ce7021c5dc853e3cece74530e9fd08b81b8741429b1d47ac4cdf692dfd2f41c7

Analysis

max time kernel
112s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
19/07/2024, 02:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

54e88117c656fb33285d9dd3bd89469d.exe
Size

88KB
MD5

54e88117c656fb33285d9dd3bd89469d
SHA1

47cbd0e004c3819db03fd92626ad78e212989ae8
SHA256

ce7021c5dc853e3cece74530e9fd08b81b8741429b1d47ac4cdf692dfd2f41c7
SHA512

7aa07e4a1371c6e8b99414d775e3aa6701e63ac9f8d8b8386274aa86f59e6404c1f504bbd7e65c4e86fd13b9240a5e10c344f7ba93225cbda2dbc0b24712c001
SSDEEP

1536:tpQNpV60nIf4n8++GLSxYkUT7xN1ZGPf12nkYyMpnb2:nB0Pn8+4Ko12fyMpny

Score

8^/10

persistence

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	wcsydrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	wcsydrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	wcsydrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	wcsydrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	wcsydrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	wcsydrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	wcsydrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	wcsydrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	wcsydrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	wcsydrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	wcsydrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	wcsydrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	wcsydrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	wcsydrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	wcsydrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	wcsydrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	wcsydrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	wcsydrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	wcsydrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	wcsydrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	wcsydrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	wcsydrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	wcsydrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	wcsydrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	wcsydrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	wcsydrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	wcsydrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	wcsydrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	wcsydrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	wcsydrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	wcsydrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	wcsydrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	wcsydrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	wcsydrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	wcsydrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	wcsydrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	wcsydrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	wcsydrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	wcsydrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	wcsydrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	wcsydrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	wcsydrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	wcsydrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	wcsydrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	wcsydrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	wcsydrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	wcsydrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	wcsydrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	wcsydrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	wcsydrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	wcsydrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	wcsydrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	wcsydrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	wcsydrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	wcsydrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	wcsydrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	wcsydrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	wcsydrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	wcsydrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	wcsydrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	wcsydrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	wcsydrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	wcsydrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	wcsydrv.exe

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	wcsydrv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	wcsydrv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	wcsydrv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	wcsydrv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	wcsydrv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	wcsydrv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	wcsydrv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	wcsydrv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	wcsydrv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	wcsydrv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	wcsydrv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	wcsydrv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	wcsydrv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	wcsydrv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	wcsydrv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	wcsydrv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	wcsydrv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	wcsydrv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	wcsydrv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	wcsydrv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	wcsydrv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	wcsydrv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	wcsydrv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	wcsydrv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	wcsydrv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	wcsydrv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	wcsydrv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	wcsydrv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	wcsydrv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	wcsydrv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	wcsydrv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	wcsydrv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	wcsydrv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	wcsydrv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	wcsydrv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	wcsydrv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	wcsydrv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	wcsydrv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	wcsydrv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	wcsydrv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	wcsydrv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	wcsydrv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	wcsydrv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	wcsydrv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	wcsydrv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	wcsydrv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	wcsydrv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	wcsydrv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	wcsydrv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	wcsydrv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	wcsydrv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	wcsydrv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	wcsydrv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	wcsydrv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	wcsydrv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	wcsydrv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	wcsydrv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	wcsydrv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	wcsydrv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	wcsydrv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	wcsydrv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	wcsydrv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	wcsydrv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	wcsydrv.exe

Executes dropped EXE 64 IoCs

pid	Process
4704	wcsydrv.exe
2268	wcsydrv.exe
1156	wcsydrv.exe
224	wcsydrv.exe
4316	wcsydrv.exe
2960	wcsydrv.exe
4796	wcsydrv.exe
3944	wcsydrv.exe
3808	wcsydrv.exe
1972	wcsydrv.exe
4584	wcsydrv.exe
1420	wcsydrv.exe
3840	wcsydrv.exe
1508	wcsydrv.exe
3668	wcsydrv.exe
5104	wcsydrv.exe
1064	wcsydrv.exe
2976	wcsydrv.exe
4812	wcsydrv.exe
380	wcsydrv.exe
4792	wcsydrv.exe
4864	wcsydrv.exe
3564	wcsydrv.exe
5036	wcsydrv.exe
4304	wcsydrv.exe
4680	wcsydrv.exe
4020	wcsydrv.exe
4348	wcsydrv.exe
4000	wcsydrv.exe
4992	wcsydrv.exe
2896	wcsydrv.exe
3996	wcsydrv.exe
3472	wcsydrv.exe
3160	wcsydrv.exe
4116	wcsydrv.exe
1676	wcsydrv.exe
3972	wcsydrv.exe
3908	wcsydrv.exe
2268	wcsydrv.exe
640	wcsydrv.exe
2424	wcsydrv.exe
1500	wcsydrv.exe
224	wcsydrv.exe
3248	wcsydrv.exe
3968	wcsydrv.exe
2560	wcsydrv.exe
748	wcsydrv.exe
1660	wcsydrv.exe
2700	wcsydrv.exe
4844	wcsydrv.exe
2372	wcsydrv.exe
3108	wcsydrv.exe
3668	wcsydrv.exe
1436	wcsydrv.exe
1188	wcsydrv.exe
5116	wcsydrv.exe
936	wcsydrv.exe
5004	wcsydrv.exe
2740	wcsydrv.exe
1980	wcsydrv.exe
2132	wcsydrv.exe
4484	wcsydrv.exe
1992	wcsydrv.exe
4776	wcsydrv.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Windows Services Data = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wcsydrv.exe"	wcsydrv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Services Data = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wcsydrv.exe"	wcsydrv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Windows Services Data = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wcsydrv.exe"	wcsydrv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Windows Services Data = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wcsydrv.exe"	wcsydrv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Services Data = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wcsydrv.exe"	wcsydrv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Services Data = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wcsydrv.exe"	wcsydrv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Services Data = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wcsydrv.exe"	wcsydrv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Windows Services Data = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wcsydrv.exe"	wcsydrv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Services Data = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wcsydrv.exe"	wcsydrv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Services Data = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wcsydrv.exe"	wcsydrv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Windows Services Data = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wcsydrv.exe"	wcsydrv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Services Data = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wcsydrv.exe"	wcsydrv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Windows Services Data = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wcsydrv.exe"	wcsydrv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Services Data = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wcsydrv.exe"	wcsydrv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Windows Services Data = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wcsydrv.exe"	wcsydrv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Services Data = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wcsydrv.exe"	wcsydrv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Services Data = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wcsydrv.exe"	wcsydrv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Services Data = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wcsydrv.exe"	wcsydrv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Services Data = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wcsydrv.exe"	wcsydrv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Services Data = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wcsydrv.exe"	wcsydrv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Services Data = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wcsydrv.exe"	wcsydrv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Windows Services Data = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wcsydrv.exe"	wcsydrv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Services Data = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wcsydrv.exe"	wcsydrv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Windows Services Data = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wcsydrv.exe"	wcsydrv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Windows Services Data = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wcsydrv.exe"	wcsydrv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Services Data = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wcsydrv.exe"	wcsydrv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Services Data = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wcsydrv.exe"	wcsydrv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Windows Services Data = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wcsydrv.exe"	wcsydrv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Services Data = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wcsydrv.exe"	wcsydrv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Windows Services Data = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wcsydrv.exe"	wcsydrv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Windows Services Data = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wcsydrv.exe"	wcsydrv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Windows Services Data = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wcsydrv.exe"	wcsydrv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Windows Services Data = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wcsydrv.exe"	wcsydrv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Windows Services Data = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wcsydrv.exe"	wcsydrv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Services Data = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wcsydrv.exe"	wcsydrv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Windows Services Data = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wcsydrv.exe"	wcsydrv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Services Data = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wcsydrv.exe"	wcsydrv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Windows Services Data = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wcsydrv.exe"	wcsydrv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Services Data = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wcsydrv.exe"	wcsydrv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Services Data = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wcsydrv.exe"	wcsydrv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Services Data = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wcsydrv.exe"	wcsydrv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Windows Services Data = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wcsydrv.exe"	wcsydrv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Services Data = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wcsydrv.exe"	wcsydrv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Windows Services Data = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wcsydrv.exe"	wcsydrv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Services Data = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wcsydrv.exe"	wcsydrv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Services Data = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wcsydrv.exe"	wcsydrv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Windows Services Data = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wcsydrv.exe"	wcsydrv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Windows Services Data = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wcsydrv.exe"	wcsydrv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Services Data = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wcsydrv.exe"	wcsydrv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Services Data = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wcsydrv.exe"	wcsydrv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Windows Services Data = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wcsydrv.exe"	wcsydrv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Services Data = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wcsydrv.exe"	wcsydrv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Windows Services Data = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wcsydrv.exe"	wcsydrv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Services Data = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wcsydrv.exe"	wcsydrv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Windows Services Data = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wcsydrv.exe"	wcsydrv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Services Data = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wcsydrv.exe"	wcsydrv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Windows Services Data = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wcsydrv.exe"	wcsydrv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Services Data = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wcsydrv.exe"	wcsydrv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Services Data = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wcsydrv.exe"	wcsydrv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Windows Services Data = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wcsydrv.exe"	wcsydrv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Services Data = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wcsydrv.exe"	wcsydrv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Windows Services Data = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wcsydrv.exe"	wcsydrv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Services Data = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wcsydrv.exe"	wcsydrv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Windows Services Data = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wcsydrv.exe"	wcsydrv.exe

Modifies WinLogon 2 TTPs 64 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Windows start = "explorer.exe"	wcsydrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Windows start = "explorer.exe"	wcsydrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Windows start = "explorer.exe"	wcsydrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Windows start = "explorer.exe"	wcsydrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Windows start = "explorer.exe"	wcsydrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Windows start = "explorer.exe"	wcsydrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Windows start = "explorer.exe"	wcsydrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Windows start = "explorer.exe"	wcsydrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Windows start = "explorer.exe"	wcsydrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Windows start = "explorer.exe"	wcsydrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Windows start = "explorer.exe"	wcsydrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Windows start = "explorer.exe"	wcsydrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Windows start = "explorer.exe"	wcsydrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Windows start = "explorer.exe"	wcsydrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Windows start = "explorer.exe"	wcsydrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Windows start = "explorer.exe"	wcsydrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Windows start = "explorer.exe"	wcsydrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Windows start = "explorer.exe"	wcsydrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Windows start = "explorer.exe"	wcsydrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Windows start = "explorer.exe"	wcsydrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Windows start = "explorer.exe"	wcsydrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Windows start = "explorer.exe"	wcsydrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Windows start = "explorer.exe"	wcsydrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Windows start = "explorer.exe"	wcsydrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Windows start = "explorer.exe"	wcsydrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Windows start = "explorer.exe"	wcsydrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Windows start = "explorer.exe"	wcsydrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Windows start = "explorer.exe"	wcsydrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Windows start = "explorer.exe"	wcsydrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Windows start = "explorer.exe"	wcsydrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Windows start = "explorer.exe"	wcsydrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Windows start = "explorer.exe"	wcsydrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Windows start = "explorer.exe"	wcsydrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Windows start = "explorer.exe"	wcsydrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Windows start = "explorer.exe"	wcsydrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Windows start = "explorer.exe"	wcsydrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Windows start = "explorer.exe"	wcsydrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Windows start = "explorer.exe"	wcsydrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Windows start = "explorer.exe"	wcsydrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Windows start = "explorer.exe"	wcsydrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Windows start = "explorer.exe"	wcsydrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Windows start = "explorer.exe"	wcsydrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Windows start = "explorer.exe"	wcsydrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Windows start = "explorer.exe"	wcsydrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Windows start = "explorer.exe"	wcsydrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Windows start = "explorer.exe"	wcsydrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Windows start = "explorer.exe"	wcsydrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Windows start = "explorer.exe"	wcsydrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Windows start = "explorer.exe"	wcsydrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Windows start = "explorer.exe"	wcsydrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Windows start = "explorer.exe"	wcsydrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Windows start = "explorer.exe"	wcsydrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Windows start = "explorer.exe"	wcsydrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Windows start = "explorer.exe"	wcsydrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Windows start = "explorer.exe"	wcsydrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Windows start = "explorer.exe"	wcsydrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Windows start = "explorer.exe"	wcsydrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Windows start = "explorer.exe"	wcsydrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Windows start = "explorer.exe"	wcsydrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Windows start = "explorer.exe"	wcsydrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Windows start = "explorer.exe"	wcsydrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Windows start = "explorer.exe"	wcsydrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Windows start = "explorer.exe"	wcsydrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Windows start = "explorer.exe"	wcsydrv.exe

Suspicious use of SetThreadContext 64 IoCs

description	pid	Process	procid_target
PID 1612 set thread context of 4596	1612	54e88117c656fb33285d9dd3bd89469d.exe	84
PID 4704 set thread context of 2268	4704	wcsydrv.exe	88
PID 1156 set thread context of 224	1156	wcsydrv.exe	90
PID 4316 set thread context of 2960	4316	wcsydrv.exe	93
PID 4796 set thread context of 3944	4796	wcsydrv.exe	95
PID 3808 set thread context of 1972	3808	wcsydrv.exe	97
PID 4584 set thread context of 1420	4584	wcsydrv.exe	99
PID 3840 set thread context of 1508	3840	wcsydrv.exe	101
PID 3668 set thread context of 5104	3668	wcsydrv.exe	103
PID 1064 set thread context of 2976	1064	wcsydrv.exe	105
PID 4812 set thread context of 380	4812	wcsydrv.exe	107
PID 4792 set thread context of 4864	4792	wcsydrv.exe	109
PID 3564 set thread context of 5036	3564	wcsydrv.exe	111
PID 4304 set thread context of 4680	4304	wcsydrv.exe	113
PID 4020 set thread context of 4348	4020	wcsydrv.exe	115
PID 4000 set thread context of 4992	4000	wcsydrv.exe	117
PID 2896 set thread context of 3996	2896	wcsydrv.exe	119
PID 3472 set thread context of 3160	3472	wcsydrv.exe	121
PID 4116 set thread context of 1676	4116	wcsydrv.exe	166
PID 3972 set thread context of 3908	3972	wcsydrv.exe	125
PID 2268 set thread context of 640	2268	wcsydrv.exe	127
PID 2424 set thread context of 1500	2424	wcsydrv.exe	129
PID 224 set thread context of 3248	224	wcsydrv.exe	132
PID 3968 set thread context of 2560	3968	wcsydrv.exe	135
PID 748 set thread context of 1660	748	wcsydrv.exe	137
PID 2700 set thread context of 4844	2700	wcsydrv.exe	139
PID 2372 set thread context of 3108	2372	wcsydrv.exe	141
PID 3668 set thread context of 1436	3668	wcsydrv.exe	143
PID 1188 set thread context of 5116	1188	wcsydrv.exe	146
PID 936 set thread context of 5004	936	wcsydrv.exe	149
PID 2740 set thread context of 1980	2740	wcsydrv.exe	151
PID 2132 set thread context of 4484	2132	wcsydrv.exe	153
PID 1992 set thread context of 4776	1992	wcsydrv.exe	155
PID 1624 set thread context of 4784	1624	wcsydrv.exe	157
PID 1356 set thread context of 4600	1356	wcsydrv.exe	159
PID 4360 set thread context of 1732	4360	wcsydrv.exe	161
PID 3948 set thread context of 3472	3948	wcsydrv.exe	163
PID 880 set thread context of 1996	880	wcsydrv.exe	165
PID 1676 set thread context of 2448	1676	wcsydrv.exe	167
PID 3500 set thread context of 3540	3500	wcsydrv.exe	169
PID 2424 set thread context of 180	2424	wcsydrv.exe	172
PID 2588 set thread context of 3796	2588	wcsydrv.exe	174
PID 4852 set thread context of 3968	4852	wcsydrv.exe	176
PID 3364 set thread context of 2892	3364	wcsydrv.exe	178
PID 3044 set thread context of 812	3044	wcsydrv.exe	180
PID 2164 set thread context of 4164	2164	wcsydrv.exe	224
PID 3668 set thread context of 4236	3668	wcsydrv.exe	226
PID 4812 set thread context of 2996	4812	wcsydrv.exe	187
PID 380 set thread context of 5112	380	wcsydrv.exe	189
PID 1360 set thread context of 2064	1360	wcsydrv.exe	191
PID 3676 set thread context of 968	3676	wcsydrv.exe	193
PID 1120 set thread context of 3904	1120	wcsydrv.exe	196
PID 1124 set thread context of 2040	1124	wcsydrv.exe	198
PID 5020 set thread context of 3012	5020	wcsydrv.exe	200
PID 3956 set thread context of 4168	3956	wcsydrv.exe	202
PID 3508 set thread context of 1232	3508	wcsydrv.exe	204
PID 4268 set thread context of 2888	4268	wcsydrv.exe	206
PID 1020 set thread context of 4176	1020	wcsydrv.exe	208
PID 4748 set thread context of 2112	4748	wcsydrv.exe	210
PID 2752 set thread context of 2816	2752	wcsydrv.exe	212
PID 100 set thread context of 2952	100	wcsydrv.exe	257
PID 4316 set thread context of 1060	4316	wcsydrv.exe	216
PID 5108 set thread context of 3808	5108	wcsydrv.exe	218
PID 748 set thread context of 2788	748	wcsydrv.exe	220

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1612 wrote to memory of 4596	1612	54e88117c656fb33285d9dd3bd89469d.exe	84
PID 1612 wrote to memory of 4596	1612	54e88117c656fb33285d9dd3bd89469d.exe	84
PID 1612 wrote to memory of 4596	1612	54e88117c656fb33285d9dd3bd89469d.exe	84
PID 1612 wrote to memory of 4596	1612	54e88117c656fb33285d9dd3bd89469d.exe	84
PID 1612 wrote to memory of 4596	1612	54e88117c656fb33285d9dd3bd89469d.exe	84
PID 4596 wrote to memory of 4704	4596	54e88117c656fb33285d9dd3bd89469d.exe	87
PID 4596 wrote to memory of 4704	4596	54e88117c656fb33285d9dd3bd89469d.exe	87
PID 4596 wrote to memory of 4704	4596	54e88117c656fb33285d9dd3bd89469d.exe	87
PID 4704 wrote to memory of 2268	4704	wcsydrv.exe	88
PID 4704 wrote to memory of 2268	4704	wcsydrv.exe	88
PID 4704 wrote to memory of 2268	4704	wcsydrv.exe	88
PID 4704 wrote to memory of 2268	4704	wcsydrv.exe	88
PID 4704 wrote to memory of 2268	4704	wcsydrv.exe	88
PID 2268 wrote to memory of 1156	2268	wcsydrv.exe	89
PID 2268 wrote to memory of 1156	2268	wcsydrv.exe	89
PID 2268 wrote to memory of 1156	2268	wcsydrv.exe	89
PID 1156 wrote to memory of 224	1156	wcsydrv.exe	90
PID 1156 wrote to memory of 224	1156	wcsydrv.exe	90
PID 1156 wrote to memory of 224	1156	wcsydrv.exe	90
PID 1156 wrote to memory of 224	1156	wcsydrv.exe	90
PID 1156 wrote to memory of 224	1156	wcsydrv.exe	90
PID 224 wrote to memory of 4316	224	wcsydrv.exe	92
PID 224 wrote to memory of 4316	224	wcsydrv.exe	92
PID 224 wrote to memory of 4316	224	wcsydrv.exe	92
PID 4316 wrote to memory of 2960	4316	wcsydrv.exe	93
PID 4316 wrote to memory of 2960	4316	wcsydrv.exe	93
PID 4316 wrote to memory of 2960	4316	wcsydrv.exe	93
PID 4316 wrote to memory of 2960	4316	wcsydrv.exe	93
PID 4316 wrote to memory of 2960	4316	wcsydrv.exe	93
PID 2960 wrote to memory of 4796	2960	wcsydrv.exe	94
PID 2960 wrote to memory of 4796	2960	wcsydrv.exe	94
PID 2960 wrote to memory of 4796	2960	wcsydrv.exe	94
PID 4796 wrote to memory of 3944	4796	wcsydrv.exe	95
PID 4796 wrote to memory of 3944	4796	wcsydrv.exe	95
PID 4796 wrote to memory of 3944	4796	wcsydrv.exe	95
PID 4796 wrote to memory of 3944	4796	wcsydrv.exe	95
PID 4796 wrote to memory of 3944	4796	wcsydrv.exe	95
PID 3944 wrote to memory of 3808	3944	wcsydrv.exe	96
PID 3944 wrote to memory of 3808	3944	wcsydrv.exe	96
PID 3944 wrote to memory of 3808	3944	wcsydrv.exe	96
PID 3808 wrote to memory of 1972	3808	wcsydrv.exe	97
PID 3808 wrote to memory of 1972	3808	wcsydrv.exe	97
PID 3808 wrote to memory of 1972	3808	wcsydrv.exe	97
PID 3808 wrote to memory of 1972	3808	wcsydrv.exe	97
PID 3808 wrote to memory of 1972	3808	wcsydrv.exe	97
PID 1972 wrote to memory of 4584	1972	wcsydrv.exe	98
PID 1972 wrote to memory of 4584	1972	wcsydrv.exe	98
PID 1972 wrote to memory of 4584	1972	wcsydrv.exe	98
PID 4584 wrote to memory of 1420	4584	wcsydrv.exe	99
PID 4584 wrote to memory of 1420	4584	wcsydrv.exe	99
PID 4584 wrote to memory of 1420	4584	wcsydrv.exe	99
PID 4584 wrote to memory of 1420	4584	wcsydrv.exe	99
PID 4584 wrote to memory of 1420	4584	wcsydrv.exe	99
PID 1420 wrote to memory of 3840	1420	wcsydrv.exe	100
PID 1420 wrote to memory of 3840	1420	wcsydrv.exe	100
PID 1420 wrote to memory of 3840	1420	wcsydrv.exe	100
PID 3840 wrote to memory of 1508	3840	wcsydrv.exe	101
PID 3840 wrote to memory of 1508	3840	wcsydrv.exe	101
PID 3840 wrote to memory of 1508	3840	wcsydrv.exe	101
PID 3840 wrote to memory of 1508	3840	wcsydrv.exe	101
PID 3840 wrote to memory of 1508	3840	wcsydrv.exe	101
PID 1508 wrote to memory of 3668	1508	wcsydrv.exe	142
PID 1508 wrote to memory of 3668	1508	wcsydrv.exe	142
PID 1508 wrote to memory of 3668	1508	wcsydrv.exe	142

C:\Users\Admin\AppData\Local\Temp\54e88117c656fb33285d9dd3bd89469d.exe
"C:\Users\Admin\AppData\Local\Temp\54e88117c656fb33285d9dd3bd89469d.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1612
- C:\Users\Admin\AppData\Local\Temp\54e88117c656fb33285d9dd3bd89469d.exe
  C:\Users\Admin\AppData\Local\Temp\54e88117c656fb33285d9dd3bd89469d.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4596
- - C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
    "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:4704
  - - C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
      C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2268
    - - C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:1156
      - C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:224
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:4316
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        8⤵
        Adds policy Run key to start application
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:2960
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        9⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:4796
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        10⤵
        Executes dropped EXE
        Modifies WinLogon
        Suspicious use of WriteProcessMemory
        
        PID:3944
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        11⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:3808
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:1972
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        13⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:4584
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        14⤵
        Adds policy Run key to start application
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:1420
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        15⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:3840
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        16⤵
        Adds policy Run key to start application
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1508
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        17⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3668
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        18⤵
        Executes dropped EXE
        Modifies WinLogon
        
        PID:5104
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        19⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1064
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        20⤵
        Executes dropped EXE
        
        PID:2976
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        21⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4812
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        22⤵
        Executes dropped EXE
        Modifies WinLogon
        
        PID:380
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        23⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4792
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        24⤵
        Executes dropped EXE
        Modifies WinLogon
        
        PID:4864
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        25⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3564
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        26⤵
        Adds policy Run key to start application
        Executes dropped EXE
        Adds Run key to start application
        
        PID:5036
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        27⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4304
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        28⤵
        Executes dropped EXE
        
        PID:4680
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        29⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4020
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        30⤵
        Executes dropped EXE
        
        PID:4348
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        31⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4000
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        32⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4992
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        33⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2896
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        34⤵
        Executes dropped EXE
        
        PID:3996
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        35⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3472
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        36⤵
        Executes dropped EXE
        
        PID:3160
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        37⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4116
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        38⤵
        Adds policy Run key to start application
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        
        PID:1676
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        39⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3972
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        40⤵
        Executes dropped EXE
        Modifies WinLogon
        
        PID:3908
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        41⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2268
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        42⤵
        Executes dropped EXE
        
        PID:640
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        43⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2424
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        44⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:1500
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        45⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:224
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        46⤵
        Adds policy Run key to start application
        Checks computer location settings
        Executes dropped EXE
        
        PID:3248
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        47⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3968
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        48⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2560
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        49⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:748
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        50⤵
        Executes dropped EXE
        Modifies WinLogon
        
        PID:1660
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        51⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2700
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        52⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:4844
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        53⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2372
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        54⤵
        Executes dropped EXE
        
        PID:3108
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        55⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3668
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        56⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:1436
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        57⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1188
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        58⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:5116
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        59⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:936
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        60⤵
        Adds policy Run key to start application
        Executes dropped EXE
        
        PID:5004
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        61⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2740
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        62⤵
        Executes dropped EXE
        Modifies WinLogon
        
        PID:1980
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        63⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2132
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        64⤵
        Executes dropped EXE
        
        PID:4484
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        65⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1992
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        66⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4776
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        67⤵
        Suspicious use of SetThreadContext
        
        PID:1624
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        68⤵
        
        PID:4784
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        69⤵
        Suspicious use of SetThreadContext
        
        PID:1356
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        70⤵
        Adds policy Run key to start application
        Modifies WinLogon
        
        PID:4600
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        71⤵
        Suspicious use of SetThreadContext
        
        PID:4360
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        72⤵
        
        PID:1732
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        73⤵
        Suspicious use of SetThreadContext
        
        PID:3948
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        74⤵
        
        PID:3472
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        75⤵
        Suspicious use of SetThreadContext
        
        PID:880
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        76⤵
        
        PID:1996
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        77⤵
        Suspicious use of SetThreadContext
        
        PID:1676
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        78⤵
        Adds Run key to start application
        
        PID:2448
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        79⤵
        Suspicious use of SetThreadContext
        
        PID:3500
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        80⤵
        
        PID:3540
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        81⤵
        Suspicious use of SetThreadContext
        
        PID:2424
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        82⤵
        Modifies WinLogon
        
        PID:180
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        83⤵
        Suspicious use of SetThreadContext
        
        PID:2588
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        84⤵
        Adds policy Run key to start application
        Adds Run key to start application
        
        PID:3796
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        85⤵
        Suspicious use of SetThreadContext
        
        PID:4852
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        86⤵
        
        PID:3968
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        87⤵
        Suspicious use of SetThreadContext
        
        PID:3364
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        88⤵
        
        PID:2892
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        89⤵
        Suspicious use of SetThreadContext
        
        PID:3044
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        90⤵
        Adds policy Run key to start application
        
        PID:812
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        91⤵
        Suspicious use of SetThreadContext
        
        PID:2164
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        92⤵
        Modifies WinLogon
        
        PID:4164
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        93⤵
        Suspicious use of SetThreadContext
        
        PID:3668
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        94⤵
        
        PID:4236
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        95⤵
        Suspicious use of SetThreadContext
        
        PID:4812
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        96⤵
        Adds policy Run key to start application
        
        PID:2996
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        97⤵
        Suspicious use of SetThreadContext
        
        PID:380
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        98⤵
        Adds policy Run key to start application
        Checks computer location settings
        
        PID:5112
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        99⤵
        Suspicious use of SetThreadContext
        
        PID:1360
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        100⤵
        Modifies WinLogon
        
        PID:2064
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        101⤵
        Suspicious use of SetThreadContext
        
        PID:3676
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        102⤵
        
        PID:968
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        103⤵
        Suspicious use of SetThreadContext
        
        PID:1120
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        104⤵
        Adds policy Run key to start application
        
        PID:3904
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        105⤵
        Suspicious use of SetThreadContext
        
        PID:1124
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        106⤵
        
        PID:2040
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        107⤵
        Suspicious use of SetThreadContext
        
        PID:5020
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        108⤵
        
        PID:3012
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        109⤵
        Suspicious use of SetThreadContext
        
        PID:3956
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        110⤵
        
        PID:4168
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        111⤵
        Suspicious use of SetThreadContext
        
        PID:3508
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        112⤵
        Adds Run key to start application
        
        PID:1232
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        113⤵
        Suspicious use of SetThreadContext
        
        PID:4268
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        114⤵
        
        PID:2888
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        115⤵
        Suspicious use of SetThreadContext
        
        PID:1020
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        116⤵
        Adds policy Run key to start application
        
        PID:4176
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        117⤵
        Suspicious use of SetThreadContext
        
        PID:4748
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        118⤵
        
        PID:2112
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        119⤵
        Suspicious use of SetThreadContext
        
        PID:2752
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        120⤵
        
        PID:2816
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        121⤵
        Suspicious use of SetThreadContext
        
        PID:100
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        122⤵
        Adds Run key to start application
        Modifies WinLogon
        
        PID:2952
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        123⤵
        Suspicious use of SetThreadContext
        
        PID:4316
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        124⤵
        Adds policy Run key to start application
        Modifies WinLogon
        
        PID:1060
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        125⤵
        Suspicious use of SetThreadContext
        
        PID:5108
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        126⤵
        Checks computer location settings
        
        PID:3808
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        127⤵
        Suspicious use of SetThreadContext
        
