e7ccb818b4b93a355302324a6abfedc99d38aa6db3464a3fbcce0b7903b06032

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
27-04-2024 02:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

022e4768ba89476aa337f533e80fa0f0_JaffaCakes118.exe
Size

262KB
MD5

022e4768ba89476aa337f533e80fa0f0
SHA1

259682aee68710e452c0136920991dd71bc54b80
SHA256

e7ccb818b4b93a355302324a6abfedc99d38aa6db3464a3fbcce0b7903b06032
SHA512

fa2f6568350a114f35c0a5d2b00dd6bec93f6d4cc08e48a32b5b9e27fa58e9a3ef27c3c26b422b341a2affc891ec412791ac9b4516dac8adaaa6245ea2b86f07
SSDEEP

6144:MdZU6ZyznmkfANv494D83X5DAzMUVOv0KEEMHHEMH:Ka6Z+nmkfANv494D83X28nMEM

Score

7^/10

persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\Control Panel\International\Geo\Nation	wmisecure64.exe

Deletes itself 1 IoCs

pid	Process
4676	Objects.exe

Executes dropped EXE 64 IoCs

pid	Process
4676	Objects.exe
2484	wmiintegrator.exe
2204	wmihostwin.exe
2408	wmimic.exe
4308	wmisecure.exe
228	wmisecure64.exe
4112	wmisecure.exe
212	wmisecure64.exe
2508	wmisecure.exe
2324	wmisecure64.exe
4148	wmisecure.exe
3940	wmisecure64.exe
3224	wmisecure.exe
2368	wmisecure64.exe
4400	wmisecure.exe
4408	wmisecure64.exe
4472	wmisecure.exe
4116	wmisecure64.exe
2376	wmisecure.exe
4716	wmisecure64.exe
3700	wmisecure.exe
4240	wmisecure64.exe
2544	wmisecure.exe
3544	wmisecure64.exe
1668	wmisecure.exe
4760	wmisecure64.exe
4044	wmisecure64.exe
1384	wmisecure.exe
3228	wmisecure.exe
4736	wmisecure64.exe
4544	wmisecure.exe
3336	wmisecure64.exe
5024	wmisecure.exe
3944	wmisecure64.exe
4112	wmisecure.exe
4148	wmisecure64.exe
3056	wmisecure.exe
3304	wmisecure64.exe
1276	wmisecure.exe
3156	wmisecure64.exe
2792	wmisecure.exe
392	wmisecure64.exe
4720	wmisecure.exe
2912	wmisecure64.exe
2896	wmisecure.exe
952	wmisecure64.exe
1756	wmisecure.exe
1148	wmisecure64.exe
4624	wmisecure.exe
3972	wmisecure64.exe
4464	wmisecure.exe
1668	wmisecure64.exe
916	wmisecure64.exe
3716	wmisecure.exe
3624	wmisecure.exe
4548	wmisecure64.exe
456	wmisecure.exe
3800	wmisecure64.exe
4360	wmisecure.exe
4536	wmisecure64.exe
1632	wmisecure.exe
2316	wmisecure64.exe
3756	wmisecure.exe
2876	wmisecure64.exe

Adds Run key to start application 2 TTPs 29 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KeybordDriver = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows Objects\\wmimic.exe\" winstart"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KeybordDriver = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows Objects\\wmimic.exe\" winstart"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KeybordDriver = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows Objects\\wmimic.exe\" winstart"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KeybordDriver = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows Objects\\wmimic.exe\" winstart"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KeybordDriver = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows Objects\\wmimic.exe\" winstart"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KeybordDriver = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows Objects\\wmimic.exe\" winstart"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KeybordDriver = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows Objects\\wmimic.exe\" winstart"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KeybordDriver = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows Objects\\wmimic.exe\" winstart"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KeybordDriver = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows Objects\\wmimic.exe\" winstart"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KeybordDriver = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows Objects\\wmimic.exe\" winstart"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KeybordDriver = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows Objects\\wmimic.exe\" winstart"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KeybordDriver = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows Objects\\wmimic.exe\" winstart"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KeybordDriver = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows Objects\\wmimic.exe\" winstart"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KeybordDriver = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows Objects\\wmimic.exe\" winstart"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KeybordDriver = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows Objects\\wmimic.exe\" winstart"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KeybordDriver = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows Objects\\wmimic.exe\" winstart"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KeybordDriver = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows Objects\\wmimic.exe\" winstart"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KeybordDriver = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows Objects\\wmimic.exe\" winstart"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KeybordDriver = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows Objects\\wmimic.exe\" winstart"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KeybordDriver = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows Objects\\wmimic.exe\" winstart"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KeybordDriver = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows Objects\\wmimic.exe\" winstart"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KeybordDriver = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows Objects\\wmimic.exe\" winstart"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KeybordDriver = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows Objects\\wmimic.exe\" winstart"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KeybordDriver = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows Objects\\wmimic.exe\" winstart"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KeybordDriver = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows Objects\\wmimic.exe\" winstart"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KeybordDriver = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows Objects\\wmimic.exe\" winstart"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KeybordDriver = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows Objects\\wmimic.exe\" winstart"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KeybordDriver = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows Objects\\wmimic.exe\" winstart"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KeybordDriver = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows Objects\\wmimic.exe\" winstart"	reg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000_Classes\Local Settings	Objects.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
376	022e4768ba89476aa337f533e80fa0f0_JaffaCakes118.exe
376	022e4768ba89476aa337f533e80fa0f0_JaffaCakes118.exe
376	022e4768ba89476aa337f533e80fa0f0_JaffaCakes118.exe
376	022e4768ba89476aa337f533e80fa0f0_JaffaCakes118.exe
376	022e4768ba89476aa337f533e80fa0f0_JaffaCakes118.exe
376	022e4768ba89476aa337f533e80fa0f0_JaffaCakes118.exe
376	022e4768ba89476aa337f533e80fa0f0_JaffaCakes118.exe
376	022e4768ba89476aa337f533e80fa0f0_JaffaCakes118.exe
376	022e4768ba89476aa337f533e80fa0f0_JaffaCakes118.exe
376	022e4768ba89476aa337f533e80fa0f0_JaffaCakes118.exe
376	022e4768ba89476aa337f533e80fa0f0_JaffaCakes118.exe
376	022e4768ba89476aa337f533e80fa0f0_JaffaCakes118.exe
4676	Objects.exe
4676	Objects.exe
2484	wmiintegrator.exe
2484	wmiintegrator.exe
2484	wmiintegrator.exe
2484	wmiintegrator.exe
2204	wmihostwin.exe
2204	wmihostwin.exe
2484	wmiintegrator.exe
2484	wmiintegrator.exe
2204	wmihostwin.exe
2204	wmihostwin.exe
2204	wmihostwin.exe
2204	wmihostwin.exe
2484	wmiintegrator.exe
2484	wmiintegrator.exe
2408	wmimic.exe
2408	wmimic.exe
2408	wmimic.exe
2408	wmimic.exe
2484	wmiintegrator.exe
2484	wmiintegrator.exe
2204	wmihostwin.exe
2204	wmihostwin.exe
2204	wmihostwin.exe
2204	wmihostwin.exe
2484	wmiintegrator.exe
2484	wmiintegrator.exe
2408	wmimic.exe
2408	wmimic.exe
2408	wmimic.exe
2408	wmimic.exe
2484	wmiintegrator.exe
2484	wmiintegrator.exe
2204	wmihostwin.exe
2204	wmihostwin.exe
2408	wmimic.exe
2408	wmimic.exe
2484	wmiintegrator.exe
2484	wmiintegrator.exe
2204	wmihostwin.exe
2204	wmihostwin.exe
2408	wmimic.exe
2408	wmimic.exe
2204	wmihostwin.exe
2204	wmihostwin.exe
2484	wmiintegrator.exe
2484	wmiintegrator.exe
2408	wmimic.exe
2408	wmimic.exe
2408	wmimic.exe
2408	wmimic.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 376 wrote to memory of 4676	376	022e4768ba89476aa337f533e80fa0f0_JaffaCakes118.exe	85
PID 376 wrote to memory of 4676	376	022e4768ba89476aa337f533e80fa0f0_JaffaCakes118.exe	85
PID 376 wrote to memory of 4676	376	022e4768ba89476aa337f533e80fa0f0_JaffaCakes118.exe	85
PID 4676 wrote to memory of 2484	4676	Objects.exe	86
PID 4676 wrote to memory of 2484	4676	Objects.exe	86
PID 4676 wrote to memory of 2484	4676	Objects.exe	86
PID 2484 wrote to memory of 2204	2484	wmiintegrator.exe	88
PID 2484 wrote to memory of 2204	2484	wmiintegrator.exe	88
PID 2484 wrote to memory of 2204	2484	wmiintegrator.exe	88
PID 2204 wrote to memory of 2408	2204	wmihostwin.exe	89
PID 2204 wrote to memory of 2408	2204	wmihostwin.exe	89
PID 2204 wrote to memory of 2408	2204	wmihostwin.exe	89
PID 2408 wrote to memory of 4308	2408	wmimic.exe	90
PID 2408 wrote to memory of 4308	2408	wmimic.exe	90
PID 2408 wrote to memory of 4308	2408	wmimic.exe	90
PID 2408 wrote to memory of 228	2408	wmimic.exe	91
PID 2408 wrote to memory of 228	2408	wmimic.exe	91
PID 2408 wrote to memory of 228	2408	wmimic.exe	91
PID 228 wrote to memory of 4008	228	wmisecure64.exe	93
PID 228 wrote to memory of 4008	228	wmisecure64.exe	93
PID 228 wrote to memory of 4008	228	wmisecure64.exe	93
PID 228 wrote to memory of 3400	228	wmisecure64.exe	95
PID 228 wrote to memory of 3400	228	wmisecure64.exe	95
PID 228 wrote to memory of 3400	228	wmisecure64.exe	95
PID 228 wrote to memory of 2308	228	wmisecure64.exe	97
PID 228 wrote to memory of 2308	228	wmisecure64.exe	97
PID 228 wrote to memory of 2308	228	wmisecure64.exe	97
PID 228 wrote to memory of 4928	228	wmisecure64.exe	99
PID 228 wrote to memory of 4928	228	wmisecure64.exe	99
PID 228 wrote to memory of 4928	228	wmisecure64.exe	99
PID 2408 wrote to memory of 4112	2408	wmimic.exe	101
PID 2408 wrote to memory of 4112	2408	wmimic.exe	101
PID 2408 wrote to memory of 4112	2408	wmimic.exe	101
PID 2408 wrote to memory of 212	2408	wmimic.exe	102
PID 2408 wrote to memory of 212	2408	wmimic.exe	102
PID 2408 wrote to memory of 212	2408	wmimic.exe	102
PID 2408 wrote to memory of 2508	2408	wmimic.exe	103
PID 2408 wrote to memory of 2508	2408	wmimic.exe	103
PID 2408 wrote to memory of 2508	2408	wmimic.exe	103
PID 2408 wrote to memory of 2324	2408	wmimic.exe	104
PID 2408 wrote to memory of 2324	2408	wmimic.exe	104
PID 2408 wrote to memory of 2324	2408	wmimic.exe	104
PID 2408 wrote to memory of 4148	2408	wmimic.exe	105
PID 2408 wrote to memory of 4148	2408	wmimic.exe	105
PID 2408 wrote to memory of 4148	2408	wmimic.exe	105
PID 2408 wrote to memory of 3940	2408	wmimic.exe	106
PID 2408 wrote to memory of 3940	2408	wmimic.exe	106
PID 2408 wrote to memory of 3940	2408	wmimic.exe	106
PID 2408 wrote to memory of 3224	2408	wmimic.exe	107
PID 2408 wrote to memory of 3224	2408	wmimic.exe	107
PID 2408 wrote to memory of 3224	2408	wmimic.exe	107
PID 2408 wrote to memory of 2368	2408	wmimic.exe	108
PID 2408 wrote to memory of 2368	2408	wmimic.exe	108
PID 2408 wrote to memory of 2368	2408	wmimic.exe	108
PID 228 wrote to memory of 3808	228	wmisecure64.exe	109
PID 228 wrote to memory of 3808	228	wmisecure64.exe	109
PID 228 wrote to memory of 3808	228	wmisecure64.exe	109
PID 2408 wrote to memory of 4400	2408	wmimic.exe	111
PID 2408 wrote to memory of 4400	2408	wmimic.exe	111
PID 2408 wrote to memory of 4400	2408	wmimic.exe	111
PID 2408 wrote to memory of 4408	2408	wmimic.exe	112
PID 2408 wrote to memory of 4408	2408	wmimic.exe	112
PID 2408 wrote to memory of 4408	2408	wmimic.exe	112
PID 2408 wrote to memory of 4472	2408	wmimic.exe	113

