobalPrivilege	3888	yxugwjud4632.exe
Token: SeRestorePrivilege	3636	yxugwjud4632.exe
Token: SeBackupPrivilege	2692	yxugwjud4632.exe
Token: SeBackupPrivilege	1020	yxugwjud4632.exe
Token: SeLockMemoryPrivilege	3636	yxugwjud4632.exe
Token: SeRestorePrivilege	2692	yxugwjud4632.exe
Token: SeRestorePrivilege	1020	yxugwjud4632.exe
Token: SeCreateGlobalPrivilege	3636	yxugwjud4632.exe
Token: SeLockMemoryPrivilege	2692	yxugwjud4632.exe
Token: SeLockMemoryPrivilege	1020	yxugwjud4632.exe
Token: SeCreateGlobalPrivilege	2692	yxugwjud4632.exe
Token: SeCreateGlobalPrivilege	1020	yxugwjud4632.exe
Token: SeDebugPrivilege	2976	yxugwjud4632.exe
Token: SeDebugPrivilege	4416	yxugwjud4632.exe
Token: SeDebugPrivilege	2136	yxugwjud4632.exe
Token: SeBackupPrivilege	2976	yxugwjud4632.exe
Token: SeBackupPrivilege	4416	yxugwjud4632.exe
Token: SeBackupPrivilege	2136	yxugwjud4632.exe
Token: SeRestorePrivilege	2136	yxugwjud4632.exe
Token: SeRestorePrivilege	2976	yxugwjud4632.exe
Token: SeRestorePrivilege	4416	yxugwjud4632.exe
Token: SeLockMemoryPrivilege	2136	yxugwjud4632.exe
Token: SeLockMemoryPrivilege	2976	yxugwjud4632.exe
Token: SeLockMemoryPrivilege	4416	yxugwjud4632.exe
Token: SeCreateGlobalPrivilege	2136	yxugwjud4632.exe
Token: SeCreateGlobalPrivilege	2976	yxugwjud4632.exe
Token: SeCreateGlobalPrivilege	4416	yxugwjud4632.exe
Token: SeDebugPrivilege	4076	yxugwjud4632.exe
Token: SeBackupPrivilege	4076	yxugwjud4632.exe
Token: SeRestorePrivilege	4076	yxugwjud4632.exe
Token: SeLockMemoryPrivilege	4076	yxugwjud4632.exe
Token: SeCreateGlobalPrivilege	4076	yxugwjud4632.exe
Token: SeDebugPrivilege	3004	yxugwjud4632.exe
Token: SeBackupPrivilege	3004	yxugwjud4632.exe
Token: SeRestorePrivilege	3004	yxugwjud4632.exe
Token: SeLockMemoryPrivilege	3004	yxugwjud4632.exe
Token: SeCreateGlobalPrivilege	3004	yxugwjud4632.exe
Token: SeDebugPrivilege	1912	yxugwjud4632.exe
Token: SeBackupPrivilege	1912	yxugwjud4632.exe
Token: SeRestorePrivilege	1912	yxugwjud4632.exe
Token: SeLockMemoryPrivilege	1912	yxugwjud4632.exe

Suspicious use of FindShellTrayWindow 7 IoCs

pid	Process
4304	explorer.exe
4304	explorer.exe
4304	explorer.exe
4304	explorer.exe
4304	explorer.exe
4304	explorer.exe
4304	explorer.exe

Suspicious use of SendNotifyMessage 9 IoCs

pid	Process
4304	explorer.exe
4304	explorer.exe
4304	explorer.exe
4304	explorer.exe
4304	explorer.exe
4304	explorer.exe
4304	explorer.exe
4304	explorer.exe
4304	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2836 wrote to memory of 3248	2836	230108-mnsp1add24.exe	89
PID 2836 wrote to memory of 3248	2836	230108-mnsp1add24.exe	89
PID 2836 wrote to memory of 2736	2836	230108-mnsp1add24.exe	91
PID 2836 wrote to memory of 2736	2836	230108-mnsp1add24.exe	91
PID 2836 wrote to memory of 2736	2836	230108-mnsp1add24.exe	91
PID 2736 wrote to memory of 2976	2736	yxugwjud4632.exe	92
PID 2736 wrote to memory of 2976	2736	yxugwjud4632.exe	92
PID 2736 wrote to memory of 2976	2736	yxugwjud4632.exe	92
PID 2736 wrote to memory of 2692	2736	yxugwjud4632.exe	93
PID 2736 wrote to memory of 2692	2736	yxugwjud4632.exe	93
PID 2736 wrote to memory of 2692	2736	yxugwjud4632.exe	93
PID 2736 wrote to memory of 216	2736	yxugwjud4632.exe	94
PID 2736 wrote to memory of 216	2736	yxugwjud4632.exe	94
PID 2736 wrote to memory of 216	2736	yxugwjud4632.exe	94
PID 2736 wrote to memory of 4416	2736	yxugwjud4632.exe	95
PID 2736 wrote to memory of 4416	2736	yxugwjud4632.exe	95
PID 2736 wrote to memory of 4416	2736	yxugwjud4632.exe	95
PID 2736 wrote to memory of 4076	2736	yxugwjud4632.exe	96
PID 2736 wrote to memory of 4076	2736	yxugwjud4632.exe	96
PID 2736 wrote to memory of 4076	2736	yxugwjud4632.exe	96
PID 2736 wrote to memory of 2136	2736	yxugwjud4632.exe	97
PID 2736 wrote to memory of 2136	2736	yxugwjud4632.exe	97
PID 2736 wrote to memory of 2136	2736	yxugwjud4632.exe	97
PID 2736 wrote to memory of 1020	2736	yxugwjud4632.exe	98
PID 2736 wrote to memory of 1020	2736	yxugwjud4632.exe	98
PID 2736 wrote to memory of 1020	2736	yxugwjud4632.exe	98
PID 2736 wrote to memory of 3636	2736	yxugwjud4632.exe	99
PID 2736 wrote to memory of 3636	2736	yxugwjud4632.exe	99
PID 2736 wrote to memory of 3636	2736	yxugwjud4632.exe	99
PID 2736 wrote to memory of 3888	2736	yxugwjud4632.exe	100
PID 2736 wrote to memory of 3888	2736	yxugwjud4632.exe	100
PID 2736 wrote to memory of 3888	2736	yxugwjud4632.exe	100
PID 2736 wrote to memory of 3004	2736	yxugwjud4632.exe	101
PID 2736 wrote to memory of 3004	2736	yxugwjud4632.exe	101
PID 2736 wrote to memory of 3004	2736	yxugwjud4632.exe	101
PID 2736 wrote to memory of 1912	2736	yxugwjud4632.exe	103
PID 2736 wrote to memory of 1912	2736	yxugwjud4632.exe	103
PID 2736 wrote to memory of 1912	2736	yxugwjud4632.exe	103
PID 2736 wrote to memory of 1716	2736	yxugwjud4632.exe	107
PID 2736 wrote to memory of 1716	2736	yxugwjud4632.exe	107
PID 2736 wrote to memory of 1716	2736	yxugwjud4632.exe	107
PID 2736 wrote to memory of 1412	2736	yxugwjud4632.exe	108
PID 2736 wrote to memory of 1412	2736	yxugwjud4632.exe	108
PID 2736 wrote to memory of 1412	2736	yxugwjud4632.exe	108
PID 2736 wrote to memory of 4876	2736	yxugwjud4632.exe	109
PID 2736 wrote to memory of 4876	2736	yxugwjud4632.exe	109
PID 2736 wrote to memory of 4876	2736	yxugwjud4632.exe	109
PID 2736 wrote to memory of 4332	2736	yxugwjud4632.exe	140
PID 2736 wrote to memory of 4332	2736	yxugwjud4632.exe	140
PID 2736 wrote to memory of 4332	2736	yxugwjud4632.exe	140
PID 2736 wrote to memory of 3028	2736	yxugwjud4632.exe	111
PID 2736 wrote to memory of 3028	2736	yxugwjud4632.exe	111
PID 2736 wrote to memory of 3028	2736	yxugwjud4632.exe	111
PID 2736 wrote to memory of 2984	2736	yxugwjud4632.exe	112
PID 2736 wrote to memory of 2984	2736	yxugwjud4632.exe	112
PID 2736 wrote to memory of 2984	2736	yxugwjud4632.exe	112
PID 2736 wrote to memory of 4936	2736	yxugwjud4632.exe	113
PID 2736 wrote to memory of 4936	2736	yxugwjud4632.exe	113
PID 2736 wrote to memory of 4936	2736	yxugwjud4632.exe	113
PID 2736 wrote to memory of 4760	2736	yxugwjud4632.exe	114
PID 2736 wrote to memory of 4760	2736	yxugwjud4632.exe	114
PID 2736 wrote to memory of 4760	2736	yxugwjud4632.exe	114
PID 2736 wrote to memory of 2144	2736	yxugwjud4632.exe	115
PID 2736 wrote to memory of 2144	2736	yxugwjud4632.exe	115

C:\Users\Admin\AppData\Local\Temp\230108-mnsp1add24.exe
"C:\Users\Admin\AppData\Local\Temp\230108-mnsp1add24.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2836
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c move /y C:\Users\Admin\AppData\Local\Temp\230108-mnsp1add24.exe C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
  2⤵
  - Suspicious behavior: RenamesItself
  PID:3248
- C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
  C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -m
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2736
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2976
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2692
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:216
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4416
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4076
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2136
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1020
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3636
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3888
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3004
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1912
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:1716
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:1412
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:4876
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:4332
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:3028
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:2984
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:4936
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:4760
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:2144
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2144 -s 848
      4⤵
      Program crash
      PID:2212
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:2232
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:2544
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:4976
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:2228
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:4496
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:4012
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:4416
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:2832
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:2744
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:2180
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:4828
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:3616
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:4156
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:1268
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:796
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:3276
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:3432
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:2892
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:3684
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:4956
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:4332
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:4900
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:3036
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:2208
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:1848
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:2212
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:4032
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:3592
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:1456
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:4528
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:4944
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:1744
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:4404
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:4120
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:3792
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:3284
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:3576
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:4280
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:736
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:3520
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:2512
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:1464
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:4288
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:3068
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:4028
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:3448
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:3536
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:1944
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:2212
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:4988
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:3624
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:1136
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:3776
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:3320
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:3736
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:3800
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:1788
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:3664
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:1020
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:3200
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:5024
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:1140
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:4052
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:4528
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:1088
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:3812
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:1820
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:4132
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:668
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:628
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:1900
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:2696
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:3936
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:2484
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:8
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:3340
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:1368
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:1716
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:936
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:3016
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:2092
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:3216
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:4716
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:3940
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:4480
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:4356
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:4740
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:3104
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:4944
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:4432
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:4940
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:3984
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3984 -s 708
      4⤵
      Program crash
      PID:4136
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:208
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:4060
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:4244
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:4052
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:4208
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:1876
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:884
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:3812
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:3008
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:1380
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:2348
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:2972
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:2316
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:3488
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:540
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:4352
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:2948
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:1300
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:1456
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:408
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 408 -s 792
      4⤵
      Program crash
      PID:628
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:3364
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:1832
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:2528
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:2652
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:2028
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:4716
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:736
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:920
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:4568
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:692
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:1692
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:4660
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:4236
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:972
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:4668
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:1380
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:2180
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:1324
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:3324
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:2312
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:3320
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:2976
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:3008
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:2984
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:1964
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:1884
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:4316
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:1440
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:1624
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:5100
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:4112
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:2744
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:1780
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:604
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:4652
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:3556
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:5108
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:3184
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:1140
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:3284
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:3484
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:2560
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:4648
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:4964
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:4384
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:3796
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:2392
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:4760
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:2204
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:3924
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:4164
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:4280
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:4668
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:2076
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2076 -s 728
      4⤵
      Program crash
      PID:1260
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:2976
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:2488
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:1940
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:2892
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:1304
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:468
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:2316
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:1832
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:4860
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:3268
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:4728
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:4312
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:3864
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:3048
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:3476
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:1632
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:3276
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:4436
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:3484
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:1788
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:1992
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:3356
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:4160
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:3588
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:4668
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:3288
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:4120
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:1124
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:796
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:4740
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:4136
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:1148
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:3000
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:3816
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:4632
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:2564
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:4056
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:4212
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:1512
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:4328
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:1428
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:1368
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:1744
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:2144
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:2956
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:432
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:2536
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:1872
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:1884
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:2992
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:1244
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:3912
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:1356
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:5052
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:4048
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:3936
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:2312
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:2872
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:4208
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:2180
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:3080
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:3776
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:3720
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:1848
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:1408
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:4748
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:3812
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:1828
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:1512
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:4252
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:1688
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:1392
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:1420
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:3100
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:3324
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:3540
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:3484
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:4280
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:2616
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:1428
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:4528
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:2956
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:3500
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:1652
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:4936
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:2620
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:1160
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:1820
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:932
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:4288
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:1964
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:2996
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:1096
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:1440
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:1944
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:3320
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:3492
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:4144
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:3516
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:4044
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:408
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:5076
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:3264
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:3588
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:1936
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:3576
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:668
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:3312
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:2092
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:3728
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:4920
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:4240
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:2484
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:3268
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:3720
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:1404
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:1088
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:1408
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:396
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:808
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:4368
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:452
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:3008
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:264
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:2948
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:4332
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:3540
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:3340
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:3652
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:4936
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:4136
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:4012
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:3976
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:4184
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:2240
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:2640
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:1180
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:4208
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:3492
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:4980
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:3932
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:2200
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:4988
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:3820
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:4968
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:1412
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:1512
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1512 -s 704
      4⤵
      Program crash
      PID:1536
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:4460
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:972
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:3960
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:1736
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:2392
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:3204
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:3824
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:3864
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:3268
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:3288
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:1752
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:2996
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:1248
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:4204
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:4472
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:3816
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:4628
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:4212
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:1580
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:2040
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:1136
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:3556
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:4208
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:4836
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:3208
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:2800
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:1828
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:4984
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:3324
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:4636
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:3156
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:4980
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:4316
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:2544
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:1624
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:1368
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:4188
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:4524
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:640
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:4536
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:3204
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:3540
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:4384
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:4560
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:4268
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:3968
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:3684
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:1184
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:1780
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:1580
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:4780
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:744
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:4668
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:4224
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:2200
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:3916
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:3852
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:996
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:2832
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:1420
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:3448
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:3208
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:3320
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:1616
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:4964
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:3364
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:3984
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:4088
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:4492
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:3912
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:3008
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:560
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:3236
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:2548
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:5036
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:3540
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:4208
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:1508
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:5108
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:4020
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:5000
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:4368
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:3184
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:4288
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:4036
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:2948
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:1396
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:3824
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:988
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:4324
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:1536
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:4176
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:4748
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:1900
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:1752
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:4636
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:3208
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:1576
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:1956
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:2608
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:2492
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:3332
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:1380
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:2548
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:5024
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:3912
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:4112
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:2208
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:3520
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:1496
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:3436
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:3384
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:1392
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:4428
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:640
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:3184
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:4888
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:3860
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:1932
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:1324
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:4004
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:4964
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:3864
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:1948
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:4368
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:3636
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:1188
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:3200
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:396
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:4924
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:4396
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:764
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:3064
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:1228
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:1616
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:3584
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:2692
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:3428
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:3020
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:4416
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:2588
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:4112
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:1884
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:208
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:5064
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:4848
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:2076
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:4452
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:2196
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:1124
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:4500
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:264
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:4176
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:2552
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:3940
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:1632
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:4844
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:1148
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:808
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:1948
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:532
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:1428
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:2256
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:3900
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:3972
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:5020
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:4636
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:4668
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:4164
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:60
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:372
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:3268
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:2764
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2764 -s 708
      4⤵
      Program crash
      PID:776
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:4240
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:208
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:3980
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:4936
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:3420
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:3440
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:4204
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:2196
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:4428
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:2076
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:2228
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:2308
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:3584
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:4212
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:3956
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:1784
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:3848
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:224
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:1252
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:3236
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:3588
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:1880
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:1420
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:4140
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:972
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:3772
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:1616
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:4532
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:3668
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:372
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:3180
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:4476
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:4740
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:2544
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:1088
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:1876
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:1140
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:3980
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:4848
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:996
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:4780
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:4324
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:3372
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:4348
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:2076
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:1048
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:2956
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:3800
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:4288
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:5060
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:4388
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:3320
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:2620
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:3484
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:4632
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:5076
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:4984
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:4636
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:4280
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:4884
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:4252
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:972
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:4916
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:388
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:1544
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:1136
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:1184
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:2420
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:3648
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:3584
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:408
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:4332
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:380
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:872
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:3428
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:1992
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:1932
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:4672
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:604
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:3852
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:4132
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:3020
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:4924
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:3340
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:1692
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:2200
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:1420
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:2872
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:836
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:3172
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:3816
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:2228
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:4536
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:1848
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:972
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:548
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:2108
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:2196
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:3928
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:1472
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:464
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:4212
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:1400
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:1700
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:3576
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:4112
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:4288
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:4728
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:3288
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:3912
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:2956
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:1016
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:2608
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:1048
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:3432
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:4908
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:3844
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:836
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:436
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:1188
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:4160
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:2544
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:4532
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:3208
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:1972
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:3364
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:3616
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:1628
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:1420
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:3776
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:3236
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:1892
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:2288
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:4000
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:1936
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:2108
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:972
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:4432
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:4280
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:3908
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:3316
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:872
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:3864
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:1716
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:3812
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:4676
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:4180
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:2564
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:3448
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:4756
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:2796
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2796 -s 624
      4⤵
      Program crash
      PID:3068
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:1188
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:3940
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:4632
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:4448
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:3292
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:224
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:4472
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:3964
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:4344
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:3252
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:3208
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:2492
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:3972
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:1472
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:4868
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:4348
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:3372
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:1536
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:2812
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:4296
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:4184
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:1456
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:3908
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:4112
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:3476
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:1300
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:3164
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:1956
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:3056
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:388
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:2584
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:3872
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:2836
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:1408
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:2764
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:3156
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:3516
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:1152
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:1496
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:4040
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:3568
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:4660
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:4908
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:1948
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:4936
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:1204
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:2488
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:372
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:2832
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud4632.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:3732

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4304

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2144 -ip 2144
1⤵
PID:1296

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
- Drops file in Windows directory
- Modifies registry class
PID:4220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3984 -ip 3984
1⤵
PID:920

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:2212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 408 -ip 408
1⤵
PID:3800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 2076 -ip 2076
1⤵
PID:4140

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 1512 -ip 1512
1⤵
PID:3852

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 2764 -ip 2764
1⤵
PID:3612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 2796 -ip 2796
1⤵
PID:936

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:3912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\Caches\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000002.db.locked

Filesize
289KB

MD5
02e6ae48b21fa72e75343d2575f848ab

SHA1
6d10a01b70784d5ba07480b18429e3dba2f8e2d5

SHA256
d28f28448b8a17e19f09c65471e3b176216b614b8cdd58340629e75f8d9251e7

SHA512
456394d4bd496a2b9d18b03a94ea2f29f46ffdb8018ca1bd6da55ca7dcb0953a1ae112a489ed73d1b9b0feebd0241337a5285beed8ae4eade0b0a827c4aa6fcc

Download Submit
C:\ProgramData\Microsoft\Windows\Caches\{B8885398-8BAD-41F1-86E1-CBE23D19A5D8}.2.ver0x0000000000000001.db.locked

Filesize
1KB

MD5
f857959330b2fad58a3d1737a8bacc48

SHA1
c84a22e5bf4013723290c64000604e03f9652134

SHA256
c9875fa45ea154346f5b77805715326052573d45fd1499e3b7f2e6301f52f083

SHA512
ba0fcb8238ac0f26d72bba25f29a4795f2246319fd1a8182433c02fb33649d8c4e4367589a94fb9fbbda75c17a0e4aa34a04616c1c4a0b25b995eddc88bd0cd8

Download Submit
C:\ProgramData\Microsoft\Windows\Caches\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000001.db.locked

Filesize
623KB

MD5
32a1c73506f363dd0cb1c4fc362835fc

SHA1
432fa9e9229e99b0081cdaed2c611a6e22349018

SHA256
1ac75eb9b86f24950b3721e35774837026ed8cbf33906500dbca82f9b81cd1dd

SHA512
7e847a8fdb4170095afb33b3c7ce6e18e69b44d4ee2f71ce34f6c5607c312234551e0e7073c64aa5cf28d1f8c9abf476fc2994cfc7e00fb4516c12821485fc30

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_48.db

Filesize
1024KB

MD5
ccdd7051f9067d00b98a4e5e2d4076f7

SHA1
cab1891c826f9bff0857db6137fa2bdd20573273

SHA256
398c2fcd8b2930167f53aad38b27300ca7b7708783ebcdcd9a3d40008da57626

SHA512
5c60a17bf3237e95f995eee43bb59c5008dfc7e86f75cfe90cada4eb5f3cf4e6d3c6c774063ec587480c8e23890a08ab73ab1bf98125354d81f2ec2ca238f92e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db

Filesize
7KB

MD5
624f1772c59b029aaadde33de03bb52a

SHA1
d763d1da461597ff18ade2fc1b9b40f9e4c0d210

SHA256
591391fec4aa162c417c1c7feb47b13eb21763aca01026f37f6f253bd2958fb5

SHA512
f25dd3220fd6bcb19f76248f09ab2b93177fd996d5995068d2a55885ac864964c75dfbd09f5694438efc0bf8402a005d0e44267f2930f6152b8337ebc2f6fcd8

Download Submit
C:\Users\Public\Desktop\README_LOCKED.txt

Filesize
1KB

MD5
bf41f65f8a5b7c27752368238ea18595

SHA1
4bbe26657dbfc8d5e57d2dbcf3d7f987094a8dbb

SHA256
544779e2ee93f79d33708e37f1b07817d5427f70895ce9c440125f2631acdf53

SHA512
3864ff7d0cd5e9f3c8425da83970d0e27b9e97c6d32b6159b6330367f1fa0daca2d1b2d169f417563827440020c99e983d6166b3aec845720140fc4ac3674335

Download Submit