hawkeye | bde35d2817ab64fe26bfafc71b8e7c8d47ba08aa23d6ad15a26ff1ff3fbd99b7

Analysis

max time kernel
55s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
20-08-2024 17:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b03ef6672d4f79c1f4293cf7758b5794_JaffaCakes118.exe
Size

1.7MB
MD5

b03ef6672d4f79c1f4293cf7758b5794
SHA1

02278477f16bbc31bea3e103ceb83bd03a19c9e1
SHA256

bde35d2817ab64fe26bfafc71b8e7c8d47ba08aa23d6ad15a26ff1ff3fbd99b7
SHA512

de00feaafde5ac26d280473d11f0638da374bba40f19379cfadfdca045598bdf682f1070d2a781ddfad2bba2848e63ab64308083401cb345147f2f08b68a2253
SSDEEP

24576:r4lVqxn0YdlEnfami+SnU3s72ZYlv47O+W:rOcj3xmi+XhOt

Score

10^/10

hawkeye discovery evasion keylogger ransomware spyware stealer trojan

Malware Config

Signatures

HawkEye
HawkEye is a malware kit that has seen continuous development since at least 2013.
keylogger trojan stealer spyware hawkeye

Modifies firewall policy service 3 TTPs 10 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

Processes:

reg.exereg.exereg.exereg.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe = "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\AppLaunch.exe:*:Enabled:Windows Messanger"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\plugtemp\neoex.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\plugtemp\\neoex.exe:*:Enabled:Windows Messanger"	reg.exe

Renames multiple (255) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

b03ef6672d4f79c1f4293cf7758b5794_JaffaCakes118.exeexplorer.exed3dref9.exeifsutilx.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	b03ef6672d4f79c1f4293cf7758b5794_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	explorer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	d3dref9.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	ifsutilx.exe

Deletes itself 1 IoCs

Processes:

explorer.exe

pid	Process
2948	explorer.exe

Executes dropped EXE 64 IoCs

Processes:

explorer.exed3dref9.exeifsutilx.exed3dref9.exed3dref9.exed3dref9.exed3dref9.exed3dref9.exed3dref9.exed3dref9.exed3dref9.exed3dref9.exed3dref9.exed3dref9.exed3dref9.exed3dref9.exed3dref9.exed3dref9.exed3dref9.exed3dref9.exed3dref9.exed3dref9.exed3dref9.exed3dref9.exed3dref9.exed3dref9.exed3dref9.exed3dref9.exed3dref9.exed3dref9.exed3dref9.exed3dref9.exed3dref9.exed3dref9.exed3dref9.exed3dref9.exed3dref9.exed3dref9.exed3dref9.exed3dref9.exed3dref9.exed3dref9.exed3dref9.exed3dref9.exed3dref9.exed3dref9.exed3dref9.exed3dref9.exed3dref9.exed3dref9.exed3dref9.exed3dref9.exed3dref9.exed3dref9.exed3dref9.exed3dref9.exed3dref9.exed3dref9.exed3dref9.exed3dref9.exed3dref9.exed3dref9.exed3dref9.exed3dref9.exe

pid	Process
2948	explorer.exe
4308	d3dref9.exe
1844	ifsutilx.exe
4092	d3dref9.exe
2244	d3dref9.exe
3160	d3dref9.exe
4412	d3dref9.exe
2384	d3dref9.exe
2808	d3dref9.exe
908	d3dref9.exe
3812	d3dref9.exe
1976	d3dref9.exe
2512	d3dref9.exe
3216	d3dref9.exe
2932	d3dref9.exe
2164	d3dref9.exe
1428	d3dref9.exe
1048	d3dref9.exe
2868	d3dref9.exe
2496	d3dref9.exe
4680	d3dref9.exe
2180	d3dref9.exe
712	d3dref9.exe
1968	d3dref9.exe
1952	d3dref9.exe
1108	d3dref9.exe
1976	d3dref9.exe
4240	d3dref9.exe
3464	d3dref9.exe
1424	d3dref9.exe
4476	d3dref9.exe
1048	d3dref9.exe
2272	d3dref9.exe
1184	d3dref9.exe
1972	d3dref9.exe
712	d3dref9.exe
4628	d3dref9.exe
2168	d3dref9.exe
3132	d3dref9.exe
2896	d3dref9.exe
3440	d3dref9.exe
932	d3dref9.exe
4484	d3dref9.exe
2508	d3dref9.exe
2276	d3dref9.exe
2540	d3dref9.exe
384	d3dref9.exe
4852	d3dref9.exe
3252	d3dref9.exe
3560	d3dref9.exe
2264	d3dref9.exe
4268	d3dref9.exe
3108	d3dref9.exe
2296	d3dref9.exe
4080	d3dref9.exe
3024	d3dref9.exe
3504	d3dref9.exe
2868	d3dref9.exe
4932	d3dref9.exe
1776	d3dref9.exe
232	d3dref9.exe
4852	d3dref9.exe
2988	d3dref9.exe
1528	d3dref9.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

explorer.exeifsutilx.exe

description	pid	Process	procid_target
PID 2948 set thread context of 4100	2948	explorer.exe	88
PID 1844 set thread context of 2336	1844	ifsutilx.exe	109

Drops file in Windows directory 6 IoCs

Processes:

dw20.exedw20.exedw20.exedw20.exedw20.exedw20.exe

description	ioc	Process
File created	C:\Windows\AppCompat\Programs\Amcache.hve.tmp	dw20.exe
File created	C:\Windows\AppCompat\Programs\Amcache.hve.tmp.tmp	dw20.exe
File created	C:\Windows\AppCompat\Programs\Amcache.hve.tmp.tmp.tmp	dw20.exe
File created	C:\Windows\AppCompat\Programs\Amcache.hve.tmp.tmp.tmp	dw20.exe
File created	C:\Windows\AppCompat\Programs\Amcache.hve.tmp.tmp.tmp.tmp	dw20.exe
File created	C:\Windows\AppCompat\Programs\Amcache.hve.tmp.tmp.tmp.tmp	dw20.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

dw20.exedw20.exedw20.exedw20.exedw20.exed3dref9.exedw20.exed3dref9.exed3dref9.exed3dref9.exedw20.exed3dref9.exed3dref9.exed3dref9.exedw20.exedw20.exed3dref9.exedw20.exed3dref9.exedw20.exed3dref9.exedw20.exedw20.exedw20.exedw20.exedw20.exed3dref9.exedw20.exedw20.exed3dref9.exedw20.exed3dref9.exed3dref9.exed3dref9.exedw20.exedw20.exeifsutilx.exedw20.exed3dref9.exed3dref9.exedw20.exed3dref9.exed3dref9.exedw20.exed3dref9.exedw20.exed3dref9.exedw20.exedw20.exed3dref9.exedw20.exedw20.exed3dref9.exed3dref9.exed3dref9.exedw20.exed3dref9.exed3dref9.exedw20.exedw20.exed3dref9.exed3dref9.exed3dref9.exedw20.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dw20.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dw20.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dw20.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dw20.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dw20.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d3dref9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dw20.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d3dref9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d3dref9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d3dref9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dw20.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d3dref9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d3dref9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d3dref9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dw20.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dw20.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d3dref9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dw20.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d3dref9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dw20.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d3dref9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dw20.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dw20.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dw20.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dw20.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dw20.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d3dref9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dw20.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dw20.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d3dref9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dw20.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d3dref9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d3dref9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d3dref9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dw20.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dw20.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ifsutilx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dw20.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d3dref9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d3dref9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dw20.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d3dref9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d3dref9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dw20.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d3dref9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dw20.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d3dref9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dw20.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dw20.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d3dref9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dw20.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dw20.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d3dref9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d3dref9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d3dref9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dw20.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d3dref9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d3dref9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dw20.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dw20.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d3dref9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d3dref9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d3dref9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dw20.exe

Checks processor information in registry 2 TTPs 64 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

dw20.exedw20.exedw20.exedw20.exedw20.exedw20.exedw20.exedw20.exedw20.exedw20.exedw20.exedw20.exedw20.exedw20.exedw20.exedw20.exedw20.exedw20.exedw20.exedw20.exedw20.exedw20.exedw20.exedw20.exedw20.exedw20.exedw20.exedw20.exedw20.exedw20.exedw20.exedw20.exedw20.exedw20.exedw20.exedw20.exedw20.exedw20.exedw20.exedw20.exedw20.exedw20.exedw20.exedw20.exedw20.exedw20.exedw20.exedw20.exedw20.exedw20.exedw20.exedw20.exedw20.exedw20.exedw20.exedw20.exedw20.exedw20.exedw20.exedw20.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dw20.exe

Enumerates system info in registry 2 TTPs 64 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe

Modifies registry key 1 TTPs 4 IoCs

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exe

pid	Process
1988	reg.exe
1916	reg.exe
3484	reg.exe
1140	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

explorer.exed3dref9.exed3dref9.exeifsutilx.exed3dref9.exed3dref9.exed3dref9.exed3dref9.exed3dref9.exed3dref9.exed3dref9.exed3dref9.exed3dref9.exed3dref9.exe

pid	Process
2948	explorer.exe
4308	d3dref9.exe
2948	explorer.exe
2948	explorer.exe
2948	explorer.exe
4308	d3dref9.exe
2948	explorer.exe
4092	d3dref9.exe
1844	ifsutilx.exe
2948	explorer.exe
4092	d3dref9.exe
1844	ifsutilx.exe
2948	explorer.exe
2244	d3dref9.exe
2948	explorer.exe
3160	d3dref9.exe
2948	explorer.exe
1844	ifsutilx.exe
3160	d3dref9.exe
2948	explorer.exe
1844	ifsutilx.exe
3160	d3dref9.exe
2948	explorer.exe
1844	ifsutilx.exe
4412	d3dref9.exe
2384	d3dref9.exe
2948	explorer.exe
2384	d3dref9.exe
1844	ifsutilx.exe
2948	explorer.exe
1844	ifsutilx.exe
2808	d3dref9.exe
908	d3dref9.exe
2948	explorer.exe
2808	d3dref9.exe
1844	ifsutilx.exe
908	d3dref9.exe
2948	explorer.exe
1844	ifsutilx.exe
2808	d3dref9.exe
908	d3dref9.exe
2948	explorer.exe
2808	d3dref9.exe
1844	ifsutilx.exe
908	d3dref9.exe
2948	explorer.exe
1844	ifsutilx.exe
2808	d3dref9.exe
908	d3dref9.exe
2948	explorer.exe
1844	ifsutilx.exe
3812	d3dref9.exe
1976	d3dref9.exe
2948	explorer.exe
1844	ifsutilx.exe
3812	d3dref9.exe
1976	d3dref9.exe
2948	explorer.exe
1844	ifsutilx.exe
1976	d3dref9.exe
2948	explorer.exe
1844	ifsutilx.exe
2512	d3dref9.exe
3216	d3dref9.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

explorer.exeifsutilx.exe

pid	Process
2948	explorer.exe
1844	ifsutilx.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

b03ef6672d4f79c1f4293cf7758b5794_JaffaCakes118.exeexplorer.exeAppLaunch.exed3dref9.exedw20.exeifsutilx.exed3dref9.exedw20.exed3dref9.exedw20.exed3dref9.exedw20.exed3dref9.exed3dref9.exedw20.exedw20.exed3dref9.exed3dref9.exedw20.exedw20.exe

description	pid	Process
Token: SeDebugPrivilege	4588	b03ef6672d4f79c1f4293cf7758b5794_JaffaCakes118.exe
Token: SeDebugPrivilege	2948	explorer.exe
Token: 1	4100	AppLaunch.exe
Token: SeCreateTokenPrivilege	4100	AppLaunch.exe
Token: SeAssignPrimaryTokenPrivilege	4100	AppLaunch.exe
Token: SeLockMemoryPrivilege	4100	AppLaunch.exe
Token: SeIncreaseQuotaPrivilege	4100	AppLaunch.exe
Token: SeMachineAccountPrivilege	4100	AppLaunch.exe
Token: SeTcbPrivilege	4100	AppLaunch.exe
Token: SeSecurityPrivilege	4100	AppLaunch.exe
Token: SeTakeOwnershipPrivilege	4100	AppLaunch.exe
Token: SeLoadDriverPrivilege	4100	AppLaunch.exe
Token: SeSystemProfilePrivilege	4100	AppLaunch.exe
Token: SeSystemtimePrivilege	4100	AppLaunch.exe
Token: SeProfSingleProcessPrivilege	4100	AppLaunch.exe
Token: SeIncBasePriorityPrivilege	4100	AppLaunch.exe
Token: SeCreatePagefilePrivilege	4100	AppLaunch.exe
Token: SeCreatePermanentPrivilege	4100	AppLaunch.exe
Token: SeBackupPrivilege	4100	AppLaunch.exe
Token: SeRestorePrivilege	4100	AppLaunch.exe
Token: SeShutdownPrivilege	4100	AppLaunch.exe
Token: SeDebugPrivilege	4100	AppLaunch.exe
Token: SeAuditPrivilege	4100	AppLaunch.exe
Token: SeSystemEnvironmentPrivilege	4100	AppLaunch.exe
Token: SeChangeNotifyPrivilege	4100	AppLaunch.exe
Token: SeRemoteShutdownPrivilege	4100	AppLaunch.exe
Token: SeUndockPrivilege	4100	AppLaunch.exe
Token: SeSyncAgentPrivilege	4100	AppLaunch.exe
Token: SeEnableDelegationPrivilege	4100	AppLaunch.exe
Token: SeManageVolumePrivilege	4100	AppLaunch.exe
Token: SeImpersonatePrivilege	4100	AppLaunch.exe
Token: SeCreateGlobalPrivilege	4100	AppLaunch.exe
Token: 31	4100	AppLaunch.exe
Token: 32	4100	AppLaunch.exe
Token: 33	4100	AppLaunch.exe
Token: 34	4100	AppLaunch.exe
Token: 35	4100	AppLaunch.exe
Token: SeDebugPrivilege	4308	d3dref9.exe
Token: SeRestorePrivilege	2576	dw20.exe
Token: SeBackupPrivilege	2576	dw20.exe
Token: SeBackupPrivilege	2576	dw20.exe
Token: SeBackupPrivilege	2576	dw20.exe
Token: SeDebugPrivilege	1844	ifsutilx.exe
Token: SeDebugPrivilege	4092	d3dref9.exe
Token: SeBackupPrivilege	1004	dw20.exe
Token: SeBackupPrivilege	1004	dw20.exe
Token: SeDebugPrivilege	2244	d3dref9.exe
Token: SeBackupPrivilege	1424	dw20.exe
Token: SeBackupPrivilege	1424	dw20.exe
Token: SeDebugPrivilege	3160	d3dref9.exe
Token: SeBackupPrivilege	4476	dw20.exe
Token: SeBackupPrivilege	4476	dw20.exe
Token: SeDebugPrivilege	4412	d3dref9.exe
Token: SeDebugPrivilege	2384	d3dref9.exe
Token: SeBackupPrivilege	2472	dw20.exe
Token: SeBackupPrivilege	2472	dw20.exe
Token: SeBackupPrivilege	5012	dw20.exe
Token: SeBackupPrivilege	5012	dw20.exe
Token: SeDebugPrivilege	2808	d3dref9.exe
Token: SeDebugPrivilege	908	d3dref9.exe
Token: SeBackupPrivilege	3992	dw20.exe
Token: SeBackupPrivilege	784	dw20.exe
Token: SeRestorePrivilege	784	dw20.exe
Token: SeBackupPrivilege	784	dw20.exe

Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

AppLaunch.exeAppLaunch.exe

pid	Process
4100	AppLaunch.exe
4100	AppLaunch.exe
4100	AppLaunch.exe
2336	AppLaunch.exe
2336	AppLaunch.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

b03ef6672d4f79c1f4293cf7758b5794_JaffaCakes118.exeexplorer.exeAppLaunch.execmd.execmd.execmd.execmd.exed3dref9.exed3dref9.exeifsutilx.exed3dref9.exe

description	pid	Process	procid_target
PID 4588 wrote to memory of 2948	4588	b03ef6672d4f79c1f4293cf7758b5794_JaffaCakes118.exe	87
PID 4588 wrote to memory of 2948	4588	b03ef6672d4f79c1f4293cf7758b5794_JaffaCakes118.exe	87
PID 4588 wrote to memory of 2948	4588	b03ef6672d4f79c1f4293cf7758b5794_JaffaCakes118.exe	87
PID 2948 wrote to memory of 4100	2948	explorer.exe	88
PID 2948 wrote to memory of 4100	2948	explorer.exe	88
PID 2948 wrote to memory of 4100	2948	explorer.exe	88
PID 2948 wrote to memory of 4100	2948	explorer.exe	88
PID 2948 wrote to memory of 4100	2948	explorer.exe	88
PID 2948 wrote to memory of 4100	2948	explorer.exe	88
PID 2948 wrote to memory of 4100	2948	explorer.exe	88
PID 2948 wrote to memory of 4100	2948	explorer.exe	88
PID 4100 wrote to memory of 3784	4100	AppLaunch.exe	89
PID 4100 wrote to memory of 3784	4100	AppLaunch.exe	89
PID 4100 wrote to memory of 3784	4100	AppLaunch.exe	89
PID 4100 wrote to memory of 4276	4100	AppLaunch.exe	90
PID 4100 wrote to memory of 4276	4100	AppLaunch.exe	90
PID 4100 wrote to memory of 4276	4100	AppLaunch.exe	90
PID 4100 wrote to memory of 4928	4100	AppLaunch.exe	91
PID 4100 wrote to memory of 4928	4100	AppLaunch.exe	91
PID 4100 wrote to memory of 4928	4100	AppLaunch.exe	91
PID 4100 wrote to memory of 212	4100	AppLaunch.exe	92
PID 4100 wrote to memory of 212	4100	AppLaunch.exe	92
PID 4100 wrote to memory of 212	4100	AppLaunch.exe	92
PID 4276 wrote to memory of 3484	4276	cmd.exe	97
PID 4276 wrote to memory of 3484	4276	cmd.exe	97
PID 4276 wrote to memory of 3484	4276	cmd.exe	97
PID 4928 wrote to memory of 1140	4928	cmd.exe	98
PID 4928 wrote to memory of 1140	4928	cmd.exe	98
PID 4928 wrote to memory of 1140	4928	cmd.exe	98
PID 3784 wrote to memory of 1988	3784	cmd.exe	99
PID 3784 wrote to memory of 1988	3784	cmd.exe	99
PID 3784 wrote to memory of 1988	3784	cmd.exe	99
PID 212 wrote to memory of 1916	212	cmd.exe	100
PID 212 wrote to memory of 1916	212	cmd.exe	100
PID 212 wrote to memory of 1916	212	cmd.exe	100
PID 2948 wrote to memory of 4308	2948	explorer.exe	101
PID 2948 wrote to memory of 4308	2948	explorer.exe	101
PID 2948 wrote to memory of 4308	2948	explorer.exe	101
PID 4308 wrote to memory of 2576	4308	d3dref9.exe	102
PID 4308 wrote to memory of 2576	4308	d3dref9.exe	102
PID 4308 wrote to memory of 2576	4308	d3dref9.exe	102
PID 4308 wrote to memory of 1844	4308	d3dref9.exe	103
PID 4308 wrote to memory of 1844	4308	d3dref9.exe	103
PID 4308 wrote to memory of 1844	4308	d3dref9.exe	103
PID 2948 wrote to memory of 4092	2948	explorer.exe	107
PID 2948 wrote to memory of 4092	2948	explorer.exe	107
PID 2948 wrote to memory of 4092	2948	explorer.exe	107
PID 4092 wrote to memory of 1004	4092	d3dref9.exe	108
PID 4092 wrote to memory of 1004	4092	d3dref9.exe	108
PID 4092 wrote to memory of 1004	4092	d3dref9.exe	108
PID 1844 wrote to memory of 2336	1844	ifsutilx.exe	109
PID 1844 wrote to memory of 2336	1844	ifsutilx.exe	109
PID 1844 wrote to memory of 2336	1844	ifsutilx.exe	109
PID 1844 wrote to memory of 2336	1844	ifsutilx.exe	109
PID 1844 wrote to memory of 2336	1844	ifsutilx.exe	109
PID 1844 wrote to memory of 2336	1844	ifsutilx.exe	109
PID 1844 wrote to memory of 2336	1844	ifsutilx.exe	109
PID 1844 wrote to memory of 2336	1844	ifsutilx.exe	109
PID 2948 wrote to memory of 2244	2948	explorer.exe	110
PID 2948 wrote to memory of 2244	2948	explorer.exe	110
PID 2948 wrote to memory of 2244	2948	explorer.exe	110
PID 2244 wrote to memory of 1424	2244	d3dref9.exe	111
PID 2244 wrote to memory of 1424	2244	d3dref9.exe	111
PID 2244 wrote to memory of 1424	2244	d3dref9.exe	111

C:\Users\Admin\AppData\Local\Temp\b03ef6672d4f79c1f4293cf7758b5794_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b03ef6672d4f79c1f4293cf7758b5794_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4588
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe"
  2⤵
  - Checks computer location settings
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2948
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4100
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3784
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        5⤵
        Modifies firewall policy service
        Modifies registry key
        
        PID:1988
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe" /t REG_SZ /d "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe:*:Enabled:Windows Messanger" /f
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4276
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe" /t REG_SZ /d "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe:*:Enabled:Windows Messanger" /f
        5⤵
        Modifies firewall policy service
        Modifies registry key
        
        PID:3484
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4928
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        5⤵
        Modifies firewall policy service
        Modifies registry key
        
        PID:1140
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\plugtemp\neoex.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\plugtemp\neoex.exe:*:Enabled:Windows Messanger" /f
      4⤵
      Suspicious use of WriteProcessMemory
      PID:212
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\plugtemp\neoex.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\plugtemp\neoex.exe:*:Enabled:Windows Messanger" /f
        5⤵
        Modifies firewall policy service
        Modifies registry key
        
        PID:1916
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4308
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 972
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2576
  - - C:\Users\Admin\AppData\Local\Temp\ifsutilx.exe
      "C:\Users\Admin\AppData\Local\Temp\ifsutilx.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1844
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
        5⤵
        Suspicious use of SetWindowsHookEx
        
        PID:2336
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3160
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 872
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4476
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2384
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 872
        6⤵
        Checks processor information in registry
        Suspicious use of AdjustPrivilegeToken
        
        PID:5012
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:908
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 872
        6⤵
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:784
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:1976
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 872
        6⤵
        System Location Discovery: System Language Discovery
        Enumerates system info in registry
        
        PID:5004
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:3216
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 872
        6⤵
        Checks processor information in registry
        
        PID:2764
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
        5⤵
        Executes dropped EXE
        
        PID:2164
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 872
        6⤵
        
        PID:1308
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2868
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 872
        6⤵
        
        PID:4228
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4680
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 872
        6⤵
        Checks processor information in registry
        
        PID:1184
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
        5⤵
        Executes dropped EXE
        
        PID:712
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 872
        6⤵
        
        PID:3164
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
        5⤵
        Executes dropped EXE
        
        PID:1108
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 880
        6⤵
        System Location Discovery: System Language Discovery
        Enumerates system info in registry
        
        PID:3972
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4240
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 872
        6⤵
        Checks processor information in registry
        
        PID:2824
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
        5⤵
        Executes dropped EXE
        
        PID:4476
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 872
        6⤵
        
        PID:2560
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
        5⤵
        Executes dropped EXE
        
        PID:2272
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 872
        6⤵
        
        PID:3816
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
        5⤵
        Executes dropped EXE
        
        PID:1972
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 872
        6⤵
        
        PID:1704
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
        5⤵
        Executes dropped EXE
        
        PID:4628
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 872
        6⤵
        
        PID:3788
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
        5⤵
        Executes dropped EXE
        
        PID:3132
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 872
        6⤵
        System Location Discovery: System Language Discovery
        Enumerates system info in registry
        
        PID:3648
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
        5⤵
        Executes dropped EXE
        
        PID:3440
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 872
        6⤵
        
        PID:1252
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
        5⤵
        Executes dropped EXE
        
        PID:932
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 872
        6⤵
        
        PID:1564
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
        5⤵
        Executes dropped EXE
        
        PID:2508
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 872
        6⤵
        System Location Discovery: System Language Discovery
        Enumerates system info in registry
        
        PID:2384
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
        5⤵
        Executes dropped EXE
        
        PID:384
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 872
        6⤵
        Enumerates system info in registry
        
        PID:3216
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
        5⤵
        Executes dropped EXE
        
        PID:3252
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 872
        6⤵
        
        PID:3784
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2264
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 872
        6⤵
        Enumerates system info in registry
        
        PID:4836
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
        5⤵
        Executes dropped EXE
        
        PID:2296
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 872
        6⤵
        Enumerates system info in registry
        
        PID:1728
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
        5⤵
        Executes dropped EXE
        
        PID:4080
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 872
        6⤵
        
        PID:2200
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
        5⤵
        Executes dropped EXE
        
        PID:2868
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 872
        6⤵
        Checks processor information in registry
        
        PID:2184
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
        5⤵
        Executes dropped EXE
        
        PID:4932
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 876
        6⤵
        
        PID:3908
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
        5⤵
        Executes dropped EXE
        
        PID:4852
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 872
        6⤵
        
        PID:1120
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
        5⤵
        Executes dropped EXE
        
        PID:2988
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 872
        6⤵
        
        PID:3964
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2380
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 872
        6⤵
        
        PID:912
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
        5⤵
        
        PID:4092
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 872
        6⤵
        
        PID:5012
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3656
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 872
        6⤵
        
        PID:3164
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
        5⤵
        
        PID:536
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 872
        6⤵
        Checks processor information in registry
        
        PID:384
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
        5⤵
        
        PID:2144
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 872
        6⤵
        Enumerates system info in registry
        
        PID:2288
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
        5⤵
        
        PID:1344
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 872
        6⤵
        Enumerates system info in registry
        
        PID:232
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
        5⤵
        
        PID:4152
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 872
        6⤵
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:4456
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2940
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 872
        6⤵
        Checks processor information in registry
        
        PID:3004
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
        5⤵
        
        PID:2184
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 872
        6⤵
        
        PID:532
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
        5⤵
        
        PID:960
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 872
        6⤵
        Checks processor information in registry
        
        PID:408
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
        5⤵
        
        PID:1492
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 872
        6⤵
        Checks processor information in registry
        
        PID:3276
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
        5⤵
        
        PID:2708
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 872
        6⤵
        
        PID:3772
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
        5⤵
        
        PID:4652
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 872
        6⤵
        
        PID:3104
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
        5⤵
        
        PID:516
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 876
        6⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1184
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
        5⤵
        
        PID:2272
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 872
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:532
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
        5⤵
        
        PID:2288
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 872
        6⤵
        
        PID:1668
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
        5⤵
        
        PID:4080
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 872
        6⤵
        
        PID:3568
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
        5⤵
        
        PID:1512
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 872
        6⤵
        
        PID:5040
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
        5⤵
        
        PID:4944
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 872
        6⤵
        Checks processor information in registry
        
        PID:2972
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
        5⤵
        
        PID:2260
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 872
        6⤵
        
        PID:3228
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2708
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 872
        6⤵
        
        PID:988
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
        5⤵
        
        PID:4140
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 872
        6⤵
        
        PID:3504
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
        5⤵
        
        PID:2844
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 872
        6⤵
        
        PID:1140
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
        5⤵
        
        PID:2540
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 872
        6⤵
        Checks processor information in registry
        
        PID:4588
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
        5⤵
        
        PID:2012
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 872
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4856
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
        5⤵
        
        PID:2640
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 872
        6⤵
        Enumerates system info in registry
        
        PID:1340
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
        5⤵
        
        PID:2968
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 872
        6⤵
        Checks processor information in registry
        
        PID:3212
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2472
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 872
        6⤵
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:4384
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
        5⤵
        
        PID:2264
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 872
        6⤵
        
        PID:3564
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
        5⤵
        
        PID:408
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 872
        6⤵
        Enumerates system info in registry
        
        PID:2180
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
        5⤵
        
        PID:1096
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 872
        6⤵
        Checks processor information in registry
        
        PID:4472
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
        5⤵
        
        PID:2796
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 872
        6⤵
        
        PID:1952
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
        5⤵
        
        PID:3132
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 872
        6⤵
        
        PID:3496
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
        5⤵
        
        PID:4456
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 872
        6⤵
        
        PID:3212
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
        5⤵
        
        PID:5112
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 872
        6⤵
        
        PID:4300
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
        5⤵
        
        PID:4552
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 872
        6⤵
        
        PID:2708
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3788
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 872
        6⤵
        Checks processor information in registry
        
        PID:3112
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
        5⤵
        
        PID:2576
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 872
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3568
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
        5⤵
        
        PID:4224
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 872
        6⤵
        
        PID:4508
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:784
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 872
        6⤵
        Checks processor information in registry
        
        PID:4892
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
        5⤵
        
        PID:3812
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 872
        6⤵
        
        PID:3648
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
        5⤵
        
        PID:4252
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 872
        6⤵
        Enumerates system info in registry
        
        PID:3504
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
        5⤵
        
        PID:4308
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 872
        6⤵
        
        PID:4588
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
        5⤵
        
        PID:3460
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 872
        6⤵
        
        PID:1120
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
        5⤵
        
        PID:3568
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 872
        6⤵
        
        PID:4820
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
        5⤵
        
        PID:3880
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 872
        6⤵
        System Location Discovery: System Language Discovery
        Enumerates system info in registry
        
        PID:3316
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
        5⤵
        
        PID:3484
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 872
        6⤵
        Enumerates system info in registry
        
        PID:3020
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1112
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 872
        6⤵
        
        PID:3300
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
        5⤵
        
        PID:3504
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 872
        6⤵
        
        PID:3688
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
        5⤵
        
        PID:4920
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 872
        6⤵
        
        PID:2748
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
        5⤵
        
        PID:2264
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 872
        6⤵
        Checks processor information in registry
        
        PID:4912
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1100
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 880
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3928
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
        5⤵
        
        PID:2076
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 872
        6⤵
        Enumerates system info in registry
        
        PID:2540
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
        5⤵
        
        PID:3992
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 872
        6⤵
        System Location Discovery: System Language Discovery
        Enumerates system info in registry
        
        PID:4532
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
        5⤵
        
        PID:1344
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 872
        6⤵
        
        PID:5068
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
        5⤵
        
        PID:1096
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 872
        6⤵
        
        PID:1336
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
        5⤵
        
        PID:3604
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 872
        6⤵
        
        PID:3440
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
        5⤵
        
        PID:5060
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 872
        6⤵
        
        PID:1564
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
        5⤵
        
        PID:4600
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 872
        6⤵
        Checks processor information in registry
        
        PID:1704
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
        5⤵
        
        PID:1392
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 872
        6⤵
        
        PID:2144
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
        5⤵
        
        PID:3560
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 872
        6⤵
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:5080
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
        5⤵
        
        PID:2472
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 872
        6⤵
        Enumerates system info in registry
        
        PID:2116
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
        5⤵
        
        PID:1096
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 872
        6⤵
        Enumerates system info in registry
        
        PID:3104
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
        5⤵
        
        PID:3792
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 872
        6⤵
        
        PID:4604
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3252
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 872
        6⤵
        
        PID:1256
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
        5⤵
        
        PID:1968
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 880
        6⤵
        Checks processor information in registry
        
        PID:988
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
        5⤵
        
        PID:3276
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 872
        6⤵
        
        PID:5080
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
        5⤵
        
        PID:1328
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 872
        6⤵
        Checks processor information in registry
        
        PID:684
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
        5⤵
        
        PID:4276
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 872
        6⤵
        
        PID:4092
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
        5⤵
        
        PID:2656
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 872
        6⤵
        
        PID:2712
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
        5⤵
        
        PID:4612
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 872
        6⤵
        
        PID:1976
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
        5⤵
        
        PID:1428
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 872
        6⤵
        
        PID:5004
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
        5⤵
        
        PID:1556
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 872
        6⤵
        
        PID:4556
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
        5⤵
        
        PID:4664
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 872
        6⤵
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        
        PID:3504
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
        5⤵
        
        PID:2688
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 872
        6⤵
        System Location Discovery: System Language Discovery
        Enumerates system info in registry
        
        PID:2372
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
        5⤵
        
        PID:1776
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 872
        6⤵
        System Location Discovery: System Language Discovery
        Enumerates system info in registry
        
        PID:1972
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
        5⤵
        
        PID:2796
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 872
        6⤵
        
        PID:1328
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
        5⤵
        
        PID:3112
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 872
        6⤵
        Checks processor information in registry
        
        PID:3972
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
        5⤵
        
        PID:4620
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 872
        6⤵
        
        PID:3980
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
        5⤵
        
        PID:1408
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 872
        6⤵
        
        PID:1340
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
        5⤵
        
        PID:1684
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 872
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1952
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
        5⤵
        
        PID:3604
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 872
        6⤵
        
        PID:376
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
        5⤵
        
        PID:2396
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 872
        6⤵
        
        PID:5112
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
        5⤵
        
        PID:2944
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 872
        6⤵
        Checks processor information in registry
        
        PID:2840
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
        5⤵
        
        PID:3684
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 872
        6⤵
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:2296
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
        5⤵
        
        PID:2180
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 872
        6⤵
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:388
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
        5⤵
        
        PID:3848
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 872
        6⤵
        
        PID:4856
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
        5⤵
        
        PID:4224
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 872
        6⤵
        
        PID:3132
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
        5⤵
        
        PID:1728
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 872
        6⤵
        Checks processor information in registry
        
        PID:1684
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
        5⤵
        
        PID:5016
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 872
        6⤵
        
        PID:1156
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
        5⤵
        
        PID:2496
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 872
        6⤵
        
        PID:384
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
        5⤵
        
        PID:372
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 872
        6⤵
        Drops file in Windows directory
        
        PID:4528
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
        5⤵
        
        PID:5032
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 872
        6⤵
        
        PID:5044
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
        5⤵
        
        PID:4524
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 872
        6⤵
        
        PID:4640
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
        5⤵
        
        PID:4276
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 872
        6⤵
        Checks processor information in registry
        
        PID:2968
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
        5⤵
        
        PID:1988
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 872
        6⤵
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:4088
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
        5⤵
        
        PID:2796
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 872
        6⤵
        
        PID:5004
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1528
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 872
        6⤵
        Enumerates system info in registry
        
        PID:1344
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
        5⤵
        
        PID:4080
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 872
        6⤵
        
        PID:4464
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
        5⤵
        
        PID:1524
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 872
        6⤵
        
        PID:3160
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
        5⤵
        
        PID:5016
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 872
        6⤵
        
        PID:3880
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
        5⤵
        
        PID:4032
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 872
        6⤵
        
        PID:4092
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
        5⤵
        
        PID:536
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 872
        6⤵
        
        PID:3020
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
        5⤵
        
        PID:1156
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 872
        6⤵
        
        PID:1916
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4276
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 872
        6⤵
        Checks processor information in registry
        
        PID:2584
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
        5⤵
        
        PID:1556
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 872
        6⤵
        Checks processor information in registry
        
        PID:1076
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
        5⤵
        
        PID:5044
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 872
        6⤵
        
        PID:4768
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
        5⤵
        
        PID:3992
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 872
        6⤵
        
        PID:1120
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
        5⤵
        
        PID:376
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 876
        6⤵
        
        PID:4016
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
        5⤵
        
        PID:1428
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 880
        6⤵
        
        PID:3568
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
        5⤵
        
        PID:3020
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 872
        6⤵
        
        PID:2640
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
        5⤵
        
        PID:536
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 872
        6⤵
        
        PID:3468
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
        5⤵
        
        PID:4240
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 872
        6⤵
        
        PID:2168
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
        5⤵
        
        PID:4528
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 872
        6⤵
        
        PID:2240
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
        5⤵
        
        PID:2000
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 872
        6⤵
        
        PID:1492
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
        5⤵
        
        PID:4300
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 872
        6⤵
        
        PID:3276
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
        5⤵
        
        PID:4016
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 872
        6⤵
        
        PID:3112
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
        5⤵
        
        PID:3780
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 872
        6⤵
        
        PID:1876
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
        5⤵
        
        PID:4368
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 872
        6⤵
        
        PID:3288
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
        5⤵
        
        PID:4240
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 872
        6⤵
        
        PID:1500
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
        5⤵
        
        PID:3684
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 872
        6⤵
        
        PID:2844
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
        5⤵
        
        PID:1120
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 872
        6⤵
        
        PID:3992
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
        5⤵
        
        PID:2508
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 872
        6⤵
        
        PID:220
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
        5⤵
        
        PID:4664
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 872
        6⤵
        
        PID:2968
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
        5⤵
        
        PID:1856
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 872
        6⤵
        
        PID:3272
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
        5⤵
        
        PID:4368
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 872
        6⤵
        
        PID:2868
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
        5⤵
        
        PID:3504
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 872
        6⤵
        
        PID:1972
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
        5⤵
        
        PID:988
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 872
        6⤵
        
        PID:3584
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
        5⤵
        
        PID:5044
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 872
        6⤵
        
        PID:4744
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
        5⤵
        
        PID:5080
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 872
        6⤵
        
        PID:2296
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
        5⤵
        
        PID:2828
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 872
        6⤵
        
        PID:4920
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
        5⤵
        
        PID:2976
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 872
        6⤵
        
        PID:4816
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
        5⤵
        
        PID:3964
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 872
        6⤵
        
        PID:428
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
        5⤵
        
        PID:1172
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 872
        6⤵
        
        PID:2560
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
        5⤵
        
        PID:796
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 872
        6⤵
        
        PID:1952
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
        5⤵
        
        PID:5060
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 872
        6⤵
        
        PID:1704
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
        5⤵
        
        PID:4684
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 872
        6⤵
        
        PID:852
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
        5⤵
        
        PID:908
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 872
        6⤵
        
        PID:1096
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
        5⤵
        
        PID:1300
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 872
        6⤵
        
        PID:5004
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
        5⤵
        
        PID:1184
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 872
        6⤵
        
        PID:3560
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
        5⤵
        
        PID:3264
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 872
        6⤵
        
        PID:4556
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
        5⤵
        
        PID:2256
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 872
        6⤵
        
        PID:4152
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
        5⤵
        
        PID:2264
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 872
        6⤵
        
        PID:3604
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
        5⤵
        
        PID:3648
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 872
        6⤵
        
        PID:2200
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
        5⤵
        
        PID:4944
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 872
        6⤵
        
        PID:2796
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
        5⤵
        
        PID:5076
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 884
        6⤵
        
        PID:4820
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
        5⤵
        
        PID:1300
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 872
        6⤵
        
        PID:2612
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
        5⤵
        
        PID:3560
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 872
        6⤵
        
        PID:2240
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
        5⤵
        
        PID:4092
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 872
        6⤵
        
        PID:2260
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
        5⤵
        
        PID:1408
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 872
        6⤵
        
        PID:4752
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
        5⤵
        
        PID:1156
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 872
        6⤵
        
        PID:4300
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
        5⤵
        
        PID:3112
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 872
        6⤵
        
        PID:1956
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
        5⤵
        
        PID:2712
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 872
        6⤵
        
        PID:3648
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
        5⤵
        
        PID:3880
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 872
        6⤵
        
        PID:1268
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
        5⤵
        
        PID:380
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 872
        6⤵
        
        PID:5088
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
        5⤵
        
        PID:2268
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 872
        6⤵
        
        PID:2972
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
        5⤵
        
        PID:908
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 884
        6⤵
        
        PID:1336
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
        5⤵
        
        PID:1564
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 872
        6⤵
        
        PID:3604
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
        5⤵
        
        PID:1116
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 872
        6⤵
        
        PID:4024
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
        5⤵
        
        PID:796
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 872
        6⤵
        
        PID:3272
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
        5⤵
        
        PID:1748
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 872
        6⤵
        
        PID:456
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
        5⤵
        
        PID:5088
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 872
        6⤵
        
        PID:4276
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
        5⤵
        
        PID:2628
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 872
        6⤵
        
        PID:1876
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
        5⤵
        
        PID:4880
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 872
        6⤵
        
        PID:3584
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
        5⤵
        
        PID:4224
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 872
        6⤵
        
        PID:908
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
        5⤵
        
        PID:3568
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 872
        6⤵
        
        PID:4752
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
        5⤵
        
        PID:4760
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 872
        6⤵
        
        PID:2264
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
        5⤵
        
        PID:2520
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 872
        6⤵
        
        PID:5112
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
        5⤵
        
        PID:784
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 872
        6⤵
        
        PID:4532
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
        5⤵
        
        PID:3780
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 876
        6⤵
        
        PID:2788
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
        5⤵
        
        PID:4820
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 872
        6⤵
        
        PID:5044
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
        5⤵
        
        PID:1184
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 876
        6⤵
        
        PID:2168
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
        5⤵
        
        PID:4416
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 872
        6⤵
        
        PID:2152
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
        5⤵
        
        PID:1776
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 872
        6⤵
        
        PID:4300
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
        5⤵
        
        PID:3440
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 872
        6⤵
        
        PID:3568
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
        5⤵
        
        PID:2584
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 872
        6⤵
        
        PID:3956
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
        5⤵
        
        PID:1524
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 872
        6⤵
        
        PID:4600
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
        5⤵
        
        PID:928
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 872
        6⤵
        
        PID:2160
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
        5⤵
        
        PID:3560
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 872
        6⤵
        
        PID:380
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
        5⤵
        
        PID:1968
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 872
        6⤵
        
        PID:3644
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
        5⤵
        
        PID:3288
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 872
        6⤵
        
        PID:4768
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
        5⤵
        
        PID:3160
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 872
        6⤵
        
        PID:2168
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
        5⤵
        
        PID:1988
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 872
        6⤵
        
        PID:4092
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
        5⤵
        
        PID:4300
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 872
        6⤵
        
        PID:3556
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
        5⤵
        
        PID:3316
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 872
        6⤵
        
        PID:1956
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
        5⤵
        
        PID:2584
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 872
        6⤵
        
        PID:636
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
        5⤵
        
        PID:712
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 872
        6⤵
        
        PID:4236
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
        5⤵
        
        PID:3164
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 872
        6⤵
        
        PID:2972
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
        5⤵
        
        PID:5040
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 872
        6⤵
        
        PID:3252
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
        5⤵
        
        PID:4640
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 872
        6⤵
        
        PID:3584
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
        5⤵
        
        PID:3888
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 872
        6⤵
        
        PID:3344
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
        5⤵
        
        PID:1968
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 872
        6⤵
        
        PID:4832
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
        5⤵
        
        PID:2288
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 872
        6⤵
        
        PID:3280
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
        5⤵
        
        PID:3648
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 872
        6⤵
        
        PID:5008
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
        5⤵
        
        PID:1096
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 872
        6⤵
        
        PID:3096
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
        5⤵
        
        PID:3316
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 872
        6⤵
        
        PID:4736
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
        5⤵
        
        PID:1524
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 872
        6⤵
        
        PID:1284
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
        5⤵
        
        PID:3808
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 872
        6⤵
        
        PID:2844
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
        5⤵
        
        PID:4920
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 872
        6⤵
        
        PID:4472
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
        5⤵
        
        PID:5052
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 872
        6⤵
        
        PID:2968
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
        5⤵
        
        PID:3244
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 880
        6⤵
        
        PID:3292
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
        5⤵
        
        PID:4680
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 868
        6⤵
        
        PID:1112
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
        5⤵
        
        PID:4088
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 876
        6⤵
        
        PID:4652
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
        5⤵
        
        PID:3464
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 872
        6⤵
        
        PID:2584
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
        5⤵
        
        PID:532
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 872
        6⤵
        
        PID:2256
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
        5⤵
        
        PID:1428
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 872
        6⤵
        
        PID:3560
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
        5⤵
        
        PID:4932
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 872
        6⤵
        
        PID:660
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
        5⤵
        
        PID:5068
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 872
        6⤵
        
        PID:4388
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
        5⤵
        
        PID:3484
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 872
        6⤵
        
        PID:2132
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
        5⤵
        
        PID:3972
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 872
        6⤵
        
        PID:2240
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
        5⤵
        
        PID:4612
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 872
        6⤵
        
        PID:428
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
        5⤵
        
        PID:388
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 872
        6⤵
        
        PID:928
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
        5⤵
        
        PID:1184
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 872
        6⤵
        
        PID:4432
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
        5⤵
        
        PID:3880
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 872
        6⤵
        
        PID:1996
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
        5⤵
        
        PID:1564
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 872
        6⤵
        
        PID:660
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
        5⤵
        
        PID:4628
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 872
        6⤵
        
        PID:3524
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
        5⤵
        
        PID:5052
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 872
        6⤵
        
        PID:2132
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
        5⤵
        
        PID:3780
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 876
        6⤵
        
        PID:2160
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
        5⤵
        
        PID:468
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 872
        6⤵
        
        PID:3284
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
        5⤵
        
        PID:3572
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 872
        6⤵
        
        PID:3164
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
        5⤵
        
        PID:4880
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 872
        6⤵
        
        PID:4224
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
        5⤵
        
        PID:3784
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 872
        6⤵
        
        PID:1140
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
        5⤵
        
        PID:1968
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 872
        6⤵
        
        PID:2184
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
        5⤵
        
        PID:4832
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 884
        6⤵
        
        PID:1208
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
        5⤵
        
        PID:2012
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4092
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 872
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1004
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2244
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 872
      4⤵
      Enumerates system info in registry
      Suspicious use of AdjustPrivilegeToken
      PID:1424
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4412
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 872
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2472
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2808
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 872
      4⤵
      Checks processor information in registry
      Suspicious use of AdjustPrivilegeToken
      PID:3992
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:3812
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 872
      4⤵
      PID:380
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:2512
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 872
      4⤵
      PID:1804
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
    3⤵
    - Executes dropped EXE
    PID:2932
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 872
      4⤵
      PID:3604
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
    3⤵
    - Executes dropped EXE
    PID:1428
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 872
      4⤵
      PID:1528
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
    3⤵
    - Executes dropped EXE
    PID:1048
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 876
      4⤵
      PID:2064
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
    3⤵
    - Executes dropped EXE
    PID:2496
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 872
      4⤵
      PID:1876
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
    3⤵
    - Executes dropped EXE
    PID:2180
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 872
      4⤵
      PID:3300
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1968
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 872
      4⤵
      Checks processor information in registry
      Enumerates system info in registry
      PID:1680
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
    3⤵
    - Executes dropped EXE
    PID:1952
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 872
      4⤵
      PID:4856
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
    3⤵
    - Executes dropped EXE
    PID:1976
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 872
      4⤵
      PID:4836
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
    3⤵
    - Executes dropped EXE
    PID:3464
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 872
      4⤵
      PID:1564
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
    3⤵
    - Executes dropped EXE
    PID:1424
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 872
      4⤵
      Enumerates system info in registry
      PID:2064
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1048
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 872
      4⤵
      PID:4088
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
    3⤵
    - Executes dropped EXE
    PID:1184
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 872
      4⤵
      PID:3300
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
    3⤵
    - Executes dropped EXE
    PID:712
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 872
      4⤵
      System Location Discovery: System Language Discovery
      Enumerates system info in registry
      PID:4920
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
    3⤵
    - Executes dropped EXE
    PID:2168
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 876
      4⤵
      Checks processor information in registry
      Enumerates system info in registry
      PID:3932
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
    3⤵
    - Executes dropped EXE
    PID:2896
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 872
      4⤵
      Enumerates system info in registry
      PID:4456
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
    3⤵
    - Executes dropped EXE
    PID:4484
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 872
      4⤵
      System Location Discovery: System Language Discovery
      PID:3200
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
    3⤵
    - Executes dropped EXE
    PID:2276
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 872
      4⤵
      PID:2748
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
    3⤵
    - Executes dropped EXE
    PID:2540
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 872
      4⤵
      PID:2828
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
    3⤵
    - Executes dropped EXE
    PID:4852
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 872
      4⤵
      PID:3788
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
    3⤵
    - Executes dropped EXE
    PID:3560
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 896
      4⤵
      PID:2396
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
    3⤵
    - Executes dropped EXE
    PID:4268
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 872
      4⤵
      System Location Discovery: System Language Discovery
      PID:2824
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
    3⤵
    - Executes dropped EXE
    PID:3108
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 872
      4⤵
      System Location Discovery: System Language Discovery
      PID:1156
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
    3⤵
    - Executes dropped EXE
    PID:3024
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 872
      4⤵
      Drops file in Windows directory
      PID:1408
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
    3⤵
    - Executes dropped EXE
    PID:3504
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 872
      4⤵
      PID:4640
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
    3⤵
    - Executes dropped EXE
    PID:1776
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 872
      4⤵
      PID:216
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
    3⤵
    - Executes dropped EXE
    PID:232
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 872
      4⤵
      PID:3292
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
    3⤵
    - Executes dropped EXE
    PID:1528
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 872
      4⤵
      PID:4152
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
    3⤵
    PID:2260
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 872
      4⤵
      PID:2304
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
    3⤵
    PID:4768
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 872
      4⤵
      PID:2164
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
    3⤵
    PID:3680
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 872
      4⤵
      PID:3112
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
    3⤵
    PID:4016
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 872
      4⤵
      Checks processor information in registry
      PID:3464
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
    3⤵
    PID:4416
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 872
      4⤵
      System Location Discovery: System Language Discovery
      Checks processor information in registry
      PID:5008
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
    3⤵
    PID:1988
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 872
      4⤵
      PID:5076
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3104
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 872
      4⤵
      Checks processor information in registry
      PID:3728
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
    3⤵
    PID:692
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 872
      4⤵
      PID:1712
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
    3⤵
    PID:4912
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 872
      4⤵
      Enumerates system info in registry
      PID:428
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
    3⤵
    PID:3252
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 872
      4⤵
      PID:4680
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
    3⤵
    PID:3112
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 872
      4⤵
      Checks processor information in registry
      Enumerates system info in registry
      PID:3272
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
    3⤵
    PID:1096
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 872
      4⤵
      Enumerates system info in registry
      PID:1076
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
    3⤵
    PID:1408
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 872
      4⤵
      PID:4276
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
    3⤵
    PID:4368
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 872
      4⤵
      PID:212
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
    3⤵
    PID:2168
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 872
      4⤵
      System Location Discovery: System Language Discovery
      Enumerates system info in registry
      PID:4944
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4140
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 872
      4⤵
      PID:2788
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
    3⤵
    PID:2976
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 872
      4⤵
      PID:4620
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
    3⤵
    PID:4268
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 872
      4⤵
      Drops file in Windows directory
      Checks processor information in registry
      PID:5004
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
    3⤵
    PID:2796
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 872
      4⤵
      Enumerates system info in registry
      PID:712
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
    3⤵
    PID:1548
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 872
      4⤵
      PID:4508
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1776
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 872
      4⤵
      Enumerates system info in registry
      PID:4152
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
    3⤵
    PID:412
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 872
      4⤵
      Checks processor information in registry
      Enumerates system info in registry
      PID:1956
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
    3⤵
    PID:4472
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 872
      4⤵
      PID:3620
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
    3⤵
    PID:3464
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 872
      4⤵
      Enumerates system info in registry
      PID:4304
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
    3⤵
    PID:1824
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 872
      4⤵
      PID:516
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
    3⤵
    PID:3808
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 872
      4⤵
      Checks processor information in registry
      PID:2076
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
    3⤵
    PID:5112
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 872
      4⤵
      PID:1156
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
    3⤵
    PID:3296
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 872
      4⤵
      System Location Discovery: System Language Discovery
      PID:412
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3792
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 872
      4⤵
      System Location Discovery: System Language Discovery
      PID:4400
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
    3⤵
    PID:2344
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 872
      4⤵
      PID:4092
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
    3⤵
    PID:516
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 872
      4⤵
      PID:4652
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5020
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 872
      4⤵
      Enumerates system info in registry
      PID:4416
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
    3⤵
    PID:388
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 872
      4⤵
      PID:1344
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
    3⤵
    PID:2384
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 876
      4⤵
      PID:1748
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
    3⤵
    PID:1308
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 880
      4⤵
      System Location Discovery: System Language Discovery
      PID:2296
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
    3⤵
    PID:2828
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 872
      4⤵
      PID:2272
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
    3⤵
    PID:5016
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 872
      4⤵
      Checks processor information in registry
      PID:1856
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
    3⤵
    PID:3104
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 872
      4⤵
      Enumerates system info in registry
      PID:4080
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
    3⤵
    PID:2972
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 872
      4⤵
      Checks processor information in registry
      PID:1712
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
    3⤵
    PID:4556
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 872
      4⤵
      System Location Discovery: System Language Discovery
      Enumerates system info in registry
      PID:2712
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
    3⤵
    PID:4384
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 872
      4⤵
      PID:2144
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
    3⤵
    PID:960
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 872
      4⤵
      Checks processor information in registry
      Enumerates system info in registry
      PID:2180
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
    3⤵
    PID:2052
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 872
      4⤵
      PID:3464
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
    3⤵
    PID:3808
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 872
      4⤵
      PID:2968
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
    3⤵
    PID:4684
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 872
      4⤵
      PID:2628
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
    3⤵
    PID:4388
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 876
      4⤵
      PID:4804
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
    3⤵
    PID:4620
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 872
      4⤵
      System Location Discovery: System Language Discovery
      PID:1972
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
    3⤵
    PID:1096
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 872
      4⤵
      Checks processor information in registry
      PID:4092
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
    3⤵
    PID:2828
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 872
      4⤵
      PID:3604
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
    3⤵
    PID:4108
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 872
      4⤵
      Enumerates system info in registry
      PID:2576
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
    3⤵
    PID:3132
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 872
      4⤵
      PID:5028
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
    3⤵
    PID:1340
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 872
      4⤵
      Checks processor information in registry
      PID:1116
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
    3⤵
    PID:4804
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 872
      4⤵
      System Location Discovery: System Language Discovery
      PID:3468
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
    3⤵
    PID:2844
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 872
      4⤵
      PID:3812
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
    3⤵
    PID:220
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 872
      4⤵
      Checks processor information in registry
      PID:2180
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
    3⤵
    PID:4092
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 868
      4⤵
      PID:3276
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
    3⤵
    PID:4416
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 872
      4⤵
      Checks processor information in registry
      PID:4276
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2968
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 872
      4⤵
      PID:2264
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
    3⤵
    PID:4556
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 872
      4⤵
      PID:5028
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
    3⤵
    PID:5012
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 872
      4⤵
      PID:1340
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
    3⤵
    PID:1408
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 872
      4⤵
      PID:3212
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4664
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 872
      4⤵
      PID:4464
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
    3⤵
    PID:2944
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 884
      4⤵
      PID:2372
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
    3⤵
    PID:1156
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 872
      4⤵
      PID:3568
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
    3⤵
    PID:1344
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 872
      4⤵
      PID:2576
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
    3⤵
    PID:804
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 872
      4⤵
      PID:3132
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
    3⤵
    PID:3160
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 872
      4⤵
      System Location Discovery: System Language Discovery
      Checks processor information in registry
      PID:960
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
    3⤵
    PID:2344
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 872
      4⤵
      PID:2240
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
    3⤵
    PID:3568
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 872
      4⤵
      PID:412
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
    3⤵
    PID:4528
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 872
      4⤵
      Checks processor information in registry
      PID:3620
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
    3⤵
    PID:388
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 872
      4⤵
      System Location Discovery: System Language Discovery
      PID:384
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
    3⤵
    PID:4080
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 872
      4⤵
      PID:932
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
    3⤵
    PID:1952
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 872
      4⤵
      PID:3484
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
    3⤵
    PID:3264
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 872
      4⤵
      PID:3584
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
    3⤵
    PID:2840
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 872
      4⤵
      Enumerates system info in registry
      PID:5088
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
    3⤵
    PID:1156
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 872
      4⤵
      Enumerates system info in registry
      PID:4268
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
    3⤵
    PID:1916
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 872
      4⤵
      Checks processor information in registry
      Enumerates system info in registry
      PID:5004
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
    3⤵
    PID:1668
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 872
      4⤵
      Enumerates system info in registry
      PID:4368
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
    3⤵
    PID:4600
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 872
      4⤵
      Checks processor information in registry
      PID:388
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2788
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 872
      4⤵
      PID:232
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
    3⤵
    PID:3276
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 884
      4⤵
      PID:4768
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
    3⤵
    PID:2184
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 872
      4⤵
      Enumerates system info in registry
      PID:2984
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
    3⤵
    PID:2748
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 872
      4⤵
      Checks processor information in registry
      PID:4088
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
    3⤵
    PID:2288
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 872
      4⤵
      Enumerates system info in registry
      PID:4604
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4612
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 872
      4⤵
      PID:932
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
    3⤵
    PID:4372
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 872
      4⤵
      Checks processor information in registry
      Enumerates system info in registry
      PID:4464
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
    3⤵
    PID:212
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 872
      4⤵
      PID:3504
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
    3⤵
    PID:4664
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 872
      4⤵
      Checks processor information in registry
      PID:3880
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
    3⤵
    PID:532
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 872
      4⤵
      Checks processor information in registry
      PID:4476
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
    3⤵
    PID:3620
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 292
      4⤵
      System Location Discovery: System Language Discovery
      PID:3972
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
    3⤵
    PID:3496
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 868
      4⤵
      PID:4816
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
    3⤵
    PID:3316
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 872
      4⤵
      Checks processor information in registry
      Enumerates system info in registry
      PID:4772
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
    3⤵
    PID:1856
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 872
      4⤵
      Drops file in Windows directory
      PID:4820
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
    3⤵
    PID:4920
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 872
      4⤵
      PID:1352
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
    3⤵
    PID:2764
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 872
      4⤵
      Enumerates system info in registry
      PID:796
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
    3⤵
    PID:5040
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 872
      4⤵
      System Location Discovery: System Language Discovery
      PID:4944
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
    3⤵
    PID:2748
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 872
      4⤵
      Enumerates system info in registry
      PID:3812
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
    3⤵
    PID:2868
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 872
      4⤵
      PID:4816
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
    3⤵
    PID:4300
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 872
      4⤵
      Enumerates system info in registry
      PID:384
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
    3⤵
    PID:3992
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 872
      4⤵
      PID:4488
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
    3⤵
    PID:2656
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 872
      4⤵
      PID:1564
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3656
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 872
      4⤵
      System Location Discovery: System Language Discovery
      PID:3848
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
    3⤵
    PID:1184
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 872
      4⤵
      Enumerates system info in registry
      PID:2712
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
    3⤵
    PID:632
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 872
      4⤵
      Checks processor information in registry
      PID:3284
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
    3⤵
    PID:3484
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 872
      4⤵
      Checks processor information in registry
      PID:4556
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
    3⤵
    PID:3440
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 872
      4⤵
      PID:4924
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
    3⤵
    PID:1352
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 872
      4⤵
      PID:3000
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
    3⤵
    PID:2396
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 872
      4⤵
      PID:4532
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
    3⤵
    PID:1512
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 872
      4⤵
      PID:5004
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
    3⤵
    PID:2868
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 872
      4⤵
      PID:2344
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
    3⤵
    PID:2744
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 872
      4⤵
      PID:1336
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
    3⤵
    PID:2972
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 872
      4⤵
      PID:5076
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
    3⤵
    PID:2824
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 872
      4⤵
      PID:2384
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
    3⤵
    PID:376
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 884
      4⤵
      PID:2200
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
    3⤵
    PID:5088
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 872
      4⤵
      PID:1340
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
    3⤵
    PID:2012
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 872
      4⤵
      PID:5040
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
    3⤵
    PID:2076
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 872
      4⤵
      PID:720
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
    3⤵
    PID:2168
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 872
      4⤵
      PID:3108
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
    3⤵
    PID:5060
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 872
      4⤵
      PID:928
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
    3⤵
    PID:5032
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 872
      4⤵
      PID:1988
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
    3⤵
    PID:3260
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 872
      4⤵
      PID:2928
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
    3⤵
    PID:4680
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 872
      4⤵
      PID:2988
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
    3⤵
    PID:4688
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 872
      4⤵
      PID:2984
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
    3⤵
    PID:4772
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 872
      4⤵
      PID:4612
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
    3⤵
    PID:1220
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 872
      4⤵
      PID:3312
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
    3⤵
    PID:1680
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 872
      4⤵
      PID:2000
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
    3⤵
    PID:2960
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 872
      4⤵
      PID:3568
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
    3⤵
    PID:804
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 872
      4⤵
      PID:2840
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
    3⤵
    PID:960
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 872
      4⤵
      PID:4604
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
    3⤵
    PID:2628
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 872
      4⤵
      PID:2672
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
    3⤵
    PID:2944
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 872
      4⤵
      PID:3300
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
    3⤵
    PID:1524
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 872
      4⤵
      PID:2256
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
    3⤵
    PID:3880
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 872
      4⤵
      PID:4892
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
    3⤵
    PID:4944
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 872
      4⤵
      PID:2384
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
    3⤵
    PID:1968
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 872
      4⤵
      PID:2960
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
    3⤵
    PID:2288
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 872
      4⤵
      PID:2344
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
    3⤵
    PID:4092
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 872
      4⤵
      PID:2984
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
    3⤵
    PID:2396
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 872
      4⤵
      PID:4548
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
    3⤵
    PID:392
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 872
      4⤵
      PID:4628
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
    3⤵
    PID:4772
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 872
      4⤵
      PID:3964
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
    3⤵
    PID:2824
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 872
      4⤵
      PID:1488
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
    3⤵
    PID:3880
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 872
      4⤵
      PID:4524
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
    3⤵
    PID:2960
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 872
      4⤵
      PID:1428
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
    3⤵
    PID:908
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 872
      4⤵
      PID:2224
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
    3⤵
    PID:3484
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 872
      4⤵
      PID:4940
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
    3⤵
    PID:3244
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 872
      4⤵
      PID:3524
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
    3⤵
    PID:796
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 872
      4⤵
      PID:3564
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
    3⤵
    PID:4744
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 872
      4⤵
      PID:4400
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
    3⤵
    PID:2808
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 884
      4⤵
      PID:3436
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
    3⤵
    PID:4856
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 872
      4⤵
      PID:4372
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
    3⤵
    PID:1500
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 872
      4⤵
      PID:3232
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
    3⤵
    PID:2168
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 872
      4⤵
      PID:1280
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
    3⤵
    PID:3496
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 872
      4⤵
      PID:536
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
    3⤵
    PID:5020
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 872
      4⤵
      PID:2132
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
    3⤵
    PID:2232
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 872
      4⤵
      PID:3280
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
    3⤵
    PID:3260
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 872
      4⤵
      PID:3792
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
    3⤵
    PID:3244
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 872
      4⤵
      PID:5032
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
    3⤵
    PID:3724
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 872
      4⤵
      PID:1268
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
    3⤵
    PID:2508
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 872
      4⤵
      PID:4940
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
    3⤵
    PID:4240
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 872
      4⤵
      PID:3980
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
    3⤵
    PID:1280
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 872
      4⤵
      PID:1704
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
    3⤵
    PID:4492
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 872
      4⤵
      PID:4308
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
    3⤵
    PID:4892
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 872
      4⤵
      PID:4932
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
    3⤵
    PID:1096
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 872
      4⤵
      PID:3648
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
    3⤵
    PID:1428
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 872
      4⤵
      PID:2976
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
    3⤵
    PID:2828
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 872
      4⤵
      PID:636
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
    3⤵
    PID:1892
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 872
      4⤵
      PID:960
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
    3⤵
    PID:4620
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 872
      4⤵
      PID:2796
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
    3⤵
    PID:4328
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 872
      4⤵
      PID:2844
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
    3⤵
    PID:3656
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 872
      4⤵
      PID:3496
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
    3⤵
    PID:4852
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 872
      4⤵
      PID:1280
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
    3⤵
    PID:3660
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 872
      4⤵
      PID:4628
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
    3⤵
    PID:3436
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 872
      4⤵
      PID:4744
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
    3⤵
    PID:5076
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 872
      4⤵
      PID:2788
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
    3⤵
    PID:4616
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 872
      4⤵
      PID:1464
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
    3⤵
    PID:3524
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 872
      4⤵
      PID:1140
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
    3⤵
    PID:3684
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 872
      4⤵
      PID:4152
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
    3⤵
    PID:2880
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 872
      4⤵
      PID:1488
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
    3⤵
    PID:3972
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 872
      4⤵
      PID:384
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
    3⤵
    PID:2976
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 872
      4⤵
      PID:3772
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
    3⤵
    PID:2540
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 872
      4⤵
      PID:1748
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
    3⤵
    PID:2508
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 872
      4⤵
      PID:372
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
    3⤵
    PID:1604
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 872
      4⤵
      PID:2180
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
    3⤵
    PID:1692
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 872
      4⤵
      PID:852
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
    3⤵
    PID:5068
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 872
      4⤵
      PID:3684
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
    3⤵
    PID:4576
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 872
      4⤵
      PID:4760
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
    3⤵
    PID:1916
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 872
      4⤵
      PID:3436
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
    3⤵
    PID:3248
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 872
      4⤵
      PID:5028
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
    3⤵
    PID:544
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 872
      4⤵
      PID:1668
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
    3⤵
    PID:1876
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 872
      4⤵
      PID:4392
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
    3⤵
    PID:2144
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 872
      4⤵
      PID:2628
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
    3⤵
    PID:1392
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 872
      4⤵
      PID:4456
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
    3⤵
    PID:2152
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 872
      4⤵
      PID:4296
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
    3⤵
    PID:1856
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 872
      4⤵
      PID:220
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
    3⤵
    PID:4476
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 872
      4⤵
      PID:632
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
    3⤵
    PID:3284
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 872
      4⤵
      PID:4736
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
    3⤵
    PID:3908
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 872
      4⤵
      PID:4612
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
    3⤵
    PID:4276
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 872
      4⤵
      PID:1916
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
    3⤵
    PID:4080
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 872
      4⤵
      PID:4992
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
    3⤵
    PID:2688
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 872
      4⤵
      PID:988
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
    3⤵
    PID:4472
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 872
      4⤵
      PID:4820
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
    3⤵
    PID:4296
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 872
      4⤵
      PID:1256
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
    3⤵
    PID:3964
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 872
      4⤵
      PID:1692
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
    3⤵
    PID:5080
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 872
      4⤵
      PID:4236
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
    3⤵
    PID:3772
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 872
      4⤵
      PID:4016
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
    3⤵
    PID:5016
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 872
      4⤵
      PID:3284
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
    3⤵
    PID:4108
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 872
      4⤵
      PID:3644
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
    3⤵
    PID:4080
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 872
      4⤵
      PID:2256
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
    3⤵
    PID:2396
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 872
      4⤵
      PID:2144
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
    3⤵
    PID:2968
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 872
      4⤵
      PID:2264
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
    3⤵
    PID:3656
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 872
      4⤵
      PID:1692
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
    3⤵
    PID:456
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 872
      4⤵
      PID:4680
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
    3⤵
    PID:3648
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 872
      4⤵
      PID:2224
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
    3⤵
    PID:2520
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 872
      4⤵
      PID:1668
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
    3⤵
    PID:3992
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 872
      4⤵
      PID:3760
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
    3⤵
    PID:4820
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 872
      4⤵
      PID:2256
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
    3⤵
    PID:4080
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 872
      4⤵
      PID:3928
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe"
    3⤵
    PID:2896

C:\Windows\System32\sihclient.exe
C:\Windows\System32\sihclient.exe /cv 2+OwpN+eIUKMXuTwLAcB1w.0.2
1⤵
PID:2296

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
1⤵
PID:4552

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:4472

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\WER\Temp\WER9EC1.tmp.xml

Filesize
4KB

MD5
2b287e3309fa11d7a85f742cb1a666a5

SHA1
f818366a0bffb32bee781192a0d7657a4b72e152

SHA256
d827c6088334aafb249871e62a3a777614dcfbcc4db5d24efdd340a34802b6da

SHA512
ab77d0b0a4252df3275e83752c9d663158fbab1e9efbc1671f7f22779bf897911261f474cf9e0d9829de0ec2e23de6d60963c1e9ccd514275a0d9d627f061375

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WERA2C9.tmp.xml

Filesize
4KB

MD5
eff2f29e7a3080be5680c48bc3258d4d

SHA1
fc86388653b075bf7cf979dd80f4fb6c7faf483f

SHA256
97c42f9f203705717464b8da9a1e6c15e37a1b08ae486e7262de13655cad0a15

SHA512
5f32a90612a9805b51777bcc606e948207a635ab111977b1389baa252b5b3cee0ddb5daaa7745839eb8002823d74d8edc912e5c55930919052096203316bb9bb

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WERABD0.tmp.WERInternalMetadata.xml

Filesize
7KB

MD5
879e02bb8e402b7aaf2c4519cc2f10f5

SHA1
ffa1c21b988257271c17d83bf7a9bb1330b8ede7

SHA256
3c5b366f001e03bd7dcb78d312176aa114d6ef6050e9f810c3114f398524d2b3

SHA512
a9a770d8073a0a166a7b8fff99f2dc3da29f8b414b4eaee58c5146ff0a93e95e30ca0cde172194cda468c0094a9c29f464b7cf6cca3041459cbdab7cbb30ce21

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WERBC4C.tmp.xml

Filesize
4KB

MD5
e04f9b2a452c88dc7036c9c16e8e65b2

SHA1
73087310209a95f008df0482efe816cae2d6de6c

SHA256
ba25c83a982fafd0cab98c5fba05d669bfb01422f240d1deb07607ffe139691b

SHA512
6f4bf7fcf9c853846665894a5e65a78690f252d4ef8dbd37272982d47fa9fb02763512ef19d18016741419f5cb564ae696319b39e6142601195868745e68715b

Download Submit
C:\Users\Admin\AppData\Local\Temp\SysInfo.txt

Filesize
84B

MD5
72430aae472e3d038e8c8f5ed2709c24

SHA1
11a71420af8009bd7946bf16735df2bfeab101f7

SHA256
482032e805814209fd2712d96ecb49129e166f8fc719d6e6fa3c405a66ee6429

SHA512
67efb8afed8b30665e1cfe1c906bddf7f937b1f538ef6d0d84d637b807a98c56270e5142a6f1658fca291133019574c6aaea8b78ff2d93b9d0987e6100631eb9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\d3dref9.exe

Filesize
7KB

MD5
882395953db028ddc33f5dd0382c8f3e

SHA1
0600e62a4e3c272d47509559dff523c32520a7d6

SHA256
0861c32cd83eae4fefaecc63a2054556b9b63384bcd839eca3dff5f122df85c7

SHA512
bc0d0fc45767fcc15330fbc19d035f37591cdb37eca924ba5750b31780d265ed1523f5842131949cccf024bef8f21123b8aa6c672677ec72e9cd0cb8f1f63c3d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe

Filesize
1.7MB

MD5
b03ef6672d4f79c1f4293cf7758b5794

SHA1
02278477f16bbc31bea3e103ceb83bd03a19c9e1

SHA256
bde35d2817ab64fe26bfafc71b8e7c8d47ba08aa23d6ad15a26ff1ff3fbd99b7

SHA512
de00feaafde5ac26d280473d11f0638da374bba40f19379cfadfdca045598bdf682f1070d2a781ddfad2bba2848e63ab64308083401cb345147f2f08b68a2253

Download Submit
memory/2948-17-0x0000000074FE0000-0x0000000075591000-memory.dmp

Filesize
5.7MB

Download
memory/2948-18-0x0000000074FE0000-0x0000000075591000-memory.dmp

Filesize
5.7MB

Download
memory/2948-321-0x0000000074FE0000-0x0000000075591000-memory.dmp

Filesize
5.7MB

Download
memory/3316-992-0x00000000722E0000-0x0000000072363000-memory.dmp

Filesize
524KB

Download
memory/3316-3786-0x00000000722E0000-0x0000000072363000-memory.dmp

Filesize
524KB

Download
memory/4100-24-0x0000000000400000-0x00000000005A9000-memory.dmp

Filesize
1.7MB

Download
memory/4100-26-0x0000000000400000-0x00000000005A9000-memory.dmp

Filesize
1.7MB

Download
memory/4588-16-0x0000000074FE0000-0x0000000075591000-memory.dmp

Filesize
5.7MB

Download
memory/4588-0-0x0000000074FE2000-0x0000000074FE3000-memory.dmp

Filesize
4KB

Download
memory/4588-2-0x0000000074FE0000-0x0000000075591000-memory.dmp

Filesize
5.7MB

Download
memory/4588-1-0x0000000074FE0000-0x0000000075591000-memory.dmp

Filesize
5.7MB

Download