C:\Users\Admin\AppData\Local\Temp\022e4768ba89476aa337f533e80fa0f0_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\022e4768ba89476aa337f533e80fa0f0_JaffaCakes118.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:376
- C:\Users\Admin\AppData\Roaming\Objects.exe
  "C:\Users\Admin\AppData\Roaming\Objects.exe" C:\Users\Admin\AppData\Local\Temp\022e4768ba89476aa337f533e80fa0f0_JaffaCakes118.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4676
- - C:\Users\Admin\AppData\Roaming\Windows Objects\wmiintegrator.exe
    "C:\Users\Admin\AppData\Roaming\Windows Objects\wmiintegrator.exe" unk
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2484
  - - C:\Users\Admin\AppData\Roaming\Windows Objects\wmihostwin.exe
      "C:\Users\Admin\AppData\Roaming\Windows Objects\wmihostwin.exe" unk2
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2204
    - - C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe" unk3
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2408
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe" execute
        6⤵
        Executes dropped EXE
        
        PID:4308
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe" autorun
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:228
        
        C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        7⤵
        Adds Run key to start application
        
        PID:4008
        
        C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        7⤵
        Adds Run key to start application
        
        PID:3400
        
        C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        7⤵
        Adds Run key to start application
        
        PID:2308
        
        C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        7⤵
        Adds Run key to start application
        
        PID:4928
        
        C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        7⤵
        Adds Run key to start application
        
        PID:3808
        
        C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        7⤵
        Adds Run key to start application
        
        PID:2496
        
        C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        7⤵
        Adds Run key to start application
        
        PID:3420
        
        C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        7⤵
        Adds Run key to start application
        
        PID:4484
        
        C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        7⤵
        Adds Run key to start application
        
        PID:4516
        
        C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        7⤵
        Adds Run key to start application
        
        PID:5024
        
        C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        7⤵
        Adds Run key to start application
        
        PID:1976
        
        C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        7⤵
        Adds Run key to start application
        
        PID:4244
        
        C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        7⤵
        Adds Run key to start application
        
        PID:4544
        
        C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        7⤵
        Adds Run key to start application
        
        PID:4876
        
        C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        7⤵
        Adds Run key to start application
        
        PID:2692
        
        C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        7⤵
        Adds Run key to start application
        
        PID:8
        
        C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        7⤵
        Adds Run key to start application
        
        PID:3956
        
        C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        7⤵
        Adds Run key to start application
        
        PID:2240
        
        C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        7⤵
        Adds Run key to start application
        
        PID:3680
        
        C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        7⤵
        Adds Run key to start application
        
        PID:768
        
        C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        7⤵
        Adds Run key to start application
        
        PID:3004
        
        C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        7⤵
        Adds Run key to start application
        
        PID:1496
        
        C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        7⤵
        Adds Run key to start application
        
        PID:4112
        
        C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        7⤵
        Adds Run key to start application
        
        PID:4704
        
        C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        7⤵
        Adds Run key to start application
        
        PID:1796
        
        C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        7⤵
        Adds Run key to start application
        
        PID:4432
        
        C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        7⤵
        Adds Run key to start application
        
        PID:2296
        
        C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        7⤵
        Adds Run key to start application
        
        PID:4244
        
        C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "KeybordDriver" /t REG_SZ /d "\"C:\Users\Admin\AppData\Roaming\Windows Objects\wmimic.exe\" winstart" /f
        7⤵
        Adds Run key to start application
        
        PID:2460
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe" execute
        6⤵
        Executes dropped EXE
        
        PID:4112
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe" autorun
        6⤵
        Executes dropped EXE
        
        PID:212
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe" execute
        6⤵
        Executes dropped EXE
        
        PID:2508
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe" autorun
        6⤵
        Executes dropped EXE
        
        PID:2324
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe" execute
        6⤵
        Executes dropped EXE
        
        PID:4148
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe" autorun
        6⤵
        Executes dropped EXE
        
        PID:3940
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe" execute
        6⤵
        Executes dropped EXE
        
        PID:3224
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe" autorun
        6⤵
        Executes dropped EXE
        
        PID:2368
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe" execute
        6⤵
        Executes dropped EXE
        
        PID:4400
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe" autorun
        6⤵
        Executes dropped EXE
        
        PID:4408
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe" execute
        6⤵
        Executes dropped EXE
        
        PID:4472
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe" autorun
        6⤵
        Executes dropped EXE
        
        PID:4116
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe" execute
        6⤵
        Executes dropped EXE
        
        PID:2376
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe" autorun
        6⤵
        Executes dropped EXE
        
        PID:4716
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe" execute
        6⤵
        Executes dropped EXE
        
        PID:3700
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe" autorun
        6⤵
        Executes dropped EXE
        
        PID:4240
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe" execute
        6⤵
        Executes dropped EXE
        
        PID:2544
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe" autorun
        6⤵
        Executes dropped EXE
        
        PID:3544
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe" execute
        6⤵
        Executes dropped EXE
        
        PID:1668
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe" autorun
        6⤵
        Executes dropped EXE
        
        PID:4760
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe" execute
        6⤵
        Executes dropped EXE
        
        PID:1384
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe" autorun
        6⤵
        Executes dropped EXE
        
        PID:4044
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe" execute
        6⤵
        Executes dropped EXE
        
        PID:3228
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe" autorun
        6⤵
        Executes dropped EXE
        
        PID:4736
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe" execute
        6⤵
        Executes dropped EXE
        
        PID:4544
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe" autorun
        6⤵
        Executes dropped EXE
        
        PID:3336
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe" execute
        6⤵
        Executes dropped EXE
        
        PID:5024
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe" autorun
        6⤵
        Executes dropped EXE
        
        PID:3944
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe" execute
        6⤵
        Executes dropped EXE
        
        PID:4112
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe" autorun
        6⤵
        Executes dropped EXE
        
        PID:4148
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe" execute
        6⤵
        Executes dropped EXE
        
        PID:3056
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe" autorun
        6⤵
        Executes dropped EXE
        
        PID:3304
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe" execute
        6⤵
        Executes dropped EXE
        
        PID:1276
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe" autorun
        6⤵
        Executes dropped EXE
        
        PID:3156
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe" execute
        6⤵
        Executes dropped EXE
        
        PID:2792
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe" autorun
        6⤵
        Executes dropped EXE
        
        PID:392
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe" execute
        6⤵
        Executes dropped EXE
        
        PID:4720
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe" autorun
        6⤵
        Executes dropped EXE
        
        PID:2912
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe" execute
        6⤵
        Executes dropped EXE
        
        PID:2896
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe" autorun
        6⤵
        Executes dropped EXE
        
        PID:952
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe" execute
        6⤵
        Executes dropped EXE
        
        PID:1756
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe" autorun
        6⤵
        Executes dropped EXE
        
        PID:1148
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe" execute
        6⤵
        Executes dropped EXE
        
        PID:4624
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe" autorun
        6⤵
        Executes dropped EXE
        
        PID:3972
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe" execute
        6⤵
        Executes dropped EXE
        
        PID:4464
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe" autorun
        6⤵
        Executes dropped EXE
        
        PID:1668
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe" execute
        6⤵
        Executes dropped EXE
        
        PID:3716
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe" autorun
        6⤵
        Executes dropped EXE
        
        PID:916
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe" execute
        6⤵
        Executes dropped EXE
        
        PID:3624
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe" autorun
        6⤵
        Executes dropped EXE
        
        PID:4548
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe" execute
        6⤵
        Executes dropped EXE
        
        PID:456
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe" autorun
        6⤵
        Executes dropped EXE
        
        PID:3800
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe" execute
        6⤵
        Executes dropped EXE
        
        PID:4360
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe" autorun
        6⤵
        Executes dropped EXE
        
        PID:4536
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe" execute
        6⤵
        Executes dropped EXE
        
        PID:1632
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe" autorun
        6⤵
        Executes dropped EXE
        
        PID:2316
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe" execute
        6⤵
        Executes dropped EXE
        
        PID:3756
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe" autorun
        6⤵
        Executes dropped EXE
        
        PID:2876
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe" execute
        6⤵
        
        PID:4572
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe" autorun
        6⤵
        
        PID:4240
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe" execute
        6⤵
        
        PID:4112
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe" autorun
        6⤵
        
        PID:1276
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe" execute
        6⤵
        
        PID:1856
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe" autorun
        6⤵
        
        PID:2792
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe" execute
        6⤵
        
        PID:1940
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe" autorun
        6⤵
        
        PID:4656
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe" execute
        6⤵
        
        PID:2692
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe" autorun
        6⤵
        
        PID:3372
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe" execute
        6⤵
        
        PID:3444
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe" autorun
        6⤵
        
        PID:1428
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe" execute
        6⤵
        
        PID:780
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe" autorun
        6⤵
        
        PID:1964
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe" execute
        6⤵
        
        PID:2464
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe" autorun
        6⤵
        
        PID:2996
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe" execute
        6⤵
        
        PID:4284
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe" autorun
        6⤵
        
        PID:3452
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe" execute
        6⤵
        
        PID:2072
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe" autorun
        6⤵
        
        PID:4000
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe" execute
        6⤵
        
        PID:4468
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe" autorun
        6⤵
        
        PID:696
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe" execute
        6⤵
        
        PID:4116
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe" autorun
        6⤵
        
        PID:2736
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe" execute
        6⤵
        
        PID:4312
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe" autorun
        6⤵
        
        PID:3252
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe" execute
        6⤵
        
        PID:3636
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe" autorun
        6⤵
        
        PID:3688
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe" execute
        6⤵
        
        PID:4252
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe" autorun
        6⤵
        
        PID:4876
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe" execute
        6⤵
        
        PID:3680
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe" autorun
        6⤵
        
        PID:2184
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe" execute
        6⤵
        
        PID:1148
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe" autorun
        6⤵
        
        PID:4624
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe" execute
        6⤵
        
        PID:2288
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe" autorun
        6⤵
        
        PID:3440
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe" execute
        6⤵
        
        PID:1428
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe" autorun
        6⤵
        
        PID:3272
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe" execute
        6⤵
        
        PID:2940
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe" autorun
        6⤵
        
        PID:116
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe" execute
        6⤵
        
        PID:700
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe" autorun
        6⤵
        
        PID:1992
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe" execute
        6⤵
        
        PID:3956
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe" autorun
        6⤵
        
        PID:820
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe" execute
        6⤵
        
        PID:3984
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe" autorun
        6⤵
        
        PID:3448
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe" execute
        6⤵
        
        PID:4440
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe" autorun
        6⤵
        
        PID:2904
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe" execute
        6⤵
        
        PID:3004
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe" autorun
        6⤵
        
        PID:2948
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe" execute
        6⤵
        
        PID:4912
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe" autorun
        6⤵
        
        PID:2880
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe" execute
        6⤵
        
        PID:3944
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe" autorun
        6⤵
        
        PID:696
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe" execute
        6⤵
        
        PID:1948
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe" autorun
        6⤵
        
        PID:3404
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe" execute
        6⤵
        
        PID:4852
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe" autorun
        6⤵
        
        PID:2792
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe" execute
        6⤵
        
        PID:2196
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe" autorun
        6⤵
        
        PID:3640
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe" execute
        6⤵
        
        PID:3684
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe" autorun
        6⤵
        
        PID:4744
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe" execute
        6⤵
        
        PID:872
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe" autorun
        6⤵
        
        PID:4184
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe" execute
        6⤵
        
        PID:3032
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe" autorun
        6⤵
        
        PID:1108
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe" execute
        6⤵
        
        PID:4380
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe" autorun
        6⤵
        
        PID:3400
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe" execute
        6⤵
        
        PID:3440
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe" autorun
        6⤵
        
        PID:3420
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe" execute
        6⤵
        
        PID:3204
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe" autorun
        6⤵
        
        PID:4712
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe" execute
        6⤵
        
        PID:4532
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe" autorun
        6⤵
        
        PID:4436
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe" execute
        6⤵
        
        PID:2376
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe" autorun
        6⤵
        
        PID:4716
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe" execute
        6⤵
        
        PID:2100
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe" autorun
        6⤵
        
        PID:1720
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe" execute
        6⤵
        
        PID:1632
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe" autorun
        6⤵
        
        PID:2072
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe" execute
        6⤵
        
        PID:408
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe" autorun
        6⤵
        
        PID:1672
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe" execute
        6⤵
        
        PID:2812
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe" autorun
        6⤵
        
        PID:568
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe" execute
        6⤵
        
        PID:1968
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe" autorun
        6⤵
        
        PID:3328
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe" execute
        6⤵
        
        PID:2896
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe" autorun
        6⤵
        
        PID:652
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe" execute
        6⤵
        
        PID:4308
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe" autorun
        6⤵
        
        PID:3860
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe" execute
        6⤵
        
        PID:1244
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe" autorun
        6⤵
        
        PID:4664
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe" execute
        6⤵
        
        PID:1728
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe" autorun
        6⤵
        
        PID:5040
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe" execute
        6⤵
        
        PID:1336
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe" autorun
        6⤵
        
        PID:2416
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe" execute
        6⤵
        
        PID:4856
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe" autorun
        6⤵
        
        PID:2384
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe" execute
        6⤵
        
        PID:1108
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe" autorun
        6⤵
        
        PID:3420
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe" execute
        6⤵
        
        PID:3664
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe" autorun
        6⤵
        
        PID:2368
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe" execute
        6⤵
        
        PID:4704
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe" autorun
        6⤵
        
        PID:4488
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe" execute
        6⤵
        
        PID:4016
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe" autorun
        6⤵
        
        PID:4468
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe" execute
        6⤵
        
        PID:4008
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe" autorun
        6⤵
        
        PID:452
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe" execute
        6⤵
        
        PID:4716
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe" autorun
        6⤵
        
        PID:696
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe" execute
        6⤵
        
        PID:1856
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe" autorun
        6⤵
        
        PID:4332
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe" execute
        6⤵
        
        PID:1404
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe" autorun
        6⤵
        
        PID:4916
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe" execute
        6⤵
        
        PID:4272
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe" autorun
        6⤵
        
        PID:4656
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe" execute
        6⤵
        
        PID:568
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe" autorun
        6⤵
        
        PID:412
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe" execute
        6⤵
        
        PID:1988
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe" autorun
        6⤵
        
        PID:3804
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe" execute
        6⤵
        
        PID:2696
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe" autorun
        6⤵
        
        PID:4172
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe" execute
        6⤵
        
        PID:3500
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe" autorun
        6⤵
        
        PID:3572
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe" execute
        6⤵
        
        PID:4496
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe" autorun
        6⤵
        
        PID:2308
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe" execute
        6⤵
        
        PID:2972
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe" autorun
        6⤵
        
        PID:2084
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe" execute
        6⤵
        
        PID:2500
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe" autorun
        6⤵
        
        PID:3668
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe" execute
        6⤵
        
        PID:2268
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe" autorun
        6⤵
        
        PID:964
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe" execute
        6⤵
        
        PID:4712
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe" autorun
        6⤵
        
        PID:1560
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe" execute
        6⤵
        
        PID:4856
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe" autorun
        6⤵
        
        PID:1728
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe" execute
        6⤵
        
        PID:2232
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe" autorun
        6⤵
        
        PID:1580
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe" execute
        6⤵
        
        PID:2644
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe" autorun
        6⤵
        
        PID:1640
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe" execute
        6⤵
        
        PID:2368
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe" autorun
        6⤵
        
        PID:452
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe" execute
        6⤵
        
        PID:4540
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe" autorun
        6⤵
        
        PID:5064
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe" execute
        6⤵
        
        PID:4876
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe" autorun
        6⤵
        
        PID:4044
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe" execute
        6⤵
        
        PID:2300
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe" autorun
        6⤵
        
        PID:2184
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe" execute
        6⤵
        
        PID:3188
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe" autorun
        6⤵
        
        PID:3336
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe" execute
        6⤵
        
        PID:3172
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe" autorun
        6⤵
        
        PID:1948
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe" execute
        6⤵
        
        PID:2504
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe" autorun
        6⤵
        
        PID:3504
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe" execute
        6⤵
        
        PID:4696
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe" autorun
        6⤵
        
        PID:4740
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe" execute
        6⤵
        
        PID:4140
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe" autorun
        6⤵
        
        PID:1428
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe" execute
        6⤵
        
        PID:4404
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe" autorun
        6⤵
        
        PID:3272
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe" execute
        6⤵
        
        PID:1992
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe" autorun
        6⤵
        
        PID:3184
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe" execute
        6⤵
        
        PID:3980
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe" autorun
        6⤵
        
        PID:3244
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe" execute
        6⤵
        
        PID:3368
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe" autorun
        6⤵
        
        PID:3204
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe" execute
        6⤵
        
        PID:4620
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe" autorun
        6⤵
        
        PID:3556
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe" execute
        6⤵
        
        PID:3704
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe" autorun
        6⤵
        
        PID:4244
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe" execute
        6⤵
        
        PID:4000
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe" autorun
        6⤵
        
        PID:3436
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe" execute
        6⤵
        
        PID:3756
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe" autorun
        6⤵
        
        PID:3708
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe" execute
        6⤵
        
        PID:404
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe" autorun
        6⤵
        
        PID:3600
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe" execute
        6⤵
        
        PID:4108
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe" autorun
        6⤵
        
        PID:1964
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe" execute
        6⤵
        
        PID:4700
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe" autorun
        6⤵
        
        PID:3880
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe" execute
        6⤵
        
        PID:1784
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe" autorun
        6⤵
        
        PID:5064
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe" execute
        6⤵
        
        PID:1584
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe" autorun
        6⤵
        
        PID:1092
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe" execute
        6⤵
        
        PID:1988
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe" autorun
        6⤵
        
        PID:1244
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe" execute
        6⤵
        
        PID:880
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe" autorun
        6⤵
        
        PID:3176
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe" execute
        6⤵
        
        PID:4308
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe" autorun
        6⤵
        
        PID:3884
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe" execute
        6⤵
        
        PID:2400
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe" autorun
        6⤵
        
        PID:4376
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe" execute
        6⤵
        
        PID:4992
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe" autorun
        6⤵
        
        PID:988
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe" execute
        6⤵
        
        PID:3512
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe" autorun
        6⤵
        
        PID:3260
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe" execute
        6⤵
        
        PID:4380
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe" autorun
        6⤵
        
        PID:1688
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe" execute
        6⤵
        
        PID:3124
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe" autorun
        6⤵
        
        PID:400
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe" execute
        6⤵
        
        PID:3448
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe" autorun
        6⤵
        
        PID:3080
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe" execute
        6⤵
        
        PID:3920
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe" autorun
        6⤵
        
        PID:2544
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe" execute
        6⤵
        
        PID:1620
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe" autorun
        6⤵
        
        PID:4084
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe" execute
        6⤵
        
        PID:3620
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe" autorun
        6⤵
        
        PID:2232
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe" execute
        6⤵
        
        PID:3868
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe" autorun
        6⤵
        
        PID:1604
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe" execute
        6⤵
        
        PID:3968
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe" autorun
        6⤵
        
        PID:2644
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe" execute
        6⤵
        
        PID:2604
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe" autorun
        6⤵
        
        PID:3972
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe" execute
        6⤵
        
        PID:2368
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe" autorun
        6⤵
        
        PID:2184
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe" execute
        6⤵
        
        PID:2792
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe" autorun
        6⤵
        
        PID:1624
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe" execute
        6⤵
        
        PID:1088
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe" autorun
        6⤵
        
        PID:3624
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe" execute
        6⤵
        
        PID:1352
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe" autorun
        6⤵
        
        PID:3616
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe" execute
        6⤵
        
        PID:2032
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe" autorun
        6⤵
        
        PID:4356
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe" execute
        6⤵
        
        PID:956
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe" autorun
        6⤵
        
        PID:4496
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe" execute
        6⤵
        
        PID:4536
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe" autorun
        6⤵
        
        PID:2500
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe" execute
        6⤵
        
        PID:3884
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe" autorun
        6⤵
        
        PID:3556
      - C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe" execute
        6⤵
        
        PID:2096

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\wmisecure.exe.log

Filesize
128B

MD5
a5dcc7c9c08af7dddd82be5b036a4416

SHA1
4f998ca1526d199e355ffb435bae111a2779b994

SHA256
e24033ceec97fd03402b03acaaabd1d1e378e83bb1683afbccac760e00f8ead5

SHA512
56035de734836c0c39f0b48641c51c26adb6e79c6c65e23ca96603f71c95b8673e2ef853146e87efc899dd1878d0bbc2c82d91fbf0fce81c552048e986f9bb5a

Download Submit
C:\Users\Admin\AppData\Roaming\Objects.exe

Filesize
262KB

MD5
09c828cd86c64e2c6ee84a7cb01ea896

SHA1
62eedd2538974acca314ad8e162ec3df4a4bb5e4

SHA256
e765bfdd855bc1578baa656aa9be5f91e3f00b2a3c2b95d016b417b37fdcd978

SHA512
98a05f3955f775353a6e2031f7f66c723b1315e9367a68f4411626fffb2229976d3b223f2179d2070a52f4c223425f445ca413b910787b949616de81ae2e2669

Download Submit
C:\Users\Admin\AppData\Roaming\Windows Objects\wmiintegrator.exe

Filesize
262KB

MD5
5d82a5a1f50c85475233c77fa7289ccc

SHA1
f99d8f69fcf37ff3d50abda95c1c87b0eecdd00e

SHA256
0aefe804a7c94440fa6c38b8041181213da0e9c63516a67f239c4b562e66fbeb

SHA512
941ec0127bb68a5a4dae8de9d8bfa6cd896f4d2af006f0ee033153f616e2c164292de85f2e36a8bb211e7dfc338bc580ff705e127da07722c63a0b6c59a94956

Download Submit
C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe

Filesize
262KB

MD5
5303bf0d5682aa0a4d453a12b88ca01a

SHA1
5555b7ba23d4e066430236bf4ced0b167ea119a0

SHA256
1db958a29510fa1e16848cf2f9760d9ad5f7ed3feb0deb5e72500bb9b97e4e8b

SHA512
27756c5eb3aab1f2c8c8d01d5cf024f0332d29a1888ade3c656fe94412aa26166ce7dd0ed40a8cec9508afb794019c55f4b5420a40cafadc6ff8ae2c2c73c98f

Download Submit
C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe

Filesize
262KB

MD5
d80f50953158dda487dfbf95b412b984

SHA1
9ebea350b7f5d1a45708de073fda808d92c584c7

SHA256
552c7a6f506e3025c90a308d62994aca573da80c7a2d07831bf87485cbf38a61

SHA512
2c9d4bb69bc9b7d8dbe4ad3ee37aa1f06a4f46e4de11065fdf3e5dd7ce53814b1c7795d3f7997c3ba6f15f4cb25492414574169fc11df96376ef9bdb8abbb4fb

Download Submit
C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe

Filesize
262KB

MD5
a0973d172ddec0519a40d8f39ae63eb1

SHA1
2be8f0cc97491237400ce00e2ca5d2fae8f0020c

SHA256
c366f8d5cf0395247fcaef116b6998703565a49b60d5947a0f71dc384fba537e

SHA512
8f4848bd13276c25965fea524d1fdbe907d677bacc36014b1fe7ec58cb0591e687f6353c112cf58c52c397e011baf71936a3608ea776989de05a9d7bc23e7836

Download Submit
C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe

Filesize
262KB

MD5
146b43e2c1981cc8ddf63b8a900418fc

SHA1
24186a0054898b8c5cb263ee1ad1b8e714cab99f

SHA256
d1f8b605bf168936e898522370c11da3d244da9019baa449b9ec7bac7375e1f6

SHA512
87eb25ee236bdb1319663d06f8038a70475551297e3da84f5a9e60273a982fea511a102c25d4eea10e49f7bcafaf9b02323297f4f83a9a98c54d3a3f4108b6ad

Download Submit
C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe

Filesize
262KB

MD5
940ef1775302bbb2d11cbafeb7b85a43

SHA1
faf9ba28bf71abc7380d67b5866c5a785b8d5860

SHA256
53b40140c5206f423d81d48a9741020d63bc833d4049380593033aa5e1dee4b1

SHA512
0becd5d83c5b55fdca087b1338572492d9b0977cade7ba4d3cd1ca19fe3a4a947ff157a91951a83cfabc6b9ddd1de0b7d331777d469fc5e594c65dcc36846d75

Download Submit
C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe

Filesize
262KB

MD5
2fce2200c369b631aa0480b05d59b58e

SHA1
d9f2b501316c07859fdf5773f2a82ca78ad26436

SHA256
bf01bda8cf9e5d7728fae5317eae96b26fdd57324efe79a2e9c454cdf79234bc

SHA512
53f44ce2e2e198bb355e9221f91aa3d67232bc7431765b1dbd1e2a2fdfdb9fe9fcea29239d9208b3abc0ce70ea6023c58273f8049b0df5c5720c6a7e0aa6e650

Download Submit
C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe

Filesize
262KB

MD5
9e1c40cd18cf82fff6434b25357bcd11

SHA1
f032bbc7610d119ab0fa52e797c0a75be35579bb

SHA256
151461a8cdc5cb166aca1e1284006a739028452ee03eb4cc94df367639605d4d

SHA512
df99e2d585dafa5b63940295576706d7ee5f58be3a8c97e5e33b81f792b0e1ab9383ff32bba5ad85a49263f0507b45d836d31327086e838e4eda1e068586d1c9

Download Submit
C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe

Filesize
262KB

MD5
e55c6969a8d6b0715b2648488934a59b

SHA1
436535e0cb6ba6db158041cfee1b593b3b2e5f21

SHA256
c9cadd0a1519475ae3ec100e2a4fa1ead0ca53055c279acd95d0484e6e28900d

SHA512
86cc18bb13b16453dc617dab3c830e22ab49cae932d8839f340a560e614921c92cdb1cced64ef10e6e92ccaab301f8d94fc6de2baa6687bb2b504b5cee26ae43

Download Submit
C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe

Filesize
262KB

MD5
7328541c47f523b6597decb5b2e2d4fc

SHA1
93865710341440dd236a32cfb188447cdcf58460

SHA256
175c4156e2162d30999bd1a2eb4e342699faca2983e1d8083ccd5ead071eaa54

SHA512
25969f6fb976a7e1133bc2c78cd1a7e57df57fa8f6c08d972270546ee8491da4d31f8a7ab9b7a76a5f3d3283bb538c08437c2b8c844b43caead75b117579ca88

Download Submit
C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe

Filesize
262KB

MD5
d87eeb72a249189ca3d234e089d17851

SHA1
c480f450fa68a6ac5b74371d29675d498c007a19

SHA256
0f549e62784eff890763b18ac7ed8edb7a66e477618f4579421ffbf129d81621

SHA512
025397d3810a4c0d98416af92b392f95455a35ac0ee856a4f1e7c720af807136debee48a0a3072c8f1522c1356aa17d20ed9df54a95b1aa640a099b09df8a256

Download Submit
C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe

Filesize
262KB

MD5
d35dbe4ebd3adb78205392624911baa4

SHA1
2700c4f4a648040f6fdab905c0e3dd792a435ba7

SHA256
133180a87422aed352bee968a4e89d8d99e77d679b15e033e4ba34cdf26722c9

SHA512
6bc408d9073eaae3f0c531deca84161bee9a438906b1734af8326c080e604a6dbbb681cfff45588d4b43e289c928c341ee3bac6078f6f17653492a7d7d2017a9

Download Submit
C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe

Filesize
262KB

MD5
6829a7ac2e5af5f836e93d86e48a28b0

SHA1
c9c47629c0856258e1afbea6918cd74895feee0e

SHA256
f15c095d9ebfa3590e8b9cd6e12d551456fafdd78bdef9b43a07dfa6a9068f81

SHA512
497c600aa7adcc643c89579c439e3dd9157a3e34d042d62e51a9d9ac54ea16fa5bee4000de4229ffab1b96da673bc57a84b388c9068e66c49bb54f2d693560df

Download Submit
C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe

Filesize
262KB

MD5
38132dcba2327a38a60ac7d26aea2833

SHA1
eddfa9dc367a6b97e6666c71e7a63fe6e9157b10

SHA256
130ca4b1830f257dfd22a1244d49647382751d2e52dca0b3e2fcbfe1a68d86f0

SHA512
b36ce4679c83e79ea7db43381f9dd074c39946cf801ae2de59448b0a259b56ecdaf721f316e51fa8581005e33bfe50f672e5df10b1cfac4ab826d7a909439e62

Download Submit
C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe

Filesize
262KB

MD5
efd1c1654f5bd05d63f98b2ea933e3bb

SHA1
f3cc007682b3091f150b9028339ef4604c4e3738

SHA256
3b2f57b025ae368cb278b07fa6a43911cb16b4672a5393857a4eed78790746ae

SHA512
78e7b880a7b13996456ad254ddd9bc0e79ffc1b9c964f4cac74abb364a01fd0b9d30e8401fd02ac2db4ecfc0442a1a6ba05523854bdf921482c25f2855e9474a

Download Submit
C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe

Filesize
262KB

MD5
b87ac57c4c11b84e00d26c9c8c86fb90

SHA1
2800c8c343ef0ac8febf2da032a0a54f946b5484

SHA256
9e130285b2a72d67800170fa4c809260c8c0b4f3aeb85a4420f884275fe9b600

SHA512
6e593053a8506d28196edae9179df4b610e95788440e228dc5bfc269f0309803511cf942479b03f846307d1d5b493be7cfda1ed954d7e88565b466c1d6ac303d

Download Submit
C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe

Filesize
262KB

MD5
9981ca5a0d195c2eecefda479f7aae17

SHA1
82a527eceee1587eab73b2d27e8fd123c9339d68

SHA256
dfa46636b04fa442cdbedc5ea3eb0338504272fe35623b9442ab0bb8262b8357

SHA512
6d1b7ab6045176c6b97ca88868eb8422bf2426fb3ccb5cc1384d0153cf3376098831a9acbf8001eac800251414c4840ce306636d1a31fb5458ce0f75bc948026

Download Submit
C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure.exe

Filesize
262KB

MD5
7f1320397905de2f11b50f3c27e51286

SHA1
a500eff4eaf2645b9a006c29fd1200cf2048309e

SHA256
3208438e7783faabf50d6d41c13c11daaf8cf8cd797c985bf970958fbb6fa782

SHA512
27ba1e74206af366ec900d13d0ff7688826d30100601df5c8c5562e853755e149ec9a4a1ca7663d6428b994687f441ef5dbdb8e4b5c59b1ffac5ef7f1d28c90e

Download Submit
C:\Users\Admin\AppData\Roaming\Windows Objects\wmisecure64.exe

Filesize
262KB

MD5
3046e58e13e09a8fb93224ab63e6bfdf

SHA1
85179306479fd18689a43685fed3312722288f2f

SHA256
d1d651fe43a9059247b61c32a905cbf8361f88edcbde33a78b6381971013837c

SHA512
709998d5bc56868ba6ccceeba747cd899673db8fc635a80bf26ed57175130bcf0f7d33dfa04d25652151c4962b24ca6135deb8b2d29483aaa4f003c9c6a5dafd

Download Submit
memory/376-2-0x0000000002880000-0x0000000002890000-memory.dmp

Filesize
64KB

Download
memory/376-13-0x0000000074120000-0x00000000746D1000-memory.dmp

Filesize
5.7MB

Download
memory/376-0-0x0000000074120000-0x00000000746D1000-memory.dmp

Filesize
5.7MB

Download
memory/376-1-0x0000000074120000-0x00000000746D1000-memory.dmp

Filesize
5.7MB

Download
memory/2484-24-0x0000000000C80000-0x0000000000C90000-memory.dmp

Filesize
64KB

Download
memory/2484-18-0x0000000074120000-0x00000000746D1000-memory.dmp

Filesize
5.7MB

Download
memory/2484-22-0x0000000000C80000-0x0000000000C90000-memory.dmp

Filesize
64KB

Download
memory/2484-23-0x0000000074120000-0x00000000746D1000-memory.dmp

Filesize
5.7MB

Download
memory/2484-41-0x0000000000C80000-0x0000000000C90000-memory.dmp

Filesize
64KB

Download
memory/2484-40-0x0000000000C80000-0x0000000000C90000-memory.dmp

Filesize
64KB

Download
memory/2484-39-0x0000000074120000-0x00000000746D1000-memory.dmp

Filesize
5.7MB

Download
memory/4676-9-0x0000000074120000-0x00000000746D1000-memory.dmp

Filesize
5.7MB

Download
memory/4676-11-0x0000000074120000-0x00000000746D1000-memory.dmp

Filesize
5.7MB

Download
memory/4676-10-0x0000000002C30000-0x0000000002C40000-memory.dmp

Filesize
64KB

Download
memory/4676-30-0x0000000074120000-0x00000000746D1000-memory.dmp

Filesize
5.7MB

Download