        PID:748
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        128⤵
        Adds Run key to start application
        
        PID:2788
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        129⤵
        
        PID:2052
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        130⤵
        Modifies WinLogon
        
        PID:848
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        131⤵
        
        PID:2196
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        132⤵
        Adds policy Run key to start application
        Adds Run key to start application
        
        PID:4164
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        133⤵
        
        PID:3484
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        134⤵
        Checks computer location settings
        
        PID:4236
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        135⤵
        
        PID:1836
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        136⤵
        Modifies WinLogon
        
        PID:2676
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        137⤵
        
        PID:64
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        138⤵
        Checks computer location settings
        
        PID:5004
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        139⤵
        
        PID:3464
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        140⤵
        Adds Run key to start application
        
        PID:1700
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        141⤵
        
        PID:2444
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        142⤵
        Checks computer location settings
        Modifies WinLogon
        
        PID:3328
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        143⤵
        
        PID:3180
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        144⤵
        
        PID:2616
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        145⤵
        
        PID:4752
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        146⤵
        
        PID:2896
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        147⤵
        
        PID:4404
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        148⤵
        
        PID:3208
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        149⤵
        
        PID:1696
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        150⤵
        
        PID:2808
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        151⤵
        
        PID:872
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        152⤵
        Checks computer location settings
        Adds Run key to start application
        Modifies WinLogon
        
        PID:3356
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        153⤵
        
        PID:1428
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        154⤵
        Adds Run key to start application
        
        PID:4780
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        155⤵
        
        PID:2140
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        156⤵
        Checks computer location settings
        
        PID:4936
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        157⤵
        
        PID:4712
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        158⤵
        Adds policy Run key to start application
        
        PID:3112
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        159⤵
        
        PID:3016
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        160⤵
        Checks computer location settings
        
        PID:3352
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        161⤵
        
        PID:4544
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        162⤵
        
        PID:1724
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        163⤵
        
        PID:100
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        164⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:4300
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        165⤵
        
        PID:2952
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        166⤵
        Adds policy Run key to start application
        Modifies WinLogon
        
        PID:4472
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        167⤵
        
        PID:5108
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        168⤵
        
        PID:3364
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        169⤵
        
        PID:2344
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        170⤵
        
        PID:1592
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        171⤵
        
        PID:4376
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        172⤵
        Modifies WinLogon
        
        PID:2164
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        173⤵
        
        PID:4816
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        174⤵
        
        PID:5104
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        175⤵
        
        PID:2288
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        176⤵
        Adds policy Run key to start application
        
        PID:1188
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        177⤵
        
        PID:1800
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        178⤵
        
        PID:3564
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        179⤵
        
        PID:5004
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        180⤵
        
        PID:3452
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        181⤵
        
        PID:1460
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        182⤵
        Adds Run key to start application
        Modifies WinLogon
        
        PID:4000
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        183⤵
        
        PID:3904
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        184⤵
        
        PID:1124
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        185⤵
        
        PID:1128
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        186⤵
        
        PID:5020
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        187⤵
        
        PID:2712
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        188⤵
        
        PID:4968
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        189⤵
        
        PID:5088
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        190⤵
        Adds policy Run key to start application
        Adds Run key to start application
        
        PID:4356
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        191⤵
        
        PID:4168
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        192⤵
        
        PID:1568
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        193⤵
        
        PID:4412
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        194⤵
        Adds policy Run key to start application
        Adds Run key to start application
        
        PID:756
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        195⤵
        
        PID:5060
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        196⤵
        
        PID:464
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        197⤵
        
        PID:1804
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        198⤵
        
        PID:3972
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        199⤵
        
        PID:2228
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        200⤵
        
        PID:2268
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        201⤵
        
        PID:116
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        202⤵
        
        PID:3852
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        203⤵
        
        PID:5100
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        204⤵
        Adds policy Run key to start application
        
        PID:3968
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        205⤵
        
        PID:1060
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        206⤵
        Checks computer location settings
        
        PID:3944
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        207⤵
        
        PID:1192
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        208⤵
        
        PID:2556
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        209⤵
        
        PID:2788
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        210⤵
        Modifies WinLogon
        
        PID:4576
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        211⤵
        
        PID:3400
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        212⤵
        
        PID:4872
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        213⤵
        
        PID:4792
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        214⤵
        Adds Run key to start application
        
        PID:844
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        215⤵
        
        PID:1604
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        216⤵
        
        PID:3832
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        217⤵
        
        PID:2020
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        218⤵
        Adds policy Run key to start application
        Checks computer location settings
        
        PID:3936
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        219⤵
        
        PID:4484
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        220⤵
        Adds policy Run key to start application
        Modifies WinLogon
        
        PID:1356
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        221⤵
        
        PID:4364
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        222⤵
        
        PID:3996
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        223⤵
        
        PID:3948
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        224⤵
        Checks computer location settings
        
        PID:4104
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        225⤵
        
        PID:760
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        226⤵
        
        PID:3260
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        227⤵
        
        PID:2324
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        228⤵
        
        PID:396
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        229⤵
        
        PID:3356
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        230⤵
        Modifies WinLogon
        
        PID:2680
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        231⤵
        
        PID:4116
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        232⤵
        Adds policy Run key to start application
        Adds Run key to start application
        
        PID:1232
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        233⤵
        
        PID:2148
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        234⤵
        
        PID:464
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        235⤵
        
        PID:376
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        236⤵
        
        PID:2736
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        237⤵
        
        PID:3932
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        238⤵
        Adds Run key to start application
        
        PID:3836
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        239⤵
        
        PID:1008
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        240⤵
        Adds policy Run key to start application
        Modifies WinLogon
        
        PID:312
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        241⤵
        
        PID:3480
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        242⤵
        
        PID:3852
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        243⤵
        
        PID:4852
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        244⤵
        Checks computer location settings
        
        PID:2952
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        245⤵
        
        PID:5108
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        246⤵
        Modifies WinLogon
        
        PID:3808
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        247⤵
        
        PID:2828
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        248⤵
        Adds policy Run key to start application
        
        PID:3364
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        249⤵
        
        PID:1648
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        250⤵
        
        PID:3668
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        251⤵
        
        PID:4612
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        252⤵
        Adds Run key to start application
        
        PID:5104
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        253⤵
        
        PID:4888
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        254⤵
        
        PID:5112
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        255⤵
        
        PID:3832
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        256⤵
        
        PID:1588
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        257⤵
        
        PID:3936
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        258⤵
        Adds policy Run key to start application
        
        PID:1156
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        259⤵
        
        PID:4064
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        260⤵
        
        PID:1128
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        261⤵
        
        PID:4368
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        262⤵
        
        PID:4404
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        263⤵
        
        PID:4968
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        264⤵
        
        PID:4104
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        265⤵
        
        PID:4500
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        266⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:3508
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        267⤵
        
        PID:2396
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        268⤵
        Checks computer location settings
        
        PID:396
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        269⤵
        
        PID:912
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        270⤵
        Adds policy Run key to start application
        
        PID:4780
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        271⤵
        
        PID:3160
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        272⤵
        Modifies WinLogon
        
        PID:3412
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        273⤵
        
        PID:4564
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        274⤵
        Modifies WinLogon
        
        PID:4176
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        275⤵
        
        PID:4776
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        276⤵
        
        PID:4616
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        277⤵
        
        PID:1724
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        278⤵
        Adds policy Run key to start application
        Adds Run key to start application
        
        PID:1008
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        279⤵
        
        PID:312
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        280⤵
        
        PID:3796
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        281⤵
        
        PID:3852
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        282⤵
        
        PID:8
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        283⤵
        
        PID:1972
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        284⤵
        Adds Run key to start application
        
        PID:432
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        285⤵
        
        PID:3808
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        286⤵
        
        PID:2828
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        287⤵
        
        PID:4376
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        288⤵
        Checks computer location settings
        
        PID:4088
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        289⤵
        
        PID:3668
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        290⤵
        Modifies WinLogon
        
        PID:4612
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        291⤵
        
        PID:5104
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        292⤵
        
        PID:3564
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        293⤵
        
        PID:2020
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        294⤵
        Modifies WinLogon
        
        PID:2032
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        295⤵
        
        PID:968
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        296⤵
        Adds policy Run key to start application
        
        PID:4000
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        297⤵
        
        PID:3328
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        298⤵
        
        PID:3228
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        299⤵
        
        PID:4340
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        300⤵
        Checks computer location settings
        Adds Run key to start application
        Modifies WinLogon
        
        PID:4752
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        301⤵
        
        PID:2040
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        302⤵
        
        PID:4360
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        303⤵
        
        PID:1472
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        304⤵
        
        PID:1092
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        305⤵
        
        PID:4356
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        306⤵
        Adds Run key to start application
        
        PID:3076
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        307⤵
        
        PID:3472
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        308⤵
        Modifies WinLogon
        
        PID:4168
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        309⤵
        
        PID:4412
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        310⤵
        Adds policy Run key to start application
        Modifies WinLogon
        
        PID:2680
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        311⤵
        
        PID:4936
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        312⤵
        Checks computer location settings
        
        PID:3100
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        313⤵
        
        PID:4596
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        314⤵
        Modifies WinLogon
        
        PID:3412
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        315⤵
        
        PID:2228
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        316⤵
        Checks computer location settings
        
        PID:376
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        317⤵
        
        PID:4460
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        318⤵
        Modifies WinLogon
        
        PID:4432
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        319⤵
        
        PID:2816
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        320⤵
        Adds policy Run key to start application
        Modifies WinLogon
        
        PID:4336
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        321⤵
        
        PID:224
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        322⤵
        Adds policy Run key to start application
        
        PID:2736
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        323⤵
        
        PID:3796
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        324⤵
        Adds policy Run key to start application
        
        PID:748
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        325⤵
        
        PID:3740
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        326⤵
        
        PID:3944
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        327⤵
        
        PID:3108
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        328⤵
        Adds policy Run key to start application
        Checks computer location settings
        Adds Run key to start application
        
        PID:4540
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        329⤵
        
        PID:848
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        330⤵
        
        PID:2164
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        331⤵
        
        PID:4088
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        332⤵
        
        PID:2592
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        333⤵
        
        PID:4612
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        334⤵
        
        PID:1364
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        335⤵
        
        PID:2016
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        336⤵
        Adds policy Run key to start application
        
        PID:936
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        337⤵
        
        PID:2132
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        338⤵
        
        PID:3180
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        339⤵
        
        PID:2064
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        340⤵
        Adds Run key to start application
        
        PID:1224
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        341⤵
        
        PID:4600
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        342⤵
        Adds policy Run key to start application
        Checks computer location settings
        
        PID:3024
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        343⤵
        
        PID:4752
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        344⤵
        
        PID:2040
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        345⤵
        
        PID:3900
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        346⤵
        Checks computer location settings
        Adds Run key to start application
        Modifies WinLogon
        
        PID:3780
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        347⤵
        
        PID:1808
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        348⤵
        Adds policy Run key to start application
        Checks computer location settings
        
        PID:3456
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        349⤵
        
        PID:4500
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        350⤵
        Checks computer location settings
        
        PID:3260
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        351⤵
        
        PID:3508
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        352⤵
        
        PID:4312
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        353⤵
        
        PID:3264
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        354⤵
        
        PID:1232
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        355⤵
        
        PID:2068
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        356⤵
        Adds Run key to start application
        
        PID:2140
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        357⤵
        
        PID:4596
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        358⤵
        Adds policy Run key to start application
        
        PID:3500
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        359⤵
        
        PID:2228
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        360⤵
        
        PID:3932
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        361⤵
        
        PID:4460
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        362⤵
        Modifies WinLogon
        
        PID:2960
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        363⤵
        
        PID:2268
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        364⤵
        Adds policy Run key to start application
        Checks computer location settings
        
        PID:4552
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        365⤵
        
        PID:312
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        366⤵
        Adds Run key to start application
        Modifies WinLogon
        
        PID:4472
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        367⤵
        
        PID:4852
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        368⤵
        
        PID:1020
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        369⤵
        
        PID:748
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        370⤵
        Checks computer location settings
        Modifies WinLogon
        
        PID:2044
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        371⤵
        
        PID:3944
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        372⤵
        Adds policy Run key to start application
        
        PID:4480
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        373⤵
        
        PID:4548
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        374⤵
        Modifies WinLogon
        
        PID:4576
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        375⤵
        
        PID:3400
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        376⤵
        
        PID:2164
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        377⤵
        
        PID:624
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        378⤵
        Adds Run key to start application
        Modifies WinLogon
        
        PID:844
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        379⤵
        
        PID:1800
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        380⤵
        Checks computer location settings
        
        PID:5036
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        381⤵
        
        PID:1908
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        382⤵
        Adds policy Run key to start application
        
        PID:512
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        383⤵
        
        PID:2904
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        384⤵
        
        PID:3804
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        385⤵
        
        PID:3180
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        386⤵
        
        PID:3620
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        387⤵
        
        PID:740
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        388⤵
        
        PID:4600
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        389⤵
        
        PID:2496
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        390⤵
        
        PID:392
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        391⤵
        
        PID:3744
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        392⤵
        Modifies WinLogon
        
        PID:3780
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        393⤵
        
        PID:4228
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        394⤵
        Adds Run key to start application
        
        PID:3924
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        395⤵
        
        PID:3076
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        396⤵
        
        PID:400
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        397⤵
        
        PID:2412
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        398⤵
        Adds policy Run key to start application
        Checks computer location settings
        
        PID:4312
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        399⤵
        
        PID:4936
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        400⤵
        Adds Run key to start application
        
        PID:4976
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        401⤵
        
        PID:3484
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        402⤵
        
        PID:4776
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        403⤵
        
        PID:2368
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        404⤵
        
        PID:1700
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        405⤵
        
        PID:640
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        406⤵
        Adds policy Run key to start application
        
        PID:2056
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        407⤵
        
        PID:180
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        408⤵
        Modifies WinLogon
        
        PID:1576
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        409⤵
        
        PID:224
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        410⤵
        Modifies WinLogon
        
        PID:1380
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        411⤵
        
        PID:3952
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        412⤵
        Adds Run key to start application
        
        PID:1060
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        413⤵
        
        PID:748
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        414⤵
        Modifies WinLogon
        
        PID:3044
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        415⤵
        
        PID:3944
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        416⤵
        Adds policy Run key to start application
        
        PID:2776
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        417⤵
        
        PID:4548
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        418⤵
        Checks computer location settings
        Modifies WinLogon
        
        PID:3628
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        419⤵
        
        PID:2348
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        420⤵
        
        PID:4872
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        421⤵
        
        PID:624
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        422⤵
        Checks computer location settings
        
        PID:4792
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        423⤵
        
        PID:812
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        424⤵
        Checks computer location settings
        
        PID:2488
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        425⤵
        
        PID:5036
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        426⤵
        Adds Run key to start application
        
        PID:1104
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        427⤵
        
        PID:936
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        428⤵
        Adds policy Run key to start application
        
        PID:5004
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        429⤵
        
        PID:968
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        430⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:5116
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        431⤵
        
        PID:1584
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        432⤵
        Adds Run key to start application
        Modifies WinLogon
        
        PID:4484
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        433⤵
        
        PID:5020
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        434⤵
        Checks computer location settings
        
        PID:3956
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        435⤵
        
        PID:5088
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        436⤵
        
        PID:1472
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        437⤵
        
        PID:3456
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        438⤵
        Adds policy Run key to start application
        Modifies WinLogon
        
        PID:2808
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        439⤵
        
        PID:264
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        440⤵
        Checks computer location settings
        Modifies WinLogon
        
        PID:4268
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        441⤵
        
        PID:3408
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        442⤵
        
        PID:3356
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        443⤵
        
        PID:4160
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        444⤵
        
        PID:1232
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        445⤵
        
        PID:4564
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        446⤵
        Adds policy Run key to start application
        
        PID:4116
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        447⤵
        
        PID:2768
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        448⤵
        
        PID:4992
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        449⤵
        
        PID:3932
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        450⤵
        Checks computer location settings
        
        PID:2356
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        451⤵
        
        PID:4880
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        452⤵
        Checks computer location settings
        Adds Run key to start application
        Modifies WinLogon
        
        PID:1808
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        453⤵
        
        PID:3024
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        454⤵
        
        PID:3836
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        455⤵
        
        PID:180
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        456⤵
        Adds Run key to start application
        
        PID:116
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        457⤵
        
        PID:2824
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        458⤵
        
        PID:3468
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        459⤵
        
        PID:1972
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        460⤵
        Adds policy Run key to start application
        Adds Run key to start application
        
        PID:8
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        461⤵
        
        PID:748
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        462⤵
        Checks computer location settings
        Modifies WinLogon
        
        PID:2336
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        463⤵
        
        PID:2344
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        464⤵
        
        PID:432
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        465⤵
        
        PID:1984
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        466⤵
        
        PID:4540
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        467⤵
        
        PID:2456
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        468⤵
        
        PID:2976
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        469⤵
        
        PID:1740
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        470⤵
        Modifies WinLogon
        
        PID:4872
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        471⤵
        
        PID:1604
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        472⤵
        
        PID:4612
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        473⤵
        
        PID:184
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        474⤵
        Adds policy Run key to start application
        Checks computer location settings
        Adds Run key to start application
        Modifies WinLogon
        
        PID:1980
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        475⤵
        
        PID:3624
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        476⤵
        Checks computer location settings
        
        PID:936
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        477⤵
        
        PID:3328
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        478⤵
        Checks computer location settings
        Adds Run key to start application
        Modifies WinLogon
        
        PID:968
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        479⤵
        
        PID:1124
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        480⤵
        Adds Run key to start application
        
        PID:700
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        481⤵
        
        PID:3228
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        482⤵
        Checks computer location settings
        
        PID:5020
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        483⤵
        
        PID:320
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        484⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:5088
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        485⤵
        
        PID:236
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        486⤵
        Adds Run key to start application
        
        PID:3456
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        487⤵
        
        PID:2808
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        488⤵
        
        PID:264
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        489⤵
        
        PID:4268
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        490⤵
        Adds policy Run key to start application
        Checks computer location settings
        Modifies WinLogon
        
        PID:3000
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        491⤵
        
        PID:1448
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        492⤵
        
        PID:3160
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        493⤵
        
        PID:1204
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        494⤵
        Adds policy Run key to start application
        Adds Run key to start application
        Modifies WinLogon
        
        PID:4976
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        495⤵
        
        PID:3412
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        496⤵
        
        PID:1668
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        497⤵
        
        PID:4460
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        498⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:1700
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        499⤵
        
        PID:4368
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        500⤵
        
        PID:3632
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        501⤵
        
        PID:1732
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        502⤵
        
        PID:3024
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        503⤵
        
        PID:1392
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        504⤵
        Adds Run key to start application
        
        PID:1008
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        505⤵
        
        PID:3852
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        506⤵
        
        PID:4472
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        507⤵
        
        PID:2192
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        508⤵
        Modifies WinLogon
        
        PID:2952
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        509⤵
        
        PID:3740
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        510⤵
        
        PID:4900
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        511⤵
        
        PID:3812
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        512⤵
        Checks computer location settings
        
        PID:3108
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        513⤵
        
        PID:4480
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        514⤵
        Adds policy Run key to start application
        Checks computer location settings
        
        PID:3364
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        515⤵
        
        PID:2828
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        516⤵
        Adds Run key to start application
        
        PID:4944
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        517⤵
        
        PID:1592
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        518⤵
        
        PID:2976
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        519⤵
        
        PID:4888
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        520⤵
        Checks computer location settings
        Modifies WinLogon
        
        PID:844
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        521⤵
        
        PID:2716
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        522⤵
        
        PID:3464
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        523⤵
        
        PID:1728
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        524⤵
        Adds policy Run key to start application
        
        PID:3936
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        525⤵
        
        PID:2064
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        526⤵
        Adds policy Run key to start application
        
        PID:832
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        527⤵
        
        PID:3676
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        528⤵
        Checks computer location settings
        
        PID:2896
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        529⤵
        
        PID:2496
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        530⤵
        
        PID:3208
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        531⤵
        
        PID:1696
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        532⤵
        Adds Run key to start application
        
        PID:1868
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        533⤵
        
        PID:3472
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        534⤵
        Adds policy Run key to start application
        
        PID:2324
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        535⤵
        
        PID:396
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        536⤵
        Adds Run key to start application
        
        PID:384
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        537⤵
        
        PID:4076
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        538⤵
        
        PID:4160
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        539⤵
        
        PID:4936
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        540⤵
        Adds policy Run key to start application
        Checks computer location settings
        
        PID:3204
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        541⤵
        
        PID:2768
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        542⤵
        
        PID:376
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        543⤵
        
        PID:3932
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        544⤵
        Adds Run key to start application
        
        PID:640
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        545⤵
        
        PID:4368
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        546⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:4432
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        547⤵
        
        PID:5052
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        548⤵
        
        PID:2056
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        549⤵
        
        PID:3664
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        550⤵
        Checks computer location settings
        
        PID:1008
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        551⤵
        
        PID:2824
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        552⤵
        Adds Run key to start application
        Modifies WinLogon
        
        PID:2736
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        553⤵
        
        PID:4448
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        554⤵
        
        PID:8
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        555⤵
        
        PID:2344
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        556⤵
        
        PID:4900
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        557⤵
        
        PID:1648
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        558⤵
        
        PID:2052
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        559⤵
        
        PID:4020
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        560⤵
        
        PID:1984
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        561⤵
        
        PID:2348
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        562⤵
        Adds policy Run key to start application
        
        PID:3592
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        563⤵
        
        PID:624
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        564⤵
        Adds policy Run key to start application
        
        PID:3792
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        565⤵
        
        PID:804
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        566⤵
        
        PID:2716
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        567⤵
        
        PID:512
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        568⤵
        Adds policy Run key to start application
        
        PID:5004
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        569⤵
        
        PID:740
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        570⤵
        Checks computer location settings
        
        PID:4348
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        571⤵
        
        PID:3452
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        572⤵
        Adds policy Run key to start application
        
        PID:4672
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        573⤵
        
        PID:1284
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        574⤵
        Adds policy Run key to start application
        Modifies WinLogon
        
        PID:4352
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        575⤵
        
        PID:3092
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        576⤵
        
        PID:4896
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        577⤵
        
        PID:1140
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        578⤵
        
        PID:384
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        579⤵
        
        PID:2068
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        580⤵
        
        PID:4812
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        581⤵
        
        PID:4824
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        582⤵
        
        PID:4460
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        583⤵
        
        PID:1700
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        584⤵
        
        PID:112
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        585⤵
        
        PID:1808
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        586⤵
        Adds policy Run key to start application
        Modifies WinLogon
        
        PID:2984
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        587⤵
        
        PID:5072
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        588⤵
        
        PID:312
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        589⤵
        
        PID:3796
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        590⤵
        Checks computer location settings
        
        PID:224
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        591⤵
        
        PID:692
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        592⤵
        Checks computer location settings
        Modifies WinLogon
        
        PID:1972
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        593⤵
        
        PID:2336
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        594⤵
        Modifies WinLogon
        
        PID:2272
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        595⤵
        
        PID:4480
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        596⤵
        Checks computer location settings
        
        PID:2052
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        597⤵
        
        PID:4540
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        598⤵
        Modifies WinLogon
        
        PID:2164
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        599⤵
        
        PID:4408
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        600⤵
        
        PID:1740
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        601⤵
        
        PID:4536
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        602⤵
        
        PID:3752
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        603⤵
        
        PID:1188
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        604⤵
        
        PID:1104
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        605⤵
        
        PID:4204
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        606⤵
        
        PID:2064
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        607⤵
        
        PID:3228
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        608⤵
        
        PID:1460
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        609⤵
        
        PID:3012
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        610⤵
        
        PID:4364
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        611⤵
        
        PID:4352
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        612⤵
        
        PID:2680
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        613⤵
        
        PID:4564
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        614⤵
        
        PID:4312
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        615⤵
        
        PID:232
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        616⤵
        
        PID:1668
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        617⤵
        
        PID:1420
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        618⤵
        
        PID:968
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        619⤵
        
        PID:1056
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        620⤵
        
        PID:216
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        621⤵
        
        PID:4592
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        622⤵
        
        PID:4168
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        623⤵
        
        PID:4316
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        624⤵
        
        PID:2268
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        625⤵
        
        PID:116
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        626⤵
        
        PID:2824
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        627⤵
        
        PID:5108
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        628⤵
        
        PID:1020
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        629⤵
        
        PID:192
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        630⤵
        
        PID:464
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        631⤵
        
        PID:432
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        632⤵
        
        PID:3944
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        633⤵
        
        PID:3364
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        634⤵
        
        PID:4548
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        635⤵
        
        PID:4196
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        636⤵
        
        PID:1592
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        637⤵
        
        PID:3564
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        638⤵
        
        PID:3492
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        639⤵
        
        PID:3464
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        640⤵
        
        PID:1728
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        641⤵
        
        PID:4204
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        642⤵
        
        PID:2472
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        643⤵
        
        PID:3228
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        644⤵
        
        PID:3456
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        645⤵
        
        PID:3500
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        646⤵
        
        PID:3504
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        647⤵
        
        PID:4872
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        648⤵
        
        PID:3676
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        649⤵
        
        PID:1612
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        650⤵
        
        PID:3472
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        651⤵
        
        PID:5060
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        652⤵
        
        PID:4360
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        653⤵
        
        PID:4412
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        654⤵
        
        PID:2680
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        655⤵
        
        PID:1608
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        656⤵
        
        PID:232
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        657⤵
        
        PID:1328
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        658⤵
        
        PID:5036
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        659⤵
        
        PID:4684
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        660⤵
        
        PID:2676
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        661⤵
        
        PID:1440
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        662⤵
        
        PID:1700
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        663⤵
        
        PID:1732
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        664⤵
        
        PID:2448
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        665⤵
        
        PID:1868
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        666⤵
        
        PID:4796
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        667⤵
        
        PID:2160
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        668⤵
        
        PID:4552
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        669⤵
        
        PID:2500
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        670⤵
        
        PID:2292
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        671⤵
        
        PID:3812
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        672⤵
        
        PID:4448
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        673⤵
        
        PID:3136
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        674⤵
        
        PID:392
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        675⤵
        
        PID:4728
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        676⤵
        
        PID:4816
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        677⤵
        
        PID:2196
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        678⤵
        
        PID:4756
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        679⤵
        
        PID:4196
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        680⤵
        
        PID:2156
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        681⤵
        
        PID:184
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        682⤵
        
        PID:4612
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        683⤵
        
        PID:1104
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        684⤵
        
        PID:3620
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        685⤵
        
        PID:2064
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        686⤵
        
        PID:4064
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        687⤵
        
        PID:5084
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        688⤵
        
        PID:4664
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        689⤵
        
        PID:3204
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        690⤵
        
        PID:5000
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        691⤵
        
        PID:2008
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        692⤵
        
        PID:1676
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        693⤵
        
        PID:4888
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        694⤵
        
        PID:2496
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        695⤵
        
        PID:4356
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        696⤵
        
        PID:3356
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        697⤵
        
        PID:3956
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        698⤵
        
        PID:964
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        699⤵
        
        PID:4564
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        700⤵
        
        PID:1204
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        701⤵
        
        PID:4976
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        702⤵
        
        PID:676
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        703⤵
        
        PID:2032
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        704⤵
        
        PID:376
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        705⤵
        
        PID:3184
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        706⤵
        
        PID:1124
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        707⤵
        
        PID:808
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        708⤵
        
        PID:3932
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        709⤵
        
        PID:4616
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        710⤵
        
        PID:3024
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        711⤵
        
        PID:4168
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        712⤵
        
        PID:4300
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        713⤵
        
        PID:4336
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        714⤵
        
        PID:5108
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        715⤵
        
        PID:3636
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        716⤵
        
        PID:2292
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        717⤵
        
        PID:1508
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        718⤵
        
        PID:1220
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe" a
        719⤵
        
        PID:532
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        
        C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe
        720⤵
        
        PID:4548

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k wusvcs -p -s WaaSMedicSvc
1⤵
PID:264

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
1⤵
PID:2976

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
1⤵
PID:3208

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:4348

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
1⤵
PID:5088

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\wcsydrv.exe

Filesize
88KB

MD5
54e88117c656fb33285d9dd3bd89469d

SHA1
47cbd0e004c3819db03fd92626ad78e212989ae8

SHA256
ce7021c5dc853e3cece74530e9fd08b81b8741429b1d47ac4cdf692dfd2f41c7

SHA512
7aa07e4a1371c6e8b99414d775e3aa6701e63ac9f8d8b8386274aa86f59e6404c1f504bbd7e65c4e86fd13b9240a5e10c344f7ba93225cbda2dbc0b24712c001

Download Submit
memory/180-119-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/224-20-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/224-23-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/380-47-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/640-76-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/812-123-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/968-129-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1060-140-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1232-134-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1420-35-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1436-98-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1500-80-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1508-38-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1660-88-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1676-71-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1732-114-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1972-32-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1980-107-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1996-116-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2040-131-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2064-128-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2112-137-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2268-15-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2268-18-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2448-117-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2560-86-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2788-142-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2816-138-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2888-135-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2892-122-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2952-139-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2960-26-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2976-44-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2996-126-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3012-132-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3108-95-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3160-68-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3248-83-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3472-115-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3540-118-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3796-120-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3808-141-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3904-130-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3908-74-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3944-29-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3968-121-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3996-65-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4164-124-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4168-133-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4176-136-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4236-125-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4348-59-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4484-110-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4596-0-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/4596-13-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/4596-12-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4600-113-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4680-56-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4776-111-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4784-112-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4844-92-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4864-50-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4992-62-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/5004-104-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/5036-53-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/5104-41-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/5112-127-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/5116-101-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads