ardamax | 0d80a74a32f6a4eabdc1deacae01089784122d99255f0b071d87dd95b59cbfea

Analysis

max time kernel
24s
max time network
113s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
23/08/2024, 02:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b9fd9883b90c1269e5a3b163c5da1ae9_JaffaCakes118.exe
Size

2.0MB
MD5

b9fd9883b90c1269e5a3b163c5da1ae9
SHA1

18abd5d200df33c96181d1fa2e956fdb357c561a
SHA256

0d80a74a32f6a4eabdc1deacae01089784122d99255f0b071d87dd95b59cbfea
SHA512

0f962023614d1f00466a00a85d7e53d36a937633efd2b4edd089cae4eedb262cf13dd8651531d788e6c87fef44d4aeaea51c403d00831aa395d279aa8dbee91a
SSDEEP

49152:/wddN8pT4QCOJ9TzmrJU6wucnErlH8TboegVg9Q:oV8pTswmrJRwucErt8Tbo9

Score

10^/10

ardamax discovery keylogger persistence stealer upx

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax

Ardamax main executable 2 IoCs

resource	yara_rule
behavioral2/files/0x00070000000233e3-41.dat	family_ardamax
behavioral2/files/0x00070000000233e7-88.dat	family_ardamax

Modifies WinLogon for persistence 2 TTPs 64 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Windows\\system32\\csmm.exe"	csmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Windows\\system32\\csmm.exe"	Unlocker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Windows\\system32\\csmm.exe"	csmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Windows\\system32\\csmm.exe"	csmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Windows\\system32\\csmm.exe"	Unlocker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Windows\\system32\\csmm.exe"	csmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Windows\\system32\\csmm.exe"	Unlocker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Windows\\system32\\csmm.exe"	Unlocker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Windows\\system32\\csmm.exe"	csmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Windows\\system32\\csmm.exe"	Unlocker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Windows\\system32\\csmm.exe"	Unlocker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Windows\\system32\\csmm.exe"	Unlocker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Windows\\system32\\csmm.exe"	csmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Windows\\system32\\csmm.exe"	csmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Windows\\system32\\csmm.exe"	csmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Windows\\system32\\csmm.exe"	Unlocker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Windows\\system32\\csmm.exe"	csmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Windows\\system32\\csmm.exe"	csmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Windows\\system32\\csmm.exe"	csmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Windows\\system32\\csmm.exe"	csmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Windows\\system32\\csmm.exe"	Unlocker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Windows\\system32\\csmm.exe"	Unlocker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Windows\\system32\\csmm.exe"	Unlocker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Windows\\system32\\csmm.exe"	csmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Windows\\system32\\csmm.exe"	csmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Windows\\system32\\csmm.exe"	Unlocker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Windows\\system32\\csmm.exe"	Unlocker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Windows\\system32\\csmm.exe"	csmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Windows\\system32\\csmm.exe"	Unlocker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Windows\\system32\\csmm.exe"	csmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Windows\\system32\\csmm.exe"	Unlocker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Windows\\system32\\csmm.exe"	csmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Windows\\system32\\csmm.exe"	csmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Windows\\system32\\csmm.exe"	Unlocker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Windows\\system32\\csmm.exe"	Unlocker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Windows\\system32\\csmm.exe"	csmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Windows\\system32\\csmm.exe"	Unlocker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Windows\\system32\\csmm.exe"	Unlocker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Windows\\system32\\csmm.exe"	csmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Windows\\system32\\csmm.exe"	csmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Windows\\system32\\csmm.exe"	csmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Windows\\system32\\csmm.exe"	Unlocker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Windows\\system32\\csmm.exe"	csmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Windows\\system32\\csmm.exe"	csmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Windows\\system32\\csmm.exe"	csmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Windows\\system32\\csmm.exe"	Unlocker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Windows\\system32\\csmm.exe"	csmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Windows\\system32\\csmm.exe"	Unlocker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Windows\\system32\\csmm.exe"	Unlocker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Windows\\system32\\csmm.exe"	Unlocker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Windows\\system32\\csmm.exe"	Unlocker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Windows\\system32\\csmm.exe"	csmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Windows\\system32\\csmm.exe"	csmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Windows\\system32\\csmm.exe"	Unlocker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Windows\\system32\\csmm.exe"	csmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Windows\\system32\\csmm.exe"	Unlocker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Windows\\system32\\csmm.exe"	csmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Windows\\system32\\csmm.exe"	Unlocker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Windows\\system32\\csmm.exe"	csmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Windows\\system32\\csmm.exe"	Unlocker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Windows\\system32\\csmm.exe"	Unlocker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Windows\\system32\\csmm.exe"	csmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Windows\\system32\\csmm.exe"	csmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Windows\\system32\\csmm.exe"	csmm.exe

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	setup_akl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	Install.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	setup_akl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	setup_akl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	setup_akl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	Install.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	setup_akl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	setup_akl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	setup_akl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	setup_akl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	Install.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	setup_akl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	setup_akl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	setup_akl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	Install.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	setup_akl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	Install.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	setup_akl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	setup_akl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	setup_akl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	setup_akl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	setup_akl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	b9fd9883b90c1269e5a3b163c5da1ae9_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	setup_akl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	setup_akl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	setup_akl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	setup_akl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	Install.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	Install.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	setup_akl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	setup_akl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	setup_akl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	setup_akl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	setup_akl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	Install.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	setup_akl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	Install.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	setup_akl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	Install.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	setup_akl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	setup_akl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	setup_akl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	setup_akl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	Install.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	setup_akl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	setup_akl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	Install.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	setup_akl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	Install.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	setup_akl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	setup_akl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	Install.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	setup_akl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	Install.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	Install.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	setup_akl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	setup_akl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	Install.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	setup_akl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	setup_akl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	setup_akl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	setup_akl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	setup_akl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	setup_akl.exe

Executes dropped EXE 64 IoCs

pid	Process
1080	Install.exe
3440	Unlocker.exe
3864	setup_akl.exe
3716	csmm.exe
4312	ICXH.exe
4804	Install.exe
2712	setup_akl.exe
1236	Unlocker.exe
1468	csmm.exe
228	ICXH.exe
1184	Install.exe
1864	Unlocker.exe
1904	setup_akl.exe
1376	csmm.exe
2436	ICXH.exe
2616	Unlocker.exe
2412	setup_akl.exe
3216	Install.exe
3332	csmm.exe
3600	Install.exe
5116	Unlocker.exe
2572	setup_akl.exe
4856	csmm.exe
3208	csmm.exe
2600	Install.exe
2144	Unlocker.exe
4724	setup_akl.exe
2480	Install.exe
1372	Unlocker.exe
2128	setup_akl.exe
2328	ICXH.exe
4404	csmm.exe
4988	ICXH.exe
3672	ICXH.exe
3556	csmm.exe
2504	ICXH.exe
2536	Install.exe
464	Unlocker.exe
3708	setup_akl.exe
2472	Install.exe
1152	ICXH.exe
4084	Unlocker.exe
2396	setup_akl.exe
1924	csmm.exe
2652	ICXH.exe
2348	Install.exe
1448	Unlocker.exe
2816	setup_akl.exe
1964	csmm.exe
3228	ICXH.exe
380	Install.exe
5072	Unlocker.exe
3208	setup_akl.exe
3580	csmm.exe
3112	ICXH.exe
2120	Install.exe
4576	Unlocker.exe
4992	csmm.exe
2904	setup_akl.exe
4280	ICXH.exe
3284	Install.exe
1984	Unlocker.exe
4528	setup_akl.exe
2888	csmm.exe

Loads dropped DLL 64 IoCs

pid	Process
1080	Install.exe
4804	Install.exe
4312	ICXH.exe
228	ICXH.exe
2712	setup_akl.exe
1184	Install.exe
4312	ICXH.exe
4312	ICXH.exe
3216	Install.exe
3600	Install.exe
2600	Install.exe
2480	Install.exe
2536	Install.exe
2472	Install.exe
1152	ICXH.exe
2348	Install.exe
1152	ICXH.exe
1152	ICXH.exe
1448	Unlocker.exe
1448	Unlocker.exe
1448	Unlocker.exe
2816	setup_akl.exe
2816	setup_akl.exe
2816	setup_akl.exe
1964	csmm.exe
1964	csmm.exe
1964	csmm.exe
1924	csmm.exe
1924	csmm.exe
1924	csmm.exe
4084	Unlocker.exe
4084	Unlocker.exe
4084	Unlocker.exe
2348	Install.exe
2348	Install.exe
2348	Install.exe
2348	Install.exe
3228	ICXH.exe
3228	ICXH.exe
3228	ICXH.exe
3628	WerFault.exe
3628	WerFault.exe
3628	WerFault.exe
380	Install.exe
5072	Unlocker.exe
5072	Unlocker.exe
5072	Unlocker.exe
380	Install.exe
380	Install.exe
380	Install.exe
380	Install.exe
3208	setup_akl.exe
3208	setup_akl.exe
3208	setup_akl.exe
3580	csmm.exe
3580	csmm.exe
3580	csmm.exe
3112	ICXH.exe
3112	ICXH.exe
3112	ICXH.exe
2120	Install.exe
4576	Unlocker.exe
4576	Unlocker.exe
4576	Unlocker.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4180-0-0x0000000000400000-0x0000000000606000-memory.dmp	upx
behavioral2/files/0x00070000000233dc-30.dat	upx
behavioral2/memory/3864-34-0x0000000000400000-0x000000000058C000-memory.dmp	upx
behavioral2/memory/4180-37-0x0000000000400000-0x0000000000606000-memory.dmp	upx
behavioral2/memory/2712-73-0x0000000000400000-0x000000000058C000-memory.dmp	upx
behavioral2/memory/3864-75-0x0000000000400000-0x000000000058C000-memory.dmp	upx
behavioral2/memory/2712-100-0x0000000000400000-0x000000000058C000-memory.dmp	upx
behavioral2/memory/1904-98-0x0000000000400000-0x000000000058C000-memory.dmp	upx
behavioral2/memory/1904-117-0x0000000000400000-0x000000000058C000-memory.dmp	upx
behavioral2/memory/2412-114-0x0000000000400000-0x000000000058C000-memory.dmp	upx
behavioral2/memory/2412-138-0x0000000000400000-0x000000000058C000-memory.dmp	upx
behavioral2/memory/2572-137-0x0000000000400000-0x000000000058C000-memory.dmp	upx
behavioral2/memory/2572-156-0x0000000000400000-0x000000000058C000-memory.dmp	upx
behavioral2/memory/2128-181-0x0000000000400000-0x000000000058C000-memory.dmp	upx
behavioral2/memory/4724-190-0x0000000000400000-0x000000000058C000-memory.dmp	upx
behavioral2/memory/2128-213-0x0000000000400000-0x000000000058C000-memory.dmp	upx
behavioral2/memory/3708-211-0x0000000000400000-0x000000000058C000-memory.dmp	upx
behavioral2/memory/2396-223-0x0000000000400000-0x000000000058C000-memory.dmp	upx
behavioral2/memory/3708-227-0x0000000000400000-0x000000000058C000-memory.dmp	upx
behavioral2/memory/2396-243-0x0000000000400000-0x000000000058C000-memory.dmp	upx
behavioral2/memory/3208-253-0x0000000000400000-0x000000000058C000-memory.dmp	upx
behavioral2/memory/2816-257-0x0000000000400000-0x000000000058C000-memory.dmp	upx
behavioral2/memory/3208-272-0x0000000000400000-0x000000000058C000-memory.dmp	upx
behavioral2/memory/2904-271-0x0000000000400000-0x000000000058C000-memory.dmp	upx
behavioral2/memory/2904-284-0x0000000000400000-0x000000000058C000-memory.dmp	upx
behavioral2/memory/4528-285-0x0000000000400000-0x000000000058C000-memory.dmp	upx
behavioral2/memory/4536-306-0x0000000000400000-0x000000000058C000-memory.dmp	upx
behavioral2/memory/4528-308-0x0000000000400000-0x000000000058C000-memory.dmp	upx
behavioral2/memory/4536-321-0x0000000000400000-0x000000000058C000-memory.dmp	upx
behavioral2/memory/4804-322-0x0000000000400000-0x000000000058C000-memory.dmp	upx
behavioral2/memory/628-335-0x0000000000400000-0x000000000058C000-memory.dmp	upx
behavioral2/memory/4804-338-0x0000000000400000-0x000000000058C000-memory.dmp	upx
behavioral2/memory/1832-354-0x0000000000400000-0x000000000058C000-memory.dmp	upx
behavioral2/memory/628-356-0x0000000000400000-0x000000000058C000-memory.dmp	upx
behavioral2/memory/1832-364-0x0000000000400000-0x000000000058C000-memory.dmp	upx
behavioral2/memory/4780-374-0x0000000000400000-0x000000000058C000-memory.dmp	upx
behavioral2/memory/404-375-0x0000000000400000-0x000000000058C000-memory.dmp	upx
behavioral2/memory/4716-393-0x0000000000400000-0x000000000058C000-memory.dmp	upx
behavioral2/memory/404-396-0x0000000000400000-0x000000000058C000-memory.dmp	upx
behavioral2/memory/4716-414-0x0000000000400000-0x000000000058C000-memory.dmp	upx
behavioral2/memory/2536-412-0x0000000000400000-0x000000000058C000-memory.dmp	upx
behavioral2/memory/1468-426-0x0000000000400000-0x000000000058C000-memory.dmp	upx
behavioral2/memory/2536-428-0x0000000000400000-0x000000000058C000-memory.dmp	upx
behavioral2/memory/3680-449-0x0000000000400000-0x000000000058C000-memory.dmp	upx
behavioral2/memory/3680-459-0x0000000000400000-0x000000000058C000-memory.dmp	upx
behavioral2/memory/5012-457-0x0000000000400000-0x000000000058C000-memory.dmp	upx
behavioral2/memory/5012-478-0x0000000000400000-0x000000000058C000-memory.dmp	upx
behavioral2/memory/2904-474-0x0000000000400000-0x000000000058C000-memory.dmp	upx
behavioral2/memory/2904-484-0x0000000000400000-0x000000000058C000-memory.dmp	upx
behavioral2/memory/3456-505-0x0000000000400000-0x000000000058C000-memory.dmp	upx
behavioral2/memory/1488-500-0x0000000000400000-0x000000000058C000-memory.dmp	upx
behavioral2/memory/1488-520-0x0000000000400000-0x000000000058C000-memory.dmp	upx
behavioral2/memory/2420-521-0x0000000000400000-0x000000000058C000-memory.dmp	upx
behavioral2/memory/3332-542-0x0000000000400000-0x000000000058C000-memory.dmp	upx
behavioral2/memory/2420-543-0x0000000000400000-0x000000000058C000-memory.dmp	upx
behavioral2/memory/3332-554-0x0000000000400000-0x000000000058C000-memory.dmp	upx
behavioral2/memory/2120-555-0x0000000000400000-0x000000000058C000-memory.dmp	upx
behavioral2/memory/2120-572-0x0000000000400000-0x000000000058C000-memory.dmp	upx
behavioral2/memory/2612-570-0x0000000000400000-0x000000000058C000-memory.dmp	upx
behavioral2/memory/2612-576-0x0000000000400000-0x000000000058C000-memory.dmp	upx
behavioral2/memory/2656-580-0x0000000000400000-0x000000000058C000-memory.dmp	upx
behavioral2/memory/1212-604-0x0000000000400000-0x000000000058C000-memory.dmp	upx
behavioral2/memory/2656-606-0x0000000000400000-0x000000000058C000-memory.dmp	upx
behavioral2/memory/3128-615-0x0000000000400000-0x000000000058C000-memory.dmp	upx

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ICXH Agent = "C:\\Windows\\SysWOW64\\Sys32\\ICXH.exe"	ICXH.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ICXH Agent = "C:\\Windows\\SysWOW64\\Sys32\\ICXH.exe"	ICXH.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ICXH Agent = "C:\\Windows\\SysWOW64\\Sys32\\ICXH.exe"	ICXH.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ICXH Agent = "C:\\Windows\\SysWOW64\\Sys32\\ICXH.exe"	ICXH.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ICXH Agent = "C:\\Windows\\SysWOW64\\Sys32\\ICXH.exe"	ICXH.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ICXH Agent = "C:\\Windows\\SysWOW64\\Sys32\\ICXH.exe"	ICXH.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ICXH Agent = "C:\\Windows\\SysWOW64\\Sys32\\ICXH.exe"	ICXH.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ICXH Agent = "C:\\Windows\\SysWOW64\\Sys32\\ICXH.exe"	ICXH.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Sys32\ICXH.006	Install.exe
File opened for modification	C:\Windows\SysWOW64\csmm.exe	Unlocker.exe
File created	C:\Windows\SysWOW64\Sys32\ICXH.exe	Install.exe
File created	C:\Windows\SysWOW64\Sys32\ICXH.exe	Install.exe
File opened for modification	C:\Windows\SysWOW64\csmm.exe	csmm.exe
File opened for modification	C:\Windows\SysWOW64\Sys32\ICXH.001	Install.exe
File opened for modification	C:\Windows\SysWOW64\Sys32\AKV.exe	Install.exe
File opened for modification	C:\Windows\SysWOW64\Sys32\AKV.exe	Install.exe
File opened for modification	C:\Windows\SysWOW64\csmm.exe	csmm.exe
File opened for modification	C:\Windows\SysWOW64\csmm.exe	csmm.exe
File created	C:\Windows\SysWOW64\Sys32\ICXH.exe	Install.exe
File opened for modification	C:\Windows\SysWOW64\Sys32\ICXH.001	Install.exe
File created	C:\Windows\SysWOW64\Sys32\ICXH.001	Install.exe
File opened for modification	C:\Windows\SysWOW64\Sys32\ICXH.001	Install.exe
File opened for modification	C:\Windows\SysWOW64\csmm.exe	csmm.exe
File opened for modification	C:\Windows\SysWOW64\csmm.exe	csmm.exe
File opened for modification	C:\Windows\SysWOW64\csmm.exe	csmm.exe
File opened for modification	C:\Windows\SysWOW64\Sys32\ICXH.001	Install.exe
File opened for modification	C:\Windows\SysWOW64\csmm.exe	Unlocker.exe
File opened for modification	C:\Windows\SysWOW64\csmm.exe	Unlocker.exe
File created	C:\Windows\SysWOW64\Sys32\ICXH.006	Install.exe
File opened for modification	C:\Windows\SysWOW64\Sys32\ICXH.001	Install.exe
File opened for modification	C:\Windows\SysWOW64\csmm.exe	Unlocker.exe
File created	C:\Windows\SysWOW64\Sys32\ICXH.006	Install.exe
File created	C:\Windows\SysWOW64\Sys32\ICXH.exe	Install.exe
File opened for modification	C:\Windows\SysWOW64\Sys32\ICXH.007	Install.exe
File opened for modification	C:\Windows\SysWOW64\Sys32\AKV.exe	Install.exe
File opened for modification	C:\Windows\SysWOW64\csmm.exe	Unlocker.exe
File opened for modification	C:\Windows\SysWOW64\csmm.exe	csmm.exe
File created	C:\Windows\SysWOW64\Sys32\ICXH.exe	Install.exe
File created	C:\Windows\SysWOW64\Sys32\ICXH.exe	Install.exe
File opened for modification	C:\Windows\SysWOW64\Sys32\AKV.exe	Install.exe
File opened for modification	C:\Windows\SysWOW64\Sys32	ICXH.exe
File opened for modification	C:\Windows\SysWOW64\Sys32\AKV.exe	Install.exe
File created	C:\Windows\SysWOW64\Sys32\ICXH.exe	Install.exe
File created	C:\Windows\SysWOW64\Sys32\ICXH.006	Install.exe
File opened for modification	C:\Windows\SysWOW64\Sys32\ICXH.001	Install.exe
File created	C:\Windows\SysWOW64\Sys32\ICXH.exe	Install.exe
File created	C:\Windows\SysWOW64\Sys32\ICXH.exe	Install.exe
File opened for modification	C:\Windows\SysWOW64\Sys32\ICXH.007	Install.exe
File opened for modification	C:\Windows\SysWOW64\Sys32\AKV.exe	Install.exe
File created	C:\Windows\SysWOW64\Sys32\ICXH.007	Install.exe
File created	C:\Windows\SysWOW64\Sys32\ICXH.exe	Install.exe
File opened for modification	C:\Windows\SysWOW64\csmm.exe	Unlocker.exe
File opened for modification	C:\Windows\SysWOW64\csmm.exe	csmm.exe
File opened for modification	C:\Windows\SysWOW64\Sys32\ICXH.007	Install.exe
File created	C:\Windows\SysWOW64\Sys32\ICXH.006	Install.exe
File opened for modification	C:\Windows\SysWOW64\csmm.exe	csmm.exe
File opened for modification	C:\Windows\SysWOW64\csmm.exe	Unlocker.exe
File created	C:\Windows\SysWOW64\Sys32\ICXH.007	Install.exe
File opened for modification	C:\Windows\SysWOW64\Sys32\ICXH.007	Install.exe
File opened for modification	C:\Windows\SysWOW64\csmm.exe	Unlocker.exe
File opened for modification	C:\Windows\SysWOW64\Sys32\ICXH.001	Install.exe
File opened for modification	C:\Windows\SysWOW64\Sys32\ICXH.001	Install.exe
File opened for modification	C:\Windows\SysWOW64\Sys32	ICXH.exe
File opened for modification	C:\Windows\SysWOW64\Sys32	ICXH.exe
File created	C:\Windows\SysWOW64\Sys32\ICXH.006	Install.exe
File created	C:\Windows\SysWOW64\Sys32\ICXH.006	Install.exe
File opened for modification	C:\Windows\SysWOW64\Sys32\AKV.exe	Install.exe
File opened for modification	C:\Windows\SysWOW64\csmm.exe	csmm.exe
File opened for modification	C:\Windows\SysWOW64\Sys32\ICXH.001	Install.exe
File created	C:\Windows\SysWOW64\Sys32\ICXH.exe	Install.exe
File opened for modification	C:\Windows\SysWOW64\csmm.exe	csmm.exe
File opened for modification	C:\Windows\SysWOW64\csmm.exe	Unlocker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 14 IoCs

pid	pid_target	Process	procid_target
2748	4312	WerFault.exe	90
2716	4312	WerFault.exe	90
3628	1152	WerFault.exe	131
3812	1120	WerFault.exe	171
4812	1120	WerFault.exe	171
5112	3164	WerFault.exe	212
4812	3164	WerFault.exe	212
3800	868	WerFault.exe	247
1376	868	WerFault.exe	247
8004	7800	WerFault.exe	907
7468	8304	WerFault.exe	935
6684	8304	WerFault.exe	935
5476	5220	WerFault.exe	973
8052	5220	WerFault.exe	973

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unlocker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Install.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unlocker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unlocker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unlocker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup_akl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unlocker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Install.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup_akl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Install.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unlocker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Install.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup_akl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup_akl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unlocker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup_akl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ICXH.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup_akl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup_akl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Install.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup_akl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unlocker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unlocker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Install.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup_akl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ICXH.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup_akl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ICXH.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Install.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup_akl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup_akl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Install.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup_akl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup_akl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unlocker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup_akl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup_akl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup_akl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unlocker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup_akl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Unlocker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csmm.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: 33	4312	ICXH.exe
Token: SeIncBasePriorityPrivilege	4312	ICXH.exe
Token: 33	1152	ICXH.exe
Token: SeIncBasePriorityPrivilege	1152	ICXH.exe
Token: 33	4280	ICXH.exe
Token: SeIncBasePriorityPrivilege	4280	ICXH.exe
Token: 33	3672	ICXH.exe
Token: SeIncBasePriorityPrivilege	3672	ICXH.exe
Token: 33	1120	ICXH.exe
Token: SeIncBasePriorityPrivilege	1120	ICXH.exe
Token: 33	3164	ICXH.exe
Token: SeIncBasePriorityPrivilege	3164	ICXH.exe
Token: 33	868	ICXH.exe
Token: SeIncBasePriorityPrivilege	868	ICXH.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3440	Unlocker.exe
3716	csmm.exe
1864	Unlocker.exe
1376	csmm.exe
5116	Unlocker.exe
4856	csmm.exe
1372	Unlocker.exe
4404	csmm.exe
4084	Unlocker.exe
1924	csmm.exe
5072	Unlocker.exe
3580	csmm.exe
1984	Unlocker.exe
2888	csmm.exe
2040	Unlocker.exe
2656	csmm.exe
2616	Unlocker.exe
3576	csmm.exe
5100	Unlocker.exe
4412	csmm.exe
2264	Unlocker.exe
4040	csmm.exe
1088	Unlocker.exe
4872	csmm.exe
4780	Unlocker.exe
2384	csmm.exe
1436	Unlocker.exe
3204	csmm.exe
2652	Unlocker.exe
5088	csmm.exe
3948	Unlocker.exe
1064	csmm.exe
620	Unlocker.exe
4684	csmm.exe
3104	Unlocker.exe
2104	csmm.exe
4036	Unlocker.exe
232	csmm.exe
4420	Unlocker.exe
3456	csmm.exe
4528	Unlocker.exe
3164	csmm.exe
4104	Unlocker.exe
3856	csmm.exe
2104	Unlocker.exe
3348	csmm.exe
3684	Unlocker.exe
2632	csmm.exe
4352	Unlocker.exe
3040	csmm.exe
3460	Unlocker.exe
1180	csmm.exe
4724	Unlocker.exe
1804	csmm.exe
4768	Unlocker.exe
4584	csmm.exe
1964	Unlocker.exe
1468	csmm.exe
3680	Unlocker.exe
3224	csmm.exe
3484	Unlocker.exe
1804	csmm.exe
1084	Unlocker.exe
1892	csmm.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
3440	Unlocker.exe
3716	csmm.exe
4312	ICXH.exe
4312	ICXH.exe
1468	csmm.exe
1236	Unlocker.exe
4312	ICXH.exe
4312	ICXH.exe
4312	ICXH.exe
1864	Unlocker.exe
1376	csmm.exe
2616	Unlocker.exe
3332	csmm.exe
5116	Unlocker.exe
4856	csmm.exe
3208	csmm.exe
2144	Unlocker.exe
1372	Unlocker.exe
4404	csmm.exe
3556	csmm.exe
464	Unlocker.exe
1152	ICXH.exe
4084	Unlocker.exe
1152	ICXH.exe
1924	csmm.exe
1448	Unlocker.exe
1152	ICXH.exe
1152	ICXH.exe
1152	ICXH.exe
1964	csmm.exe
5072	Unlocker.exe
3580	csmm.exe
4576	Unlocker.exe
4992	csmm.exe
4280	ICXH.exe
4280	ICXH.exe
1984	Unlocker.exe
4280	ICXH.exe
4280	ICXH.exe
2888	csmm.exe
4280	ICXH.exe
1944	csmm.exe
3672	ICXH.exe
3672	ICXH.exe
2040	Unlocker.exe
3672	ICXH.exe
3672	ICXH.exe
2656	csmm.exe
3672	ICXH.exe
1784	csmm.exe
1428	Unlocker.exe
1120	ICXH.exe
2616	Unlocker.exe
1120	ICXH.exe
3576	csmm.exe
1120	ICXH.exe
1120	ICXH.exe
1120	ICXH.exe
3228	csmm.exe
4856	Unlocker.exe
5100	Unlocker.exe
4412	csmm.exe
4788	csmm.exe
3224	Unlocker.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4180 wrote to memory of 1080	4180	b9fd9883b90c1269e5a3b163c5da1ae9_JaffaCakes118.exe	86
PID 4180 wrote to memory of 1080	4180	b9fd9883b90c1269e5a3b163c5da1ae9_JaffaCakes118.exe	86
PID 4180 wrote to memory of 1080	4180	b9fd9883b90c1269e5a3b163c5da1ae9_JaffaCakes118.exe	86
PID 4180 wrote to memory of 3440	4180	b9fd9883b90c1269e5a3b163c5da1ae9_JaffaCakes118.exe	87
PID 4180 wrote to memory of 3440	4180	b9fd9883b90c1269e5a3b163c5da1ae9_JaffaCakes118.exe	87
PID 4180 wrote to memory of 3440	4180	b9fd9883b90c1269e5a3b163c5da1ae9_JaffaCakes118.exe	87
PID 4180 wrote to memory of 3864	4180	b9fd9883b90c1269e5a3b163c5da1ae9_JaffaCakes118.exe	88
PID 4180 wrote to memory of 3864	4180	b9fd9883b90c1269e5a3b163c5da1ae9_JaffaCakes118.exe	88
PID 4180 wrote to memory of 3864	4180	b9fd9883b90c1269e5a3b163c5da1ae9_JaffaCakes118.exe	88
PID 3440 wrote to memory of 3716	3440	Unlocker.exe	89
PID 3440 wrote to memory of 3716	3440	Unlocker.exe	89
PID 3440 wrote to memory of 3716	3440	Unlocker.exe	89
PID 1080 wrote to memory of 4312	1080	Install.exe	90
PID 1080 wrote to memory of 4312	1080	Install.exe	90
PID 1080 wrote to memory of 4312	1080	Install.exe	90
PID 3864 wrote to memory of 4804	3864	setup_akl.exe	167
PID 3864 wrote to memory of 4804	3864	setup_akl.exe	167
PID 3864 wrote to memory of 4804	3864	setup_akl.exe	167
PID 3864 wrote to memory of 1236	3864	setup_akl.exe	92
PID 3864 wrote to memory of 1236	3864	setup_akl.exe	92
PID 3864 wrote to memory of 1236	3864	setup_akl.exe	92
PID 3864 wrote to memory of 2712	3864	setup_akl.exe	93
PID 3864 wrote to memory of 2712	3864	setup_akl.exe	93
PID 3864 wrote to memory of 2712	3864	setup_akl.exe	93
PID 3716 wrote to memory of 1468	3716	csmm.exe	276
PID 3716 wrote to memory of 1468	3716	csmm.exe	276
PID 3716 wrote to memory of 1468	3716	csmm.exe	276
PID 4804 wrote to memory of 228	4804	Install.exe	95
PID 4804 wrote to memory of 228	4804	Install.exe	95
PID 4804 wrote to memory of 228	4804	Install.exe	95
PID 2712 wrote to memory of 1184	2712	setup_akl.exe	96
PID 2712 wrote to memory of 1184	2712	setup_akl.exe	96
PID 2712 wrote to memory of 1184	2712	setup_akl.exe	96
PID 2712 wrote to memory of 1864	2712	setup_akl.exe	211
PID 2712 wrote to memory of 1864	2712	setup_akl.exe	211
PID 2712 wrote to memory of 1864	2712	setup_akl.exe	211
PID 2712 wrote to memory of 1904	2712	setup_akl.exe	98
PID 2712 wrote to memory of 1904	2712	setup_akl.exe	98
PID 2712 wrote to memory of 1904	2712	setup_akl.exe	98
PID 1864 wrote to memory of 1376	1864	Unlocker.exe	269
PID 1864 wrote to memory of 1376	1864	Unlocker.exe	269
PID 1864 wrote to memory of 1376	1864	Unlocker.exe	269
PID 1184 wrote to memory of 2436	1184	Install.exe	101
PID 1184 wrote to memory of 2436	1184	Install.exe	101
PID 1184 wrote to memory of 2436	1184	Install.exe	101
PID 1904 wrote to memory of 3216	1904	setup_akl.exe	103
PID 1904 wrote to memory of 3216	1904	setup_akl.exe	103
PID 1904 wrote to memory of 3216	1904	setup_akl.exe	103
PID 1904 wrote to memory of 2616	1904	setup_akl.exe	172
PID 1904 wrote to memory of 2616	1904	setup_akl.exe	172
PID 1904 wrote to memory of 2616	1904	setup_akl.exe	172
PID 1904 wrote to memory of 2412	1904	setup_akl.exe	182
PID 1904 wrote to memory of 2412	1904	setup_akl.exe	182
PID 1904 wrote to memory of 2412	1904	setup_akl.exe	182
PID 1376 wrote to memory of 3332	1376	csmm.exe	250
PID 1376 wrote to memory of 3332	1376	csmm.exe	250
PID 1376 wrote to memory of 3332	1376	csmm.exe	250
PID 2412 wrote to memory of 3600	2412	setup_akl.exe	400
PID 2412 wrote to memory of 3600	2412	setup_akl.exe	400
PID 2412 wrote to memory of 3600	2412	setup_akl.exe	400
PID 2412 wrote to memory of 5116	2412	setup_akl.exe	109
PID 2412 wrote to memory of 5116	2412	setup_akl.exe	109
PID 2412 wrote to memory of 5116	2412	setup_akl.exe	109
PID 2412 wrote to memory of 2572	2412	setup_akl.exe	392

C:\Users\Admin\AppData\Local\Temp\b9fd9883b90c1269e5a3b163c5da1ae9_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b9fd9883b90c1269e5a3b163c5da1ae9_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4180
- C:\Users\Admin\AppData\Local\Temp\Install.exe
  "C:\Users\Admin\AppData\Local\Temp\Install.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:1080
- - C:\Windows\SysWOW64\Sys32\ICXH.exe
    "C:\Windows\system32\Sys32\ICXH.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:4312
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4312 -s 948
      4⤵
      Program crash
      PID:2748
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4312 -s 936
      4⤵
      Program crash
      PID:2716
- C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
  "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3440
- - C:\Windows\SysWOW64\csmm.exe
    C:\Windows\system32\csmm.exe
    3⤵
    - Modifies WinLogon for persistence
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3716
  - - C:\Windows\SysWOW64\csmm.exe
      C:\Windows\system32\csmm.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:1468
- C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
  "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3864
- - C:\Users\Admin\AppData\Local\Temp\Install.exe
    "C:\Users\Admin\AppData\Local\Temp\Install.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:4804
  - - C:\Windows\SysWOW64\Sys32\ICXH.exe
      "C:\Windows\system32\Sys32\ICXH.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:228
- - C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
    "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1236
- - C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
    "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2712
  - - C:\Users\Admin\AppData\Local\Temp\Install.exe
      "C:\Users\Admin\AppData\Local\Temp\Install.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:1184
    - - C:\Windows\SysWOW64\Sys32\ICXH.exe
        
        "C:\Windows\system32\Sys32\ICXH.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2436
  - - C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
      "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
      4⤵
      Modifies WinLogon for persistence
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1864
    - - C:\Windows\SysWOW64\csmm.exe
        
        C:\Windows\system32\csmm.exe
        5⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1376
      - C:\Windows\SysWOW64\csmm.exe
        
        C:\Windows\system32\csmm.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3332
  - - C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
      "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1904
    - - C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:3216
      - C:\Windows\SysWOW64\Sys32\ICXH.exe
        
        "C:\Windows\system32\Sys32\ICXH.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4988
    - - C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2616
    - - C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2412
      - C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3600
        
        C:\Windows\SysWOW64\Sys32\ICXH.exe
        
        "C:\Windows\system32\Sys32\ICXH.exe"
        7⤵
        Executes dropped EXE
        
        PID:3672
      - C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        6⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        
        PID:5116
        
        C:\Windows\SysWOW64\csmm.exe
        
        C:\Windows\system32\csmm.exe
        7⤵
        Executes dropped EXE
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        
        PID:4856
        
        C:\Windows\SysWOW64\csmm.exe
        
        C:\Windows\system32\csmm.exe
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3208
      - C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2572
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:2600
        
        C:\Windows\SysWOW64\Sys32\ICXH.exe
        
        "C:\Windows\system32\Sys32\ICXH.exe"
        8⤵
        Executes dropped EXE
        
        PID:2328
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2144
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4724
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2480
        
        C:\Windows\SysWOW64\Sys32\ICXH.exe
        
        "C:\Windows\system32\Sys32\ICXH.exe"
        9⤵
        Executes dropped EXE
        
        PID:2504
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        8⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        
        PID:1372
        
        C:\Windows\SysWOW64\csmm.exe
        
        C:\Windows\system32\csmm.exe
        9⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        
        PID:4404
        
        C:\Windows\SysWOW64\csmm.exe
        
        C:\Windows\system32\csmm.exe
        10⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3556
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2128
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2536
        
        C:\Windows\SysWOW64\Sys32\ICXH.exe
        
        "C:\Windows\system32\Sys32\ICXH.exe"
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1152
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1152 -s 920
        11⤵
        Loads dropped DLL
        Program crash
        
        PID:3628
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:464
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3708
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:2472
        
        C:\Windows\SysWOW64\Sys32\ICXH.exe
        
        "C:\Windows\system32\Sys32\ICXH.exe"
        11⤵
        Executes dropped EXE
        
        PID:2652
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        
        PID:4084
        
        C:\Windows\SysWOW64\csmm.exe
        
        C:\Windows\system32\csmm.exe
        11⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        
        PID:1924
        
        C:\Windows\SysWOW64\csmm.exe
        
        C:\Windows\system32\csmm.exe
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1964
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        10⤵
        Executes dropped EXE
        
        PID:2396
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:2348
        
        C:\Windows\SysWOW64\Sys32\ICXH.exe
        
        "C:\Windows\system32\Sys32\ICXH.exe"
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:3228
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1448
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2816
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:380
        
        C:\Windows\SysWOW64\Sys32\ICXH.exe
        
        "C:\Windows\system32\Sys32\ICXH.exe"
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:3112
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        
        PID:5072
        
        C:\Windows\SysWOW64\csmm.exe
        
        C:\Windows\system32\csmm.exe
        13⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        
        PID:3580
        
        C:\Windows\SysWOW64\csmm.exe
        
        C:\Windows\system32\csmm.exe
        14⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4992
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        
        PID:3208
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:2120
        
        C:\Windows\SysWOW64\Sys32\ICXH.exe
        
        "C:\Windows\system32\Sys32\ICXH.exe"
        14⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:4280
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:4576
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        13⤵
        Executes dropped EXE
        
        PID:2904
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3284
        
        C:\Windows\SysWOW64\Sys32\ICXH.exe
        
        "C:\Windows\system32\Sys32\ICXH.exe"
        15⤵
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:3672
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        
        PID:1984
        
        C:\Windows\SysWOW64\csmm.exe
        
        C:\Windows\system32\csmm.exe
        15⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        
        PID:2888
        
        C:\Windows\SysWOW64\csmm.exe
        
        C:\Windows\system32\csmm.exe
        16⤵
        Suspicious use of SetWindowsHookEx
        
        PID:1944
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4528
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        15⤵
        
        PID:2744
        
        C:\Windows\SysWOW64\Sys32\ICXH.exe
        
        "C:\Windows\system32\Sys32\ICXH.exe"
        16⤵
        
        PID:4684
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        15⤵
        Modifies WinLogon for persistence
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        
        PID:2040
        
        C:\Windows\SysWOW64\csmm.exe
        
        C:\Windows\system32\csmm.exe
        16⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        
        PID:2656
        
        C:\Windows\SysWOW64\csmm.exe
        
        C:\Windows\system32\csmm.exe
        17⤵
        Suspicious use of SetWindowsHookEx
        
        PID:1784
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        15⤵
        
        PID:4536
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        16⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:1084
        
        C:\Windows\SysWOW64\Sys32\ICXH.exe
        
        "C:\Windows\system32\Sys32\ICXH.exe"
        17⤵
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1120
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1120 -s 936
        18⤵
        Program crash
        
        PID:3812
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1120 -s 948
        18⤵
        Program crash
        
        PID:4812
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        16⤵
        Suspicious use of SetWindowsHookEx
        
        PID:1428
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        16⤵
        
        PID:4804
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        17⤵
        Checks computer location settings
        
        PID:736
        
        C:\Windows\SysWOW64\Sys32\ICXH.exe
        
        "C:\Windows\system32\Sys32\ICXH.exe"
        18⤵
        
        PID:3356
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        17⤵
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        
        PID:2616
        
        C:\Windows\SysWOW64\csmm.exe
        
        C:\Windows\system32\csmm.exe
        18⤵
        Modifies WinLogon for persistence
        Drops file in System32 directory
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        
        PID:3576
        
        C:\Windows\SysWOW64\csmm.exe
        
        C:\Windows\system32\csmm.exe
        19⤵
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3228
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        17⤵
        System Location Discovery: System Language Discovery
        
        PID:628
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        18⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:3460
        
        C:\Windows\SysWOW64\Sys32\ICXH.exe
        
        "C:\Windows\system32\Sys32\ICXH.exe"
        19⤵
        
        PID:2412
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        18⤵
        Suspicious use of SetWindowsHookEx
        
        PID:4856
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        18⤵
        
        PID:1832
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        19⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:4376
        
        C:\Windows\SysWOW64\Sys32\ICXH.exe
        
        "C:\Windows\system32\Sys32\ICXH.exe"
        20⤵
        
        PID:4612
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        19⤵
        Modifies WinLogon for persistence
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        
        PID:5100
        
        C:\Windows\SysWOW64\csmm.exe
        
        C:\Windows\system32\csmm.exe
        20⤵
        Modifies WinLogon for persistence
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        
        PID:4412
        
        C:\Windows\SysWOW64\csmm.exe
        
        C:\Windows\system32\csmm.exe
        21⤵
        Suspicious use of SetWindowsHookEx
        
        PID:4788
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        19⤵
        Checks computer location settings
        
        PID:4780
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        20⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:3852
        
        C:\Windows\SysWOW64\Sys32\ICXH.exe
        
        "C:\Windows\system32\Sys32\ICXH.exe"
        21⤵
        
        PID:3728
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        20⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3224
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        20⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:404
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        21⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:1080
        
        C:\Windows\SysWOW64\Sys32\ICXH.exe
        
        "C:\Windows\system32\Sys32\ICXH.exe"
        22⤵
        System Location Discovery: System Language Discovery
        
        PID:1684
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        21⤵
        Modifies WinLogon for persistence
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        
        PID:2264
        
        C:\Windows\SysWOW64\csmm.exe
        
        C:\Windows\system32\csmm.exe
        22⤵
        Modifies WinLogon for persistence
        Suspicious use of FindShellTrayWindow
        
        PID:4040
        
        C:\Windows\SysWOW64\csmm.exe
        
        C:\Windows\system32\csmm.exe
        23⤵
        
        PID:3440
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        21⤵
        Checks computer location settings
        
        PID:4716
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        22⤵
        Drops file in System32 directory
        
        PID:1212
        
        C:\Windows\SysWOW64\Sys32\ICXH.exe
        
        "C:\Windows\system32\Sys32\ICXH.exe"
        23⤵
        
        PID:5060
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        22⤵
        
        PID:3968
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        22⤵
        Checks computer location settings
        
        PID:2536
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        23⤵
        Checks computer location settings
        
        PID:2472
        
        C:\Windows\SysWOW64\Sys32\ICXH.exe
        
        "C:\Windows\system32\Sys32\ICXH.exe"
        24⤵
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3164
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3164 -s 948
        25⤵
        Program crash
        
        PID:5112
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3164 -s 988
        25⤵
        Program crash
        
        PID:4812
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        23⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        
        PID:1088
        
        C:\Windows\SysWOW64\csmm.exe
        
        C:\Windows\system32\csmm.exe
        24⤵
        Modifies WinLogon for persistence
        Suspicious use of FindShellTrayWindow
        
        PID:4872
        
        C:\Windows\SysWOW64\csmm.exe
        
        C:\Windows\system32\csmm.exe
        25⤵
        
        PID:3576
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        23⤵
        
        PID:1468
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        24⤵
        
        PID:1864
        
        C:\Windows\SysWOW64\Sys32\ICXH.exe
        
        "C:\Windows\system32\Sys32\ICXH.exe"
        25⤵
        
        PID:1980
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        24⤵
        
        PID:2440
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        24⤵
        Checks computer location settings
        
        PID:3680
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        25⤵
        Checks computer location settings
        
        PID:3848
        
        C:\Windows\SysWOW64\Sys32\ICXH.exe
        
        "C:\Windows\system32\Sys32\ICXH.exe"
        26⤵
        
        PID:2120
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        25⤵
        Drops file in System32 directory
        Suspicious use of FindShellTrayWindow
        
        PID:4780
        
        C:\Windows\SysWOW64\csmm.exe
        
        C:\Windows\system32\csmm.exe
        26⤵
        Modifies WinLogon for persistence
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        
        PID:2384
        
        C:\Windows\SysWOW64\csmm.exe
        
        C:\Windows\system32\csmm.exe
        27⤵
        
        PID:2688
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        25⤵
        Checks computer location settings
        
        PID:5012
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        26⤵
        
        PID:4768
        
        C:\Windows\SysWOW64\Sys32\ICXH.exe
        
        "C:\Windows\system32\Sys32\ICXH.exe"
        27⤵
        
        PID:368
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        26⤵
        
        PID:1064
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        26⤵
        Checks computer location settings
        
        PID:2904
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        27⤵
        Drops file in System32 directory
        
        PID:4616
        
        C:\Windows\SysWOW64\Sys32\ICXH.exe
        
        "C:\Windows\system32\Sys32\ICXH.exe"
        28⤵
        
        PID:4776
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        27⤵
        Modifies WinLogon for persistence
        Drops file in System32 directory
        Suspicious use of FindShellTrayWindow
        
        PID:1436
        
        C:\Windows\SysWOW64\csmm.exe
        
        C:\Windows\system32\csmm.exe
        28⤵
        Modifies WinLogon for persistence
        Drops file in System32 directory
        Suspicious use of FindShellTrayWindow
        
        PID:3204
        
        C:\Windows\SysWOW64\csmm.exe
        
        C:\Windows\system32\csmm.exe
        29⤵
        
        PID:2656
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        27⤵
        
        PID:3456
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        28⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:960
        
        C:\Windows\SysWOW64\Sys32\ICXH.exe
        
        "C:\Windows\system32\Sys32\ICXH.exe"
        29⤵
        
        PID:1916
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        28⤵
        System Location Discovery: System Language Discovery
        
        PID:1272
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        28⤵
        
        PID:1488
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        29⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2472
        
        C:\Windows\SysWOW64\Sys32\ICXH.exe
        
        "C:\Windows\system32\Sys32\ICXH.exe"
        30⤵
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:868
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 868 -s 936
        31⤵
        Program crash
        
        PID:3800
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 868 -s 920
        31⤵
        Program crash
        
        PID:1376
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        29⤵
        Modifies WinLogon for persistence
        Suspicious use of FindShellTrayWindow
        
        PID:2652
        
        C:\Windows\SysWOW64\csmm.exe
        
        C:\Windows\system32\csmm.exe
        30⤵
        Modifies WinLogon for persistence
        Suspicious use of FindShellTrayWindow
        
        PID:5088
        
        C:\Windows\SysWOW64\csmm.exe
        
        C:\Windows\system32\csmm.exe
        31⤵
        
        PID:3208
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        29⤵
        
        PID:2420
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        30⤵
        Drops file in System32 directory
        
        PID:5080
        
        C:\Windows\SysWOW64\Sys32\ICXH.exe
        
        "C:\Windows\system32\Sys32\ICXH.exe"
        31⤵
        
        PID:4928
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        30⤵
        System Location Discovery: System Language Discovery
        
        PID:1980
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        30⤵
        Checks computer location settings
        
        PID:3332
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        31⤵
        Drops file in System32 directory
        
        PID:4036
        
        C:\Windows\SysWOW64\Sys32\ICXH.exe
        
        "C:\Windows\system32\Sys32\ICXH.exe"
        32⤵
        
        PID:1616
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        31⤵
        Modifies WinLogon for persistence
        Suspicious use of FindShellTrayWindow
        
        PID:3948
        
        C:\Windows\SysWOW64\csmm.exe
        
        C:\Windows\system32\csmm.exe
        32⤵
        Modifies WinLogon for persistence
        Suspicious use of FindShellTrayWindow
        
        PID:1064
        
        C:\Windows\SysWOW64\csmm.exe
        
        C:\Windows\system32\csmm.exe
        33⤵
        System Location Discovery: System Language Discovery
        
        PID:1372
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        31⤵
        Checks computer location settings
        
        PID:2120
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        32⤵
        
        PID:3056
        
        C:\Windows\SysWOW64\Sys32\ICXH.exe
        
        "C:\Windows\system32\Sys32\ICXH.exe"
        33⤵
        
        PID:368
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        32⤵
        
        PID:1892
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        32⤵
        System Location Discovery: System Language Discovery
        
        PID:2612
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        33⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1984
        
        C:\Windows\SysWOW64\Sys32\ICXH.exe
        
        "C:\Windows\system32\Sys32\ICXH.exe"
        34⤵
        
        PID:676
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        33⤵
        Suspicious use of FindShellTrayWindow
        
        PID:620
        
        C:\Windows\SysWOW64\csmm.exe
        
        C:\Windows\system32\csmm.exe
        34⤵
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        
        PID:4684
        
        C:\Windows\SysWOW64\csmm.exe
        
        C:\Windows\system32\csmm.exe
        35⤵
        
        PID:1272
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        33⤵
        
        PID:2656
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        34⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:3556
        
        C:\Windows\SysWOW64\Sys32\ICXH.exe
        
        "C:\Windows\system32\Sys32\ICXH.exe"
        35⤵
        
        PID:1468
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        34⤵
        
        PID:4568
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        34⤵
        Checks computer location settings
        
        PID:1212
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        35⤵
        Checks computer location settings
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1492
        
        C:\Windows\SysWOW64\Sys32\ICXH.exe
        
        "C:\Windows\system32\Sys32\ICXH.exe"
        36⤵
        Adds Run key to start application
        
        PID:5088
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        35⤵
        Suspicious use of FindShellTrayWindow
        
        PID:3104
        
        C:\Windows\SysWOW64\csmm.exe
        
        C:\Windows\system32\csmm.exe
        36⤵
        Modifies WinLogon for persistence
        Suspicious use of FindShellTrayWindow
        
        PID:2104
        
        C:\Windows\SysWOW64\csmm.exe
        
        C:\Windows\system32\csmm.exe
        37⤵
        
        PID:2832
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        35⤵
        Checks computer location settings
        
        PID:3128
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        36⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4772
        
        C:\Windows\SysWOW64\Sys32\ICXH.exe
        
        "C:\Windows\system32\Sys32\ICXH.exe"
        37⤵
        
        PID:4612
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        36⤵
        System Location Discovery: System Language Discovery
        
        PID:5080
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        36⤵
        System Location Discovery: System Language Discovery
        
        PID:412
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        37⤵
        
        PID:4588
        
        C:\Windows\SysWOW64\Sys32\ICXH.exe
        
        "C:\Windows\system32\Sys32\ICXH.exe"
        38⤵
        
        PID:8944
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        37⤵
        Modifies WinLogon for persistence
        Suspicious use of FindShellTrayWindow
        
        PID:4036
        
        C:\Windows\SysWOW64\csmm.exe
        
        C:\Windows\system32\csmm.exe
        38⤵
        Modifies WinLogon for persistence
        Suspicious use of FindShellTrayWindow
        
        PID:232
        
        C:\Windows\SysWOW64\csmm.exe
        
        C:\Windows\system32\csmm.exe
        39⤵
        
        PID:4840
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        37⤵
        
        PID:1780
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        38⤵
        
        PID:1316
        
        C:\Windows\SysWOW64\Sys32\ICXH.exe
        
        "C:\Windows\system32\Sys32\ICXH.exe"
        39⤵
        
        PID:8984
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        38⤵
        
        PID:5012
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        38⤵
        Checks computer location settings
        
        PID:1892
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        39⤵
        
        PID:3800
        
        C:\Windows\SysWOW64\Sys32\ICXH.exe
        
        "C:\Windows\system32\Sys32\ICXH.exe"
        40⤵
        
        PID:8976
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        39⤵
        Modifies WinLogon for persistence
        Suspicious use of FindShellTrayWindow
        
        PID:4420
        
        C:\Windows\SysWOW64\csmm.exe
        
        C:\Windows\system32\csmm.exe
        40⤵
        Modifies WinLogon for persistence
        Suspicious use of FindShellTrayWindow
        
        PID:3456
        
        C:\Windows\SysWOW64\csmm.exe
        
        C:\Windows\system32\csmm.exe
        41⤵
        System Location Discovery: System Language Discovery
        
        PID:4812
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        39⤵
        Checks computer location settings
        
        PID:1168
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        40⤵
        
        PID:2012
        
        C:\Windows\SysWOW64\Sys32\ICXH.exe
        
        "C:\Windows\system32\Sys32\ICXH.exe"
        41⤵
        
        PID:8968
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        40⤵
        
        PID:2780
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        40⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:1448
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        41⤵
        
        PID:380
        
        C:\Windows\SysWOW64\Sys32\ICXH.exe
        
        "C:\Windows\system32\Sys32\ICXH.exe"
        42⤵
        
        PID:9088
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        41⤵
        Modifies WinLogon for persistence
        Suspicious use of FindShellTrayWindow
        
        PID:4528
        
        C:\Windows\SysWOW64\csmm.exe
        
        C:\Windows\system32\csmm.exe
        42⤵
        Modifies WinLogon for persistence
        Suspicious use of FindShellTrayWindow
        
        PID:3164
        
        C:\Windows\SysWOW64\csmm.exe
        
        C:\Windows\system32\csmm.exe
        43⤵
        
        PID:3460
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        41⤵
        
        PID:4504
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        42⤵
        
        PID:1244
        
        C:\Windows\SysWOW64\Sys32\ICXH.exe
        
        "C:\Windows\system32\Sys32\ICXH.exe"
        43⤵
        
        PID:9024
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        42⤵
        
        PID:2572
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        42⤵
        Checks computer location settings
        
        PID:2976
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        43⤵
        
        PID:3356
        
        C:\Windows\SysWOW64\Sys32\ICXH.exe
        
        "C:\Windows\system32\Sys32\ICXH.exe"
        44⤵
        
        PID:9100
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        43⤵
        Modifies WinLogon for persistence
        Suspicious use of FindShellTrayWindow
        
        PID:4104
        
        C:\Windows\SysWOW64\csmm.exe
        
        C:\Windows\system32\csmm.exe
        44⤵
        Suspicious use of FindShellTrayWindow
        
        PID:3856
        
        C:\Windows\SysWOW64\csmm.exe
        
        C:\Windows\system32\csmm.exe
        45⤵
        
        PID:1708
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        43⤵
        
        PID:3852
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        44⤵
        
        PID:2856
        
        C:\Windows\SysWOW64\Sys32\ICXH.exe
        
        "C:\Windows\system32\Sys32\ICXH.exe"
        45⤵
        
        PID:9080
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        44⤵
        
        PID:716
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        44⤵
        Checks computer location settings
        
        PID:3488
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        45⤵
        
        PID:2688
        
        C:\Windows\SysWOW64\Sys32\ICXH.exe
        
        "C:\Windows\system32\Sys32\ICXH.exe"
        46⤵
        
        PID:9032
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        45⤵
        Modifies WinLogon for persistence
        Drops file in System32 directory
        Suspicious use of FindShellTrayWindow
        
        PID:2104
        
        C:\Windows\SysWOW64\csmm.exe
        
        C:\Windows\system32\csmm.exe
        46⤵
        Modifies WinLogon for persistence
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        
        PID:3348
        
        C:\Windows\SysWOW64\csmm.exe
        
        C:\Windows\system32\csmm.exe
        47⤵
        System Location Discovery: System Language Discovery
        
        PID:5044
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        45⤵
        Checks computer location settings
        
        PID:1300
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        46⤵
        
        PID:1424
        
        C:\Windows\SysWOW64\Sys32\ICXH.exe
        
        "C:\Windows\system32\Sys32\ICXH.exe"
        47⤵
        
        PID:9072
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        46⤵
        Suspicious use of FindShellTrayWindow
        
        PID:3684
        
        C:\Windows\SysWOW64\csmm.exe
        
        C:\Windows\system32\csmm.exe
        47⤵
        Suspicious use of FindShellTrayWindow
        
        PID:2632
        
        C:\Windows\SysWOW64\csmm.exe
        
        C:\Windows\system32\csmm.exe
        48⤵
        
        PID:1552
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        46⤵
        System Location Discovery: System Language Discovery
        
        PID:2120
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        47⤵
        
        PID:3676
        
        C:\Windows\SysWOW64\Sys32\ICXH.exe
        
        "C:\Windows\system32\Sys32\ICXH.exe"
        48⤵
        
        PID:6344
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        47⤵
        
        PID:1208
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        47⤵
        Checks computer location settings
        
        PID:2476
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        48⤵
        
        PID:3360
        
        C:\Windows\SysWOW64\Sys32\ICXH.exe
        
        "C:\Windows\system32\Sys32\ICXH.exe"
        49⤵
        
        PID:9056
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        48⤵
        Modifies WinLogon for persistence
        Suspicious use of FindShellTrayWindow
        
        PID:4352
        
        C:\Windows\SysWOW64\csmm.exe
        
        C:\Windows\system32\csmm.exe
        49⤵
        Modifies WinLogon for persistence
        Suspicious use of FindShellTrayWindow
        
        PID:3040
        
        C:\Windows\SysWOW64\csmm.exe
        
        C:\Windows\system32\csmm.exe
        50⤵
        
        PID:4376
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        48⤵
        Checks computer location settings
        
        PID:5100
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        49⤵
        
        PID:2472
        
        C:\Windows\SysWOW64\Sys32\ICXH.exe
        
        "C:\Windows\system32\Sys32\ICXH.exe"
        50⤵
        
        PID:9136
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        49⤵
        Modifies WinLogon for persistence
        Suspicious use of FindShellTrayWindow
        
        PID:3460
        
        C:\Windows\SysWOW64\csmm.exe
        
        C:\Windows\system32\csmm.exe
        50⤵
        Modifies WinLogon for persistence
        Suspicious use of FindShellTrayWindow
        
        PID:1180
        
        C:\Windows\SysWOW64\csmm.exe
        
        C:\Windows\system32\csmm.exe
        51⤵
        System Location Discovery: System Language Discovery
        
        PID:2960
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        49⤵
        
        PID:3164
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        50⤵
        
        PID:1312
        
        C:\Windows\SysWOW64\Sys32\ICXH.exe
        
        "C:\Windows\system32\Sys32\ICXH.exe"
        51⤵
        
        PID:9040
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        50⤵
        
        PID:2420
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        50⤵
        Checks computer location settings
        
        PID:4324
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        51⤵
        
        PID:2144
        
        C:\Windows\SysWOW64\Sys32\ICXH.exe
        
        "C:\Windows\system32\Sys32\ICXH.exe"
        52⤵
        
        PID:9048
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        51⤵
        Modifies WinLogon for persistence
        Drops file in System32 directory
        Suspicious use of FindShellTrayWindow
        
        PID:4724
        
        C:\Windows\SysWOW64\csmm.exe
        
        C:\Windows\system32\csmm.exe
        52⤵
        Modifies WinLogon for persistence
        Drops file in System32 directory
        Suspicious use of FindShellTrayWindow
        
        PID:1804
        
        C:\Windows\SysWOW64\csmm.exe
        
        C:\Windows\system32\csmm.exe
        53⤵
        
        PID:1104
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        51⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:3852
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        52⤵
        
        PID:3748
        
        C:\Windows\SysWOW64\Sys32\ICXH.exe
        
        "C:\Windows\system32\Sys32\ICXH.exe"
        53⤵
        
        PID:7172
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        52⤵
        
        PID:4272
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        52⤵
        Checks computer location settings
        
        PID:4576
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        53⤵
        
        PID:4012
        
        C:\Windows\SysWOW64\Sys32\ICXH.exe
        
        "C:\Windows\system32\Sys32\ICXH.exe"
        54⤵
        
        PID:9064
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        53⤵
        Modifies WinLogon for persistence
        Drops file in System32 directory
        Suspicious use of FindShellTrayWindow
        
        PID:4768
        
        C:\Windows\SysWOW64\csmm.exe
        
        C:\Windows\system32\csmm.exe
        54⤵
        Drops file in System32 directory
        Suspicious use of FindShellTrayWindow
        
        PID:4584
        
        C:\Windows\SysWOW64\csmm.exe
        
        C:\Windows\system32\csmm.exe
        55⤵
        System Location Discovery: System Language Discovery
        
        PID:736
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        53⤵
        Checks computer location settings
        
        PID:4932
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        54⤵
        
        PID:1168
        
        C:\Windows\SysWOW64\Sys32\ICXH.exe
        
        "C:\Windows\system32\Sys32\ICXH.exe"
        55⤵
        
        PID:6804
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        54⤵
        Suspicious use of FindShellTrayWindow
        
        PID:1964
        
        C:\Windows\SysWOW64\csmm.exe
        
        C:\Windows\system32\csmm.exe
        55⤵
        Modifies WinLogon for persistence
        Suspicious use of FindShellTrayWindow
        
        PID:1468
        
        C:\Windows\SysWOW64\csmm.exe
        
        C:\Windows\system32\csmm.exe
        56⤵
        System Location Discovery: System Language Discovery
        
        PID:3936
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        54⤵
        
        PID:4812
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        55⤵
        
        PID:2188
        
        C:\Windows\SysWOW64\Sys32\ICXH.exe
        
        "C:\Windows\system32\Sys32\ICXH.exe"
        56⤵
        
        PID:1968
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        55⤵
        
        PID:1984
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        55⤵
        
        PID:3580
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        56⤵
        
        PID:2356
        
        C:\Windows\SysWOW64\Sys32\ICXH.exe
        
        "C:\Windows\system32\Sys32\ICXH.exe"
        57⤵
        
        PID:6960
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        56⤵
        Modifies WinLogon for persistence
        Drops file in System32 directory
        Suspicious use of FindShellTrayWindow
        
        PID:3680
        
        C:\Windows\SysWOW64\csmm.exe
        
        C:\Windows\system32\csmm.exe
        57⤵
        Modifies WinLogon for persistence
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        
        PID:3224
        
        C:\Windows\SysWOW64\csmm.exe
        
        C:\Windows\system32\csmm.exe
        58⤵
        
        PID:2928
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        56⤵
        Checks computer location settings
        
        PID:3900
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        57⤵
        
        PID:3104
        
        C:\Windows\SysWOW64\Sys32\ICXH.exe
        
        "C:\Windows\system32\Sys32\ICXH.exe"
        58⤵
        
        PID:6976
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        57⤵
        Modifies WinLogon for persistence
        Suspicious use of FindShellTrayWindow
        
        PID:3484
        
        C:\Windows\SysWOW64\csmm.exe
        
        C:\Windows\system32\csmm.exe
        58⤵
        Modifies WinLogon for persistence
        Suspicious use of FindShellTrayWindow
        
        PID:1804
        
        C:\Windows\SysWOW64\csmm.exe
        
        C:\Windows\system32\csmm.exe
        59⤵
        System Location Discovery: System Language Discovery
        
        PID:3852
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        57⤵
        Checks computer location settings
        
        PID:3600
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        58⤵
        
        PID:3348
        
        C:\Windows\SysWOW64\Sys32\ICXH.exe
        
        "C:\Windows\system32\Sys32\ICXH.exe"
        59⤵
        
        PID:3400
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        58⤵
        
        PID:1692
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        58⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:4312
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        59⤵
        
        PID:2904
        
        C:\Windows\SysWOW64\Sys32\ICXH.exe
        
        "C:\Windows\system32\Sys32\ICXH.exe"
        60⤵
        
        PID:9160
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        59⤵
        Suspicious use of FindShellTrayWindow
        
        PID:1084
        
        C:\Windows\SysWOW64\csmm.exe
        
        C:\Windows\system32\csmm.exe
        60⤵
        Suspicious use of FindShellTrayWindow
        
        PID:1892
        
        C:\Windows\SysWOW64\csmm.exe
        
        C:\Windows\system32\csmm.exe
        61⤵
        
        PID:3040
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        59⤵
        
        PID:664
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        60⤵
        
        PID:4696
        
        C:\Windows\SysWOW64\Sys32\ICXH.exe
        
        "C:\Windows\system32\Sys32\ICXH.exe"
        61⤵
        
        PID:6816
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        60⤵
        
        PID:2320
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        60⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:1468
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        61⤵
        
        PID:1088
        
        C:\Windows\SysWOW64\Sys32\ICXH.exe
        
        "C:\Windows\system32\Sys32\ICXH.exe"
        62⤵
        
        PID:9204
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        61⤵
        
        PID:2348
        
        C:\Windows\SysWOW64\csmm.exe
        
        C:\Windows\system32\csmm.exe
        62⤵
        Modifies WinLogon for persistence
        Drops file in System32 directory
        
        PID:2572
        
        C:\Windows\SysWOW64\csmm.exe
        
        C:\Windows\system32\csmm.exe
        63⤵
        System Location Discovery: System Language Discovery
        
        PID:1180
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        61⤵
        
        PID:4996
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        62⤵
        
        PID:3772
        
        C:\Windows\SysWOW64\Sys32\ICXH.exe
        
        "C:\Windows\system32\Sys32\ICXH.exe"
        63⤵
        
        PID:7572
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        62⤵
        
        PID:2928
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        62⤵
        
        PID:4804
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        63⤵
        
        PID:4272
        
        C:\Windows\SysWOW64\Sys32\ICXH.exe
        
        "C:\Windows\system32\Sys32\ICXH.exe"
        64⤵
        
        PID:6720
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        63⤵
        Modifies WinLogon for persistence
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4776
        
        C:\Windows\SysWOW64\csmm.exe
        
        C:\Windows\system32\csmm.exe
        64⤵
        System Location Discovery: System Language Discovery
        
        PID:3600
        
        C:\Windows\SysWOW64\csmm.exe
        
        C:\Windows\system32\csmm.exe
        65⤵
        
        PID:2120
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        63⤵
        
        PID:1064
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        64⤵
        
        PID:3948
        
        C:\Windows\SysWOW64\Sys32\ICXH.exe
        
        "C:\Windows\system32\Sys32\ICXH.exe"
        65⤵
        
        PID:6328
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        64⤵
        System Location Discovery: System Language Discovery
        
        PID:3188
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        64⤵
        System Location Discovery: System Language Discovery
        
        PID:4312
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        65⤵
        
        PID:1652
        
        C:\Windows\SysWOW64\Sys32\ICXH.exe
        
        "C:\Windows\system32\Sys32\ICXH.exe"
        66⤵
        
        PID:8980
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        65⤵
        
        PID:3040
        
        C:\Windows\SysWOW64\csmm.exe
        
        C:\Windows\system32\csmm.exe
        66⤵
        System Location Discovery: System Language Discovery
        
        PID:1524
        
        C:\Windows\SysWOW64\csmm.exe
        
        C:\Windows\system32\csmm.exe
        67⤵
        System Location Discovery: System Language Discovery
        
        PID:4812
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        65⤵
        Checks computer location settings
        
        PID:3864
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        66⤵
        
        PID:2420
        
        C:\Windows\SysWOW64\Sys32\ICXH.exe
        
        "C:\Windows\system32\Sys32\ICXH.exe"
        67⤵
        
        PID:9208
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        66⤵
        Modifies WinLogon for persistence
        
        PID:3392
        
        C:\Windows\SysWOW64\csmm.exe
        
        C:\Windows\system32\csmm.exe
        67⤵
        Modifies WinLogon for persistence
        Drops file in System32 directory
        
        PID:1924
        
        C:\Windows\SysWOW64\csmm.exe
        
        C:\Windows\system32\csmm.exe
        68⤵
        
        PID:3680
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        66⤵
        Checks computer location settings
        
        PID:316
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        67⤵
        
        PID:1464
        
        C:\Windows\SysWOW64\Sys32\ICXH.exe
        
        "C:\Windows\system32\Sys32\ICXH.exe"
        68⤵
        
        PID:9184
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        67⤵
        Modifies WinLogon for persistence
        System Location Discovery: System Language Discovery
        
        PID:3624
        
        C:\Windows\SysWOW64\csmm.exe
        
        C:\Windows\system32\csmm.exe
        68⤵
        Modifies WinLogon for persistence
        System Location Discovery: System Language Discovery
        
        PID:1380
        
        C:\Windows\SysWOW64\csmm.exe
        
        C:\Windows\system32\csmm.exe
        69⤵
        System Location Discovery: System Language Discovery
        
        PID:2656
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        67⤵
        
        PID:4580
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        68⤵
        
        PID:5112
        
        C:\Windows\SysWOW64\Sys32\ICXH.exe
        
        "C:\Windows\system32\Sys32\ICXH.exe"
        69⤵
        
        PID:9156
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        68⤵
        
        PID:5012
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        68⤵
        Checks computer location settings
        
        PID:3600
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        69⤵
        
        PID:4440
        
        C:\Windows\SysWOW64\Sys32\ICXH.exe
        
        "C:\Windows\system32\Sys32\ICXH.exe"
        70⤵
        
        PID:6712
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        69⤵
        Modifies WinLogon for persistence
        
        PID:1272
        
        C:\Windows\SysWOW64\csmm.exe
        
        C:\Windows\system32\csmm.exe
        70⤵
        Modifies WinLogon for persistence
        
        PID:3544
        
        C:\Windows\SysWOW64\csmm.exe
        
        C:\Windows\system32\csmm.exe
        71⤵
        System Location Discovery: System Language Discovery
        
        PID:1964
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        69⤵
        System Location Discovery: System Language Discovery
        
        PID:4964
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        70⤵
        
        PID:3580
        
        C:\Windows\SysWOW64\Sys32\ICXH.exe
        
        "C:\Windows\system32\Sys32\ICXH.exe"
        71⤵
        
        PID:7544
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        70⤵
        Modifies WinLogon for persistence
        System Location Discovery: System Language Discovery
        
        PID:716
        
        C:\Windows\SysWOW64\csmm.exe
        
        C:\Windows\system32\csmm.exe
        71⤵
        
        PID:3900
        
        C:\Windows\SysWOW64\csmm.exe
        
        C:\Windows\system32\csmm.exe
        72⤵
        
        PID:5044
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        70⤵
        System Location Discovery: System Language Discovery
        
        PID:3488
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        71⤵
        
        PID:2104
        
        C:\Windows\SysWOW64\Sys32\ICXH.exe
        
        "C:\Windows\system32\Sys32\ICXH.exe"
        72⤵
        
        PID:8952
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        71⤵
        
        PID:4004
        
        C:\Windows\SysWOW64\csmm.exe
        
        C:\Windows\system32\csmm.exe
        72⤵
        
        PID:3624
        
        C:\Windows\SysWOW64\csmm.exe
        
        C:\Windows\system32\csmm.exe
        73⤵
        
        PID:4580
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        71⤵
        Checks computer location settings
        
        PID:4984
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        72⤵
        
        PID:2616
        
        C:\Windows\SysWOW64\Sys32\ICXH.exe
        
        "C:\Windows\system32\Sys32\ICXH.exe"
        73⤵
        
        PID:6968
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        72⤵
        
        PID:3188
        
        C:\Windows\SysWOW64\csmm.exe
        
        C:\Windows\system32\csmm.exe
        73⤵
        Modifies WinLogon for persistence
        
        PID:368
        
        C:\Windows\SysWOW64\csmm.exe
        
        C:\Windows\system32\csmm.exe
        74⤵
        System Location Discovery: System Language Discovery
        
        PID:1272
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        72⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:3600
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        73⤵
        
        PID:1180
        
        C:\Windows\SysWOW64\Sys32\ICXH.exe
        
        "C:\Windows\system32\Sys32\ICXH.exe"
        74⤵
        
        PID:2932
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        73⤵
        Modifies WinLogon for persistence
        
        PID:3392
        
        C:\Windows\SysWOW64\csmm.exe
        
        C:\Windows\system32\csmm.exe
        74⤵
        Modifies WinLogon for persistence
        
        PID:4336
        
        C:\Windows\SysWOW64\csmm.exe
        
        C:\Windows\system32\csmm.exe
        75⤵
        
        PID:1300
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        73⤵
        Checks computer location settings
        
        PID:4812
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        74⤵
        
        PID:3848
        
        C:\Windows\SysWOW64\Sys32\ICXH.exe
        
        "C:\Windows\system32\Sys32\ICXH.exe"
        75⤵
        
        PID:7324
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        74⤵
        
        PID:316
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        74⤵
        Checks computer location settings
        
        PID:2656
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        75⤵
        
        PID:4304
        
        C:\Windows\SysWOW64\Sys32\ICXH.exe
        
        "C:\Windows\system32\Sys32\ICXH.exe"
        76⤵
        
        PID:3140
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        75⤵
        Modifies WinLogon for persistence
        
        PID:1948
        
        C:\Windows\SysWOW64\csmm.exe
        
        C:\Windows\system32\csmm.exe
        76⤵
        
        PID:3448
        
        C:\Windows\SysWOW64\csmm.exe
        
        C:\Windows\system32\csmm.exe
        77⤵
        
        PID:1120
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        75⤵
        
        PID:3784
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        76⤵
        
        PID:2976
        
        C:\Windows\SysWOW64\Sys32\ICXH.exe
        
        "C:\Windows\system32\Sys32\ICXH.exe"
        77⤵
        
        PID:6996
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        76⤵
        Modifies WinLogon for persistence
        
        PID:4360
        
        C:\Windows\SysWOW64\csmm.exe
        
        C:\Windows\system32\csmm.exe
        77⤵
        Drops file in System32 directory
        
        PID:3968
        
        C:\Windows\SysWOW64\csmm.exe
        
        C:\Windows\system32\csmm.exe
        78⤵
        
        PID:716
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        76⤵
        
        PID:4548
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        77⤵
        
        PID:736
        
        C:\Windows\SysWOW64\Sys32\ICXH.exe
        
        "C:\Windows\system32\Sys32\ICXH.exe"
        78⤵
        
        PID:6988
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        77⤵
        
        PID:436
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        77⤵
        Checks computer location settings
        
        PID:5080
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        78⤵
        
        PID:3380
        
        C:\Windows\SysWOW64\Sys32\ICXH.exe
        
        "C:\Windows\system32\Sys32\ICXH.exe"
        79⤵
        
        PID:948
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        78⤵
        Modifies WinLogon for persistence
        
        PID:2536
        
        C:\Windows\SysWOW64\csmm.exe
        
        C:\Windows\system32\csmm.exe
        79⤵
        Modifies WinLogon for persistence
        
        PID:1084
        
        C:\Windows\SysWOW64\csmm.exe
        
        C:\Windows\system32\csmm.exe
        80⤵
        
        PID:1892
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        78⤵
        
        PID:5064
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        79⤵
        
        PID:3784
        
        C:\Windows\SysWOW64\Sys32\ICXH.exe
        
        "C:\Windows\system32\Sys32\ICXH.exe"
        80⤵
        
        PID:3312
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        79⤵
        
        PID:3600
        
        C:\Windows\SysWOW64\csmm.exe
        
        C:\Windows\system32\csmm.exe
        80⤵
        Modifies WinLogon for persistence
        Drops file in System32 directory
        
        PID:2400
        
        C:\Windows\SysWOW64\csmm.exe
        
        C:\Windows\system32\csmm.exe
        81⤵
        
        PID:4812
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        79⤵
        Checks computer location settings
        
        PID:1804
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        80⤵
        
        PID:3404
        
        C:\Windows\SysWOW64\Sys32\ICXH.exe
        
        "C:\Windows\system32\Sys32\ICXH.exe"
        81⤵
        
        PID:7256
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        80⤵
        
        PID:4312
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        80⤵
        Checks computer location settings
        
        PID:664
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        81⤵
        
        PID:4972
        
        C:\Windows\SysWOW64\Sys32\ICXH.exe
        
        "C:\Windows\system32\Sys32\ICXH.exe"
        82⤵
        
        PID:5420
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        81⤵
        
        PID:3448
        
        C:\Windows\SysWOW64\csmm.exe
        
        C:\Windows\system32\csmm.exe
        82⤵
        Modifies WinLogon for persistence
        System Location Discovery: System Language Discovery
        
        PID:3188
        
        C:\Windows\SysWOW64\csmm.exe
        
        C:\Windows\system32\csmm.exe
        83⤵
        
        PID:4360
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        81⤵
        
        PID:4484
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        82⤵
        
        PID:3968
        
        C:\Windows\SysWOW64\Sys32\ICXH.exe
        
        "C:\Windows\system32\Sys32\ICXH.exe"
        83⤵
        
        PID:7460
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        82⤵
        
        PID:3684
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        82⤵
        
        PID:4812
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        83⤵
        
        PID:3792
        
        C:\Windows\SysWOW64\Sys32\ICXH.exe
        
        "C:\Windows\system32\Sys32\ICXH.exe"
        84⤵
        
        PID:7312
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        83⤵
        
        PID:3812
        
        C:\Windows\SysWOW64\csmm.exe
        
        C:\Windows\system32\csmm.exe
        84⤵
        
        PID:3284
        
        C:\Windows\SysWOW64\csmm.exe
        
        C:\Windows\system32\csmm.exe
        85⤵
        
        PID:1084
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        83⤵
        
        PID:3692
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        84⤵
        
        PID:3600
        
        C:\Windows\SysWOW64\Sys32\ICXH.exe
        
        "C:\Windows\system32\Sys32\ICXH.exe"
        85⤵
        
        PID:536
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        84⤵
        
        PID:3188
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        84⤵
        
        PID:5044
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        85⤵
        
        PID:4580
        
        C:\Windows\SysWOW64\Sys32\ICXH.exe
        
        "C:\Windows\system32\Sys32\ICXH.exe"
        86⤵
        
        PID:636
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        85⤵
        
        PID:2480
        
        C:\Windows\SysWOW64\csmm.exe
        
        C:\Windows\system32\csmm.exe
        86⤵
        
        PID:3392
        
        C:\Windows\SysWOW64\csmm.exe
        
        C:\Windows\system32\csmm.exe
        87⤵
        
        PID:5064
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        85⤵
        
        PID:1804
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        86⤵
        
        PID:5080
        
        C:\Windows\SysWOW64\Sys32\ICXH.exe
        
        "C:\Windows\system32\Sys32\ICXH.exe"
        87⤵
        
        PID:7388
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        86⤵
        
        PID:3284
        
        C:\Windows\SysWOW64\csmm.exe
        
        C:\Windows\system32\csmm.exe
        87⤵
        
        PID:4232
        
        C:\Windows\SysWOW64\csmm.exe
        
        C:\Windows\system32\csmm.exe
        88⤵
        
        PID:1428
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        86⤵
        
        PID:4484
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        87⤵
        
        PID:3900
        
        C:\Windows\SysWOW64\Sys32\ICXH.exe
        
        "C:\Windows\system32\Sys32\ICXH.exe"
        88⤵
        
        PID:7304
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        87⤵
        
        PID:1120
        
        C:\Windows\SysWOW64\csmm.exe
        
        C:\Windows\system32\csmm.exe
        88⤵
        
        PID:368
        
        C:\Windows\SysWOW64\csmm.exe
        
        C:\Windows\system32\csmm.exe
        89⤵
        
        PID:4548
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        87⤵
        
        PID:3092
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        88⤵
        
        PID:2384
        
        C:\Windows\SysWOW64\Sys32\ICXH.exe
        
        "C:\Windows\system32\Sys32\ICXH.exe"
        89⤵
        
        PID:9028
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        88⤵
        
        PID:2348
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        88⤵
        
        PID:3484
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        89⤵
        
        PID:1380
        
        C:\Windows\SysWOW64\Sys32\ICXH.exe
        
        "C:\Windows\system32\Sys32\ICXH.exe"
        90⤵
        
        PID:9104
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        89⤵
        
        PID:1644
        
        C:\Windows\SysWOW64\csmm.exe
        
        C:\Windows\system32\csmm.exe
        90⤵
        
        PID:5012
        
        C:\Windows\SysWOW64\csmm.exe
        
        C:\Windows\system32\csmm.exe
        91⤵
        
        PID:3488
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        89⤵
        
        PID:2120
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        90⤵
        
        PID:1300
        
        C:\Windows\SysWOW64\Sys32\ICXH.exe
        
        "C:\Windows\system32\Sys32\ICXH.exe"
        91⤵
        
        PID:7384
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        90⤵
        
        PID:960
        
        C:\Windows\SysWOW64\csmm.exe
        
        C:\Windows\system32\csmm.exe
        91⤵
        
        PID:3448
        
        C:\Windows\SysWOW64\csmm.exe
        
        C:\Windows\system32\csmm.exe
        92⤵
        
        PID:1644
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        90⤵
        
        PID:3836
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        91⤵
        
        PID:1964
        
        C:\Windows\SysWOW64\Sys32\ICXH.exe
        
        "C:\Windows\system32\Sys32\ICXH.exe"
        92⤵
        
        PID:4180
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        91⤵
        
        PID:4312
        
        C:\Windows\SysWOW64\csmm.exe
        
        C:\Windows\system32\csmm.exe
        92⤵
        
        PID:4408
        
        C:\Windows\SysWOW64\csmm.exe
        
        C:\Windows\system32\csmm.exe
        93⤵
        
        PID:1804
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        91⤵
        
        PID:5064
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        92⤵
        
        PID:4528
        
        C:\Windows\SysWOW64\Sys32\ICXH.exe
        
        "C:\Windows\system32\Sys32\ICXH.exe"
        93⤵
        
        PID:4616
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        92⤵
        
        PID:1428
        
        C:\Windows\SysWOW64\csmm.exe
        
        C:\Windows\system32\csmm.exe
        93⤵
        
        PID:3484
        
        C:\Windows\SysWOW64\csmm.exe
        
        C:\Windows\system32\csmm.exe
        94⤵
        
        PID:1524
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        92⤵
        
        PID:1120
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        93⤵
        
        PID:4408
        
        C:\Windows\SysWOW64\Sys32\ICXH.exe
        
        "C:\Windows\system32\Sys32\ICXH.exe"
        94⤵
        
        PID:7348
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        93⤵
        
        PID:5064
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        93⤵
        
        PID:4672
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        94⤵
        
        PID:5192
        
        C:\Windows\SysWOW64\Sys32\ICXH.exe
        
        "C:\Windows\system32\Sys32\ICXH.exe"
        95⤵
        
        PID:3700
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        94⤵
        
        PID:5200
        
        C:\Windows\SysWOW64\csmm.exe
        
        C:\Windows\system32\csmm.exe
        95⤵
        
        PID:5276
        
        C:\Windows\SysWOW64\csmm.exe
        
        C:\Windows\system32\csmm.exe
        96⤵
        
        PID:5320
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        94⤵
        
        PID:5228
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        95⤵
        
        PID:5344
        
        C:\Windows\SysWOW64\Sys32\ICXH.exe
        
        "C:\Windows\system32\Sys32\ICXH.exe"
        96⤵
        
        PID:9072
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        95⤵
        
        PID:5364
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        95⤵
        
        PID:5384
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        96⤵
        
        PID:5444
        
        C:\Windows\SysWOW64\Sys32\ICXH.exe
        
        "C:\Windows\system32\Sys32\ICXH.exe"
        97⤵
        
        PID:9092
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        96⤵
        
        PID:5464
        
        C:\Windows\SysWOW64\csmm.exe
        
        C:\Windows\system32\csmm.exe
        97⤵
        
        PID:5516
        
        C:\Windows\SysWOW64\csmm.exe
        
        C:\Windows\system32\csmm.exe
        98⤵
        
        PID:5568
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        96⤵
        
        PID:5476
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        97⤵
        
        PID:5596
        
        C:\Windows\SysWOW64\Sys32\ICXH.exe
        
        "C:\Windows\system32\Sys32\ICXH.exe"
        98⤵
        
        PID:2432
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        97⤵
        
        PID:5624
        
        C:\Windows\SysWOW64\csmm.exe
        
        C:\Windows\system32\csmm.exe
        98⤵
        
        PID:5672
        
        C:\Windows\SysWOW64\csmm.exe
        
        C:\Windows\system32\csmm.exe
        99⤵
        
        PID:5724
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        97⤵
        
        PID:5636
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        98⤵
        
        PID:5740
        
        C:\Windows\SysWOW64\Sys32\ICXH.exe
        
        "C:\Windows\system32\Sys32\ICXH.exe"
        99⤵
        
        PID:1976
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        98⤵
        
        PID:5752
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        98⤵
        
        PID:5760
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        99⤵
        
        PID:5844
        
        C:\Windows\SysWOW64\Sys32\ICXH.exe
        
        "C:\Windows\system32\Sys32\ICXH.exe"
        100⤵
        
        PID:1620
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        99⤵
        
        PID:5856
        
        C:\Windows\SysWOW64\csmm.exe
        
        C:\Windows\system32\csmm.exe
        100⤵
        
        PID:5924
        
        C:\Windows\SysWOW64\csmm.exe
        
        C:\Windows\system32\csmm.exe
        101⤵
        
        PID:5972
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        99⤵
        
        PID:5880
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        100⤵
        
        PID:5988
        
        C:\Windows\SysWOW64\Sys32\ICXH.exe
        
        "C:\Windows\system32\Sys32\ICXH.exe"
        101⤵
        
        PID:8988
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        100⤵
        
        PID:5996
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        100⤵
        
        PID:6024
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        101⤵
        
        PID:6096
        
        C:\Windows\SysWOW64\Sys32\ICXH.exe
        
        "C:\Windows\system32\Sys32\ICXH.exe"
        102⤵
        
        PID:2856
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        101⤵
        
        PID:6116
        
        C:\Windows\SysWOW64\csmm.exe
        
        C:\Windows\system32\csmm.exe
        102⤵
        
        PID:3040
        
        C:\Windows\SysWOW64\csmm.exe
        
        C:\Windows\system32\csmm.exe
        103⤵
        
        PID:3284
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        101⤵
        
        PID:6136
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        102⤵
        
        PID:3392
        
        C:\Windows\SysWOW64\Sys32\ICXH.exe
        
        "C:\Windows\system32\Sys32\ICXH.exe"
        103⤵
        
        PID:8964
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        102⤵
        
        PID:1892
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        102⤵
        
        PID:5224
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        103⤵
        
        PID:4672
        
        C:\Windows\SysWOW64\Sys32\ICXH.exe
        
        "C:\Windows\system32\Sys32\ICXH.exe"
        104⤵
        
        PID:8960
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        103⤵
        
        PID:5296
        
        C:\Windows\SysWOW64\csmm.exe
        
        C:\Windows\system32\csmm.exe
        104⤵
        
        PID:3544
        
        C:\Windows\SysWOW64\csmm.exe
        
        C:\Windows\system32\csmm.exe
        105⤵
        
        PID:5396
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        103⤵
        
        PID:5204
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        104⤵
        
        PID:5368
        
        C:\Windows\SysWOW64\Sys32\ICXH.exe
        
        "C:\Windows\system32\Sys32\ICXH.exe"
        105⤵
        
        PID:1864
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        104⤵
        
        PID:5456
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        104⤵
        
        PID:5440
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        105⤵
        
        PID:5520
        
        C:\Windows\SysWOW64\Sys32\ICXH.exe
        
        "C:\Windows\system32\Sys32\ICXH.exe"
        106⤵
        
        PID:7024
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        105⤵
        
        PID:5580
        
        C:\Windows\SysWOW64\csmm.exe
        
        C:\Windows\system32\csmm.exe
        106⤵
        
        PID:5552
        
        C:\Windows\SysWOW64\csmm.exe
        
        C:\Windows\system32\csmm.exe
        107⤵
        
        PID:5688
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        105⤵
        
        PID:5540
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        106⤵
        
        PID:5696
        
        C:\Windows\SysWOW64\Sys32\ICXH.exe
        
        "C:\Windows\system32\Sys32\ICXH.exe"
        107⤵
        
        PID:1768
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        106⤵
        
        PID:5656
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        106⤵
        
        PID:5648
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        107⤵
        
        PID:5788
        
        C:\Windows\SysWOW64\Sys32\ICXH.exe
        
        "C:\Windows\system32\Sys32\ICXH.exe"
        108⤵
        
        PID:7028
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        107⤵
        
        PID:5828
        
        C:\Windows\SysWOW64\csmm.exe
        
        C:\Windows\system32\csmm.exe
        108⤵
        
        PID:5932
        
        C:\Windows\SysWOW64\csmm.exe
        
        C:\Windows\system32\csmm.exe
        109⤵
        
        PID:5860
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        107⤵
        
        PID:5836
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        108⤵
        
        PID:5896
        
        C:\Windows\SysWOW64\Sys32\ICXH.exe
        
        "C:\Windows\system32\Sys32\ICXH.exe"
        109⤵
        
        PID:5508
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        108⤵
        
        PID:5892
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        108⤵
        
        PID:5924
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        109⤵
        
        PID:5044
        
        C:\Windows\SysWOW64\Sys32\ICXH.exe
        
        "C:\Windows\system32\Sys32\ICXH.exe"
        110⤵
        
        PID:5424
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        109⤵
        
        PID:2400
        
        C:\Windows\SysWOW64\csmm.exe
        
        C:\Windows\system32\csmm.exe
        110⤵
        
        PID:5144
        
        C:\Windows\SysWOW64\csmm.exe
        
        C:\Windows\system32\csmm.exe
        111⤵
        
        PID:5136
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        109⤵
        
        PID:5148
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        110⤵
        
        PID:4340
        
        C:\Windows\SysWOW64\Sys32\ICXH.exe
        
        "C:\Windows\system32\Sys32\ICXH.exe"
        111⤵
        
        PID:3356
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        110⤵
        
        PID:5188
        
        C:\Windows\SysWOW64\csmm.exe
        
        C:\Windows\system32\csmm.exe
        111⤵
        
        PID:5460
        
        C:\Windows\SysWOW64\csmm.exe
        
        C:\Windows\system32\csmm.exe
        112⤵
        
        PID:5396
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        110⤵
        
        PID:5252
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        111⤵
        
        PID:5312
        
        C:\Windows\SysWOW64\Sys32\ICXH.exe
        
        "C:\Windows\system32\Sys32\ICXH.exe"
        112⤵
        
        PID:7576
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        111⤵
        
        PID:5472
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        111⤵
        
        PID:5268
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        112⤵
        
        PID:5592
        
        C:\Windows\SysWOW64\Sys32\ICXH.exe
        
        "C:\Windows\system32\Sys32\ICXH.exe"
        113⤵
        
        PID:9048
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        112⤵
        
        PID:5528
        
        C:\Windows\SysWOW64\csmm.exe
        
        C:\Windows\system32\csmm.exe
        113⤵
        
        PID:5628
        
        C:\Windows\SysWOW64\csmm.exe
        
        C:\Windows\system32\csmm.exe
        114⤵
        
        PID:5516
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        112⤵
        
        PID:5784
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        113⤵
        
        PID:5736
        
        C:\Windows\SysWOW64\Sys32\ICXH.exe
        
        "C:\Windows\system32\Sys32\ICXH.exe"
        114⤵
        
        PID:3096
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        113⤵
        
        PID:5692
        
        C:\Windows\SysWOW64\csmm.exe
        
        C:\Windows\system32\csmm.exe
        114⤵
        
        PID:4156
        
        C:\Windows\SysWOW64\csmm.exe
        
        C:\Windows\system32\csmm.exe
        115⤵
        
        PID:5944
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        113⤵
        
        PID:5632
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        114⤵
        
        PID:5940
        
        C:\Windows\SysWOW64\Sys32\ICXH.exe
        
        "C:\Windows\system32\Sys32\ICXH.exe"
        115⤵
        
        PID:6356
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        114⤵
        
        PID:5860
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        114⤵
        
        PID:5804
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        115⤵
        
        PID:6124
        
        C:\Windows\SysWOW64\Sys32\ICXH.exe
        
        "C:\Windows\system32\Sys32\ICXH.exe"
        116⤵
        
        PID:1312
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        115⤵
        
        PID:5892
        
        C:\Windows\SysWOW64\csmm.exe
        
        C:\Windows\system32\csmm.exe
        116⤵
        
        PID:5172
        
        C:\Windows\SysWOW64\csmm.exe
        
        C:\Windows\system32\csmm.exe
        117⤵
        
        PID:5136
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        115⤵
        
        PID:5996
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        116⤵
        
        PID:4668
        
        C:\Windows\SysWOW64\Sys32\ICXH.exe
        
        "C:\Windows\system32\Sys32\ICXH.exe"
        117⤵
        
        PID:7404
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        116⤵
        
        PID:5216
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        116⤵
        
        PID:5160
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        117⤵
        
        PID:5212
        
        C:\Windows\SysWOW64\Sys32\ICXH.exe
        
        "C:\Windows\system32\Sys32\ICXH.exe"
        118⤵
        
        PID:6972
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        117⤵
        
        PID:5252
        
        C:\Windows\SysWOW64\csmm.exe
        
        C:\Windows\system32\csmm.exe
        118⤵
        
        PID:5396
        
        C:\Windows\SysWOW64\csmm.exe
        
        C:\Windows\system32\csmm.exe
        119⤵
        
        PID:5748
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        117⤵
        
        PID:5180
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        118⤵
        
        PID:5588
        
        C:\Windows\SysWOW64\Sys32\ICXH.exe
        
        "C:\Windows\system32\Sys32\ICXH.exe"
        119⤵
        
        PID:4584
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        118⤵
        
        PID:5524
        
        C:\Windows\SysWOW64\csmm.exe
        
        C:\Windows\system32\csmm.exe
        119⤵
        
        PID:5580
        
        C:\Windows\SysWOW64\csmm.exe
        
        C:\Windows\system32\csmm.exe
        120⤵
        
        PID:5816
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        118⤵
        
        PID:5464
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        119⤵
        
        PID:5640
        
        C:\Windows\SysWOW64\Sys32\ICXH.exe
        
        "C:\Windows\system32\Sys32\ICXH.exe"
        120⤵
        
        PID:6784
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        119⤵
        
        PID:5636
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        119⤵
        
        PID:5956
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        120⤵
        
        PID:4156
        
        C:\Windows\SysWOW64\Sys32\ICXH.exe
        
        "C:\Windows\system32\Sys32\ICXH.exe"
        121⤵
        
        PID:7604
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        120⤵
        
        PID:6016
        
        C:\Windows\SysWOW64\csmm.exe
        
        C:\Windows\system32\csmm.exe
        121⤵
        
        PID:6008
        
        C:\Windows\SysWOW64\csmm.exe
        
        C:\Windows\system32\csmm.exe
        122⤵
        
        PID:5280
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        120⤵
        
        PID:5920
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        121⤵
        
        PID:6136
        
        C:\Windows\SysWOW64\Sys32\ICXH.exe
        
        "C:\Windows\system32\Sys32\ICXH.exe"
        122⤵
        
        PID:7368
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        121⤵
        
        PID:5340
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        121⤵
        
        PID:3092
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        122⤵
        
        PID:5200
        
        C:\Windows\SysWOW64\Sys32\ICXH.exe
        
        "C:\Windows\system32\Sys32\ICXH.exe"
        123⤵
        
        PID:7392
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        122⤵
        
        PID:5148
        
        C:\Windows\SysWOW64\csmm.exe
        
        C:\Windows\system32\csmm.exe
        123⤵
        
        PID:5360
        
        C:\Windows\SysWOW64\csmm.exe
        
        C:\Windows\system32\csmm.exe
        124⤵
        
        PID:5748
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        122⤵
        
        PID:5296
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        123⤵
        
        PID:5388
        
        C:\Windows\SysWOW64\Sys32\ICXH.exe
        
        "C:\Windows\system32\Sys32\ICXH.exe"
        124⤵
        
        PID:7328
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        123⤵
        
        PID:5564
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        123⤵
        
        PID:5572
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        124⤵
        
        PID:5864
        
        C:\Windows\SysWOW64\Sys32\ICXH.exe
        
        "C:\Windows\system32\Sys32\ICXH.exe"
        125⤵
        
        PID:3948
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        124⤵
        
        PID:5812
        
        C:\Windows\SysWOW64\csmm.exe
        
        C:\Windows\system32\csmm.exe
        125⤵
        
        PID:2692
        
        C:\Windows\SysWOW64\csmm.exe
        
        C:\Windows\system32\csmm.exe
        126⤵
        
        PID:5964
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        124⤵
        
        PID:5680
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        125⤵
        
        PID:1664
        
        C:\Windows\SysWOW64\Sys32\ICXH.exe
        
        "C:\Windows\system32\Sys32\ICXH.exe"
        126⤵
        
        PID:5728
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        125⤵
        
        PID:5828
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        125⤵
        
        PID:5904
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        126⤵
        
        PID:6040
        
        C:\Windows\SysWOW64\Sys32\ICXH.exe
        
        "C:\Windows\system32\Sys32\ICXH.exe"
        127⤵
        
        PID:4064
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        126⤵
        
        PID:5876
        
        C:\Windows\SysWOW64\csmm.exe
        
        C:\Windows\system32\csmm.exe
        127⤵
        
        PID:6092
        
        C:\Windows\SysWOW64\csmm.exe
        
        C:\Windows\system32\csmm.exe
        128⤵
        
        PID:6024
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        126⤵
        
        PID:3040
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        127⤵
        
        PID:5176
        
        C:\Windows\SysWOW64\Sys32\ICXH.exe
        
        "C:\Windows\system32\Sys32\ICXH.exe"
        128⤵
        
        PID:7504
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        127⤵
        
        PID:2292
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        127⤵
        
        PID:5260
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        128⤵
        
        PID:5240
        
        C:\Windows\SysWOW64\Sys32\ICXH.exe
        
        "C:\Windows\system32\Sys32\ICXH.exe"
        129⤵
        
        PID:5780
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        128⤵
        
        PID:5396
        
        C:\Windows\SysWOW64\csmm.exe
        
        C:\Windows\system32\csmm.exe
        129⤵
        
        PID:5748
        
        C:\Windows\SysWOW64\csmm.exe
        
        C:\Windows\system32\csmm.exe
        130⤵
        
        PID:5492
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        128⤵
        
        PID:3544
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        129⤵
        
        PID:5480
        
        C:\Windows\SysWOW64\Sys32\ICXH.exe
        
        "C:\Windows\system32\Sys32\ICXH.exe"
        130⤵
        
        PID:7012
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        129⤵
        
        PID:5516
        
        C:\Windows\SysWOW64\csmm.exe
        
        C:\Windows\system32\csmm.exe
        130⤵
        
        PID:5780
        
        C:\Windows\SysWOW64\csmm.exe
        
        C:\Windows\system32\csmm.exe
        131⤵
        
        PID:964
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        129⤵
        
        PID:5552
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        130⤵
        
        PID:812
        
        C:\Windows\SysWOW64\Sys32\ICXH.exe
        
        "C:\Windows\system32\Sys32\ICXH.exe"
        131⤵
        
        PID:6864
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        130⤵
        
        PID:5756
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        130⤵
        
        PID:2496
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        131⤵
        
        PID:5764
        
        C:\Windows\SysWOW64\Sys32\ICXH.exe
        
        "C:\Windows\system32\Sys32\ICXH.exe"
        132⤵
        
        PID:5064
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        131⤵
        
        PID:6120
        
        C:\Windows\SysWOW64\csmm.exe
        
        C:\Windows\system32\csmm.exe
        132⤵
        
        PID:4196
        
        C:\Windows\SysWOW64\csmm.exe
        
        C:\Windows\system32\csmm.exe
        133⤵
        
        PID:6084
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        131⤵
        
        PID:4556
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        132⤵
        
        PID:5860
        
        C:\Windows\SysWOW64\Sys32\ICXH.exe
        
        "C:\Windows\system32\Sys32\ICXH.exe"
        133⤵
        
        PID:9020
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        132⤵
        
        PID:5320
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        132⤵
        
        PID:5424
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        133⤵
        
        PID:5872
        
        C:\Windows\SysWOW64\Sys32\ICXH.exe
        
        "C:\Windows\system32\Sys32\ICXH.exe"
        134⤵
        
        PID:7420
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        133⤵
        
        PID:5544
        
        C:\Windows\SysWOW64\csmm.exe
        
        C:\Windows\system32\csmm.exe
        134⤵
        
        PID:5400
        
        C:\Windows\SysWOW64\csmm.exe
        
        C:\Windows\system32\csmm.exe
        135⤵
        
        PID:5728
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        133⤵
        
        PID:5748
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        134⤵
        
        PID:5796
        
        C:\Windows\SysWOW64\Sys32\ICXH.exe
        
        "C:\Windows\system32\Sys32\ICXH.exe"
        135⤵
        
        PID:1536
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        134⤵
        
        PID:1568
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        134⤵
        
        PID:2692
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        135⤵
        
        PID:5916
        
        C:\Windows\SysWOW64\Sys32\ICXH.exe
        
        "C:\Windows\system32\Sys32\ICXH.exe"
        136⤵
        
        PID:6708
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        135⤵
        
        PID:3484
        
        C:\Windows\SysWOW64\csmm.exe
        
        C:\Windows\system32\csmm.exe
        136⤵
        
        PID:3040
        
        C:\Windows\SysWOW64\csmm.exe
        
        C:\Windows\system32\csmm.exe
        137⤵
        
        PID:6012
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        135⤵
        
        PID:6000
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        136⤵
        
        PID:5556
        
        C:\Windows\SysWOW64\Sys32\ICXH.exe
        
        "C:\Windows\system32\Sys32\ICXH.exe"
        137⤵
        
        PID:4416
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        136⤵
        
        PID:2156
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        136⤵
        
        PID:6016
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        137⤵
        
        PID:5924
        
        C:\Windows\SysWOW64\Sys32\ICXH.exe
        
        "C:\Windows\system32\Sys32\ICXH.exe"
        138⤵
        
        PID:4344
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        137⤵
        
        PID:5488
        
        C:\Windows\SysWOW64\csmm.exe
        
        C:\Windows\system32\csmm.exe
        138⤵
        
        PID:2128
        
        C:\Windows\SysWOW64\csmm.exe
        
        C:\Windows\system32\csmm.exe
        139⤵
        
        PID:5524
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        137⤵
        
        PID:5204
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        138⤵
        
        PID:5456
        
        C:\Windows\SysWOW64\Sys32\ICXH.exe
        
        "C:\Windows\system32\Sys32\ICXH.exe"
        139⤵
        
        PID:9124
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        138⤵
        
        PID:3552
        
        C:\Windows\SysWOW64\csmm.exe
        
        C:\Windows\system32\csmm.exe
        139⤵
        
        PID:6032
        
        C:\Windows\SysWOW64\csmm.exe
        
        C:\Windows\system32\csmm.exe
        140⤵
        
        PID:2692
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        138⤵
        
        PID:5516
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        139⤵
        
        PID:5892
        
        C:\Windows\SysWOW64\Sys32\ICXH.exe
        
        "C:\Windows\system32\Sys32\ICXH.exe"
        140⤵
        
        PID:5676
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        139⤵
        
        PID:5360
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        139⤵
        
        PID:5152
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        140⤵
        
        PID:6084
        
        C:\Windows\SysWOW64\Sys32\ICXH.exe
        
        "C:\Windows\system32\Sys32\ICXH.exe"
        141⤵
        
        PID:2712
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        140⤵
        
        PID:3040
        
        C:\Windows\SysWOW64\csmm.exe
        
        C:\Windows\system32\csmm.exe
        141⤵
        
        PID:5540
        
        C:\Windows\SysWOW64\csmm.exe
        
        C:\Windows\system32\csmm.exe
        142⤵
        
        PID:5580
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        140⤵
        
        PID:6012
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        141⤵
        
        PID:5148
        
        C:\Windows\SysWOW64\Sys32\ICXH.exe
        
        "C:\Windows\system32\Sys32\ICXH.exe"
        142⤵
        
        PID:9008
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        141⤵
        
        PID:5216
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        141⤵
        
        PID:5180
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        142⤵
        
        PID:5704
        
        C:\Windows\SysWOW64\Sys32\ICXH.exe
        
        "C:\Windows\system32\Sys32\ICXH.exe"
        143⤵
        
        PID:5540
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        142⤵
        
        PID:6008
        
        C:\Windows\SysWOW64\csmm.exe
        
        C:\Windows\system32\csmm.exe
        143⤵
        
        PID:3552
        
        C:\Windows\SysWOW64\csmm.exe
        
        C:\Windows\system32\csmm.exe
        144⤵
        
        PID:2348
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        142⤵
        
        PID:5400
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        143⤵
        
        PID:5680
        
        C:\Windows\SysWOW64\Sys32\ICXH.exe
        
        "C:\Windows\system32\Sys32\ICXH.exe"
        144⤵
        
        PID:7412
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        143⤵
        
        PID:1604
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        143⤵
        
        PID:4484
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        144⤵
        
        PID:5964
        
        C:\Windows\SysWOW64\Sys32\ICXH.exe
        
        "C:\Windows\system32\Sys32\ICXH.exe"
        145⤵
        
        PID:3552
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        144⤵
        
        PID:6132
        
        C:\Windows\SysWOW64\csmm.exe
        
        C:\Windows\system32\csmm.exe
        145⤵
        
        PID:3040
        
        C:\Windows\SysWOW64\csmm.exe
        
        C:\Windows\system32\csmm.exe
        146⤵
        
        PID:5204
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        144⤵
        
        PID:5460
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        145⤵
        
        PID:6032
        
        C:\Windows\SysWOW64\Sys32\ICXH.exe
        
        "C:\Windows\system32\Sys32\ICXH.exe"
        146⤵
        
        PID:7372
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        145⤵
        
        PID:5996
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        145⤵
        
        PID:5780
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        146⤵
        
        PID:5804
        
        C:\Windows\SysWOW64\Sys32\ICXH.exe
        
        "C:\Windows\system32\Sys32\ICXH.exe"
        147⤵
        
        PID:5492
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        146⤵
        
        PID:3508
        
        C:\Windows\SysWOW64\csmm.exe
        
        C:\Windows\system32\csmm.exe
        147⤵
        
        PID:5160
        
        C:\Windows\SysWOW64\csmm.exe
        
        C:\Windows\system32\csmm.exe
        148⤵
        
        PID:5524
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        146⤵
        
        PID:2348
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        147⤵
        
        PID:5472
        
        C:\Windows\SysWOW64\Sys32\ICXH.exe
        
        "C:\Windows\system32\Sys32\ICXH.exe"
        148⤵
        
        PID:7508
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        147⤵
        
        PID:5408
        
        C:\Windows\SysWOW64\csmm.exe
        
        C:\Windows\system32\csmm.exe
        148⤵
        
        PID:4900
        
        C:\Windows\SysWOW64\csmm.exe
        
        C:\Windows\system32\csmm.exe
        149⤵
        
        PID:6132
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        147⤵
        
        PID:5180
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        148⤵
        
        PID:5260
        
        C:\Windows\SysWOW64\Sys32\ICXH.exe
        
        "C:\Windows\system32\Sys32\ICXH.exe"
        149⤵
        
        PID:6820
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        148⤵
        
        PID:5548
        
        C:\Windows\SysWOW64\csmm.exe
        
        C:\Windows\system32\csmm.exe
        149⤵
        
        PID:5540
        
        C:\Windows\SysWOW64\csmm.exe
        
        C:\Windows\system32\csmm.exe
        150⤵
        
        PID:3508
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        148⤵
        
        PID:5748
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        149⤵
        
        PID:2496
        
        C:\Windows\SysWOW64\Sys32\ICXH.exe
        
        "C:\Windows\system32\Sys32\ICXH.exe"
        150⤵
        
        PID:2476
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        149⤵
        
        PID:5064
        
        C:\Windows\SysWOW64\csmm.exe
        
        C:\Windows\system32\csmm.exe
        150⤵
        
        PID:5492
        
        C:\Windows\SysWOW64\csmm.exe
        
        C:\Windows\system32\csmm.exe
        151⤵
        
        PID:5984
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        149⤵
        
        PID:5156
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        150⤵
        
        PID:3040
        
        C:\Windows\SysWOW64\Sys32\ICXH.exe
        
        "C:\Windows\system32\Sys32\ICXH.exe"
        151⤵
        
        PID:7552
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        150⤵
        
        PID:5632
        
        C:\Windows\SysWOW64\csmm.exe
        
        C:\Windows\system32\csmm.exe
        151⤵
        
        PID:5760
        
        C:\Windows\SysWOW64\csmm.exe
        
        C:\Windows\system32\csmm.exe
        152⤵
        
        PID:5780
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        150⤵
        
        PID:5816
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        151⤵
        
        PID:5700
        
        C:\Windows\SysWOW64\Sys32\ICXH.exe
        
        "C:\Windows\system32\Sys32\ICXH.exe"
        152⤵
        
        PID:5652
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        151⤵
        
        PID:2156
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        151⤵
        
        PID:5840
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        152⤵
        
        PID:6048
        
        C:\Windows\SysWOW64\Sys32\ICXH.exe
        
        "C:\Windows\system32\Sys32\ICXH.exe"
        153⤵
        
        PID:5112
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        152⤵
        
        PID:5996
        
        C:\Windows\SysWOW64\csmm.exe
        
        C:\Windows\system32\csmm.exe
        153⤵
        
        PID:5660
        
        C:\Windows\SysWOW64\csmm.exe
        
        C:\Windows\system32\csmm.exe
        154⤵
        
        PID:1060
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        152⤵
        
        PID:5140
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        153⤵
        
        PID:5952
        
        C:\Windows\SysWOW64\Sys32\ICXH.exe
        
        "C:\Windows\system32\Sys32\ICXH.exe"
        154⤵
        
        PID:6816
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        153⤵
        
        PID:6740
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        153⤵
        
        PID:6756
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        154⤵
        
        PID:7044
        
        C:\Windows\SysWOW64\Sys32\ICXH.exe
        
        "C:\Windows\system32\Sys32\ICXH.exe"
        155⤵
        
        PID:7800
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7800 -s 904
        156⤵
        Program crash
        
        PID:8004
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        154⤵
        
        PID:7156
        
        C:\Windows\SysWOW64\csmm.exe
        
        C:\Windows\system32\csmm.exe
        155⤵
        
        PID:7664
        
        C:\Windows\SysWOW64\csmm.exe
        
        C:\Windows\system32\csmm.exe
        156⤵
        
        PID:6452
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        154⤵
        
        PID:1616
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        155⤵
        
        PID:1780
        
        C:\Windows\SysWOW64\Sys32\ICXH.exe
        
        "C:\Windows\system32\Sys32\ICXH.exe"
        156⤵
        
        PID:6544
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        155⤵
        
        PID:3684
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        155⤵
        
        PID:876
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        156⤵
        
        PID:6184
        
        C:\Windows\SysWOW64\Sys32\ICXH.exe
        
        "C:\Windows\system32\Sys32\ICXH.exe"
        157⤵
        
        PID:6180
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        156⤵
        
        PID:5584
        
        C:\Windows\SysWOW64\csmm.exe
        
        C:\Windows\system32\csmm.exe
        157⤵
        
        PID:6924
        
        C:\Windows\SysWOW64\csmm.exe
        
        C:\Windows\system32\csmm.exe
        158⤵
        
        PID:7776
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        156⤵
        
        PID:6256
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        157⤵
        
        PID:3848
        
        C:\Windows\SysWOW64\Sys32\ICXH.exe
        
        "C:\Windows\system32\Sys32\ICXH.exe"
        158⤵
        
        PID:8276
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        157⤵
        
        PID:7528
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        157⤵
        
        PID:5888
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        158⤵
        
        PID:7196
        
        C:\Windows\SysWOW64\Sys32\ICXH.exe
        
        "C:\Windows\system32\Sys32\ICXH.exe"
        159⤵
        
        PID:6796
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        158⤵
        
        PID:7244
        
        C:\Windows\SysWOW64\csmm.exe
        
        C:\Windows\system32\csmm.exe
        159⤵
        
        PID:5372
        
        C:\Windows\SysWOW64\csmm.exe
        
        C:\Windows\system32\csmm.exe
        160⤵
        
        PID:6208
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        158⤵
        
        PID:6192
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        159⤵
        
        PID:7280
        
        C:\Windows\SysWOW64\Sys32\ICXH.exe
        
        "C:\Windows\system32\Sys32\ICXH.exe"
        160⤵
        
        PID:8304
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 8304 -s 912
        161⤵
        Program crash
        
        PID:7468
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 8304 -s 920
        161⤵
        Program crash
        
        PID:6684
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        159⤵
        
        PID:7428
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        159⤵
        
        PID:5488
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        160⤵
        
        PID:1208
        
        C:\Windows\SysWOW64\Sys32\ICXH.exe
        
        "C:\Windows\system32\Sys32\ICXH.exe"
        161⤵
        
        PID:5012
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        160⤵
        
        PID:6672
        
        C:\Windows\SysWOW64\csmm.exe
        
        C:\Windows\system32\csmm.exe
        161⤵
        
        PID:7172
        
        C:\Windows\SysWOW64\csmm.exe
        
        C:\Windows\system32\csmm.exe
        162⤵
        
        PID:7228
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        160⤵
        
        PID:9160
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        161⤵
        
        PID:6564
        
        C:\Windows\SysWOW64\Sys32\ICXH.exe
        
        "C:\Windows\system32\Sys32\ICXH.exe"
        162⤵
        
        PID:6140
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        161⤵
        
        PID:8264
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        161⤵
        
        PID:1596
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        162⤵
        
        PID:5992
        
        C:\Windows\SysWOW64\Sys32\ICXH.exe
        
        "C:\Windows\system32\Sys32\ICXH.exe"
        163⤵
        
        PID:8212
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        162⤵
        
        PID:7836
        
        C:\Windows\SysWOW64\csmm.exe
        
        C:\Windows\system32\csmm.exe
        163⤵
        
        PID:5420
        
        C:\Windows\SysWOW64\csmm.exe
        
        C:\Windows\system32\csmm.exe
        164⤵
        
        PID:9144
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        162⤵
        
        PID:5852
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        163⤵
        
        PID:6040
        
        C:\Windows\SysWOW64\Sys32\ICXH.exe
        
        "C:\Windows\system32\Sys32\ICXH.exe"
        164⤵
        
        PID:8196
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        163⤵
        
        PID:8180
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        163⤵
        
        PID:8296
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        164⤵
        
        PID:4008
        
        C:\Windows\SysWOW64\Sys32\ICXH.exe
        
        "C:\Windows\system32\Sys32\ICXH.exe"
        165⤵
        
        PID:8620
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        164⤵
        
        PID:6704
        
        C:\Windows\SysWOW64\csmm.exe
        
        C:\Windows\system32\csmm.exe
        165⤵
        
        PID:5504
        
        C:\Windows\SysWOW64\csmm.exe
        
        C:\Windows\system32\csmm.exe
        166⤵
        
        PID:8204
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        164⤵
        
        PID:6628
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        165⤵
        
        PID:2356
        
        C:\Windows\SysWOW64\Sys32\ICXH.exe
        
        "C:\Windows\system32\Sys32\ICXH.exe"
        166⤵
        
        PID:8576
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        165⤵
        
        PID:6080
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        165⤵
        
        PID:8900
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        166⤵
        
        PID:6528
        
        C:\Windows\SysWOW64\Sys32\ICXH.exe
        
        "C:\Windows\system32\Sys32\ICXH.exe"
        167⤵
        
        PID:5220
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5220 -s 796
        168⤵
        Program crash
        
        PID:5476
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5220 -s 796
        168⤵
        Program crash
        
        PID:8052
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        166⤵
        
        PID:7004
        
        C:\Windows\SysWOW64\csmm.exe
        
        C:\Windows\system32\csmm.exe
        167⤵
        
        PID:1320
        
        C:\Windows\SysWOW64\csmm.exe
        
        C:\Windows\system32\csmm.exe
        168⤵
        
        PID:1524
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        166⤵
        
        PID:1080
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        167⤵
        
        PID:8028
        
        C:\Windows\SysWOW64\Sys32\ICXH.exe
        
        "C:\Windows\system32\Sys32\ICXH.exe"
        168⤵
        
        PID:5128
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        167⤵
        
        PID:7804
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        167⤵
        
        PID:4196
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        168⤵
        
        PID:1804
        
        C:\Windows\SysWOW64\Sys32\ICXH.exe
        
        "C:\Windows\system32\Sys32\ICXH.exe"
        169⤵
        
        PID:7616
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        168⤵
        
        PID:7316
        
        C:\Windows\SysWOW64\csmm.exe
        
        C:\Windows\system32\csmm.exe
        169⤵
        
        PID:7764
        
        C:\Windows\SysWOW64\csmm.exe
        
        C:\Windows\system32\csmm.exe
        170⤵
        
        PID:6268
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        168⤵
        
        PID:7956
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        169⤵
        
        PID:8628
        
        C:\Windows\SysWOW64\Sys32\ICXH.exe
        
        "C:\Windows\system32\Sys32\ICXH.exe"
        170⤵
        
        PID:9048
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        169⤵
        
        PID:3320
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        169⤵
        
        PID:5280
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        170⤵
        
        PID:5672
        
        C:\Windows\SysWOW64\Sys32\ICXH.exe
        
        "C:\Windows\system32\Sys32\ICXH.exe"
        171⤵
        
        PID:2832
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        170⤵
        
        PID:8584
        
        C:\Windows\SysWOW64\csmm.exe
        
        C:\Windows\system32\csmm.exe
        171⤵
        
        PID:1180
        
        C:\Windows\SysWOW64\csmm.exe
        
        C:\Windows\system32\csmm.exe
        172⤵
        
        PID:8932
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        170⤵
        
        PID:8328
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        171⤵
        
        PID:4304
        
        C:\Windows\SysWOW64\Sys32\ICXH.exe
        
        "C:\Windows\system32\Sys32\ICXH.exe"
        172⤵
        
        PID:3728
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        171⤵
        
        PID:8484
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        171⤵
        
        PID:4452
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        172⤵
        
        PID:7740
        
        C:\Windows\SysWOW64\Sys32\ICXH.exe
        
        "C:\Windows\system32\Sys32\ICXH.exe"
        173⤵
        
        PID:4048
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        172⤵
        
        PID:9104
        
        C:\Windows\SysWOW64\csmm.exe
        
        C:\Windows\system32\csmm.exe
        173⤵
        
        PID:7104
        
        C:\Windows\SysWOW64\csmm.exe
        
        C:\Windows\system32\csmm.exe
        174⤵
        
        PID:6576
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        172⤵
        
        PID:4668
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        173⤵
        
        PID:7120
        
        C:\Windows\SysWOW64\Sys32\ICXH.exe
        
        "C:\Windows\system32\Sys32\ICXH.exe"
        174⤵
        
        PID:812
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        173⤵
        
        PID:7084
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        173⤵
        
        PID:9000
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        174⤵
        
        PID:5328
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        174⤵
        
        PID:5360
        
        C:\Windows\SysWOW64\csmm.exe
        
        C:\Windows\system32\csmm.exe
        175⤵
        
        PID:5320
        
        C:\Windows\SysWOW64\csmm.exe
        
        C:\Windows\system32\csmm.exe
        176⤵
        
        PID:5908
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        174⤵
        
        PID:8492
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        175⤵
        
        PID:8656
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        175⤵
        
        PID:9152
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        175⤵
        
        PID:7568
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        176⤵
        
        PID:6372
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        176⤵
        
        PID:7656
        
        C:\Windows\SysWOW64\csmm.exe
        
        C:\Windows\system32\csmm.exe
        177⤵
        
        PID:5416
        
        C:\Windows\SysWOW64\csmm.exe
        
        C:\Windows\system32\csmm.exe
        178⤵
        
        PID:5164
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        176⤵
        
        PID:7588
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        177⤵
        
        PID:7180
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        177⤵
        
        PID:6032
        
        C:\Windows\SysWOW64\csmm.exe
        
        C:\Windows\system32\csmm.exe
        178⤵
        
        PID:9208
        
        C:\Windows\SysWOW64\csmm.exe
        
        C:\Windows\system32\csmm.exe
        179⤵
        
        PID:7076
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        177⤵
        
        PID:5064
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        178⤵
        
        PID:7472
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        178⤵
        
        PID:9012
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        178⤵
        
        PID:7068
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        179⤵
        
        PID:9168
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        179⤵
        
        PID:2528
        
        C:\Windows\SysWOW64\csmm.exe
        
        C:\Windows\system32\csmm.exe
        180⤵
        
        PID:6764
        
        C:\Windows\SysWOW64\csmm.exe
        
        C:\Windows\system32\csmm.exe
        181⤵
        
        PID:9196
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        179⤵
        
        PID:7124
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        180⤵
        
        PID:7000
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        180⤵
        
        PID:3092
        
        C:\Windows\SysWOW64\csmm.exe
        
        C:\Windows\system32\csmm.exe
        181⤵
        
        PID:9088
        
        C:\Windows\SysWOW64\csmm.exe
        
        C:\Windows\system32\csmm.exe
        182⤵
        
        PID:7420
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        180⤵
        
        PID:2772
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        181⤵
        
        PID:2928
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        181⤵
        
        PID:5600
        
        C:\Windows\SysWOW64\csmm.exe
        
        C:\Windows\system32\csmm.exe
        182⤵
        
        PID:2320
        
        C:\Windows\SysWOW64\csmm.exe
        
        C:\Windows\system32\csmm.exe
        183⤵
        
        PID:6920
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        181⤵
        
        PID:7796
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        182⤵
        
        PID:1616
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        182⤵
        
        PID:7020
        
        C:\Windows\SysWOW64\csmm.exe
        
        C:\Windows\system32\csmm.exe
        183⤵
        
        PID:3568
        
        C:\Windows\SysWOW64\csmm.exe
        
        C:\Windows\system32\csmm.exe
        184⤵
        
        PID:7892
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        182⤵
        
        PID:6932
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        183⤵
        
        PID:9024
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        183⤵
        
        PID:6244
        
        C:\Windows\SysWOW64\csmm.exe
        
        C:\Windows\system32\csmm.exe
        184⤵
        
        PID:9120
        
        C:\Windows\SysWOW64\csmm.exe
        
        C:\Windows\system32\csmm.exe
        185⤵
        
        PID:4888
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        183⤵
        
        PID:8
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        184⤵
        
        PID:3312
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        184⤵
        
        PID:5936
        
        C:\Windows\SysWOW64\csmm.exe
        
        C:\Windows\system32\csmm.exe
        185⤵
        
        PID:7924
        
        C:\Windows\SysWOW64\csmm.exe
        
        C:\Windows\system32\csmm.exe
        186⤵
        
        PID:8244
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        184⤵
        
        PID:676
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        185⤵
        
        PID:7776
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        185⤵
        
        PID:5584
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        185⤵
        
        PID:6804
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        186⤵
        
        PID:7516
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        186⤵
        
        PID:4568
        
        C:\Windows\SysWOW64\csmm.exe
        
        C:\Windows\system32\csmm.exe
        187⤵
        
        PID:6236
        
        C:\Windows\SysWOW64\csmm.exe
        
        C:\Windows\system32\csmm.exe
        188⤵
        
        PID:9084
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        186⤵
        
        PID:4768
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        187⤵
        
        PID:6220
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        187⤵
        
        PID:6912
        
        C:\Windows\SysWOW64\csmm.exe
        
        C:\Windows\system32\csmm.exe
        188⤵
        
        PID:5444
        
        C:\Windows\SysWOW64\csmm.exe
        
        C:\Windows\system32\csmm.exe
        189⤵
        
        PID:7624
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        187⤵
        
        PID:1380
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        188⤵
        
        PID:8076
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        188⤵
        
        PID:6540
        
        C:\Windows\SysWOW64\csmm.exe
        
        C:\Windows\system32\csmm.exe
        189⤵
        
        PID:8140
        
        C:\Windows\SysWOW64\csmm.exe
        
        C:\Windows\system32\csmm.exe
        190⤵
        
        PID:7444
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        188⤵
        
        PID:6832
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        189⤵
        
        PID:2600
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        189⤵
        
        PID:1956
        
        C:\Windows\SysWOW64\csmm.exe
        
        C:\Windows\system32\csmm.exe
        190⤵
        
        PID:9204
        
        C:\Windows\SysWOW64\csmm.exe
        
        C:\Windows\system32\csmm.exe
        191⤵
        
        PID:7176
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        189⤵
        
        PID:8284
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        190⤵
        
        PID:2052
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        190⤵
        
        PID:8392
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        190⤵
        
        PID:9160
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        191⤵
        
        PID:6672
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        191⤵
        
        PID:5732
        
        C:\Windows\SysWOW64\csmm.exe
        
        C:\Windows\system32\csmm.exe
        192⤵
        
        PID:7040
        
        C:\Windows\SysWOW64\csmm.exe
        
        C:\Windows\system32\csmm.exe
        193⤵
        
        PID:5684
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        191⤵
        
        PID:6588
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        192⤵
        
        PID:1596
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        192⤵
        
        PID:3936
        
        C:\Windows\SysWOW64\csmm.exe
        
        C:\Windows\system32\csmm.exe
        193⤵
        
        PID:6716
        
        C:\Windows\SysWOW64\csmm.exe
        
        C:\Windows\system32\csmm.exe
        194⤵
        
        PID:6004
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        192⤵
        
        PID:1312
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        193⤵
        
        PID:5860
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        193⤵
        
        PID:388
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        193⤵
        
        PID:3624
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        194⤵
        
        PID:5844
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        194⤵
        
        PID:6908
        
        C:\Windows\SysWOW64\csmm.exe
        
        C:\Windows\system32\csmm.exe
        195⤵
        
        PID:8212
        
        C:\Windows\SysWOW64\csmm.exe
        
        C:\Windows\system32\csmm.exe
        196⤵
        
        PID:6224
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        194⤵
        
        PID:7260
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        195⤵
        
        PID:8296
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        195⤵
        
        PID:5124
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        195⤵
        
        PID:8436
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        196⤵
        
        PID:8164
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        196⤵
        
        PID:8096
        
        C:\Windows\SysWOW64\csmm.exe
        
        C:\Windows\system32\csmm.exe
        197⤵
        
        PID:8460
        
        C:\Windows\SysWOW64\csmm.exe
        
        C:\Windows\system32\csmm.exe
        198⤵
        
        PID:6512
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        196⤵
        
        PID:5308
        
        C:\Users\Admin\AppData\Local\Temp\Install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        197⤵
        
        PID:1204
        
        C:\Users\Admin\AppData\Local\Temp\Unlocker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"
        197⤵
        
        PID:6312
        
        C:\Windows\SysWOW64\csmm.exe
        
        C:\Windows\system32\csmm.exe
        198⤵
        
        PID:6492
        
        C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
        197⤵
        
        PID:6704

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4312 -ip 4312
1⤵
PID:3336

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4312 -ip 4312
1⤵
PID:1668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1152 -ip 1152
1⤵
PID:2780

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1120 -ip 1120
1⤵
PID:2816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1120 -ip 1120
1⤵
PID:664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3164 -ip 3164
1⤵
PID:5072

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 3164 -ip 3164
1⤵
PID:1532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 868 -ip 868
1⤵
PID:2480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 868 -ip 868
1⤵
PID:1056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 7800 -ip 7800
1⤵
PID:9056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 8304 -ip 8304
1⤵
PID:8064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 8304 -ip 8304
1⤵
PID:6376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 5220 -ip 5220
1⤵
PID:5464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 5220 -ip 5220
1⤵
PID:8312

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\@6987.tmp

Filesize
4KB

MD5
33303ca8abef9221cb410b8a232e9fe4

SHA1
0cdfc25dbf0e9ad7d4585cd9037dc2e6604be00c

SHA256
5110301dee966f0f26307ab1b430279d1e4999c2c4a0ea924ff32f1a9ded869a

SHA512
da29821045773ba776def985966b62e09e69bb5bf1786b16c2fff6feb68a03b9e22c5f7d081e3dd58d1785cd7ac64736497c043b7cf6c7149c3a54f8ef111800

Download Submit
C:\Users\Admin\AppData\Local\Temp\@6D22.tmp

Filesize
883KB

MD5
ab82ed64c95b3f60dbaa8f8b7c99e493

SHA1
a6c714238ba136210b08266370b5ebb685e25bd1

SHA256
2f2e41bcf7a3b90c3336fef27d226d10ae32410a943794f694ca583554b1e360

SHA512
91fa7fa2c7211a3357700e8749e5ea5ddd06a364d7c6b63047fb126ff71bc07b8bb674c289b09c926b0b2c609b4410c15acdfd548e0db0e54659312375041394

Download Submit
C:\Users\Admin\AppData\Local\Temp\Install.exe

Filesize
480KB

MD5
e33368d0f5f45a64d7252595ae31e62a

SHA1
0bc7d95bb41f6f53afca4ceb8eaf8adbde5bccda

SHA256
069f18745b07b06046157fd68c3eefc1edda9c29a7f078b594cf102f51b6168c

SHA512
5f7596ecc4b9e35844909cf7843e7838e7cc7e97310215c8ae30c16568f26ec058a7419144a7b0cfdb712009372b846662a098a38f01f21d8e469824662eaaab

Download Submit
C:\Users\Admin\AppData\Local\Temp\Unlocker.exe

Filesize
41KB

MD5
460f39e8eace24e8b454a11ab8c12f04

SHA1
b8e3d1a34dba0b79a943e3337d62354c4d5745b0

SHA256
80c7be9f2c88b5609d4784af951b470c9fcbaa1f665ac364d2040181fa2b2eae

SHA512
d485dd360cac57c6b02d7ff99d2768be4f43d7433c053e073d74121a86ba6805712d3a187963bb8aea048dddde233c84091f68283e8fb22dbd281869c01be23f

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup_akl.exe

Filesize
1.4MB

MD5
5e7c6347cf2b6f288aa9df498b2c59fd

SHA1
5cd660eab61c5ab020f860f1f93b6c81ad1c9b03

SHA256
1be6fa8e86cd73eae85bf4d687ff83750d6373b40927f5b033bd36ff2338cd6b

SHA512
f189a4cbb58ddc888b2446ab1db26a93330548d83365236df24aa015f1d00411850e33add0d9498d8fea9b38d29db7c1b0ced727132c5ea2c6553b896940d013

Download Submit
C:\Windows\SysWOW64\Sys32\AKV.exe

Filesize
391KB

MD5
869461e168a87283a8782e70f5d5a3a8

SHA1
ab189b5f2682ae66162226b4f646b1e80486c653

SHA256
992cb5ea845b2d24c02f4e40873bf4ebd7b58b57ae2e001907228af4879e575b

SHA512
e4e77e07eb0ef2adb6d5ebdb9629f4632c417cf3d1a22e4c414b806bfbd259df13f6c88265f9346ed2b22bf67eb3d63924d86767c8508be4abdc9067f15a82ae

Download Submit
C:\Windows\SysWOW64\Sys32\ICXH.001

Filesize
392B

MD5
868deb7dab6539d8b3c540eadeb43b7d

SHA1
bb5488cad80269de199a1151115bd2e768a5bc60

SHA256
3efeeb8fd45cdf87c21c1f71805b36be0ccc2a08ae94e339a91a72dc5bd5a22e

SHA512
04ae38e942b0c8d82291925364a82f26c2ca738d3745871d8d98a1f52909aa2537f7fc49c291731d3b38e9d762d22f89f20c61634754ce978cdbfbe8e20cad18

Download Submit
C:\Windows\SysWOW64\Sys32\ICXH.006

Filesize
7KB

MD5
928cc65dc793834c709a054ca57c19c8

SHA1
a1e5d8407199c1bd6a4b274044de640fe0d9e99b

SHA256
e3473d81a02ed30e4236591384136f41f17b6a4aae24b5468789644ccd4bf192

SHA512
f7c8f7a75c4f8a418630e2ac15676740a902449d9a3c4baf3184409f8701c9caa3e82304d141362d95503f1af6b693eed7b77f690d92ca0162f7ea3ecbc80fdf

Download Submit
C:\Windows\SysWOW64\Sys32\ICXH.007

Filesize
5KB

MD5
3e1f5d5a06cf97b0495b8d129fbe02e4

SHA1
b0de258a813f5edde85004f6865b6ed91f6d6f8f

SHA256
f49448fc7c567e64eaeb9cc4dbd3c8021a82b5d9df0a622a439f7b42dc2f26d7

SHA512
b0e0b81cb5776d298e96346aa61027c9799a47191c94de50be2209c32747774959d002ddeb98fd15556ee893b0d7bd1f0c8a901469dce4e3acf94e2c4c3e2bfd

Download Submit
C:\Windows\SysWOW64\Sys32\ICXH.exe

Filesize
476KB

MD5
ef52b540cb404d908338e9cbf7cff283

SHA1
778765e1736c0a197685978c3fee7a44e7bde419

SHA256
39d8bdb975fbfcbcec8fe63be4e9fe6ce39ae5d23a005118aeffa07b17a3f815

SHA512
596b77bf5b15455c326a5a2efd66bc69685eb625e3e211ea0341ad4d8920ada7618a7107e42f2c0963fe6c2d92f2acf47b641ef33071a7c42004e5874d5219a6

Download Submit
C:\Windows\SysWOW64\csmm.exe

Filesize
41KB

MD5
db78fc437ec12cf858aee485e92a2988

SHA1
f2641c87ebfa1dd3bb137b3010f9d3e5e8f7f028

SHA256
709ca0c2fec64cb2ac5edd43622e673039fea2ce23591d9a4b00350acb42eff1

SHA512
f7917e65017ac77fe9195427bff0c2529e6bf2c48b0176771d82c7d1dbe0dbb2856c8f09f46d7670efb989fa72686485b352a60243798ef7510bfcdeb74b1184

Download Submit
memory/404-375-0x0000000000400000-0x000000000058C000-memory.dmp

Filesize
1.5MB

Download
memory/404-396-0x0000000000400000-0x000000000058C000-memory.dmp

Filesize
1.5MB

Download
memory/412-646-0x0000000000400000-0x000000000058C000-memory.dmp

Filesize
1.5MB

Download
memory/412-636-0x0000000000400000-0x000000000058C000-memory.dmp

Filesize
1.5MB

Download
memory/628-356-0x0000000000400000-0x000000000058C000-memory.dmp

Filesize
1.5MB

Download
memory/628-335-0x0000000000400000-0x000000000058C000-memory.dmp

Filesize
1.5MB

Download
memory/1168-681-0x0000000000400000-0x000000000058C000-memory.dmp

Filesize
1.5MB

Download
memory/1212-604-0x0000000000400000-0x000000000058C000-memory.dmp

Filesize
1.5MB

Download
memory/1212-617-0x0000000000400000-0x000000000058C000-memory.dmp

Filesize
1.5MB

Download
memory/1300-744-0x0000000000400000-0x000000000058C000-memory.dmp

Filesize
1.5MB

Download
memory/1300-731-0x0000000000400000-0x000000000058C000-memory.dmp

Filesize
1.5MB

Download
memory/1448-682-0x0000000000400000-0x000000000058C000-memory.dmp

Filesize
1.5MB

Download
memory/1448-690-0x0000000000400000-0x000000000058C000-memory.dmp

Filesize
1.5MB

Download
memory/1468-426-0x0000000000400000-0x000000000058C000-memory.dmp

Filesize
1.5MB

Download
memory/1488-500-0x0000000000400000-0x000000000058C000-memory.dmp

Filesize
1.5MB

Download
memory/1488-520-0x0000000000400000-0x000000000058C000-memory.dmp

Filesize
1.5MB

Download
memory/1780-647-0x0000000000400000-0x000000000058C000-memory.dmp

Filesize
1.5MB

Download
memory/1780-660-0x0000000000400000-0x000000000058C000-memory.dmp

Filesize
1.5MB

Download
memory/1832-364-0x0000000000400000-0x000000000058C000-memory.dmp

Filesize
1.5MB

Download
memory/1832-354-0x0000000000400000-0x000000000058C000-memory.dmp

Filesize
1.5MB

Download
memory/1892-661-0x0000000000400000-0x000000000058C000-memory.dmp

Filesize
1.5MB

Download
memory/1892-668-0x0000000000400000-0x000000000058C000-memory.dmp

Filesize
1.5MB

Download
memory/1904-117-0x0000000000400000-0x000000000058C000-memory.dmp

Filesize
1.5MB

Download
memory/1904-98-0x0000000000400000-0x000000000058C000-memory.dmp

Filesize
1.5MB

Download
memory/2120-757-0x0000000000400000-0x000000000058C000-memory.dmp

Filesize
1.5MB

Download
memory/2120-572-0x0000000000400000-0x000000000058C000-memory.dmp

Filesize
1.5MB

Download
memory/2120-555-0x0000000000400000-0x000000000058C000-memory.dmp

Filesize
1.5MB

Download
memory/2128-213-0x0000000000400000-0x000000000058C000-memory.dmp

Filesize
1.5MB

Download
memory/2128-181-0x0000000000400000-0x000000000058C000-memory.dmp

Filesize
1.5MB

Download
memory/2396-243-0x0000000000400000-0x000000000058C000-memory.dmp

Filesize
1.5MB

Download
memory/2396-223-0x0000000000400000-0x000000000058C000-memory.dmp

Filesize
1.5MB

Download
memory/2412-114-0x0000000000400000-0x000000000058C000-memory.dmp

Filesize
1.5MB

Download
memory/2412-138-0x0000000000400000-0x000000000058C000-memory.dmp

Filesize
1.5MB

Download
memory/2420-521-0x0000000000400000-0x000000000058C000-memory.dmp

Filesize
1.5MB

Download
memory/2420-543-0x0000000000400000-0x000000000058C000-memory.dmp

Filesize
1.5MB

Download
memory/2476-764-0x0000000000400000-0x000000000058C000-memory.dmp

Filesize
1.5MB

Download
memory/2536-412-0x0000000000400000-0x000000000058C000-memory.dmp

Filesize
1.5MB

Download
memory/2536-428-0x0000000000400000-0x000000000058C000-memory.dmp

Filesize
1.5MB

Download
memory/2572-137-0x0000000000400000-0x000000000058C000-memory.dmp

Filesize
1.5MB

Download
memory/2572-156-0x0000000000400000-0x000000000058C000-memory.dmp

Filesize
1.5MB

Download
memory/2612-576-0x0000000000400000-0x000000000058C000-memory.dmp

Filesize
1.5MB

Download
memory/2612-570-0x0000000000400000-0x000000000058C000-memory.dmp

Filesize
1.5MB

Download
memory/2656-580-0x0000000000400000-0x000000000058C000-memory.dmp

Filesize
1.5MB

Download
memory/2656-606-0x0000000000400000-0x000000000058C000-memory.dmp

Filesize
1.5MB

Download
memory/2712-100-0x0000000000400000-0x000000000058C000-memory.dmp

Filesize
1.5MB

Download
memory/2712-73-0x0000000000400000-0x000000000058C000-memory.dmp

Filesize
1.5MB

Download
memory/2816-257-0x0000000000400000-0x000000000058C000-memory.dmp

Filesize
1.5MB

Download
memory/2904-484-0x0000000000400000-0x000000000058C000-memory.dmp

Filesize
1.5MB

Download
memory/2904-474-0x0000000000400000-0x000000000058C000-memory.dmp

Filesize
1.5MB

Download
memory/2904-284-0x0000000000400000-0x000000000058C000-memory.dmp

Filesize
1.5MB

Download
memory/2904-271-0x0000000000400000-0x000000000058C000-memory.dmp

Filesize
1.5MB

Download
memory/2976-711-0x0000000000400000-0x000000000058C000-memory.dmp

Filesize
1.5MB

Download
memory/2976-702-0x0000000000400000-0x000000000058C000-memory.dmp

Filesize
1.5MB

Download
memory/3128-615-0x0000000000400000-0x000000000058C000-memory.dmp

Filesize
1.5MB

Download
memory/3128-638-0x0000000000400000-0x000000000058C000-memory.dmp

Filesize
1.5MB

Download
memory/3164-779-0x0000000000400000-0x000000000058C000-memory.dmp

Filesize
1.5MB

Download
memory/3164-795-0x0000000000400000-0x000000000058C000-memory.dmp

Filesize
1.5MB

Download
memory/3208-272-0x0000000000400000-0x000000000058C000-memory.dmp

Filesize
1.5MB

Download
memory/3208-253-0x0000000000400000-0x000000000058C000-memory.dmp

Filesize
1.5MB

Download
memory/3332-554-0x0000000000400000-0x000000000058C000-memory.dmp

Filesize
1.5MB

Download
memory/3332-542-0x0000000000400000-0x000000000058C000-memory.dmp

Filesize
1.5MB

Download
memory/3456-505-0x0000000000400000-0x000000000058C000-memory.dmp

Filesize
1.5MB

Download
memory/3488-730-0x0000000000400000-0x000000000058C000-memory.dmp

Filesize
1.5MB

Download
memory/3580-860-0x0000000000400000-0x000000000058C000-memory.dmp

Filesize
1.5MB

Download
memory/3680-459-0x0000000000400000-0x000000000058C000-memory.dmp

Filesize
1.5MB

Download
memory/3680-449-0x0000000000400000-0x000000000058C000-memory.dmp

Filesize
1.5MB

Download
memory/3708-227-0x0000000000400000-0x000000000058C000-memory.dmp

Filesize
1.5MB

Download
memory/3708-211-0x0000000000400000-0x000000000058C000-memory.dmp

Filesize
1.5MB

Download
memory/3852-799-0x0000000000400000-0x000000000058C000-memory.dmp

Filesize
1.5MB

Download
memory/3852-724-0x0000000000400000-0x000000000058C000-memory.dmp

Filesize
1.5MB

Download
memory/3852-814-0x0000000000400000-0x000000000058C000-memory.dmp

Filesize
1.5MB

Download
memory/3864-75-0x0000000000400000-0x000000000058C000-memory.dmp

Filesize
1.5MB

Download
memory/3864-34-0x0000000000400000-0x000000000058C000-memory.dmp

Filesize
1.5MB

Download
memory/3864-969-0x0000000000400000-0x000000000058C000-memory.dmp

Filesize
1.5MB

Download
memory/4180-37-0x0000000000400000-0x0000000000606000-memory.dmp

Filesize
2.0MB

Download
memory/4180-0-0x0000000000400000-0x0000000000606000-memory.dmp

Filesize
2.0MB

Download
memory/4324-790-0x0000000000400000-0x000000000058C000-memory.dmp

Filesize
1.5MB

Download
memory/4504-688-0x0000000000400000-0x000000000058C000-memory.dmp

Filesize
1.5MB

Download
memory/4504-704-0x0000000000400000-0x000000000058C000-memory.dmp

Filesize
1.5MB

Download
memory/4528-285-0x0000000000400000-0x000000000058C000-memory.dmp

Filesize
1.5MB

Download
memory/4528-308-0x0000000000400000-0x000000000058C000-memory.dmp

Filesize
1.5MB

Download
memory/4536-321-0x0000000000400000-0x000000000058C000-memory.dmp

Filesize
1.5MB

Download
memory/4536-306-0x0000000000400000-0x000000000058C000-memory.dmp

Filesize
1.5MB

Download
memory/4576-812-0x0000000000400000-0x000000000058C000-memory.dmp

Filesize
1.5MB

Download
memory/4576-821-0x0000000000400000-0x000000000058C000-memory.dmp

Filesize
1.5MB

Download
memory/4716-393-0x0000000000400000-0x000000000058C000-memory.dmp

Filesize
1.5MB

Download
memory/4716-414-0x0000000000400000-0x000000000058C000-memory.dmp

Filesize
1.5MB

Download
memory/4724-190-0x0000000000400000-0x000000000058C000-memory.dmp

Filesize
1.5MB

Download
memory/4780-479-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4780-374-0x0000000000400000-0x000000000058C000-memory.dmp

Filesize
1.5MB

Download
memory/4804-322-0x0000000000400000-0x000000000058C000-memory.dmp

Filesize
1.5MB

Download
memory/4804-338-0x0000000000400000-0x000000000058C000-memory.dmp

Filesize
1.5MB

Download
memory/4812-836-0x0000000000400000-0x000000000058C000-memory.dmp

Filesize
1.5MB

Download
memory/4812-849-0x0000000000400000-0x000000000058C000-memory.dmp

Filesize
1.5MB

Download
memory/4932-822-0x0000000000400000-0x000000000058C000-memory.dmp

Filesize
1.5MB

Download
memory/4932-835-0x0000000000400000-0x000000000058C000-memory.dmp

Filesize
1.5MB

Download
memory/5012-457-0x0000000000400000-0x000000000058C000-memory.dmp

Filesize
1.5MB

Download
memory/5012-478-0x0000000000400000-0x000000000058C000-memory.dmp

Filesize
1.5MB

Download
memory/5100-778-0x0000000000400000-0x000000000058C000-memory.dmp

Filesize
1.5MB

Download
memory/5100-767-0x0000000000400000-0x000000000058C000-memory.dmp

Filesize
1.5MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads