ardamax | 0d80a74a32f6a4eabdc1deacae01089784122d99255f0b071d87dd95b59cbfea

Analysis

max time kernel
25s
max time network
17s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
23/08/2024, 02:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b9fd9883b90c1269e5a3b163c5da1ae9_JaffaCakes118.exe
Size

2.0MB
MD5

b9fd9883b90c1269e5a3b163c5da1ae9
SHA1

18abd5d200df33c96181d1fa2e956fdb357c561a
SHA256

0d80a74a32f6a4eabdc1deacae01089784122d99255f0b071d87dd95b59cbfea
SHA512

0f962023614d1f00466a00a85d7e53d36a937633efd2b4edd089cae4eedb262cf13dd8651531d788e6c87fef44d4aeaea51c403d00831aa395d279aa8dbee91a
SSDEEP

49152:/wddN8pT4QCOJ9TzmrJU6wucnErlH8TboegVg9Q:oV8pTswmrJRwucErt8Tbo9

Score

10^/10

ardamax discovery keylogger persistence stealer upx

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax

Ardamax main executable 2 IoCs

resource	yara_rule
behavioral1/files/0x0006000000016dbd-43.dat	family_ardamax
behavioral1/files/0x0006000000016de2-123.dat	family_ardamax

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Windows\\system32\\csmm.exe"	Unlocker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Windows\\system32\\csmm.exe"	csmm.exe

Executes dropped EXE 64 IoCs

pid	Process
688	Install.exe
2268	Unlocker.exe
2972	setup_akl.exe
2836	Install.exe
2656	setup_akl.exe
2696	ICXH.exe
2716	Unlocker.exe
2600	csmm.exe
2064	Install.exe
1692	Unlocker.exe
2724	setup_akl.exe
2940	ICXH.exe
1924	csmm.exe
3016	Unlocker.exe
3044	Install.exe
3032	setup_akl.exe
2636	ICXH.exe
1552	ICXH.exe
1764	Unlocker.exe
2644	setup_akl.exe
308	Install.exe
2120	Unlocker.exe
2200	setup_akl.exe
2764	Install.exe
2500	Unlocker.exe
2100	setup_akl.exe
860	Install.exe
580	Unlocker.exe
2140	ICXH.exe
924	Install.exe
996	setup_akl.exe
2084	ICXH.exe
2152	ICXH.exe
1472	Install.exe
2492	setup_akl.exe
104	Unlocker.exe
868	Unlocker.exe
2280	ICXH.exe
1148	ICXH.exe
2512	Install.exe
960	setup_akl.exe
2540	ICXH.exe
2688	Install.exe
2564	Unlocker.exe
2928	setup_akl.exe
1712	ICXH.exe
2756	Install.exe
1464	Unlocker.exe
2384	setup_akl.exe
3052	ICXH.exe
1724	Install.exe
1896	Unlocker.exe
2068	setup_akl.exe
2132	ICXH.exe
756	Install.exe
692	Unlocker.exe
524	setup_akl.exe
2336	ICXH.exe
2152	Install.exe
684	Unlocker.exe
3020	setup_akl.exe
1848	Install.exe
2184	setup_akl.exe
2100	ICXH.exe

Loads dropped DLL 64 IoCs

pid	Process
1080	b9fd9883b90c1269e5a3b163c5da1ae9_JaffaCakes118.exe
1080	b9fd9883b90c1269e5a3b163c5da1ae9_JaffaCakes118.exe
1080	b9fd9883b90c1269e5a3b163c5da1ae9_JaffaCakes118.exe
688	Install.exe
688	Install.exe
688	Install.exe
688	Install.exe
1080	b9fd9883b90c1269e5a3b163c5da1ae9_JaffaCakes118.exe
2972	setup_akl.exe
2972	setup_akl.exe
2972	setup_akl.exe
688	Install.exe
688	Install.exe
2972	setup_akl.exe
2972	setup_akl.exe
2972	setup_akl.exe
2972	setup_akl.exe
2656	setup_akl.exe
2656	setup_akl.exe
2656	setup_akl.exe
2836	Install.exe
2836	Install.exe
2836	Install.exe
2696	ICXH.exe
2696	ICXH.exe
2696	ICXH.exe
2268	Unlocker.exe
2268	Unlocker.exe
2716	Unlocker.exe
2716	Unlocker.exe
2716	Unlocker.exe
2836	Install.exe
2656	setup_akl.exe
2064	Install.exe
2064	Install.exe
2064	Install.exe
2656	setup_akl.exe
2064	Install.exe
2656	setup_akl.exe
1692	Unlocker.exe
1692	Unlocker.exe
1692	Unlocker.exe
2656	setup_akl.exe
2724	setup_akl.exe
2724	setup_akl.exe
2724	setup_akl.exe
2600	csmm.exe
2600	csmm.exe
2836	Install.exe
2836	Install.exe
2940	ICXH.exe
2940	ICXH.exe
2940	ICXH.exe
2724	setup_akl.exe
2724	setup_akl.exe
2724	setup_akl.exe
2724	setup_akl.exe
3016	Unlocker.exe
3016	Unlocker.exe
3016	Unlocker.exe
3044	Install.exe
3044	Install.exe
3044	Install.exe
2064	Install.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1080-2-0x0000000000400000-0x0000000000606000-memory.dmp	upx
behavioral1/files/0x0008000000015fa5-33.dat	upx
behavioral1/memory/2972-41-0x0000000000BF0000-0x0000000000D7C000-memory.dmp	upx
behavioral1/memory/1080-38-0x0000000000400000-0x0000000000606000-memory.dmp	upx
behavioral1/memory/2656-121-0x0000000000400000-0x000000000058C000-memory.dmp	upx
behavioral1/memory/2200-155-0x0000000000400000-0x000000000058C000-memory.dmp	upx
behavioral1/memory/2100-171-0x0000000000400000-0x000000000058C000-memory.dmp	upx
behavioral1/memory/2492-187-0x0000000000400000-0x000000000058C000-memory.dmp	upx
behavioral1/memory/2492-200-0x0000000000400000-0x000000000058C000-memory.dmp	upx
behavioral1/memory/996-178-0x0000000000400000-0x000000000058C000-memory.dmp	upx
behavioral1/memory/996-189-0x0000000000400000-0x000000000058C000-memory.dmp	upx
behavioral1/memory/2644-146-0x0000000000400000-0x000000000058C000-memory.dmp	upx
behavioral1/memory/3032-141-0x0000000000400000-0x000000000058C000-memory.dmp	upx
behavioral1/memory/2724-125-0x0000000000400000-0x000000000058C000-memory.dmp	upx
behavioral1/memory/2972-68-0x0000000000400000-0x000000000058C000-memory.dmp	upx
behavioral1/memory/2972-63-0x0000000000400000-0x000000000058C000-memory.dmp	upx
behavioral1/memory/960-221-0x0000000000400000-0x000000000058C000-memory.dmp	upx
behavioral1/memory/2384-236-0x0000000000400000-0x000000000058C000-memory.dmp	upx
behavioral1/memory/2928-243-0x0000000000400000-0x000000000058C000-memory.dmp	upx
behavioral1/memory/2068-251-0x0000000000400000-0x000000000058C000-memory.dmp	upx
behavioral1/memory/2384-250-0x0000000000400000-0x000000000058C000-memory.dmp	upx
behavioral1/memory/2068-260-0x0000000000400000-0x000000000058C000-memory.dmp	upx
behavioral1/memory/524-267-0x0000000000400000-0x000000000058C000-memory.dmp	upx
behavioral1/memory/3020-275-0x0000000000400000-0x000000000058C000-memory.dmp	upx
behavioral1/memory/2184-284-0x0000000000400000-0x000000000058C000-memory.dmp	upx
behavioral1/memory/1488-293-0x0000000000400000-0x000000000058C000-memory.dmp	upx
behavioral1/memory/2840-300-0x0000000000400000-0x000000000058C000-memory.dmp	upx
behavioral1/memory/1840-314-0x0000000000400000-0x000000000058C000-memory.dmp	upx
behavioral1/memory/856-318-0x0000000000400000-0x000000000058C000-memory.dmp	upx
behavioral1/memory/1156-333-0x0000000000400000-0x000000000058C000-memory.dmp	upx
behavioral1/memory/2160-339-0x0000000000400000-0x000000000058C000-memory.dmp	upx
behavioral1/memory/1112-359-0x0000000000400000-0x000000000058C000-memory.dmp	upx
behavioral1/memory/3000-376-0x0000000000400000-0x000000000058C000-memory.dmp	upx
behavioral1/memory/1008-385-0x0000000000400000-0x000000000058C000-memory.dmp	upx
behavioral1/memory/2512-395-0x0000000000400000-0x000000000058C000-memory.dmp	upx
behavioral1/memory/1212-399-0x0000000000400000-0x000000000058C000-memory.dmp	upx
behavioral1/memory/2508-413-0x0000000000400000-0x000000000058C000-memory.dmp	upx
behavioral1/memory/2632-422-0x0000000000400000-0x000000000058C000-memory.dmp	upx
behavioral1/memory/1312-436-0x0000000000400000-0x000000000058C000-memory.dmp	upx
behavioral1/memory/3044-440-0x0000000000400000-0x000000000058C000-memory.dmp	upx
behavioral1/memory/2940-454-0x0000000000400000-0x000000000058C000-memory.dmp	upx
behavioral1/memory/2700-463-0x0000000000400000-0x000000000058C000-memory.dmp	upx
behavioral1/memory/2044-479-0x0000000000400000-0x000000000058C000-memory.dmp	upx
behavioral1/memory/1840-488-0x0000000000400000-0x000000000058C000-memory.dmp	upx
behavioral1/memory/2868-505-0x0000000000400000-0x000000000058C000-memory.dmp	upx
behavioral1/memory/2492-519-0x0000000000400000-0x000000000058C000-memory.dmp	upx
behavioral1/memory/1608-525-0x0000000000400000-0x000000000058C000-memory.dmp	upx
behavioral1/memory/2056-541-0x0000000000400000-0x000000000058C000-memory.dmp	upx
behavioral1/memory/3004-542-0x0000000000400000-0x000000000058C000-memory.dmp	upx
behavioral1/memory/2856-555-0x0000000000400000-0x000000000058C000-memory.dmp	upx
behavioral1/memory/1312-559-0x0000000000400000-0x000000000058C000-memory.dmp	upx
behavioral1/memory/2676-588-0x0000000000400000-0x000000000058C000-memory.dmp	upx
behavioral1/memory/1368-607-0x0000000000400000-0x000000000058C000-memory.dmp	upx
behavioral1/memory/3144-616-0x0000000000400000-0x000000000058C000-memory.dmp	upx
behavioral1/memory/3268-620-0x0000000000400000-0x000000000058C000-memory.dmp	upx
behavioral1/memory/3380-630-0x0000000000400000-0x000000000058C000-memory.dmp	upx
behavioral1/memory/3492-641-0x0000000000400000-0x000000000058C000-memory.dmp	upx
behavioral1/memory/3624-650-0x0000000000400000-0x000000000058C000-memory.dmp	upx
behavioral1/memory/3756-657-0x0000000000400000-0x000000000058C000-memory.dmp	upx
behavioral1/memory/3892-664-0x0000000000400000-0x000000000058C000-memory.dmp	upx
behavioral1/memory/4016-672-0x0000000000400000-0x000000000058C000-memory.dmp	upx
behavioral1/memory/3080-676-0x0000000000400000-0x000000000058C000-memory.dmp	upx
behavioral1/memory/3160-693-0x0000000000400000-0x000000000058C000-memory.dmp	upx
behavioral1/memory/3364-701-0x0000000000400000-0x000000000058C000-memory.dmp	upx

Adds Run key to start application 2 TTPs 25 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ICXH Agent = "C:\\Windows\\SysWOW64\\Sys32\\ICXH.exe"	ICXH.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ICXH Agent = "C:\\Windows\\SysWOW64\\Sys32\\ICXH.exe"	ICXH.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ICXH Agent = "C:\\Windows\\SysWOW64\\Sys32\\ICXH.exe"	ICXH.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ICXH Agent = "C:\\Windows\\SysWOW64\\Sys32\\ICXH.exe"	ICXH.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ICXH Agent = "C:\\Windows\\SysWOW64\\Sys32\\ICXH.exe"	ICXH.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ICXH Agent = "C:\\Windows\\SysWOW64\\Sys32\\ICXH.exe"	ICXH.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ICXH Agent = "C:\\Windows\\SysWOW64\\Sys32\\ICXH.exe"	ICXH.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ICXH Agent = "C:\\Windows\\SysWOW64\\Sys32\\ICXH.exe"	ICXH.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ICXH Agent = "C:\\Windows\\SysWOW64\\Sys32\\ICXH.exe"	ICXH.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ICXH Agent = "C:\\Windows\\SysWOW64\\Sys32\\ICXH.exe"	ICXH.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ICXH Agent = "C:\\Windows\\SysWOW64\\Sys32\\ICXH.exe"	ICXH.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ICXH Agent = "C:\\Windows\\SysWOW64\\Sys32\\ICXH.exe"	ICXH.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ICXH Agent = "C:\\Windows\\SysWOW64\\Sys32\\ICXH.exe"	ICXH.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ICXH Agent = "C:\\Windows\\SysWOW64\\Sys32\\ICXH.exe"	ICXH.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ICXH Agent = "C:\\Windows\\SysWOW64\\Sys32\\ICXH.exe"	ICXH.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ICXH Agent = "C:\\Windows\\SysWOW64\\Sys32\\ICXH.exe"	ICXH.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ICXH Agent = "C:\\Windows\\SysWOW64\\Sys32\\ICXH.exe"	ICXH.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ICXH Agent = "C:\\Windows\\SysWOW64\\Sys32\\ICXH.exe"	ICXH.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ICXH Agent = "C:\\Windows\\SysWOW64\\Sys32\\ICXH.exe"	ICXH.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ICXH Agent = "C:\\Windows\\SysWOW64\\Sys32\\ICXH.exe"	ICXH.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ICXH Agent = "C:\\Windows\\SysWOW64\\Sys32\\ICXH.exe"	ICXH.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ICXH Agent = "C:\\Windows\\SysWOW64\\Sys32\\ICXH.exe"	ICXH.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ICXH Agent = "C:\\Windows\\SysWOW64\\Sys32\\ICXH.exe"	ICXH.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ICXH Agent = "C:\\Windows\\SysWOW64\\Sys32\\ICXH.exe"	ICXH.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ICXH Agent = "C:\\Windows\\SysWOW64\\Sys32\\ICXH.exe"	ICXH.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Sys32\ICXH.007	Install.exe
File created	C:\Windows\SysWOW64\Sys32\ICXH.exe	Install.exe
File opened for modification	C:\Windows\SysWOW64\Sys32\ICXH.001	Install.exe
File created	C:\Windows\SysWOW64\Sys32\ICXH.exe	Install.exe
File opened for modification	C:\Windows\SysWOW64\Sys32\ICXH.006	Install.exe
File opened for modification	C:\Windows\SysWOW64\Sys32\ICXH.001	Install.exe
File opened for modification	C:\Windows\SysWOW64\Sys32\ICXH.007	Install.exe
File opened for modification	C:\Windows\SysWOW64\Sys32\AKV.exe	Install.exe
File opened for modification	C:\Windows\SysWOW64\Sys32\ICXH.001	Install.exe
File created	C:\Windows\SysWOW64\Sys32\ICXH.006	Install.exe
File opened for modification	C:\Windows\SysWOW64\Sys32\AKV.exe	Install.exe
File created	C:\Windows\SysWOW64\Sys32\ICXH.exe	Install.exe
File opened for modification	C:\Windows\SysWOW64\Sys32\ICXH.007	Install.exe
File created	C:\Windows\SysWOW64\Sys32\ICXH.006	Install.exe
File opened for modification	C:\Windows\SysWOW64\Sys32\ICXH.007	Install.exe
File created	C:\Windows\SysWOW64\Sys32\ICXH.006	Install.exe
File opened for modification	C:\Windows\SysWOW64\Sys32\ICXH.001	Install.exe
File opened for modification	C:\Windows\SysWOW64\Sys32\ICXH.007	Install.exe
File created	C:\Windows\SysWOW64\Sys32\ICXH.006	Install.exe
File opened for modification	C:\Windows\SysWOW64\Sys32\AKV.exe	Install.exe
File opened for modification	C:\Windows\SysWOW64\Sys32\AKV.exe	Install.exe
File opened for modification	C:\Windows\SysWOW64\Sys32\ICXH.006	Install.exe
File opened for modification	C:\Windows\SysWOW64\Sys32\AKV.exe	Install.exe
File opened for modification	C:\Windows\SysWOW64\Sys32	ICXH.exe
File created	C:\Windows\SysWOW64\Sys32\ICXH.006	Install.exe
File opened for modification	C:\Windows\SysWOW64\Sys32\AKV.exe	Install.exe
File created	C:\Windows\SysWOW64\Sys32\ICXH.exe	Install.exe
File created	C:\Windows\SysWOW64\Sys32\ICXH.001	Install.exe
File opened for modification	C:\Windows\SysWOW64\Sys32\ICXH.007	Install.exe
File created	C:\Windows\SysWOW64\Sys32\ICXH.exe	Install.exe
File opened for modification	C:\Windows\SysWOW64\Sys32\ICXH.001	Install.exe
File opened for modification	C:\Windows\SysWOW64\Sys32\AKV.exe	Install.exe
File opened for modification	C:\Windows\SysWOW64\Sys32\AKV.exe	Install.exe
File opened for modification	C:\Windows\SysWOW64\Sys32	ICXH.exe
File opened for modification	C:\Windows\SysWOW64\Sys32\ICXH.001	Install.exe
File opened for modification	C:\Windows\SysWOW64\Sys32\ICXH.001	Install.exe
File opened for modification	C:\Windows\SysWOW64\Sys32\AKV.exe	Install.exe
File opened for modification	C:\Windows\SysWOW64\Sys32\ICXH.007	Install.exe
File opened for modification	C:\Windows\SysWOW64\Sys32\ICXH.001	Install.exe
File created	C:\Windows\SysWOW64\Sys32\ICXH.007	Install.exe
File created	C:\Windows\SysWOW64\Sys32\ICXH.006	Install.exe
File created	C:\Windows\SysWOW64\Sys32\ICXH.006	Install.exe
File created	C:\Windows\SysWOW64\Sys32\ICXH.exe	Install.exe
File opened for modification	C:\Windows\SysWOW64\Sys32\ICXH.001	Install.exe
File opened for modification	C:\Windows\SysWOW64\Sys32\ICXH.001	Install.exe
File opened for modification	C:\Windows\SysWOW64\Sys32\ICXH.007	Install.exe
File created	C:\Windows\SysWOW64\Sys32\ICXH.006	Install.exe
File opened for modification	C:\Windows\SysWOW64\Sys32\AKV.exe	Install.exe
File created	C:\Windows\SysWOW64\Sys32\ICXH.exe	Install.exe
File created	C:\Windows\SysWOW64\Sys32\ICXH.006	Install.exe
File opened for modification	C:\Windows\SysWOW64\Sys32\AKV.exe	Install.exe
File opened for modification	C:\Windows\SysWOW64\Sys32\AKV.exe	Install.exe
File created	C:\Windows\SysWOW64\Sys32\ICXH.007	Install.exe
File opened for modification	C:\Windows\SysWOW64\Sys32\ICXH.001	Install.exe
File opened for modification	C:\Windows\SysWOW64\Sys32\AKV.exe	Install.exe
File opened for modification	C:\Windows\SysWOW64\Sys32\AKV.exe	Install.exe
File opened for modification	C:\Windows\SysWOW64\Sys32\ICXH.001	Install.exe
File created	C:\Windows\SysWOW64\Sys32\ICXH.exe	Install.exe
File opened for modification	C:\Windows\SysWOW64\Sys32	ICXH.exe
File created	C:\Windows\SysWOW64\Sys32\ICXH.006	Install.exe
File opened for modification	C:\Windows\SysWOW64\Sys32\AKV.exe	Install.exe
File opened for modification	C:\Windows\SysWOW64\Sys32\ICXH.exe	Install.exe
File opened for modification	C:\Windows\SysWOW64\Sys32\AKV.exe	Install.exe
File opened for modification	C:\Windows\SysWOW64\Sys32\ICXH.007	Install.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 64 IoCs

pid	pid_target	Process	procid_target
2964	2716	WerFault.exe	35
1444	1764	WerFault.exe
1700	2120	WerFault.exe
2216	2500	WerFault.exe
1168	580	WerFault.exe
2292	104	WerFault.exe	71
1932	868	WerFault.exe
3048	3016	WerFault.exe
2648	1692	WerFault.exe
2956	2564	WerFault.exe	82
2636	1464	WerFault.exe	87
1660	1896	WerFault.exe	92
1744	692	WerFault.exe	97
2876	684	WerFault.exe	102
1344	1136	WerFault.exe	107
1448	2272	WerFault.exe	112
2596	1912	WerFault.exe	117
1528	2064	WerFault.exe	122
2832	1588	WerFault.exe	127
2600	1992	WerFault.exe	132
2096	2208	WerFault.exe	137
532	572	WerFault.exe	142
2872	3020	WerFault.exe	103
2184	1460	WerFault.exe	152
1740	2324	WerFault.exe
636	2836	WerFault.exe	162
960	2528	WerFault.exe	167
3008	1356	WerFault.exe	172
776	1852	WerFault.exe	177
2100	2752	WerFault.exe	182
2348	2996	WerFault.exe	186
2952	2496	WerFault.exe	192
2380	2740	WerFault.exe
2152	2128	WerFault.exe
1352	2508	WerFault.exe	207
2660	2428	WerFault.exe	211
2328	2664	WerFault.exe	217
3056	2028	WerFault.exe	222
892	2640	WerFault.exe
1868	2180	WerFault.exe	232
3064	2032	WerFault.exe	237
2584	308	WerFault.exe	242
2572	2076	WerFault.exe	221
2092	2668	WerFault.exe	252
2336	3036	WerFault.exe	257
2884	1648	WerFault.exe	262
2492	2728	WerFault.exe	266
992	2948	WerFault.exe	272
2512	760	WerFault.exe	277
3152	3120	WerFault.exe	282
3300	3260	WerFault.exe	287
3388	3368	WerFault.exe	292
3512	3484	WerFault.exe
3632	3592	WerFault.exe
3780	3740	WerFault.exe	307
3900	3868	WerFault.exe	312
4044	4008	WerFault.exe	317
2676	2068	WerFault.exe	322
3104	1368	WerFault.exe	326
3480	3272	WerFault.exe	332
3572	3524	WerFault.exe	337
3736	3692	WerFault.exe	342
3888	3796	WerFault.exe	347
4000	3940	WerFault.exe	352

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unlocker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup_akl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ICXH.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unlocker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup_akl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Install.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup_akl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unlocker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup_akl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ICXH.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup_akl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup_akl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Install.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Install.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup_akl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unlocker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unlocker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Install.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unlocker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup_akl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Install.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup_akl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unlocker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup_akl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Install.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Install.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unlocker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Install.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Install.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ICXH.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup_akl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Install.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Install.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup_akl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unlocker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ICXH.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Install.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Install.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unlocker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup_akl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unlocker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Install.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unlocker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup_akl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup_akl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unlocker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup_akl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unlocker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Install.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup_akl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unlocker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unlocker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup_akl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ICXH.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup_akl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup_akl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unlocker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unlocker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ICXH.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup_akl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Install.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ICXH.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Install.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unlocker.exe

Suspicious use of AdjustPrivilegeToken 40 IoCs

description	pid	Process
Token: 33	2696	ICXH.exe
Token: SeIncBasePriorityPrivilege	2696	ICXH.exe
Token: 33	2280	ICXH.exe
Token: SeIncBasePriorityPrivilege	2280	ICXH.exe
Token: 33	1712	ICXH.exe
Token: SeIncBasePriorityPrivilege	1712	ICXH.exe
Token: 33	2336	ICXH.exe
Token: SeIncBasePriorityPrivilege	2336	ICXH.exe
Token: 33	2252	ICXH.exe
Token: SeIncBasePriorityPrivilege	2252	ICXH.exe
Token: 33	2044	ICXH.exe
Token: SeIncBasePriorityPrivilege	2044	ICXH.exe
Token: 33	2904	ICXH.exe
Token: SeIncBasePriorityPrivilege	2904	ICXH.exe
Token: 33	476	ICXH.exe
Token: SeIncBasePriorityPrivilege	476	ICXH.exe
Token: 33	1568	ICXH.exe
Token: SeIncBasePriorityPrivilege	1568	ICXH.exe
Token: 33	280	ICXH.exe
Token: SeIncBasePriorityPrivilege	280	ICXH.exe
Token: 33	2312	ICXH.exe
Token: SeIncBasePriorityPrivilege	2312	ICXH.exe
Token: 33	884	ICXH.exe
Token: SeIncBasePriorityPrivilege	884	ICXH.exe
Token: 33	1920	ICXH.exe
Token: SeIncBasePriorityPrivilege	1920	ICXH.exe
Token: 33	3184	ICXH.exe
Token: SeIncBasePriorityPrivilege	3184	ICXH.exe
Token: 33	3556	ICXH.exe
Token: SeIncBasePriorityPrivilege	3556	ICXH.exe
Token: 33	3812	ICXH.exe
Token: SeIncBasePriorityPrivilege	3812	ICXH.exe
Token: 33	3380	ICXH.exe
Token: SeIncBasePriorityPrivilege	3380	ICXH.exe
Token: 33	3928	ICXH.exe
Token: SeIncBasePriorityPrivilege	3928	ICXH.exe
Token: 33	3468	ICXH.exe
Token: SeIncBasePriorityPrivilege	3468	ICXH.exe
Token: 33	3776	ICXH.exe
Token: SeIncBasePriorityPrivilege	3776	ICXH.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2268	Unlocker.exe
2600	csmm.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
2268	Unlocker.exe
2600	csmm.exe
1924	csmm.exe
2696	ICXH.exe
2696	ICXH.exe
2696	ICXH.exe
2696	ICXH.exe
2696	ICXH.exe
2280	ICXH.exe
2280	ICXH.exe
2280	ICXH.exe
2280	ICXH.exe
2280	ICXH.exe
1712	ICXH.exe
1712	ICXH.exe
1712	ICXH.exe
1712	ICXH.exe
1712	ICXH.exe
2336	ICXH.exe
2336	ICXH.exe
2336	ICXH.exe
2336	ICXH.exe
2336	ICXH.exe
2252	ICXH.exe
2252	ICXH.exe
2252	ICXH.exe
2252	ICXH.exe
2252	ICXH.exe
2352	ICXH.exe
2352	ICXH.exe
2044	ICXH.exe
2044	ICXH.exe
2044	ICXH.exe
2044	ICXH.exe
2044	ICXH.exe
2904	ICXH.exe
2904	ICXH.exe
2904	ICXH.exe
2904	ICXH.exe
2904	ICXH.exe
476	ICXH.exe
476	ICXH.exe
476	ICXH.exe
476	ICXH.exe
476	ICXH.exe
1568	ICXH.exe
1568	ICXH.exe
1568	ICXH.exe
1568	ICXH.exe
1568	ICXH.exe
280	ICXH.exe
280	ICXH.exe
280	ICXH.exe
280	ICXH.exe
280	ICXH.exe
2076	ICXH.exe
2076	ICXH.exe
2312	ICXH.exe
2312	ICXH.exe
2312	ICXH.exe
2312	ICXH.exe
2312	ICXH.exe
2728	ICXH.exe
2728	ICXH.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1080 wrote to memory of 688	1080	b9fd9883b90c1269e5a3b163c5da1ae9_JaffaCakes118.exe	30
PID 1080 wrote to memory of 688	1080	b9fd9883b90c1269e5a3b163c5da1ae9_JaffaCakes118.exe	30
PID 1080 wrote to memory of 688	1080	b9fd9883b90c1269e5a3b163c5da1ae9_JaffaCakes118.exe	30
PID 1080 wrote to memory of 688	1080	b9fd9883b90c1269e5a3b163c5da1ae9_JaffaCakes118.exe	30
PID 1080 wrote to memory of 688	1080	b9fd9883b90c1269e5a3b163c5da1ae9_JaffaCakes118.exe	30
PID 1080 wrote to memory of 688	1080	b9fd9883b90c1269e5a3b163c5da1ae9_JaffaCakes118.exe	30
PID 1080 wrote to memory of 688	1080	b9fd9883b90c1269e5a3b163c5da1ae9_JaffaCakes118.exe	30
PID 1080 wrote to memory of 2268	1080	b9fd9883b90c1269e5a3b163c5da1ae9_JaffaCakes118.exe	31
PID 1080 wrote to memory of 2268	1080	b9fd9883b90c1269e5a3b163c5da1ae9_JaffaCakes118.exe	31
PID 1080 wrote to memory of 2268	1080	b9fd9883b90c1269e5a3b163c5da1ae9_JaffaCakes118.exe	31
PID 1080 wrote to memory of 2268	1080	b9fd9883b90c1269e5a3b163c5da1ae9_JaffaCakes118.exe	31
PID 1080 wrote to memory of 2972	1080	b9fd9883b90c1269e5a3b163c5da1ae9_JaffaCakes118.exe	32
PID 1080 wrote to memory of 2972	1080	b9fd9883b90c1269e5a3b163c5da1ae9_JaffaCakes118.exe	32
PID 1080 wrote to memory of 2972	1080	b9fd9883b90c1269e5a3b163c5da1ae9_JaffaCakes118.exe	32
PID 1080 wrote to memory of 2972	1080	b9fd9883b90c1269e5a3b163c5da1ae9_JaffaCakes118.exe	32
PID 1080 wrote to memory of 2972	1080	b9fd9883b90c1269e5a3b163c5da1ae9_JaffaCakes118.exe	32
PID 1080 wrote to memory of 2972	1080	b9fd9883b90c1269e5a3b163c5da1ae9_JaffaCakes118.exe	32
PID 1080 wrote to memory of 2972	1080	b9fd9883b90c1269e5a3b163c5da1ae9_JaffaCakes118.exe	32
PID 688 wrote to memory of 2696	688	Install.exe	33
PID 688 wrote to memory of 2696	688	Install.exe	33
PID 688 wrote to memory of 2696	688	Install.exe	33
PID 688 wrote to memory of 2696	688	Install.exe	33
PID 688 wrote to memory of 2696	688	Install.exe	33
PID 688 wrote to memory of 2696	688	Install.exe	33
PID 688 wrote to memory of 2696	688	Install.exe	33
PID 2972 wrote to memory of 2836	2972	setup_akl.exe	162
PID 2972 wrote to memory of 2836	2972	setup_akl.exe	162
PID 2972 wrote to memory of 2836	2972	setup_akl.exe	162
PID 2972 wrote to memory of 2836	2972	setup_akl.exe	162
PID 2972 wrote to memory of 2836	2972	setup_akl.exe	162
PID 2972 wrote to memory of 2836	2972	setup_akl.exe	162
PID 2972 wrote to memory of 2836	2972	setup_akl.exe	162
PID 2972 wrote to memory of 2716	2972	setup_akl.exe	35
PID 2972 wrote to memory of 2716	2972	setup_akl.exe	35
PID 2972 wrote to memory of 2716	2972	setup_akl.exe	35
PID 2972 wrote to memory of 2716	2972	setup_akl.exe	35
PID 2972 wrote to memory of 2716	2972	setup_akl.exe	35
PID 2972 wrote to memory of 2716	2972	setup_akl.exe	35
PID 2972 wrote to memory of 2716	2972	setup_akl.exe	35
PID 2972 wrote to memory of 2656	2972	setup_akl.exe	36
PID 2972 wrote to memory of 2656	2972	setup_akl.exe	36
PID 2972 wrote to memory of 2656	2972	setup_akl.exe	36
PID 2972 wrote to memory of 2656	2972	setup_akl.exe	36
PID 2972 wrote to memory of 2656	2972	setup_akl.exe	36
PID 2972 wrote to memory of 2656	2972	setup_akl.exe	36
PID 2972 wrote to memory of 2656	2972	setup_akl.exe	36
PID 2268 wrote to memory of 2600	2268	Unlocker.exe	134
PID 2268 wrote to memory of 2600	2268	Unlocker.exe	134
PID 2268 wrote to memory of 2600	2268	Unlocker.exe	134
PID 2268 wrote to memory of 2600	2268	Unlocker.exe	134
PID 2656 wrote to memory of 2064	2656	setup_akl.exe	122
PID 2656 wrote to memory of 2064	2656	setup_akl.exe	122
PID 2656 wrote to memory of 2064	2656	setup_akl.exe	122
PID 2656 wrote to memory of 2064	2656	setup_akl.exe	122
PID 2656 wrote to memory of 2064	2656	setup_akl.exe	122
PID 2656 wrote to memory of 2064	2656	setup_akl.exe	122
PID 2656 wrote to memory of 2064	2656	setup_akl.exe	122
PID 2656 wrote to memory of 1692	2656	setup_akl.exe	39
PID 2656 wrote to memory of 1692	2656	setup_akl.exe	39
PID 2656 wrote to memory of 1692	2656	setup_akl.exe	39
PID 2656 wrote to memory of 1692	2656	setup_akl.exe	39
PID 2656 wrote to memory of 1692	2656	setup_akl.exe	39
PID 2656 wrote to memory of 1692	2656	setup_akl.exe	39
PID 2656 wrote to memory of 1692	2656	setup_akl.exe	39

C:\Users\Admin\AppData\Local\Temp\b9fd9883b90c1269e5a3b163c5da1ae9_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b9fd9883b90c1269e5a3b163c5da1ae9_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1080
- C:\Users\Admin\AppData\Local\Temp\Install.exe
  "C:\Users\Admin\AppData\Local\Temp\Install.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:688
- - C:\Windows\SysWOW64\Sys32\ICXH.exe
    "C:\Windows\system32\Sys32\ICXH.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2696
- C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
  "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2268
- - C:\Windows\SysWOW64\csmm.exe
    C:\Windows\system32\csmm.exe
    3⤵
    - Modifies WinLogon for persistence
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    PID:2600
  - - C:\Windows\SysWOW64\csmm.exe
      C:\Windows\system32\csmm.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:1924
- C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
  "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2972
- - C:\Users\Admin\AppData\Local\Temp\Install.exe
    "C:\Users\Admin\AppData\Local\Temp\Install.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2836
  - - C:\Windows\SysWOW64\Sys32\ICXH.exe
      "C:\Windows\system32\Sys32\ICXH.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2940
- - C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
    "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2716
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2716 -s 276
      4⤵
      Program crash
      PID:2964
- - C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
    "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2656
  - - C:\Users\Admin\AppData\Local\Temp\Install.exe
      "C:\Users\Admin\AppData\Local\Temp\Install.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      PID:2064
    - - C:\Windows\SysWOW64\Sys32\ICXH.exe
        
        "C:\Windows\system32\Sys32\ICXH.exe"
        5⤵
        Executes dropped EXE
        
        PID:2636
  - - C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
      "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1692
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1692 -s 276
        5⤵
        Program crash
        
        PID:2648
  - - C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
      "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2724
    - - C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:3044
      - C:\Windows\SysWOW64\Sys32\ICXH.exe
        
        "C:\Windows\system32\Sys32\ICXH.exe"
        6⤵
        Executes dropped EXE
        
        PID:1552
    - - C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:3016
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3016 -s 276
        6⤵
        Program crash
        
        PID:3048
    - - C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        5⤵
        Executes dropped EXE
        
        PID:3032
      - C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        6⤵
        Executes dropped EXE
        
        PID:308
        
        C:\Windows\SysWOW64\Sys32\ICXH.exe
        
        "C:\Windows\system32\Sys32\ICXH.exe"
        7⤵
        Executes dropped EXE
        
        PID:2084
      - C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        6⤵
        Executes dropped EXE
        
        PID:1764
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1764 -s 276
        7⤵
        Program crash
        
        PID:1444
      - C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        6⤵
        Executes dropped EXE
        
        PID:2644
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        7⤵
        Executes dropped EXE
        
        PID:2764
        
        C:\Windows\SysWOW64\Sys32\ICXH.exe
        
        "C:\Windows\system32\Sys32\ICXH.exe"
        8⤵
        Executes dropped EXE
        
        PID:2140
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        7⤵
        Executes dropped EXE
        
        PID:2120
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2120 -s 276
        8⤵
        Program crash
        
        PID:1700
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2200
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        8⤵
        Executes dropped EXE
        
        PID:860
        
        C:\Windows\SysWOW64\Sys32\ICXH.exe
        
        "C:\Windows\system32\Sys32\ICXH.exe"
        9⤵
        Executes dropped EXE
        
        PID:2152
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        8⤵
        Executes dropped EXE
        
        PID:2500
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2500 -s 276
        9⤵
        Program crash
        
        PID:2216
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        8⤵
        Executes dropped EXE
        
        PID:2100
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        9⤵
        Executes dropped EXE
        
        PID:924
        
        C:\Windows\SysWOW64\Sys32\ICXH.exe
        
        "C:\Windows\system32\Sys32\ICXH.exe"
        10⤵
        Executes dropped EXE
        
        PID:1148
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        9⤵
        Executes dropped EXE
        
        PID:580
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 580 -s 276
        10⤵
        Program crash
        
        PID:1168
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        9⤵
        Executes dropped EXE
        
        PID:996
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        10⤵
        Executes dropped EXE
        
        PID:1472
        
        C:\Windows\SysWOW64\Sys32\ICXH.exe
        
        "C:\Windows\system32\Sys32\ICXH.exe"
        11⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2280
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        10⤵
        Executes dropped EXE
        
        PID:104
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 104 -s 276
        11⤵
        Program crash
        
        PID:2292
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        10⤵
        Executes dropped EXE
        
        PID:2492
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2512
        
        C:\Windows\SysWOW64\Sys32\ICXH.exe
        
        "C:\Windows\system32\Sys32\ICXH.exe"
        12⤵
        Executes dropped EXE
        
        PID:2540
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        11⤵
        Executes dropped EXE
        
        PID:868
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 868 -s 276
        12⤵
        Program crash
        
        PID:1932
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:960
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2688
        
        C:\Windows\SysWOW64\Sys32\ICXH.exe
        
        "C:\Windows\system32\Sys32\ICXH.exe"
        13⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1712
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        12⤵
        Executes dropped EXE
        
        PID:2564
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2564 -s 276
        13⤵
        Program crash
        
        PID:2956
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        12⤵
        Executes dropped EXE
        
        PID:2928
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2756
        
        C:\Windows\SysWOW64\Sys32\ICXH.exe
        
        "C:\Windows\system32\Sys32\ICXH.exe"
        14⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3052
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1464
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1464 -s 276
        14⤵
        Program crash
        
        PID:2636
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        13⤵
        Executes dropped EXE
        
        PID:2384
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1724
        
        C:\Windows\SysWOW64\Sys32\ICXH.exe
        
        "C:\Windows\system32\Sys32\ICXH.exe"
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2132
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        14⤵
        Executes dropped EXE
        
        PID:1896
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1896 -s 276
        15⤵
        Program crash
        
        PID:1660
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        14⤵
        Executes dropped EXE
        
        PID:2068
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        15⤵
        Executes dropped EXE
        
        PID:756
        
        C:\Windows\SysWOW64\Sys32\ICXH.exe
        
        "C:\Windows\system32\Sys32\ICXH.exe"
        16⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2336
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:692
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 692 -s 276
        16⤵
        Program crash
        
        PID:1744
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        15⤵
        Executes dropped EXE
        
        PID:524
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        16⤵
        Executes dropped EXE
        
        PID:2152
        
        C:\Windows\SysWOW64\Sys32\ICXH.exe
        
        "C:\Windows\system32\Sys32\ICXH.exe"
        17⤵
        Executes dropped EXE
        
        PID:2100
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        16⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:684
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 684 -s 276
        17⤵
        Program crash
        
        PID:2876
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        16⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3020
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1848
        
        C:\Windows\SysWOW64\Sys32\ICXH.exe
        
        "C:\Windows\system32\Sys32\ICXH.exe"
        18⤵
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2252
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        17⤵
        
        PID:1136
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1136 -s 276
        18⤵
        Program crash
        
        PID:1344
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        17⤵
        Executes dropped EXE
        
        PID:2184
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        18⤵
        
        PID:560
        
        C:\Windows\SysWOW64\Sys32\ICXH.exe
        
        "C:\Windows\system32\Sys32\ICXH.exe"
        19⤵
        
        PID:1576
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        18⤵
        System Location Discovery: System Language Discovery
        
        PID:2272
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2272 -s 276
        19⤵
        Program crash
        
        PID:1448
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        18⤵
        
        PID:1488
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        19⤵
        Drops file in System32 directory
        
        PID:1688
        
        C:\Windows\SysWOW64\Sys32\ICXH.exe
        
        "C:\Windows\system32\Sys32\ICXH.exe"
        20⤵
        Adds Run key to start application
        Suspicious use of SetWindowsHookEx
        
        PID:2352
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        19⤵
        
        PID:1912
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1912 -s 276
        20⤵
        Program crash
        
        PID:2596
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        19⤵
        
        PID:2840
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        20⤵
        Drops file in System32 directory
        
        PID:2972
        
        C:\Windows\SysWOW64\Sys32\ICXH.exe
        
        "C:\Windows\system32\Sys32\ICXH.exe"
        21⤵
        
        PID:2496
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        20⤵
        
        PID:2064
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2064 -s 276
        21⤵
        Program crash
        
        PID:1528
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        20⤵
        
        PID:1840
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        21⤵
        Drops file in System32 directory
        
        PID:2512
        
        C:\Windows\SysWOW64\Sys32\ICXH.exe
        
        "C:\Windows\system32\Sys32\ICXH.exe"
        22⤵
        
        PID:2572
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        21⤵
        
        PID:1588
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1588 -s 276
        22⤵
        Program crash
        
        PID:2832
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        21⤵
        
        PID:856
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        22⤵
        Drops file in System32 directory
        
        PID:1356
        
        C:\Windows\SysWOW64\Sys32\ICXH.exe
        
        "C:\Windows\system32\Sys32\ICXH.exe"
        23⤵
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2044
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        22⤵
        
        PID:1992
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1992 -s 276
        23⤵
        Program crash
        
        PID:2600
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        22⤵
        
        PID:1156
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        23⤵
        
        PID:1852
        
        C:\Windows\SysWOW64\Sys32\ICXH.exe
        
        "C:\Windows\system32\Sys32\ICXH.exe"
        24⤵
        
        PID:280
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        23⤵
        
        PID:2208
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2208 -s 276
        24⤵
        Program crash
        
        PID:2096
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        23⤵
        
        PID:2160
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        24⤵
        
        PID:2172
        
        C:\Windows\SysWOW64\Sys32\ICXH.exe
        
        "C:\Windows\system32\Sys32\ICXH.exe"
        25⤵
        
        PID:524
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        24⤵
        
        PID:572
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 572 -s 276
        25⤵
        Program crash
        
        PID:532
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        24⤵
        
        PID:1676
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        25⤵
        
        PID:2696
        
        C:\Windows\SysWOW64\Sys32\ICXH.exe
        
        "C:\Windows\system32\Sys32\ICXH.exe"
        26⤵
        
        PID:2736
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        25⤵
        
        PID:3020
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3020 -s 276
        26⤵
        Program crash
        
        PID:2872
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        25⤵
        System Location Discovery: System Language Discovery
        
        PID:1112
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        26⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1476
        
        C:\Windows\SysWOW64\Sys32\ICXH.exe
        
        "C:\Windows\system32\Sys32\ICXH.exe"
        27⤵
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2904
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        26⤵
        
        PID:1460
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1460 -s 276
        27⤵
        Program crash
        
        PID:2184
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        26⤵
        System Location Discovery: System Language Discovery
        
        PID:1920
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        27⤵
        Drops file in System32 directory
        
        PID:2000
        
        C:\Windows\SysWOW64\Sys32\ICXH.exe
        
        "C:\Windows\system32\Sys32\ICXH.exe"
        28⤵
        
        PID:588
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        27⤵
        
        PID:2324
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2324 -s 276
        28⤵
        Program crash
        
        PID:1740
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        27⤵
        
        PID:3000
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        28⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1496
        
        C:\Windows\SysWOW64\Sys32\ICXH.exe
        
        "C:\Windows\system32\Sys32\ICXH.exe"
        29⤵
        
        PID:2776
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        28⤵
        
        PID:2836
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2836 -s 276
        29⤵
        Program crash
        
        PID:636
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        28⤵
        System Location Discovery: System Language Discovery
        
        PID:1008
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        29⤵
        
        PID:2828
        
        C:\Windows\SysWOW64\Sys32\ICXH.exe
        
        "C:\Windows\system32\Sys32\ICXH.exe"
        30⤵
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:476
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        29⤵
        
        PID:2528
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2528 -s 276
        30⤵
        Program crash
        
        PID:960
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        29⤵
        
        PID:2512
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        30⤵
        Drops file in System32 directory
        
        PID:2708
        
        C:\Windows\SysWOW64\Sys32\ICXH.exe
        
        "C:\Windows\system32\Sys32\ICXH.exe"
        31⤵
        
        PID:1332
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        30⤵
        
        PID:1356
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1356 -s 276
        31⤵
        Program crash
        
        PID:3008
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        30⤵
        
        PID:1212
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        31⤵
        Drops file in System32 directory
        
        PID:1368
        
        C:\Windows\SysWOW64\Sys32\ICXH.exe
        
        "C:\Windows\system32\Sys32\ICXH.exe"
        32⤵
        
        PID:3036
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        31⤵
        
        PID:1852
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1852 -s 276
        32⤵
        Program crash
        
        PID:776
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        31⤵
        
        PID:2508
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        32⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2696
        
        C:\Windows\SysWOW64\Sys32\ICXH.exe
        
        "C:\Windows\system32\Sys32\ICXH.exe"
        33⤵
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1568
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        32⤵
        
        PID:2752
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2752 -s 276
        33⤵
        Program crash
        
        PID:2100
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        32⤵
        
        PID:2632
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        33⤵
        
        PID:1476
        
        C:\Windows\SysWOW64\Sys32\ICXH.exe
        
        "C:\Windows\system32\Sys32\ICXH.exe"
        34⤵
        
        PID:2984
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        33⤵
        
        PID:2996
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2996 -s 276
        34⤵
        Program crash
        
        PID:2348
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        33⤵
        
        PID:1312
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        34⤵
        Drops file in System32 directory
        
        PID:2052
        
        C:\Windows\SysWOW64\Sys32\ICXH.exe
        
        "C:\Windows\system32\Sys32\ICXH.exe"
        35⤵
        
        PID:2904
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        34⤵
        
        PID:2496
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2496 -s 276
        35⤵
        Program crash
        
        PID:2952
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        34⤵
        
        PID:3044
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        35⤵
        
        PID:2828
        
        C:\Windows\SysWOW64\Sys32\ICXH.exe
        
        "C:\Windows\system32\Sys32\ICXH.exe"
        36⤵
        System Location Discovery: System Language Discovery
        
        PID:1040
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        35⤵
        
        PID:2740
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2740 -s 276
        36⤵
        Program crash
        
        PID:2380
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        35⤵
        
        PID:2940
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        36⤵
        
        PID:2868
        
        C:\Windows\SysWOW64\Sys32\ICXH.exe
        
        "C:\Windows\system32\Sys32\ICXH.exe"
        37⤵
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:280
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        36⤵
        
        PID:2128
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2128 -s 276
        37⤵
        Program crash
        
        PID:2152
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        36⤵
        
        PID:2700
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        37⤵
        Drops file in System32 directory
        
        PID:2960
        
        C:\Windows\SysWOW64\Sys32\ICXH.exe
        
        "C:\Windows\system32\Sys32\ICXH.exe"
        38⤵
        
        PID:3000
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        37⤵
        
        PID:2508
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2508 -s 276
        38⤵
        Program crash
        
        PID:1352
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        37⤵
        
        PID:2044
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        38⤵
        Drops file in System32 directory
        
        PID:3004
        
        C:\Windows\SysWOW64\Sys32\ICXH.exe
        
        "C:\Windows\system32\Sys32\ICXH.exe"
        39⤵
        
        PID:924
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        38⤵
        
        PID:2428
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2428 -s 276
        39⤵
        Program crash
        
        PID:2660
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        38⤵
        
        PID:1840
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        39⤵
        
        PID:2684
        
        C:\Windows\SysWOW64\Sys32\ICXH.exe
        
        "C:\Windows\system32\Sys32\ICXH.exe"
        40⤵
        Adds Run key to start application
        Suspicious use of SetWindowsHookEx
        
        PID:2076
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        39⤵
        System Location Discovery: System Language Discovery
        
        PID:2664
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2664 -s 276
        40⤵
        Program crash
        
        PID:2328
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        39⤵
        
        PID:2056
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        40⤵
        Drops file in System32 directory
        
        PID:2828
        
        C:\Windows\SysWOW64\Sys32\ICXH.exe
        
        "C:\Windows\system32\Sys32\ICXH.exe"
        41⤵
        
        PID:2068
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        40⤵
        
        PID:2028
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2028 -s 276
        41⤵
        Program crash
        
        PID:3056
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        40⤵
        
        PID:2868
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        41⤵
        Drops file in System32 directory
        
        PID:1648
        
        C:\Windows\SysWOW64\Sys32\ICXH.exe
        
        "C:\Windows\system32\Sys32\ICXH.exe"
        42⤵
        
        PID:2936
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        41⤵
        
        PID:2640
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2640 -s 276
        42⤵
        Program crash
        
        PID:892
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        41⤵
        
        PID:2492
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        42⤵
        Drops file in System32 directory
        
        PID:2904
        
        C:\Windows\SysWOW64\Sys32\ICXH.exe
        
        "C:\Windows\system32\Sys32\ICXH.exe"
        43⤵
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2312
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        42⤵
        
        PID:2180
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2180 -s 276
        43⤵
        Program crash
        
        PID:1868
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        42⤵
        
        PID:1608
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        43⤵
        Drops file in System32 directory
        
        PID:1368
        
        C:\Windows\SysWOW64\Sys32\ICXH.exe
        
        "C:\Windows\system32\Sys32\ICXH.exe"
        44⤵
        
        PID:2336
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        43⤵
        
        PID:2032
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2032 -s 276
        44⤵
        Program crash
        
        PID:3064
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        43⤵
        
        PID:2056
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        44⤵
        Drops file in System32 directory
        
        PID:852
        
        C:\Windows\SysWOW64\Sys32\ICXH.exe
        
        "C:\Windows\system32\Sys32\ICXH.exe"
        45⤵
        System Location Discovery: System Language Discovery
        
        PID:1648
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        44⤵
        
        PID:308
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 308 -s 276
        45⤵
        Program crash
        
        PID:2584
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        44⤵
        
        PID:3004
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        45⤵
        Drops file in System32 directory
        
        PID:2988
        
        C:\Windows\SysWOW64\Sys32\ICXH.exe
        
        "C:\Windows\system32\Sys32\ICXH.exe"
        46⤵
        
        PID:1568
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        45⤵
        System Location Discovery: System Language Discovery
        
        PID:2076
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2076 -s 276
        46⤵
        Program crash
        
        PID:2572
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        45⤵
        
        PID:2856
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        46⤵
        Drops file in System32 directory
        
        PID:1712
        
        C:\Windows\SysWOW64\Sys32\ICXH.exe
        
        "C:\Windows\system32\Sys32\ICXH.exe"
        47⤵
        Adds Run key to start application
        Suspicious use of SetWindowsHookEx
        
        PID:2728
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        46⤵
        
        PID:2668
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2668 -s 276
        47⤵
        Program crash
        
        PID:2092
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        46⤵
        
        PID:1312
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        47⤵
        Drops file in System32 directory
        
        PID:2492
        
        C:\Windows\SysWOW64\Sys32\ICXH.exe
        
        "C:\Windows\system32\Sys32\ICXH.exe"
        48⤵
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:884
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        47⤵
        
        PID:3036
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3036 -s 276
        48⤵
        Program crash
        
        PID:2336
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        47⤵
        System Location Discovery: System Language Discovery
        
        PID:2684
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        48⤵
        Drops file in System32 directory
        
        PID:2828
        
        C:\Windows\SysWOW64\Sys32\ICXH.exe
        
        "C:\Windows\system32\Sys32\ICXH.exe"
        49⤵
        
        PID:2868
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        48⤵
        
        PID:1648
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1648 -s 276
        49⤵
        Program crash
        
        PID:2884
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        48⤵
        
        PID:2068
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        49⤵
        Drops file in System32 directory
        
        PID:1696
        
        C:\Windows\SysWOW64\Sys32\ICXH.exe
        
        "C:\Windows\system32\Sys32\ICXH.exe"
        50⤵
        
        PID:2512
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        49⤵
        
        PID:2728
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2728 -s 276
        50⤵
        Program crash
        
        PID:2492
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        49⤵
        
        PID:2676
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        50⤵
        Drops file in System32 directory
        
        PID:2696
        
        C:\Windows\SysWOW64\Sys32\ICXH.exe
        
        "C:\Windows\system32\Sys32\ICXH.exe"
        51⤵
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:1920
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        50⤵
        
        PID:2948
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2948 -s 276
        51⤵
        Program crash
        
        PID:992
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        50⤵
        
        PID:3000
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        51⤵
        Drops file in System32 directory
        
        PID:2068
        
        C:\Windows\SysWOW64\Sys32\ICXH.exe
        
        "C:\Windows\system32\Sys32\ICXH.exe"
        52⤵
        System Location Discovery: System Language Discovery
        
        PID:2676
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        51⤵
        
        PID:760
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 760 -s 276
        52⤵
        Program crash
        
        PID:2512
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        51⤵
        
        PID:1368
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        52⤵
        Drops file in System32 directory
        
        PID:3100
        
        C:\Windows\SysWOW64\Sys32\ICXH.exe
        
        "C:\Windows\system32\Sys32\ICXH.exe"
        53⤵
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:3184
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        52⤵
        
        PID:3120
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3120 -s 276
        53⤵
        Program crash
        
        PID:3152
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        52⤵
        
        PID:3144
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        53⤵
        Drops file in System32 directory
        
        PID:3244
        
        C:\Windows\SysWOW64\Sys32\ICXH.exe
        
        "C:\Windows\system32\Sys32\ICXH.exe"
        54⤵
        
        PID:3316
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        53⤵
        
        PID:3260
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3260 -s 276
        54⤵
        Program crash
        
        PID:3300
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        53⤵
        
        PID:3268
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        54⤵
        Drops file in System32 directory
        
        PID:3360
        
        C:\Windows\SysWOW64\Sys32\ICXH.exe
        
        "C:\Windows\system32\Sys32\ICXH.exe"
        55⤵
        
        PID:3448
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        54⤵
        
        PID:3368
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3368 -s 276
        55⤵
        Program crash
        
        PID:3388
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        54⤵
        
        PID:3380
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        55⤵
        
        PID:3472
        
        C:\Windows\SysWOW64\Sys32\ICXH.exe
        
        "C:\Windows\system32\Sys32\ICXH.exe"
        56⤵
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:3556
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        55⤵
        
        PID:3484
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3484 -s 276
        56⤵
        Program crash
        
        PID:3512
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        55⤵
        
        PID:3492
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        56⤵
        Drops file in System32 directory
        
        PID:3584
        
        C:\Windows\SysWOW64\Sys32\ICXH.exe
        
        "C:\Windows\system32\Sys32\ICXH.exe"
        57⤵
        
        PID:3656
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        56⤵
        
        PID:3592
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3592 -s 276
        57⤵
        Program crash
        
        PID:3632
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        56⤵
        
        PID:3624
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        57⤵
        
        PID:3720
        
        C:\Windows\SysWOW64\Sys32\ICXH.exe
        
        "C:\Windows\system32\Sys32\ICXH.exe"
        58⤵
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:3812
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        57⤵
        
        PID:3740
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3740 -s 276
        58⤵
        Program crash
        
        PID:3780
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        57⤵
        System Location Discovery: System Language Discovery
        
        PID:3756
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        58⤵
        
        PID:3844
        
        C:\Windows\SysWOW64\Sys32\ICXH.exe
        
        "C:\Windows\system32\Sys32\ICXH.exe"
        59⤵
        
        PID:3952
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        58⤵
        
        PID:3868
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3868 -s 276
        59⤵
        Program crash
        
        PID:3900
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        58⤵
        System Location Discovery: System Language Discovery
        
        PID:3892
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        59⤵
        Drops file in System32 directory
        
        PID:3988
        
        C:\Windows\SysWOW64\Sys32\ICXH.exe
        
        "C:\Windows\system32\Sys32\ICXH.exe"
        60⤵
        Adds Run key to start application
        
        PID:4088
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        59⤵
        
        PID:4008
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4008 -s 276
        60⤵
        Program crash
        
        PID:4044
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        59⤵
        System Location Discovery: System Language Discovery
        
        PID:4016
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        60⤵
        Drops file in System32 directory
        
        PID:4076
        
        C:\Windows\SysWOW64\Sys32\ICXH.exe
        
        "C:\Windows\system32\Sys32\ICXH.exe"
        61⤵
        
        PID:3340
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        60⤵
        
        PID:2068
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2068 -s 276
        61⤵
        Program crash
        
        PID:2676
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        60⤵
        
        PID:3080
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        61⤵
        
        PID:3096
        
        C:\Windows\SysWOW64\Sys32\ICXH.exe
        
        "C:\Windows\system32\Sys32\ICXH.exe"
        62⤵
        
        PID:3144
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        61⤵
        
        PID:1368
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1368 -s 276
        62⤵
        Program crash
        
        PID:3104
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        61⤵
        
        PID:3160
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        62⤵
        Drops file in System32 directory
        
        PID:3356
        
        C:\Windows\SysWOW64\Sys32\ICXH.exe
        
        "C:\Windows\system32\Sys32\ICXH.exe"
        63⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3380
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        62⤵
        
        PID:3272
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3272 -s 276
        63⤵
        Program crash
        
        PID:3480
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        62⤵
        
        PID:3364
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        63⤵
        Drops file in System32 directory
        
        PID:3188
        
        C:\Windows\SysWOW64\Sys32\ICXH.exe
        
        "C:\Windows\system32\Sys32\ICXH.exe"
        64⤵
        
        PID:3616
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        63⤵
        
        PID:3524
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3524 -s 276
        64⤵
        Program crash
        
        PID:3572
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        63⤵
        
        PID:3504
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        64⤵
        
        PID:3672
        
        C:\Windows\SysWOW64\Sys32\ICXH.exe
        
        "C:\Windows\system32\Sys32\ICXH.exe"
        65⤵
        
        PID:3768
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        64⤵
        
        PID:3692
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3692 -s 276
        65⤵
        Program crash
        
        PID:3736
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        64⤵
        
        PID:3648
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        65⤵
        Drops file in System32 directory
        
        PID:3664
        
        C:\Windows\SysWOW64\Sys32\ICXH.exe
        
        "C:\Windows\system32\Sys32\ICXH.exe"
        66⤵
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:3928
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        65⤵
        
        PID:3796
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3796 -s 276
        66⤵
        Program crash
        
        PID:3888
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        65⤵
        
        PID:3824
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        66⤵
        
        PID:3964
        
        C:\Windows\SysWOW64\Sys32\ICXH.exe
        
        "C:\Windows\system32\Sys32\ICXH.exe"
        67⤵
        
        PID:4060
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        66⤵
        
        PID:3940
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3940 -s 276
        67⤵
        Program crash
        
        PID:4000
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        66⤵
        
        PID:4064
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        67⤵
        Drops file in System32 directory
        
        PID:2940
        
        C:\Windows\SysWOW64\Sys32\ICXH.exe
        
        "C:\Windows\system32\Sys32\ICXH.exe"
        68⤵
        
        PID:3144
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        67⤵
        
        PID:3080
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3080 -s 276
        68⤵
        
        PID:3376
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        67⤵
        System Location Discovery: System Language Discovery
        
        PID:3088
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        68⤵
        Drops file in System32 directory
        
        PID:3312
        
        C:\Windows\SysWOW64\Sys32\ICXH.exe
        
        "C:\Windows\system32\Sys32\ICXH.exe"
        69⤵
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:3468
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        68⤵
        
        PID:3148
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3148 -s 276
        69⤵
        
        PID:3320
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        68⤵
        
        PID:3444
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        69⤵
        
        PID:3184
        
        C:\Windows\SysWOW64\Sys32\ICXH.exe
        
        "C:\Windows\system32\Sys32\ICXH.exe"
        70⤵
        System Location Discovery: System Language Discovery
        
        PID:3660
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        69⤵
        
        PID:3612
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3612 -s 276
        70⤵
        
        PID:3616
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        69⤵
        System Location Discovery: System Language Discovery
        
        PID:3540
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        70⤵
        
        PID:3644
        
        C:\Windows\SysWOW64\Sys32\ICXH.exe
        
        "C:\Windows\system32\Sys32\ICXH.exe"
        71⤵
        
        PID:3380
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        70⤵
        
        PID:3792
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3792 -s 276
        71⤵
        
        PID:3496
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        70⤵
        
        PID:3720
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        71⤵
        Drops file in System32 directory
        
        PID:3948
        
        C:\Windows\SysWOW64\Sys32\ICXH.exe
        
        "C:\Windows\system32\Sys32\ICXH.exe"
        72⤵
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:3776
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        71⤵
        
        PID:3556
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3556 -s 276
        72⤵
        
        PID:3964
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        71⤵
        
        PID:4024
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        72⤵
        Drops file in System32 directory
        
        PID:4068
        
        C:\Windows\SysWOW64\Sys32\ICXH.exe
        
        "C:\Windows\system32\Sys32\ICXH.exe"
        73⤵
        
        PID:3244
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        72⤵
        
        PID:4056
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4056 -s 276
        73⤵
        
        PID:3208
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        72⤵
        
        PID:3992
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        73⤵
        Drops file in System32 directory
        
        PID:2840
        
        C:\Windows\SysWOW64\Sys32\ICXH.exe
        
        "C:\Windows\system32\Sys32\ICXH.exe"
        74⤵
        
        PID:3296
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        73⤵
        
        PID:3088
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3088 -s 276
        74⤵
        
        PID:3532
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        73⤵
        
        PID:4088
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        74⤵
        Drops file in System32 directory
        
        PID:3384
        
        C:\Windows\SysWOW64\Sys32\ICXH.exe
        
        "C:\Windows\system32\Sys32\ICXH.exe"
        75⤵
        Adds Run key to start application
        
        PID:3760
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        74⤵
        System Location Discovery: System Language Discovery
        
        PID:3752
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3752 -s 276
        75⤵
        
        PID:3560
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        74⤵
        
        PID:3504
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        75⤵
        Drops file in System32 directory
        
        PID:3360
        
        C:\Windows\SysWOW64\Sys32\ICXH.exe
        
        "C:\Windows\system32\Sys32\ICXH.exe"
        76⤵
        
        PID:2736
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        75⤵
        
        PID:3976
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3976 -s 276
        76⤵
        
        PID:3924
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        75⤵
        
        PID:3956
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        76⤵
        
        PID:3172
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        76⤵
        System Location Discovery: System Language Discovery
        
        PID:4068
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4068 -s 276
        77⤵
        
        PID:4024
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        76⤵
        
        PID:4060
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        77⤵
        
        PID:3316
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        77⤵
        
        PID:3928
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3928 -s 276
        78⤵
        
        PID:3404
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        77⤵
        
        PID:3408
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        78⤵
        
        PID:3464
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        78⤵
        
        PID:3452
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3452 -s 276
        79⤵
        
        PID:2840
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        78⤵
        
        PID:3520
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        79⤵
        
        PID:3656
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        79⤵
        
        PID:3952
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3952 -s 276
        80⤵
        
        PID:3308
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        79⤵
        
        PID:3684
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        80⤵
        
        PID:3756
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        80⤵
        
        PID:3764
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3764 -s 276
        81⤵
        
        PID:3084
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        80⤵
        
        PID:3844
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        81⤵
        
        PID:3136
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        81⤵
        
        PID:3916
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3916 -s 276
        82⤵
        
        PID:3852
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        81⤵
        
        PID:3244
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        82⤵
        
        PID:1920
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        82⤵
        
        PID:3196
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3196 -s 276
        83⤵
        
        PID:3312
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        82⤵
        
        PID:3424
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        83⤵
        
        PID:3456
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        83⤵
        System Location Discovery: System Language Discovery
        
        PID:3192
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3192 -s 276
        84⤵
        
        PID:3800
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        83⤵
        
        PID:3444
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        84⤵
        
        PID:3504
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        84⤵
        
        PID:3096
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3096 -s 276
        85⤵
        
        PID:2940
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        84⤵
        
        PID:3960
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        85⤵
        
        PID:4060
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        85⤵
        
        PID:3360
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3360 -s 276
        86⤵
        
        PID:3748
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        85⤵
        
        PID:3564
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        86⤵
        System Location Discovery: System Language Discovery
        
        PID:3420
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        86⤵
        
        PID:3408
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3408 -s 276
        87⤵
        
        PID:3244
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        86⤵
        System Location Discovery: System Language Discovery
        
        PID:3688
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        87⤵
        
        PID:3564
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        87⤵
        
        PID:4104
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4104 -s 276
        88⤵
        
        PID:4164
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        87⤵
        
        PID:4112
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        88⤵
        
        PID:4176
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        88⤵
        
        PID:4184
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4184 -s 276
        89⤵
        
        PID:4220
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        88⤵
        
        PID:4192
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        89⤵
        
        PID:4252
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        89⤵
        
        PID:4260
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4260 -s 276
        90⤵
        
        PID:4296
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        89⤵
        
        PID:4268
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        90⤵
        
        PID:4328
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        90⤵
        System Location Discovery: System Language Discovery
        
        PID:4336
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4336 -s 276
        91⤵
        
        PID:4388
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        90⤵
        
        PID:4380
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        91⤵
        
        PID:4408
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        91⤵
        
        PID:4416
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4416 -s 276
        92⤵
        
        PID:4452
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        91⤵
        
        PID:4424
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        92⤵
        
        PID:4468
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        92⤵
        
        PID:4476
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4476 -s 276
        93⤵
        
        PID:4512
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        92⤵
        
        PID:4492
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        93⤵
        
        PID:4544
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        93⤵
        
        PID:4552
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4552 -s 276
        94⤵
        
        PID:4584
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        93⤵
        
        PID:4560
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        94⤵
        
        PID:4612
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        94⤵
        
        PID:4652
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4652 -s 276
        95⤵
        
        PID:4668
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        94⤵
        
        PID:4660
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        95⤵
        
        PID:4700
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        95⤵
        
        PID:4712
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4712 -s 276
        96⤵
        
        PID:4736
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        95⤵
        
        PID:4720
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        96⤵
        System Location Discovery: System Language Discovery
        
        PID:4808
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        96⤵
        
        PID:4816
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4816 -s 276
        97⤵
        
        PID:4848
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        96⤵
        
        PID:4824
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        97⤵
        
        PID:4864
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        97⤵
        
        PID:4876
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4876 -s 276
        98⤵
        
        PID:4912
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        97⤵
        
        PID:4896
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        98⤵
        
        PID:4936
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        98⤵
        
        PID:4944
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4944 -s 276
        99⤵
        
        PID:4968
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        98⤵
        
        PID:4952
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        99⤵
        
        PID:5012
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        99⤵
        
        PID:5020
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5020 -s 276
        100⤵
        
        PID:5052
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        99⤵
        
        PID:5028
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        100⤵
        
        PID:5068
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        100⤵
        
        PID:5076
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5076 -s 276
        101⤵
        
        PID:5112
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        100⤵
        
        PID:5084
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        101⤵
        
        PID:4112
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        101⤵
        
        PID:1200
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1200 -s 276
        102⤵
        
        PID:4212
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        101⤵
        
        PID:4200
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        102⤵
        
        PID:4280
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        102⤵
        
        PID:4288
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4288 -s 276
        103⤵
        
        PID:4436
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        102⤵
        
        PID:4272
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        103⤵
        
        PID:4376
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        103⤵
        
        PID:4404
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4404 -s 276
        104⤵
        
        PID:4496
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        103⤵
        
        PID:4400
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        104⤵
        
        PID:4424
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        104⤵
        
        PID:4596
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4596 -s 276
        105⤵
        
        PID:4520
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        104⤵
        System Location Discovery: System Language Discovery
        
        PID:2592
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        105⤵
        System Location Discovery: System Language Discovery
        
        PID:4632
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        105⤵
        
        PID:4644
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4644 -s 276
        106⤵
        
        PID:4728
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        105⤵
        
        PID:4564
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        106⤵
        
        PID:4676
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        106⤵
        
        PID:4780
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4780 -s 276
        107⤵
        
        PID:4844
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        106⤵
        
        PID:4784
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        107⤵
        
        PID:4964
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        107⤵
        
        PID:4888
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4888 -s 276
        108⤵
        
        PID:4956
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        107⤵
        System Location Discovery: System Language Discovery
        
        PID:4932
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        108⤵
        
        PID:5032
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        108⤵
        
        PID:5060
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5060 -s 276
        109⤵
        
        PID:4124
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        108⤵
        
        PID:3100
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        109⤵
        
        PID:4324
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        109⤵
        
        PID:4244
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4244 -s 276
        110⤵
        
        PID:4368
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        109⤵
        
        PID:4120
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        110⤵
        
        PID:4128
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        110⤵
        
        PID:4508
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4508 -s 276
        111⤵
        
        PID:4836
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        110⤵
        
        PID:4380
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        111⤵
        System Location Discovery: System Language Discovery
        
        PID:4748
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        111⤵
        
        PID:4564
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4564 -s 276
        112⤵
        
        PID:5008
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        111⤵
        
        PID:4660
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        112⤵
        
        PID:4208
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        112⤵
        
        PID:3204
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3204 -s 276
        113⤵
        
        PID:4592
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        112⤵
        
        PID:4308
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        113⤵
        System Location Discovery: System Language Discovery
        
        PID:4272
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        113⤵
        
        PID:4120
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4120 -s 276
        114⤵
        
        PID:4832
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        113⤵
        System Location Discovery: System Language Discovery
        
        PID:4784
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        114⤵
        
        PID:5088
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        114⤵
        
        PID:4500
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4500 -s 276
        115⤵
        
        PID:4724
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        114⤵
        
        PID:4980
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        115⤵
        
        PID:5132
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        115⤵
        
        PID:5144
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5144 -s 276
        116⤵
        
        PID:5164
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        115⤵
        
        PID:5152
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        116⤵
        
        PID:5200
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        116⤵
        System Location Discovery: System Language Discovery
        
        PID:5212
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5212 -s 276
        117⤵
        
        PID:5256
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        116⤵
        
        PID:5220
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        117⤵
        
        PID:5276
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        117⤵
        
        PID:5284
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5284 -s 276
        118⤵
        
        PID:5328
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        117⤵
        
        PID:5292
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        118⤵
        System Location Discovery: System Language Discovery
        
        PID:5340
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        118⤵
        
        PID:5352
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5352 -s 276
        119⤵
        
        PID:5384
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        118⤵
        
        PID:5360
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        119⤵
        
        PID:5416
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        119⤵
        
        PID:5424
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5424 -s 276
        120⤵
        
        PID:5460
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        119⤵
        
        PID:5432
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        120⤵
        
        PID:5476
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        120⤵
        
        PID:5488
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5488 -s 276
        121⤵
        
        PID:5524
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        120⤵
        
        PID:5496
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        121⤵
        
        PID:5548
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        121⤵
        
        PID:5556
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5556 -s 276
        122⤵
        
        PID:5592
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        121⤵
        
        PID:5564
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        122⤵
        
        PID:5616
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        122⤵
        
        PID:5632
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5632 -s 276
        123⤵
        
        PID:5668
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        122⤵
        
        PID:5640
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        123⤵
        System Location Discovery: System Language Discovery
        
        PID:5684
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        123⤵
        System Location Discovery: System Language Discovery
        
        PID:5696
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5696 -s 276
        124⤵
        
        PID:5732
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        123⤵
        
        PID:5708
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        124⤵
        
        PID:5760
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        124⤵
        
        PID:5772
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5772 -s 276
        125⤵
        
        PID:5812
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        124⤵
        
        PID:5780
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        125⤵
        
        PID:5840
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        125⤵
        
        PID:5848
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5848 -s 276
        126⤵
        
        PID:5876
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        125⤵
        
        PID:5856
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        126⤵
        
        PID:5900
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        126⤵
        System Location Discovery: System Language Discovery
        
        PID:5916
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5916 -s 276
        127⤵
        
        PID:5960
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        126⤵
        
        PID:5924
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        127⤵
        
        PID:5984
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        127⤵
        
        PID:5992
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5992 -s 276
        128⤵
        
        PID:6044
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        127⤵
        
        PID:6000
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        128⤵
        
        PID:6068
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        128⤵
        
        PID:6080
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6080 -s 276
        129⤵
        
        PID:6120
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        128⤵
        
        PID:6092
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        129⤵
        
        PID:6136
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        129⤵
        
        PID:5096
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5096 -s 276
        130⤵
        
        PID:5124
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        129⤵
        
        PID:4784
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        130⤵
        
        PID:4448
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        130⤵
        
        PID:5192
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5192 -s 276
        131⤵
        
        PID:5304
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        130⤵
        
        PID:5004
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        131⤵
        
        PID:5196
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        131⤵
        
        PID:5296
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5296 -s 276
        132⤵
        
        PID:5396
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        131⤵
        System Location Discovery: System Language Discovery
        
        PID:5292
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        132⤵
        
        PID:5440
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        132⤵
        
        PID:5444
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5444 -s 276
        133⤵
        
        PID:5468
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        132⤵
        
        PID:5504
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        133⤵
        
        PID:5568
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        133⤵
        
        PID:5720
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5720 -s 276
        134⤵
        
        PID:5800
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        133⤵
        
        PID:5716
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        134⤵
        
        PID:5752
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        134⤵
        
        PID:5748
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5748 -s 276
        135⤵
        
        PID:5784
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        134⤵
        
        PID:5780
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        135⤵
        
        PID:5972
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        135⤵
        
        PID:5908
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5908 -s 276
        136⤵
        
        PID:6064
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        135⤵
        
        PID:6104
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        136⤵
        
        PID:3492
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        136⤵
        
        PID:6096
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6096 -s 276
        137⤵
        
        PID:5176
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        136⤵
        
        PID:5240
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        137⤵
        System Location Discovery: System Language Discovery
        
        PID:5220
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        137⤵
        
        PID:4900
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4900 -s 276
        138⤵
        
        PID:5572
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        137⤵
        
        PID:5364
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        138⤵
        
        PID:5536
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        138⤵
        
        PID:5508
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5508 -s 276
        139⤵
        
        PID:5680
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        138⤵
        
        PID:5796
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        139⤵
        System Location Discovery: System Language Discovery
        
        PID:6020
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        139⤵
        
        PID:6112
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6112 -s 276
        140⤵
        
        PID:6128
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        139⤵
        
        PID:6104
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        140⤵
        
        PID:5172
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        140⤵
        
        PID:5412
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5412 -s 276
        141⤵
        
        PID:5728
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        140⤵
        
        PID:5152
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        141⤵
        
        PID:5320
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        141⤵
        
        PID:5576
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5576 -s 276
        142⤵
        
        PID:6016
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        141⤵
        
        PID:5824
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        142⤵
        
        PID:5796
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        142⤵
        
        PID:5040
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5040 -s 276
        143⤵
        
        PID:5532
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        142⤵
        
        PID:5248
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        143⤵
        
        PID:5976
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        143⤵
        
        PID:5924
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5924 -s 276
        144⤵
        
        PID:5644
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        143⤵
        
        PID:5820
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        144⤵
        
        PID:6024
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        144⤵
        
        PID:6148
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6148 -s 276
        145⤵
        
        PID:6180
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        144⤵
        
        PID:6156
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        145⤵
        
        PID:6196
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        145⤵
        
        PID:6212
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6212 -s 276
        146⤵
        
        PID:6256
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        145⤵
        
        PID:6220
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        146⤵
        
        PID:6268
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        146⤵
        
        PID:6280
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6280 -s 276
        147⤵
        
        PID:6316
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        146⤵
        
        PID:6288
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        147⤵
        System Location Discovery: System Language Discovery
        
        PID:6328
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        147⤵
        
        PID:6340
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6340 -s 276
        148⤵
        
        PID:6396
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        147⤵
        
        PID:6348
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        148⤵
        
        PID:6424
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        148⤵
        
        PID:6432
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6432 -s 276
        149⤵
        
        PID:6476
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        148⤵
        
        PID:6444
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        149⤵
        
        PID:6528
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        149⤵
        
        PID:6536
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6536 -s 276
        150⤵
        
        PID:6572
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        149⤵
        
        PID:6544
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        150⤵
        
        PID:6600
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        150⤵
        
        PID:6620
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6620 -s 276
        151⤵
        
        PID:6656
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        150⤵
        System Location Discovery: System Language Discovery
        
        PID:6628
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        151⤵
        
        PID:6680
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        151⤵
        
        PID:6692
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6692 -s 276
        152⤵
        
        PID:6712
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        151⤵
        
        PID:6700
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        152⤵
        
        PID:6736
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        152⤵
        
        PID:6748
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6748 -s 276
        153⤵
        
        PID:6776
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        152⤵
        
        PID:6756
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        153⤵
        
        PID:6804
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        153⤵
        
        PID:6812
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6812 -s 276
        154⤵
        
        PID:6844
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        153⤵
        System Location Discovery: System Language Discovery
        
        PID:6820
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        154⤵
        
        PID:6872
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        154⤵
        
        PID:6880
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6880 -s 276
        155⤵
        
        PID:6916
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        154⤵
        
        PID:6888
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        155⤵
        
        PID:6936
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        155⤵
        System Location Discovery: System Language Discovery
        
        PID:6944
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6944 -s 276
        156⤵
        
        PID:6988
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        155⤵
        
        PID:6968
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        156⤵
        
        PID:7000
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        156⤵
        
        PID:7032
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7032 -s 276
        157⤵
        
        PID:7080
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        156⤵
        
        PID:7040
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        157⤵
        
        PID:7072
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        157⤵
        System Location Discovery: System Language Discovery
        
        PID:7092
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7092 -s 276
        158⤵
        
        PID:5436
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        157⤵
        
        PID:7100
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        158⤵
        
        PID:7140
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        158⤵
        
        PID:6204
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6204 -s 276
        159⤵
        
        PID:5820
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        158⤵
        
        PID:6224
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        159⤵
        
        PID:6296
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        159⤵
        
        PID:6404
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6404 -s 276
        160⤵
        
        PID:1564
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        159⤵
        
        PID:6408
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        160⤵
        
        PID:6460
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        160⤵
        
        PID:6420
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6420 -s 276
        161⤵
        
        PID:6552
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        160⤵
        
        PID:6592
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        161⤵
        System Location Discovery: System Language Discovery
        
        PID:6632
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        161⤵
        System Location Discovery: System Language Discovery
        
        PID:6708
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6708 -s 276
        162⤵
        
        PID:6640
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        161⤵
        System Location Discovery: System Language Discovery
        
        PID:6768
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        162⤵
        
        PID:6832
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        162⤵
        System Location Discovery: System Language Discovery
        
        PID:6828
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6828 -s 276
        163⤵
        
        PID:6896
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        162⤵
        
        PID:6820
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        163⤵
        
        PID:6924
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        163⤵
        
        PID:6888
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6888 -s 276
        164⤵
        
        PID:7028
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        163⤵
        
        PID:6868
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        164⤵
        System Location Discovery: System Language Discovery
        
        PID:7068
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        164⤵
        
        PID:7040
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7040 -s 276
        165⤵
        
        PID:6368
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        164⤵
        
        PID:7012
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        165⤵
        
        PID:5872
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        165⤵
        
        PID:6240
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6240 -s 276
        166⤵
        
        PID:6308
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        165⤵
        
        PID:7156
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        166⤵
        
        PID:6188
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        166⤵
        
        PID:6156
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6156 -s 276
        167⤵
        
        PID:6516
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        166⤵
        
        PID:6504
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        167⤵
        
        PID:6588
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        167⤵
        
        PID:6548
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6548 -s 276
        168⤵
        
        PID:6772
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        167⤵
        
        PID:6700
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        168⤵
        
        PID:6860
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        168⤵
        System Location Discovery: System Language Discovery
        
        PID:6892
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6892 -s 276
        169⤵
        
        PID:6960
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        168⤵
        
        PID:6928
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        169⤵
        
        PID:7024
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        169⤵
        
        PID:6300
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6300 -s 276
        170⤵
        
        PID:7156
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        169⤵
        
        PID:7100
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        170⤵
        
        PID:6348
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        170⤵
        
        PID:6504
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6504 -s 276
        171⤵
        
        PID:6724
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        170⤵
        
        PID:6448
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        171⤵
        
        PID:6864
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        171⤵
        
        PID:6904
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6904 -s 276
        172⤵
        
        PID:6444
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        171⤵
        System Location Discovery: System Language Discovery
        
        PID:6248
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        172⤵
        
        PID:7100
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        172⤵
        
        PID:7060
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7060 -s 276
        173⤵
        
        PID:7196
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        172⤵
        
        PID:7136
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        173⤵
        
        PID:7220
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        173⤵
        
        PID:7228
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7228 -s 276
        174⤵
        
        PID:7276
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        173⤵
        
        PID:7236
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        174⤵
        
        PID:7312
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        174⤵
        
        PID:7324
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7324 -s 276
        175⤵
        
        PID:7356
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        174⤵
        
        PID:7380
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        175⤵
        System Location Discovery: System Language Discovery
        
        PID:7424
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        175⤵
        
        PID:7432
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7432 -s 276
        176⤵
        
        PID:7444
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        175⤵
        
        PID:7472
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        176⤵
        
        PID:7504
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        176⤵
        
        PID:7528
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7528 -s 276
        177⤵
        
        PID:7552
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        176⤵
        
        PID:7540
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        177⤵
        
        PID:7580
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        177⤵
        
        PID:7588
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7588 -s 276
        178⤵
        
        PID:7628
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        177⤵
        
        PID:7596
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        178⤵
        
        PID:7644
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        178⤵
        
        PID:7652
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7652 -s 276
        179⤵
        
        PID:7672
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        178⤵
        
        PID:7660
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        179⤵
        
        PID:7708
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        179⤵
        
        PID:7716
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7716 -s 276
        180⤵
        
        PID:7752
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        179⤵
        
        PID:7728
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        180⤵
        
        PID:7772
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        180⤵
        
        PID:7784
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7784 -s 276
        181⤵
        
        PID:7808
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        180⤵
        
        PID:7792
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        181⤵
        
        PID:7836
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        181⤵
        
        PID:7852
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7852 -s 276
        182⤵
        
        PID:7884
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        181⤵
        
        PID:7860
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        182⤵
        
        PID:7904
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        182⤵
        
        PID:7912
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7912 -s 276
        183⤵
        
        PID:7948
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        182⤵
        
        PID:7920
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        183⤵
        
        PID:7976
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        183⤵
        
        PID:7988
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7988 -s 276
        184⤵
        
        PID:8048
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        183⤵
        
        PID:7996
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        184⤵
        
        PID:8060
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        184⤵
        
        PID:8072
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 8072 -s 276
        185⤵
        
        PID:8108
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        184⤵
        
        PID:8092
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        185⤵
        
        PID:8128
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        185⤵
        
        PID:8136
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 8136 -s 276
        186⤵
        
        PID:8184
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        185⤵
        
        PID:8144
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        186⤵
        
        PID:7180
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        186⤵
        
        PID:6968
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6968 -s 276
        187⤵
        
        PID:6288
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        186⤵
        
        PID:7044
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        187⤵
        
        PID:7128
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        187⤵
        
        PID:7204
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7204 -s 276
        188⤵
        
        PID:7336
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        187⤵
        
        PID:7272
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        188⤵
        
        PID:7460
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        188⤵
        
        PID:7440
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7440 -s 276
        189⤵
        
        PID:7512
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        188⤵
        
        PID:7384
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        189⤵
        
        PID:7544
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        189⤵
        
        PID:7640
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7640 -s 276
        190⤵
        
        PID:7688
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        189⤵
        
        PID:7596
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        190⤵
        
        PID:7660
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        190⤵
        
        PID:7764
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7764 -s 276
        191⤵
        
        PID:7796
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        190⤵
        
        PID:7728
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        191⤵
        
        PID:7880
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        191⤵
        
        PID:7820
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7820 -s 276
        192⤵
        
        PID:7932
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        191⤵
        
        PID:7896
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        192⤵
        
        PID:7924
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        192⤵
        
        PID:7956
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7956 -s 276
        193⤵
        
        PID:8080
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        192⤵
        
        PID:8028
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        193⤵
        
        PID:8092
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        193⤵
        
        PID:8160
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 8160 -s 276
        194⤵
        
        PID:7176
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        193⤵
        
        PID:8148
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        194⤵
        
        PID:6448
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        194⤵
        
        PID:7484
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7484 -s 276
        195⤵
        
        PID:7236
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        194⤵
        
        PID:7520
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        195⤵
        
        PID:7624
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        195⤵
        
        PID:7568
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7568 -s 276
        196⤵
        
        PID:7736
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        195⤵
        
        PID:7380
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        196⤵
        
        PID:6704
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        196⤵
        
        PID:8032
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 8032 -s 276
        197⤵
        
        PID:8044
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        196⤵
        
        PID:7844
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        197⤵
        
        PID:8144
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        197⤵
        
        PID:6636
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6636 -s 276
        198⤵
        
        PID:7664
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        197⤵
        
        PID:7240
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        198⤵
        
        PID:7520
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        198⤵
        
        PID:7892
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7892 -s 276
        199⤵
        
        PID:7692
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        198⤵
        
        PID:7860
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        199⤵
        
        PID:7616
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        199⤵
        
        PID:7596
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7596 -s 276
        200⤵
        
        PID:8024
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        199⤵
        
        PID:7684
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        200⤵
        
        PID:7216
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        200⤵
        
        PID:7392
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7392 -s 276
        201⤵
        
        PID:8212
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        200⤵
        
        PID:7380
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        201⤵
        
        PID:8240
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        201⤵
        
        PID:8252
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 8252 -s 276
        202⤵
        
        PID:8292
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        201⤵
        
        PID:8260
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        202⤵
        
        PID:8308
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        202⤵
        
        PID:8316
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 8316 -s 276
        203⤵
        
        PID:8356
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        202⤵
        
        PID:8324
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        203⤵
        
        PID:8376
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        203⤵
        
        PID:8384
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 8384 -s 276
        204⤵
        
        PID:8408
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        203⤵
        
        PID:8392
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        204⤵
        
        PID:8448
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        204⤵
        
        PID:8456
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 8456 -s 276
        205⤵
        
        PID:8492
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        204⤵
        
        PID:8464
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        205⤵
        
        PID:8508
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        205⤵
        
        PID:8516
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 8516 -s 276
        206⤵
        
        PID:8552
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        205⤵
        
        PID:8524
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        206⤵
        
        PID:8576
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        206⤵
        
        PID:8588
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 8588 -s 276
        207⤵
        
        PID:8644
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        206⤵
        
        PID:8596
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        207⤵
        
        PID:8660
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        207⤵
        
        PID:8668
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 8668 -s 276
        208⤵
        
        PID:8712
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        207⤵
        
        PID:8676
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        208⤵
        
        PID:8736
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        208⤵
        
        PID:8748
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 8748 -s 276
        209⤵
        
        PID:8780
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        208⤵
        
        PID:8756
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        209⤵
        
        PID:8804
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        209⤵
        
        PID:8812
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 8812 -s 276
        210⤵
        
        PID:8856
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        209⤵
        
        PID:8820
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        210⤵
        
        PID:8876
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        210⤵
        
        PID:8884
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 8884 -s 276
        211⤵
        
        PID:8916
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        210⤵
        
        PID:8892
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        211⤵
        
        PID:8940
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        211⤵
        
        PID:8956
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 8956 -s 276
        212⤵
        
        PID:8972
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        211⤵
        
        PID:8996
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        212⤵
        
        PID:9040
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        212⤵
        
        PID:9056
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 9056 -s 276
        213⤵
        
        PID:9084
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        212⤵
        
        PID:9064
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        213⤵
        
        PID:9104
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        213⤵
        
        PID:9112
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 9112 -s 276
        214⤵
        
        PID:9184
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        213⤵
        
        PID:9120
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        214⤵
        
        PID:9156
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        214⤵
        
        PID:9168
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 9168 -s 276
        215⤵
        
        PID:9192
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        214⤵
        
        PID:9176
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        215⤵
        
        PID:8200
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        215⤵
        
        PID:8232
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 8232 -s 276
        216⤵
        
        PID:8268
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        215⤵
        
        PID:7748
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        216⤵
        
        PID:8324
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        216⤵
        
        PID:8404
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 8404 -s 276
        217⤵
        
        PID:8540
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        216⤵
        
        PID:8444
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        217⤵
        
        PID:8432
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        217⤵
        
        PID:8608
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 8608 -s 276
        218⤵
        
        PID:8656
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        217⤵
        
        PID:8564
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        218⤵
        
        PID:8700
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        218⤵
        
        PID:8732
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 8732 -s 276
        219⤵
        
        PID:8800
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        218⤵
        
        PID:8676
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        219⤵
        
        PID:8828
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        219⤵
        
        PID:8872
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 8872 -s 276
        220⤵
        
        PID:8924
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        219⤵
        
        PID:8728
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        220⤵
        
        PID:8984
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        220⤵
        
        PID:9008
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 9008 -s 276
        221⤵
        
        PID:9200
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        220⤵
        
        PID:7748
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        221⤵
        
        PID:8444
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        221⤵
        
        PID:8528
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 8528 -s 276
        222⤵
        
        PID:8568
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        221⤵
        
        PID:8764
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        222⤵
        
        PID:8720
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        222⤵
        
        PID:8900
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 8900 -s 276
        223⤵
        
        PID:8892
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        222⤵
        
        PID:8820
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        223⤵
        
        PID:8368
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        223⤵
        
        PID:8620
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 8620 -s 276
        224⤵
        
        PID:8864
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        223⤵
        
        PID:8708
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        224⤵
        
        PID:8764
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        224⤵
        
        PID:8464
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 8464 -s 276
        225⤵
        
        PID:9236
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        224⤵
        
        PID:9292
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        225⤵
        
        PID:9332
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        225⤵
        
        PID:9340
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 9340 -s 276
        226⤵
        
        PID:9368
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        225⤵
        
        PID:9352
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        226⤵
        
        PID:9408
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        226⤵
        
        PID:9416
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 9416 -s 276
        227⤵
        
        PID:9456
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        226⤵
        
        PID:9424
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        227⤵
        
        PID:9492
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        227⤵
        
        PID:9500
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 9500 -s 276
        228⤵
        
        PID:9532
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        227⤵
        
        PID:9508
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        228⤵
        
        PID:9596
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        228⤵
        
        PID:9604
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 9604 -s 276
        229⤵
        
        PID:9624
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        228⤵
        
        PID:9612
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        229⤵
        
        PID:9672
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        229⤵
        
        PID:9680
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 9680 -s 276
        230⤵
        
        PID:9712
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        229⤵
        
        PID:9688
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        230⤵
        
        PID:9736
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        230⤵
        
        PID:9748
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 9748 -s 276
        231⤵
        
        PID:9772
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        230⤵
        
        PID:9756
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        231⤵
        
        PID:9804
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        231⤵
        
        PID:9816
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 9816 -s 276
        232⤵
        
        PID:9888
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        231⤵
        
        PID:9832
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        232⤵
        
        PID:9880
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        232⤵
        
        PID:9900
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 9900 -s 276
        233⤵
        
        PID:9940
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        232⤵
        
        PID:9916
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        233⤵
        
        PID:10000
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        233⤵
        
        PID:10012
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 10012 -s 276
        234⤵
        
        PID:10048
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        233⤵
        
        PID:10020
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        234⤵
        
        PID:10104
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        234⤵
        
        PID:10116
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 10116 -s 276
        235⤵
        
        PID:10136
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        234⤵
        
        PID:10124
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        235⤵
        
        PID:10180
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        235⤵
        
        PID:10200
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 10200 -s 276
        236⤵
        
        PID:10220
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        235⤵
        
        PID:10208
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        236⤵
        
        PID:9244
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        236⤵
        
        PID:8484
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 8484 -s 276
        237⤵
        
        PID:9296
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        236⤵
        
        PID:8756
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        237⤵
        
        PID:9356
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        237⤵
        
        PID:9396
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 9396 -s 276
        238⤵
        
        PID:9452
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        237⤵
        
        PID:9436
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        238⤵
        
        PID:9424
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        238⤵
        
        PID:9528
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        238⤵
        
        PID:9572
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        239⤵
        
        PID:9660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\@CF42.tmp

Filesize
883KB

MD5
ab82ed64c95b3f60dbaa8f8b7c99e493

SHA1
a6c714238ba136210b08266370b5ebb685e25bd1

SHA256
2f2e41bcf7a3b90c3336fef27d226d10ae32410a943794f694ca583554b1e360

SHA512
91fa7fa2c7211a3357700e8749e5ea5ddd06a364d7c6b63047fb126ff71bc07b8bb674c289b09c926b0b2c609b4410c15acdfd548e0db0e54659312375041394

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup_akl.exe

Filesize
1.4MB

MD5
5e7c6347cf2b6f288aa9df498b2c59fd

SHA1
5cd660eab61c5ab020f860f1f93b6c81ad1c9b03

SHA256
1be6fa8e86cd73eae85bf4d687ff83750d6373b40927f5b033bd36ff2338cd6b

SHA512
f189a4cbb58ddc888b2446ab1db26a93330548d83365236df24aa015f1d00411850e33add0d9498d8fea9b38d29db7c1b0ced727132c5ea2c6553b896940d013

Download Submit
C:\Windows\SysWOW64\Sys32\AKV.exe

Filesize
391KB

MD5
869461e168a87283a8782e70f5d5a3a8

SHA1
ab189b5f2682ae66162226b4f646b1e80486c653

SHA256
992cb5ea845b2d24c02f4e40873bf4ebd7b58b57ae2e001907228af4879e575b

SHA512
e4e77e07eb0ef2adb6d5ebdb9629f4632c417cf3d1a22e4c414b806bfbd259df13f6c88265f9346ed2b22bf67eb3d63924d86767c8508be4abdc9067f15a82ae

Download Submit
C:\Windows\SysWOW64\Sys32\ICXH.001

Filesize
392B

MD5
868deb7dab6539d8b3c540eadeb43b7d

SHA1
bb5488cad80269de199a1151115bd2e768a5bc60

SHA256
3efeeb8fd45cdf87c21c1f71805b36be0ccc2a08ae94e339a91a72dc5bd5a22e

SHA512
04ae38e942b0c8d82291925364a82f26c2ca738d3745871d8d98a1f52909aa2537f7fc49c291731d3b38e9d762d22f89f20c61634754ce978cdbfbe8e20cad18

Download Submit
C:\Windows\SysWOW64\Sys32\ICXH.006

Filesize
7KB

MD5
928cc65dc793834c709a054ca57c19c8

SHA1
a1e5d8407199c1bd6a4b274044de640fe0d9e99b

SHA256
e3473d81a02ed30e4236591384136f41f17b6a4aae24b5468789644ccd4bf192

SHA512
f7c8f7a75c4f8a418630e2ac15676740a902449d9a3c4baf3184409f8701c9caa3e82304d141362d95503f1af6b693eed7b77f690d92ca0162f7ea3ecbc80fdf

Download Submit
C:\Windows\SysWOW64\Sys32\ICXH.007

Filesize
5KB

MD5
3e1f5d5a06cf97b0495b8d129fbe02e4

SHA1
b0de258a813f5edde85004f6865b6ed91f6d6f8f

SHA256
f49448fc7c567e64eaeb9cc4dbd3c8021a82b5d9df0a622a439f7b42dc2f26d7

SHA512
b0e0b81cb5776d298e96346aa61027c9799a47191c94de50be2209c32747774959d002ddeb98fd15556ee893b0d7bd1f0c8a901469dce4e3acf94e2c4c3e2bfd

Download Submit
C:\Windows\SysWOW64\csmm.exe

Filesize
41KB

MD5
db78fc437ec12cf858aee485e92a2988

SHA1
f2641c87ebfa1dd3bb137b3010f9d3e5e8f7f028

SHA256
709ca0c2fec64cb2ac5edd43622e673039fea2ce23591d9a4b00350acb42eff1

SHA512
f7917e65017ac77fe9195427bff0c2529e6bf2c48b0176771d82c7d1dbe0dbb2856c8f09f46d7670efb989fa72686485b352a60243798ef7510bfcdeb74b1184

Download Submit
\Users\Admin\AppData\Local\Temp\@CE47.tmp

Filesize
4KB

MD5
33303ca8abef9221cb410b8a232e9fe4

SHA1
0cdfc25dbf0e9ad7d4585cd9037dc2e6604be00c

SHA256
5110301dee966f0f26307ab1b430279d1e4999c2c4a0ea924ff32f1a9ded869a

SHA512
da29821045773ba776def985966b62e09e69bb5bf1786b16c2fff6feb68a03b9e22c5f7d081e3dd58d1785cd7ac64736497c043b7cf6c7149c3a54f8ef111800

Download Submit
\Users\Admin\AppData\Local\Temp\Install.exe

Filesize
480KB

MD5
e33368d0f5f45a64d7252595ae31e62a

SHA1
0bc7d95bb41f6f53afca4ceb8eaf8adbde5bccda

SHA256
069f18745b07b06046157fd68c3eefc1edda9c29a7f078b594cf102f51b6168c

SHA512
5f7596ecc4b9e35844909cf7843e7838e7cc7e97310215c8ae30c16568f26ec058a7419144a7b0cfdb712009372b846662a098a38f01f21d8e469824662eaaab

Download Submit
\Users\Admin\AppData\Local\Temp\Unlocker.exe

Filesize
41KB

MD5
460f39e8eace24e8b454a11ab8c12f04

SHA1
b8e3d1a34dba0b79a943e3337d62354c4d5745b0

SHA256
80c7be9f2c88b5609d4784af951b470c9fcbaa1f665ac364d2040181fa2b2eae

SHA512
d485dd360cac57c6b02d7ff99d2768be4f43d7433c053e073d74121a86ba6805712d3a187963bb8aea048dddde233c84091f68283e8fb22dbd281869c01be23f

Download Submit
\Windows\SysWOW64\Sys32\ICXH.exe

Filesize
476KB

MD5
ef52b540cb404d908338e9cbf7cff283

SHA1
778765e1736c0a197685978c3fee7a44e7bde419

SHA256
39d8bdb975fbfcbcec8fe63be4e9fe6ce39ae5d23a005118aeffa07b17a3f815

SHA512
596b77bf5b15455c326a5a2efd66bc69685eb625e3e211ea0341ad4d8920ada7618a7107e42f2c0963fe6c2d92f2acf47b641ef33071a7c42004e5874d5219a6

Download Submit
memory/524-267-0x0000000000400000-0x000000000058C000-memory.dmp

Filesize
1.5MB

Download
memory/856-318-0x0000000000400000-0x000000000058C000-memory.dmp

Filesize
1.5MB

Download
memory/960-204-0x0000000000BE0000-0x0000000000D6C000-memory.dmp

Filesize
1.5MB

Download
memory/960-221-0x0000000000400000-0x000000000058C000-memory.dmp

Filesize
1.5MB

Download
memory/960-203-0x0000000000BE0000-0x0000000000D6C000-memory.dmp

Filesize
1.5MB

Download
memory/996-186-0x0000000002940000-0x0000000002ACC000-memory.dmp

Filesize
1.5MB

Download
memory/996-180-0x0000000000AA0000-0x0000000000C2C000-memory.dmp

Filesize
1.5MB

Download
memory/996-179-0x0000000000AA0000-0x0000000000C2C000-memory.dmp

Filesize
1.5MB

Download
memory/996-178-0x0000000000400000-0x000000000058C000-memory.dmp

Filesize
1.5MB

Download
memory/996-189-0x0000000000400000-0x000000000058C000-memory.dmp

Filesize
1.5MB

Download
memory/996-181-0x0000000000AA0000-0x0000000000C2C000-memory.dmp

Filesize
1.5MB

Download
memory/1008-385-0x0000000000400000-0x000000000058C000-memory.dmp

Filesize
1.5MB

Download
memory/1080-2-0x0000000000400000-0x0000000000606000-memory.dmp

Filesize
2.0MB

Download
memory/1080-38-0x0000000000400000-0x0000000000606000-memory.dmp

Filesize
2.0MB

Download
memory/1112-359-0x0000000000400000-0x000000000058C000-memory.dmp

Filesize
1.5MB

Download
memory/1156-333-0x0000000000400000-0x000000000058C000-memory.dmp

Filesize
1.5MB

Download
memory/1212-399-0x0000000000400000-0x000000000058C000-memory.dmp

Filesize
1.5MB

Download
memory/1312-559-0x0000000000400000-0x000000000058C000-memory.dmp

Filesize
1.5MB

Download
memory/1312-436-0x0000000000400000-0x000000000058C000-memory.dmp

Filesize
1.5MB

Download
memory/1368-607-0x0000000000400000-0x000000000058C000-memory.dmp

Filesize
1.5MB

Download
memory/1488-293-0x0000000000400000-0x000000000058C000-memory.dmp

Filesize
1.5MB

Download
memory/1608-525-0x0000000000400000-0x000000000058C000-memory.dmp

Filesize
1.5MB

Download
memory/1840-488-0x0000000000400000-0x000000000058C000-memory.dmp

Filesize
1.5MB

Download
memory/1840-314-0x0000000000400000-0x000000000058C000-memory.dmp

Filesize
1.5MB

Download
memory/2044-479-0x0000000000400000-0x000000000058C000-memory.dmp

Filesize
1.5MB

Download
memory/2056-541-0x0000000000400000-0x000000000058C000-memory.dmp

Filesize
1.5MB

Download
memory/2068-251-0x0000000000400000-0x000000000058C000-memory.dmp

Filesize
1.5MB

Download
memory/2068-260-0x0000000000400000-0x000000000058C000-memory.dmp

Filesize
1.5MB

Download
memory/2100-171-0x0000000000400000-0x000000000058C000-memory.dmp

Filesize
1.5MB

Download
memory/2160-339-0x0000000000400000-0x000000000058C000-memory.dmp

Filesize
1.5MB

Download
memory/2184-284-0x0000000000400000-0x000000000058C000-memory.dmp

Filesize
1.5MB

Download
memory/2200-155-0x0000000000400000-0x000000000058C000-memory.dmp

Filesize
1.5MB

Download
memory/2384-236-0x0000000000400000-0x000000000058C000-memory.dmp

Filesize
1.5MB

Download
memory/2384-237-0x0000000000A00000-0x0000000000B8C000-memory.dmp

Filesize
1.5MB

Download
memory/2384-238-0x0000000000A00000-0x0000000000B8C000-memory.dmp

Filesize
1.5MB

Download
memory/2384-250-0x0000000000400000-0x000000000058C000-memory.dmp

Filesize
1.5MB

Download
memory/2492-519-0x0000000000400000-0x000000000058C000-memory.dmp

Filesize
1.5MB

Download
memory/2492-187-0x0000000000400000-0x000000000058C000-memory.dmp

Filesize
1.5MB

Download
memory/2492-190-0x0000000000B50000-0x0000000000CDC000-memory.dmp

Filesize
1.5MB

Download
memory/2492-200-0x0000000000400000-0x000000000058C000-memory.dmp

Filesize
1.5MB

Download
memory/2492-192-0x0000000000B50000-0x0000000000CDC000-memory.dmp

Filesize
1.5MB

Download
memory/2492-191-0x0000000000B50000-0x0000000000CDC000-memory.dmp

Filesize
1.5MB

Download
memory/2508-413-0x0000000000400000-0x000000000058C000-memory.dmp

Filesize
1.5MB

Download
memory/2512-395-0x0000000000400000-0x000000000058C000-memory.dmp

Filesize
1.5MB

Download
memory/2632-422-0x0000000000400000-0x000000000058C000-memory.dmp

Filesize
1.5MB

Download
memory/2644-146-0x0000000000400000-0x000000000058C000-memory.dmp

Filesize
1.5MB

Download
memory/2656-121-0x0000000000400000-0x000000000058C000-memory.dmp

Filesize
1.5MB

Download
memory/2676-588-0x0000000000400000-0x000000000058C000-memory.dmp

Filesize
1.5MB

Download
memory/2700-463-0x0000000000400000-0x000000000058C000-memory.dmp

Filesize
1.5MB

Download
memory/2724-125-0x0000000000400000-0x000000000058C000-memory.dmp

Filesize
1.5MB

Download
memory/2840-300-0x0000000000400000-0x000000000058C000-memory.dmp

Filesize
1.5MB

Download
memory/2856-555-0x0000000000400000-0x000000000058C000-memory.dmp

Filesize
1.5MB

Download
memory/2868-505-0x0000000000400000-0x000000000058C000-memory.dmp

Filesize
1.5MB

Download
memory/2928-218-0x00000000009F0000-0x0000000000B7C000-memory.dmp

Filesize
1.5MB

Download
memory/2928-220-0x00000000009F0000-0x0000000000B7C000-memory.dmp

Filesize
1.5MB

Download
memory/2928-243-0x0000000000400000-0x000000000058C000-memory.dmp

Filesize
1.5MB

Download
memory/2940-454-0x0000000000400000-0x000000000058C000-memory.dmp

Filesize
1.5MB

Download
memory/2972-68-0x0000000000400000-0x000000000058C000-memory.dmp

Filesize
1.5MB

Download
memory/2972-177-0x0000000000BF0000-0x0000000000D7C000-memory.dmp

Filesize
1.5MB

Download
memory/2972-41-0x0000000000BF0000-0x0000000000D7C000-memory.dmp

Filesize
1.5MB

Download
memory/2972-63-0x0000000000400000-0x000000000058C000-memory.dmp

Filesize
1.5MB

Download
memory/3000-376-0x0000000000400000-0x000000000058C000-memory.dmp

Filesize
1.5MB

Download
memory/3004-542-0x0000000000400000-0x000000000058C000-memory.dmp

Filesize
1.5MB

Download
memory/3020-275-0x0000000000400000-0x000000000058C000-memory.dmp

Filesize
1.5MB

Download
memory/3032-141-0x0000000000400000-0x000000000058C000-memory.dmp

Filesize
1.5MB

Download
memory/3044-440-0x0000000000400000-0x000000000058C000-memory.dmp

Filesize
1.5MB

Download
memory/3080-676-0x0000000000400000-0x000000000058C000-memory.dmp

Filesize
1.5MB

Download
memory/3144-616-0x0000000000400000-0x000000000058C000-memory.dmp

Filesize
1.5MB

Download
memory/3160-693-0x0000000000400000-0x000000000058C000-memory.dmp

Filesize
1.5MB

Download
memory/3268-620-0x0000000000400000-0x000000000058C000-memory.dmp

Filesize
1.5MB

Download
memory/3364-701-0x0000000000400000-0x000000000058C000-memory.dmp

Filesize
1.5MB

Download
memory/3380-630-0x0000000000400000-0x000000000058C000-memory.dmp

Filesize
1.5MB

Download
memory/3492-641-0x0000000000400000-0x000000000058C000-memory.dmp

Filesize
1.5MB

Download
memory/3504-707-0x0000000000400000-0x000000000058C000-memory.dmp

Filesize
1.5MB

Download
memory/3624-650-0x0000000000400000-0x000000000058C000-memory.dmp

Filesize
1.5MB

Download
memory/3648-716-0x0000000000400000-0x000000000058C000-memory.dmp

Filesize
1.5MB

Download
memory/3756-657-0x0000000000400000-0x000000000058C000-memory.dmp

Filesize
1.5MB

Download
memory/3824-732-0x0000000000400000-0x000000000058C000-memory.dmp

Filesize
1.5MB

Download
memory/3892-664-0x0000000000400000-0x000000000058C000-memory.dmp

Filesize
1.5MB

Download
memory/4016-672-0x0000000000400000-0x000000000058C000-memory.dmp

Filesize
1.5MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads