hawkeye | a524b24270992d676b525fe1b717ceffa34cf0653c9984024198f5da44e952ee

Analysis

max time kernel
150s
max time network
107s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
31-08-2024 01:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cc04763f7fd3d1b969fbb27ac9e8fd9b_JaffaCakes118.exe
Size

99KB
MD5

cc04763f7fd3d1b969fbb27ac9e8fd9b
SHA1

84186e9ef9a714ba212aebd28e6f9e1f4d3abff0
SHA256

a524b24270992d676b525fe1b717ceffa34cf0653c9984024198f5da44e952ee
SHA512

be79f98a183c0769ad2211b5f6571d9430bf491d7e9db7dd59e78f5510cbc414d047a221f667230ae8464311dc6f6f946ce51f9078d93b365fa482499ba18a66
SSDEEP

3072:iljvybGUlB8/Pwx5AYAzGt5N1UcAjxd7:il+QxlzG1mr

Score

10^/10

hawkeye xtremerat discovery keylogger persistence ransomware rat spyware stealer trojan upx

Malware Config

Signatures

Detect XtremeRAT payload 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4528-28-0x0000000010000000-0x000000001004D000-memory.dmp	family_xtremerat
behavioral2/memory/4528-27-0x0000000010000000-0x000000001004D000-memory.dmp	family_xtremerat
behavioral2/memory/692-41-0x0000000010000000-0x000000001004D000-memory.dmp	family_xtremerat
behavioral2/memory/692-40-0x0000000010000000-0x000000001004D000-memory.dmp	family_xtremerat

HawkEye
HawkEye is a malware kit that has seen continuous development since at least 2013.
keylogger trojan stealer spyware hawkeye
XtremeRAT
The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.
persistence spyware rat xtremerat
Renames multiple (258) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

cc04763f7fd3d1b969fbb27ac9e8fd9b_JaffaCakes118.exeexplorer.exeaudiadg.exewmiapsvrd.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	cc04763f7fd3d1b969fbb27ac9e8fd9b_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	explorer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	audiadg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	wmiapsvrd.exe

Deletes itself 1 IoCs

Processes:

explorer.exe

pid process

3500 explorer.exe

Executes dropped EXE 64 IoCs

Processes:

explorer.exeexplorer.exeaudiadg.exewmiapsvrd.exewmiapsvrd.exeaudiadg.exeaudiadg.exeaudiadg.exeaudiadg.exeaudiadg.exeaudiadg.exeaudiadg.exeaudiadg.exeaudiadg.exeaudiadg.exeaudiadg.exeaudiadg.exeaudiadg.exeaudiadg.exeaudiadg.exeaudiadg.exeaudiadg.exeaudiadg.exeaudiadg.exeaudiadg.exeaudiadg.exeaudiadg.exeaudiadg.exeaudiadg.exeaudiadg.exeaudiadg.exeaudiadg.exeaudiadg.exeaudiadg.exeaudiadg.exeaudiadg.exeaudiadg.exeaudiadg.exeaudiadg.exeaudiadg.exeaudiadg.exeaudiadg.exeaudiadg.exeaudiadg.exeaudiadg.exeaudiadg.exeaudiadg.exeaudiadg.exeaudiadg.exeaudiadg.exeaudiadg.exeaudiadg.exeaudiadg.exeaudiadg.exeaudiadg.exeaudiadg.exeaudiadg.exeaudiadg.exeaudiadg.exeaudiadg.exeaudiadg.exeaudiadg.exeaudiadg.exeaudiadg.exe

pid	process
3500	explorer.exe
4528	explorer.exe
4908	audiadg.exe
400	wmiapsvrd.exe
692	wmiapsvrd.exe
732	audiadg.exe
364	audiadg.exe
1192	audiadg.exe
2012	audiadg.exe
4132	audiadg.exe
1440	audiadg.exe
1644	audiadg.exe
3608	audiadg.exe
3320	audiadg.exe
3784	audiadg.exe
1436	audiadg.exe
4264	audiadg.exe
1904	audiadg.exe
968	audiadg.exe
232	audiadg.exe
2188	audiadg.exe
4420	audiadg.exe
4336	audiadg.exe
652	audiadg.exe
3720	audiadg.exe
5088	audiadg.exe
1212	audiadg.exe
2988	audiadg.exe
1840	audiadg.exe
364	audiadg.exe
812	audiadg.exe
4016	audiadg.exe
3240	audiadg.exe
976	audiadg.exe
2328	audiadg.exe
1640	audiadg.exe
964	audiadg.exe
5104	audiadg.exe
3320	audiadg.exe
4160	audiadg.exe
5116	audiadg.exe
4084	audiadg.exe
4032	audiadg.exe
1964	audiadg.exe
4700	audiadg.exe
4388	audiadg.exe
2512	audiadg.exe
5092	audiadg.exe
3176	audiadg.exe
3088	audiadg.exe
3608	audiadg.exe
3172	audiadg.exe
2104	audiadg.exe
4684	audiadg.exe
1352	audiadg.exe
2904	audiadg.exe
2752	audiadg.exe
4192	audiadg.exe
1600	audiadg.exe
2648	audiadg.exe
2188	audiadg.exe
928	audiadg.exe
1188	audiadg.exe
2072	audiadg.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4528-23-0x0000000010000000-0x000000001004D000-memory.dmp	upx
behavioral2/memory/4528-26-0x0000000010000000-0x000000001004D000-memory.dmp	upx
behavioral2/memory/4528-28-0x0000000010000000-0x000000001004D000-memory.dmp	upx
behavioral2/memory/4528-27-0x0000000010000000-0x000000001004D000-memory.dmp	upx
behavioral2/memory/692-41-0x0000000010000000-0x000000001004D000-memory.dmp	upx
behavioral2/memory/692-40-0x0000000010000000-0x000000001004D000-memory.dmp	upx
behavioral2/memory/692-39-0x0000000010000000-0x000000001004D000-memory.dmp	upx

Suspicious use of SetThreadContext 2 IoCs

Processes:

explorer.exewmiapsvrd.exe

description	pid	process	target process
PID 3500 set thread context of 4528	3500	explorer.exe	explorer.exe
PID 400 set thread context of 692	400	wmiapsvrd.exe	wmiapsvrd.exe

Drops file in Windows directory 2 IoCs

Processes:

dw20.exedw20.exe

description	ioc	process
File created	C:\Windows\AppCompat\Programs\Amcache.hve.tmp	dw20.exe
File created	C:\Windows\AppCompat\Programs\Amcache.hve.tmp	dw20.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

audiadg.exedw20.exedw20.exeaudiadg.exeaudiadg.exeaudiadg.exedw20.exeaudiadg.exeaudiadg.exeaudiadg.exedw20.exeaudiadg.exedw20.exeaudiadg.exedw20.exeaudiadg.exedw20.exeaudiadg.exedw20.exeaudiadg.exedw20.exedw20.exedw20.exedw20.exeaudiadg.exedw20.exeaudiadg.exeaudiadg.exeaudiadg.exedw20.exeaudiadg.exedw20.exeaudiadg.exeaudiadg.exedw20.exedw20.exedw20.exeaudiadg.exedw20.exedw20.exedw20.exeaudiadg.exeaudiadg.exeaudiadg.exedw20.exeaudiadg.exeaudiadg.exeaudiadg.exeaudiadg.exedw20.exeaudiadg.exedw20.exedw20.exedw20.exedw20.exedw20.exedw20.exeaudiadg.exeaudiadg.exedw20.exeaudiadg.exeaudiadg.exedw20.exedw20.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	audiadg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dw20.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dw20.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	audiadg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	audiadg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	audiadg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dw20.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	audiadg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	audiadg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	audiadg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dw20.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	audiadg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dw20.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	audiadg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dw20.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	audiadg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dw20.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	audiadg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dw20.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	audiadg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dw20.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dw20.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dw20.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dw20.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	audiadg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dw20.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	audiadg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	audiadg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	audiadg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dw20.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	audiadg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dw20.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	audiadg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	audiadg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dw20.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dw20.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dw20.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	audiadg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dw20.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dw20.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dw20.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	audiadg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	audiadg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	audiadg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dw20.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	audiadg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	audiadg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	audiadg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	audiadg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dw20.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	audiadg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dw20.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dw20.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dw20.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dw20.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dw20.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dw20.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	audiadg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	audiadg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dw20.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	audiadg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	audiadg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dw20.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dw20.exe

Checks processor information in registry 2 TTPs 64 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

dw20.exedw20.exedw20.exedw20.exedw20.exedw20.exedw20.exedw20.exedw20.exedw20.exedw20.exedw20.exedw20.exedw20.exedw20.exedw20.exedw20.exedw20.exedw20.exedw20.exedw20.exedw20.exedw20.exedw20.exedw20.exedw20.exedw20.exedw20.exedw20.exedw20.exedw20.exedw20.exedw20.exedw20.exedw20.exedw20.exedw20.exedw20.exedw20.exedw20.exedw20.exedw20.exedw20.exedw20.exedw20.exedw20.exedw20.exedw20.exedw20.exedw20.exedw20.exedw20.exedw20.exedw20.exedw20.exedw20.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dw20.exe

Enumerates system info in registry 2 TTPs 64 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

explorer.exeaudiadg.exewmiapsvrd.exeaudiadg.exeaudiadg.exeaudiadg.exeaudiadg.exeaudiadg.exeaudiadg.exeaudiadg.exeaudiadg.exeaudiadg.exeaudiadg.exeaudiadg.exeaudiadg.exeaudiadg.exeaudiadg.exeaudiadg.exeaudiadg.exeaudiadg.exeaudiadg.exeaudiadg.exeaudiadg.exeaudiadg.exeaudiadg.exeaudiadg.exeaudiadg.exeaudiadg.exeaudiadg.exe

pid	process
3500	explorer.exe
4908	audiadg.exe
400	wmiapsvrd.exe
3500	explorer.exe
732	audiadg.exe
400	wmiapsvrd.exe
364	audiadg.exe
364	audiadg.exe
3500	explorer.exe
1192	audiadg.exe
1192	audiadg.exe
400	wmiapsvrd.exe
2012	audiadg.exe
2012	audiadg.exe
3500	explorer.exe
4132	audiadg.exe
400	wmiapsvrd.exe
1440	audiadg.exe
3500	explorer.exe
1644	audiadg.exe
400	wmiapsvrd.exe
3608	audiadg.exe
3500	explorer.exe
3320	audiadg.exe
400	wmiapsvrd.exe
3784	audiadg.exe
3500	explorer.exe
1436	audiadg.exe
400	wmiapsvrd.exe
4264	audiadg.exe
3500	explorer.exe
1904	audiadg.exe
1904	audiadg.exe
400	wmiapsvrd.exe
968	audiadg.exe
968	audiadg.exe
3500	explorer.exe
232	audiadg.exe
232	audiadg.exe
400	wmiapsvrd.exe
2188	audiadg.exe
2188	audiadg.exe
3500	explorer.exe
4420	audiadg.exe
400	wmiapsvrd.exe
4336	audiadg.exe
4336	audiadg.exe
3500	explorer.exe
652	audiadg.exe
400	wmiapsvrd.exe
3720	audiadg.exe
3500	explorer.exe
5088	audiadg.exe
400	wmiapsvrd.exe
3500	explorer.exe
1212	audiadg.exe
400	wmiapsvrd.exe
2988	audiadg.exe
3500	explorer.exe
1840	audiadg.exe
400	wmiapsvrd.exe
364	audiadg.exe
3500	explorer.exe
812	audiadg.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

explorer.exewmiapsvrd.exe

pid process

3500 explorer.exe
400 wmiapsvrd.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

cc04763f7fd3d1b969fbb27ac9e8fd9b_JaffaCakes118.exeexplorer.exeaudiadg.exedw20.exewmiapsvrd.exeaudiadg.exedw20.exeaudiadg.exedw20.exeaudiadg.exedw20.exeaudiadg.exedw20.exeaudiadg.exedw20.exeaudiadg.exedw20.exeaudiadg.exedw20.exeaudiadg.exedw20.exeaudiadg.exedw20.exeaudiadg.exedw20.exeaudiadg.exedw20.exeaudiadg.exedw20.exeaudiadg.exedw20.exeaudiadg.exedw20.exeaudiadg.exedw20.exeaudiadg.exedw20.exeaudiadg.exedw20.exeaudiadg.exedw20.exeaudiadg.exedw20.exe

description	pid	process
Token: SeDebugPrivilege	396	cc04763f7fd3d1b969fbb27ac9e8fd9b_JaffaCakes118.exe
Token: SeDebugPrivilege	3500	explorer.exe
Token: SeDebugPrivilege	4908	audiadg.exe
Token: SeRestorePrivilege	3268	dw20.exe
Token: SeBackupPrivilege	3268	dw20.exe
Token: SeBackupPrivilege	3268	dw20.exe
Token: SeBackupPrivilege	3268	dw20.exe
Token: SeDebugPrivilege	400	wmiapsvrd.exe
Token: SeDebugPrivilege	732	audiadg.exe
Token: SeBackupPrivilege	4196	dw20.exe
Token: SeBackupPrivilege	4196	dw20.exe
Token: SeDebugPrivilege	364	audiadg.exe
Token: SeBackupPrivilege	776	dw20.exe
Token: SeBackupPrivilege	776	dw20.exe
Token: SeDebugPrivilege	1192	audiadg.exe
Token: SeBackupPrivilege	4708	dw20.exe
Token: SeBackupPrivilege	4708	dw20.exe
Token: SeDebugPrivilege	2012	audiadg.exe
Token: SeBackupPrivilege	812	dw20.exe
Token: SeBackupPrivilege	812	dw20.exe
Token: SeDebugPrivilege	4132	audiadg.exe
Token: SeBackupPrivilege	3396	dw20.exe
Token: SeBackupPrivilege	3396	dw20.exe
Token: SeDebugPrivilege	1440	audiadg.exe
Token: SeBackupPrivilege	4440	dw20.exe
Token: SeBackupPrivilege	4440	dw20.exe
Token: SeDebugPrivilege	1644	audiadg.exe
Token: SeBackupPrivilege	2164	dw20.exe
Token: SeBackupPrivilege	2164	dw20.exe
Token: SeDebugPrivilege	3608	audiadg.exe
Token: SeBackupPrivilege	3248	dw20.exe
Token: SeBackupPrivilege	3248	dw20.exe
Token: SeDebugPrivilege	3320	audiadg.exe
Token: SeBackupPrivilege	4664	dw20.exe
Token: SeBackupPrivilege	4664	dw20.exe
Token: SeDebugPrivilege	3784	audiadg.exe
Token: SeBackupPrivilege	1488	dw20.exe
Token: SeBackupPrivilege	1488	dw20.exe
Token: SeDebugPrivilege	1436	audiadg.exe
Token: SeBackupPrivilege	4240	dw20.exe
Token: SeBackupPrivilege	4240	dw20.exe
Token: SeDebugPrivilege	4264	audiadg.exe
Token: SeBackupPrivilege	3252	dw20.exe
Token: SeBackupPrivilege	3252	dw20.exe
Token: SeDebugPrivilege	1904	audiadg.exe
Token: SeBackupPrivilege	4516	dw20.exe
Token: SeBackupPrivilege	4516	dw20.exe
Token: SeDebugPrivilege	968	audiadg.exe
Token: SeBackupPrivilege	2256	dw20.exe
Token: SeBackupPrivilege	2256	dw20.exe
Token: SeDebugPrivilege	232	audiadg.exe
Token: SeBackupPrivilege	3256	dw20.exe
Token: SeBackupPrivilege	3256	dw20.exe
Token: SeDebugPrivilege	2188	audiadg.exe
Token: SeBackupPrivilege	4424	dw20.exe
Token: SeBackupPrivilege	4424	dw20.exe
Token: SeDebugPrivilege	4420	audiadg.exe
Token: SeBackupPrivilege	2804	dw20.exe
Token: SeBackupPrivilege	2804	dw20.exe
Token: SeDebugPrivilege	4336	audiadg.exe
Token: SeBackupPrivilege	4640	dw20.exe
Token: SeBackupPrivilege	4640	dw20.exe
Token: SeDebugPrivilege	652	audiadg.exe
Token: SeBackupPrivilege	964	dw20.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cc04763f7fd3d1b969fbb27ac9e8fd9b_JaffaCakes118.exeexplorer.exeexplorer.exeaudiadg.exewmiapsvrd.exewmiapsvrd.exeaudiadg.exeaudiadg.exeaudiadg.exeaudiadg.exeaudiadg.exe

description	pid	process	target process
PID 396 wrote to memory of 3500	396	cc04763f7fd3d1b969fbb27ac9e8fd9b_JaffaCakes118.exe	explorer.exe
PID 396 wrote to memory of 3500	396	cc04763f7fd3d1b969fbb27ac9e8fd9b_JaffaCakes118.exe	explorer.exe
PID 396 wrote to memory of 3500	396	cc04763f7fd3d1b969fbb27ac9e8fd9b_JaffaCakes118.exe	explorer.exe
PID 3500 wrote to memory of 4528	3500	explorer.exe	explorer.exe
PID 3500 wrote to memory of 4528	3500	explorer.exe	explorer.exe
PID 3500 wrote to memory of 4528	3500	explorer.exe	explorer.exe
PID 3500 wrote to memory of 4528	3500	explorer.exe	explorer.exe
PID 3500 wrote to memory of 4528	3500	explorer.exe	explorer.exe
PID 3500 wrote to memory of 4528	3500	explorer.exe	explorer.exe
PID 3500 wrote to memory of 4528	3500	explorer.exe	explorer.exe
PID 3500 wrote to memory of 4528	3500	explorer.exe	explorer.exe
PID 4528 wrote to memory of 4660	4528	explorer.exe	msedge.exe
PID 4528 wrote to memory of 4660	4528	explorer.exe	msedge.exe
PID 4528 wrote to memory of 4660	4528	explorer.exe	msedge.exe
PID 3500 wrote to memory of 4908	3500	explorer.exe	audiadg.exe
PID 3500 wrote to memory of 4908	3500	explorer.exe	audiadg.exe
PID 3500 wrote to memory of 4908	3500	explorer.exe	audiadg.exe
PID 4908 wrote to memory of 3268	4908	audiadg.exe	dw20.exe
PID 4908 wrote to memory of 3268	4908	audiadg.exe	dw20.exe
PID 4908 wrote to memory of 3268	4908	audiadg.exe	dw20.exe
PID 4908 wrote to memory of 400	4908	audiadg.exe	wmiapsvrd.exe
PID 4908 wrote to memory of 400	4908	audiadg.exe	wmiapsvrd.exe
PID 4908 wrote to memory of 400	4908	audiadg.exe	wmiapsvrd.exe
PID 400 wrote to memory of 692	400	wmiapsvrd.exe	wmiapsvrd.exe
PID 400 wrote to memory of 692	400	wmiapsvrd.exe	wmiapsvrd.exe
PID 400 wrote to memory of 692	400	wmiapsvrd.exe	wmiapsvrd.exe
PID 400 wrote to memory of 692	400	wmiapsvrd.exe	wmiapsvrd.exe
PID 400 wrote to memory of 692	400	wmiapsvrd.exe	wmiapsvrd.exe
PID 400 wrote to memory of 692	400	wmiapsvrd.exe	wmiapsvrd.exe
PID 400 wrote to memory of 692	400	wmiapsvrd.exe	wmiapsvrd.exe
PID 400 wrote to memory of 692	400	wmiapsvrd.exe	wmiapsvrd.exe
PID 692 wrote to memory of 3144	692	wmiapsvrd.exe	msedge.exe
PID 692 wrote to memory of 3144	692	wmiapsvrd.exe	msedge.exe
PID 692 wrote to memory of 3144	692	wmiapsvrd.exe	msedge.exe
PID 3500 wrote to memory of 732	3500	explorer.exe	audiadg.exe
PID 3500 wrote to memory of 732	3500	explorer.exe	audiadg.exe
PID 3500 wrote to memory of 732	3500	explorer.exe	audiadg.exe
PID 732 wrote to memory of 4196	732	audiadg.exe	dw20.exe
PID 732 wrote to memory of 4196	732	audiadg.exe	dw20.exe
PID 732 wrote to memory of 4196	732	audiadg.exe	dw20.exe
PID 400 wrote to memory of 364	400	wmiapsvrd.exe	audiadg.exe
PID 400 wrote to memory of 364	400	wmiapsvrd.exe	audiadg.exe
PID 400 wrote to memory of 364	400	wmiapsvrd.exe	audiadg.exe
PID 364 wrote to memory of 776	364	audiadg.exe	dw20.exe
PID 364 wrote to memory of 776	364	audiadg.exe	dw20.exe
PID 364 wrote to memory of 776	364	audiadg.exe	dw20.exe
PID 3500 wrote to memory of 1192	3500	explorer.exe	audiadg.exe
PID 3500 wrote to memory of 1192	3500	explorer.exe	audiadg.exe
PID 3500 wrote to memory of 1192	3500	explorer.exe	audiadg.exe
PID 1192 wrote to memory of 4708	1192	audiadg.exe	dw20.exe
PID 1192 wrote to memory of 4708	1192	audiadg.exe	dw20.exe
PID 1192 wrote to memory of 4708	1192	audiadg.exe	dw20.exe
PID 400 wrote to memory of 2012	400	wmiapsvrd.exe	audiadg.exe
PID 400 wrote to memory of 2012	400	wmiapsvrd.exe	audiadg.exe
PID 400 wrote to memory of 2012	400	wmiapsvrd.exe	audiadg.exe
PID 2012 wrote to memory of 812	2012	audiadg.exe	dw20.exe
PID 2012 wrote to memory of 812	2012	audiadg.exe	dw20.exe
PID 2012 wrote to memory of 812	2012	audiadg.exe	dw20.exe
PID 3500 wrote to memory of 4132	3500	explorer.exe	audiadg.exe
PID 3500 wrote to memory of 4132	3500	explorer.exe	audiadg.exe
PID 3500 wrote to memory of 4132	3500	explorer.exe	audiadg.exe
PID 4132 wrote to memory of 3396	4132	audiadg.exe	dw20.exe
PID 4132 wrote to memory of 3396	4132	audiadg.exe	dw20.exe
PID 4132 wrote to memory of 3396	4132	audiadg.exe	dw20.exe

C:\Users\Admin\AppData\Local\Temp\cc04763f7fd3d1b969fbb27ac9e8fd9b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\cc04763f7fd3d1b969fbb27ac9e8fd9b_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:396
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe"
  2⤵
  - Checks computer location settings
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3500
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4528
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:4660
- - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
    "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4908
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 920
      4⤵
      Enumerates system info in registry
      Suspicious use of AdjustPrivilegeToken
      PID:3268
  - - C:\Users\Admin\AppData\Local\Temp\System\wmiapsvrd.exe
      "C:\Users\Admin\AppData\Local\Temp\System\wmiapsvrd.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:400
    - - C:\Users\Admin\AppData\Local\Temp\System\wmiapsvrd.exe
        
        C:\Users\Admin\AppData\Local\Temp\System\wmiapsvrd.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:692
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:3144
    - - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
        
        "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:364
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 884
        6⤵
        Checks processor information in registry
        Enumerates system info in registry
        Suspicious use of AdjustPrivilegeToken
        
        PID:776
    - - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
        
        "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2012
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 884
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:812
    - - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
        
        "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1440
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 884
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:4440
    - - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
        
        "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3608
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 904
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3248
    - - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
        
        "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3784
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 884
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1488
    - - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
        
        "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4264
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 892
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3252
    - - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
        
        "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:968
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 884
        6⤵
        Checks processor information in registry
        Enumerates system info in registry
        Suspicious use of AdjustPrivilegeToken
        
        PID:2256
    - - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
        
        "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2188
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 884
        6⤵
        Checks processor information in registry
        Suspicious use of AdjustPrivilegeToken
        
        PID:4424
    - - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
        
        "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4336
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 896
        6⤵
        Checks processor information in registry
        Suspicious use of AdjustPrivilegeToken
        
        PID:4640
    - - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
        
        "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:3720
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 884
        6⤵
        
        PID:3608
    - - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
        
        "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:2988
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 884
        6⤵
        
        PID:2924
    - - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
        
        "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:364
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 884
        6⤵
        
        PID:2080
    - - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
        
        "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
        5⤵
        Executes dropped EXE
        
        PID:4016
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 884
        6⤵
        
        PID:3256
    - - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
        
        "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
        5⤵
        Executes dropped EXE
        
        PID:976
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 884
        6⤵
        
        PID:4444
    - - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
        
        "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
        5⤵
        Executes dropped EXE
        
        PID:1640
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 884
        6⤵
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:4584
    - - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
        
        "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
        5⤵
        Executes dropped EXE
        
        PID:5104
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 884
        6⤵
        
        PID:2200
    - - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
        
        "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
        5⤵
        Executes dropped EXE
        
        PID:4160
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 884
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4276
    - - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
        
        "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
        5⤵
        Executes dropped EXE
        
        PID:4084
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 904
        6⤵
        
        PID:2652
    - - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
        
        "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
        5⤵
        Executes dropped EXE
        
        PID:1964
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 884
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4504
    - - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
        
        "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
        5⤵
        Executes dropped EXE
        
        PID:4388
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 884
        6⤵
        Checks processor information in registry
        
        PID:5084
    - - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
        
        "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
        5⤵
        Executes dropped EXE
        
        PID:5092
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 884
        6⤵
        Checks processor information in registry
        
        PID:1232
    - - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
        
        "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
        5⤵
        Executes dropped EXE
        
        PID:3088
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 904
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3048
    - - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
        
        "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
        5⤵
        Executes dropped EXE
        
        PID:1600
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 884
        6⤵
        
        PID:5040
    - - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
        
        "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
        5⤵
        Executes dropped EXE
        
        PID:2188
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 884
        6⤵
        Enumerates system info in registry
        
        PID:5024
    - - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
        
        "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
        5⤵
        Executes dropped EXE
        
        PID:2072
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 884
        6⤵
        
        PID:4276
    - - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
        
        "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
        5⤵
        
        PID:4344
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 884
        6⤵
        
        PID:3580
    - - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
        
        "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
        5⤵
        
        PID:2652
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 884
        6⤵
        
        PID:2340
    - - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
        
        "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3288
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 884
        6⤵
        Checks processor information in registry
        
        PID:4016
    - - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
        
        "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
        5⤵
        
        PID:2676
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 884
        6⤵
        
        PID:388
    - - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
        
        "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
        5⤵
        
        PID:3736
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 888
        6⤵
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        
        PID:3484
    - - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
        
        "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
        5⤵
        
        PID:4092
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 884
        6⤵
        Enumerates system info in registry
        
        PID:5088
    - - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
        
        "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
        5⤵
        
        PID:4644
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 884
        6⤵
        
        PID:2844
    - - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
        
        "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
        5⤵
        
        PID:4368
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 892
        6⤵
        Checks processor information in registry
        
        PID:2116
    - - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
        
        "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
        5⤵
        
        PID:2256
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 892
        6⤵
        System Location Discovery: System Language Discovery
        Enumerates system info in registry
        
        PID:1740
    - - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
        
        "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
        5⤵
        
        PID:1760
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 904
        6⤵
        
        PID:364
    - - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
        
        "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
        5⤵
        
        PID:2696
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 904
        6⤵
        Checks processor information in registry
        
        PID:232
    - - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
        
        "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
        5⤵
        
        PID:1720
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 884
        6⤵
        
        PID:3120
    - - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
        
        "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
        5⤵
        
        PID:4500
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 884
        6⤵
        Enumerates system info in registry
        
        PID:3152
    - - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
        
        "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
        5⤵
        
        PID:2072
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 892
        6⤵
        Enumerates system info in registry
        
        PID:2708
    - - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
        
        "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
        5⤵
        
        PID:3612
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 884
        6⤵
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        
        PID:3588
    - - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
        
        "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
        5⤵
        
        PID:4720
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 892
        6⤵
        System Location Discovery: System Language Discovery
        Enumerates system info in registry
        
        PID:4540
    - - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
        
        "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
        5⤵
        
        PID:4208
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 884
        6⤵
        
        PID:4132
    - - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
        
        "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1904
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 904
        6⤵
        
        PID:5084
    - - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
        
        "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
        5⤵
        
        PID:232
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 884
        6⤵
        
        PID:2752
    - - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
        
        "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3048
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 888
        6⤵
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:4128
    - - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
        
        "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
        5⤵
        
        PID:4384
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 884
        6⤵
        Enumerates system info in registry
        
        PID:3348
    - - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
        
        "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
        5⤵
        
        PID:3432
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 888
        6⤵
        
        PID:520
    - - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
        
        "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
        5⤵
        
        PID:2080
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 884
        6⤵
        
        PID:3312
    - - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
        
        "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
        5⤵
        
        PID:3612
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 884
        6⤵
        
        PID:4572
    - - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
        
        "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
        5⤵
        
        PID:5040
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 884
        6⤵
        
        PID:2380
    - - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
        
        "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2512
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 884
        6⤵
        Enumerates system info in registry
        
        PID:2484
    - - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
        
        "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
        5⤵
        
        PID:2816
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 904
        6⤵
        
        PID:4128
    - - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
        
        "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
        5⤵
        
        PID:2016
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 884
        6⤵
        
        PID:1220
    - - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
        
        "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
        5⤵
        
        PID:4496
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 884
        6⤵
        
        PID:1076
    - - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
        
        "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1476
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 884
        6⤵
        
        PID:4912
    - - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
        
        "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
        5⤵
        
        PID:3256
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 884
        6⤵
        
        PID:2448
    - - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
        
        "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
        5⤵
        
        PID:2596
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 884
        6⤵
        Enumerates system info in registry
        
        PID:2096
    - - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
        
        "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
        5⤵
        
        PID:744
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 892
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:436
    - - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
        
        "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4592
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 900
        6⤵
        
        PID:1496
    - - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
        
        "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
        5⤵
        
        PID:3268
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 884
        6⤵
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:4664
    - - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
        
        "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
        5⤵
        
        PID:5076
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 892
        6⤵
        
        PID:4960
    - - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
        
        "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
        5⤵
        
        PID:4668
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 884
        6⤵
        
        PID:1856
    - - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
        
        "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
        5⤵
        
        PID:4712
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 884
        6⤵
        Checks processor information in registry
        
        PID:1276
    - - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
        
        "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3516
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 884
        6⤵
        
        PID:4016
    - - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
        
        "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
        5⤵
        
        PID:996
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 892
        6⤵
        
        PID:2380
    - - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
        
        "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
        5⤵
        
        PID:4352
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 884
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:736
    - - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
        
        "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
        5⤵
        
        PID:3952
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 884
        6⤵
        Drops file in Windows directory
        
        PID:5060
    - - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
        
        "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
        5⤵
        
        PID:3196
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 884
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1388
    - - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
        
        "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
        5⤵
        
        PID:4128
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 896
        6⤵
        
        PID:1888
    - - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
        
        "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
        5⤵
        
        PID:3580
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 892
        6⤵
        
        PID:4504
    - - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
        
        "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
        5⤵
        
        PID:1788
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 884
        6⤵
        Checks processor information in registry
        
        PID:2708
    - - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
        
        "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
        5⤵
        
        PID:1376
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 888
        6⤵
        Checks processor information in registry
        
        PID:3312
    - - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
        
        "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
        5⤵
        
        PID:4620
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 884
        6⤵
        Enumerates system info in registry
        
        PID:3968
    - - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
        
        "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
        5⤵
        
        PID:4328
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 892
        6⤵
        Checks processor information in registry
        
        PID:4508
    - - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
        
        "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
        5⤵
        
        PID:1192
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 884
        6⤵
        Checks processor information in registry
        
        PID:3736
    - - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
        
        "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
        5⤵
        
        PID:1844
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 884
        6⤵
        
        PID:1364
    - - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
        
        "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
        5⤵
        
        PID:4048
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 884
        6⤵
        Enumerates system info in registry
        
        PID:3924
    - - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
        
        "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
        5⤵
        
        PID:2916
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 884
        6⤵
        
        PID:4172
    - - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
        
        "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1652
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 884
        6⤵
        
        PID:3460
    - - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
        
        "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1896
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 900
        6⤵
        
        PID:1952
    - - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
        
        "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
        5⤵
        
        PID:4480
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 884
        6⤵
        Checks processor information in registry
        
        PID:1308
    - - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
        
        "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
        5⤵
        
        PID:3312
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 884
        6⤵
        
        PID:2652
    - - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
        
        "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
        5⤵
        
        PID:4208
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 884
        6⤵
        
        PID:2564
    - - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
        
        "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
        5⤵
        
        PID:4620
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 884
        6⤵
        
        PID:2484
    - - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
        
        "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
        5⤵
        
        PID:2056
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 884
        6⤵
        
        PID:5024
    - - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
        
        "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
        5⤵
        
        PID:1220
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 892
        6⤵
        Enumerates system info in registry
        
        PID:1188
    - - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
        
        "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
        5⤵
        
        PID:3200
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 884
        6⤵
        
        PID:2288
    - - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
        
        "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
        5⤵
        
        PID:3868
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 888
        6⤵
        
        PID:1452
    - - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
        
        "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
        5⤵
        
        PID:1568
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 884
        6⤵
        
        PID:4720
    - - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
        
        "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:224
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 896
        6⤵
        
        PID:4324
    - - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
        
        "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2676
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 884
        6⤵
        
        PID:1464
    - - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
        
        "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
        5⤵
        
        PID:1844
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 884
        6⤵
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:2352
    - - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
        
        "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3196
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 892
        6⤵
        
        PID:3244
    - - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
        
        "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1876
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 884
        6⤵
        System Location Discovery: System Language Discovery
        Enumerates system info in registry
        
        PID:2592
    - - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
        
        "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
        5⤵
        
        PID:532
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 884
        6⤵
        Checks processor information in registry
        
        PID:1848
    - - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
        
        "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
        5⤵
        
        PID:1452
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 884
        6⤵
        
        PID:4388
    - - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
        
        "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
        5⤵
        
        PID:3204
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 884
        6⤵
        
        PID:3636
    - - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
        
        "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
        5⤵
        
        PID:3096
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 884
        6⤵
        
        PID:3516
    - - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
        
        "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
        5⤵
        
        PID:996
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 884
        6⤵
        
        PID:4068
    - - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
        
        "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3608
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 888
        6⤵
        Checks processor information in registry
        
        PID:4872
    - - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
        
        "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
        5⤵
        
        PID:4080
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 888
        6⤵
        Enumerates system info in registry
        
        PID:4704
    - - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
        
        "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
        5⤵
        
        PID:2056
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 904
        6⤵
        
        PID:1740
    - - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
        
        "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
        5⤵
        
        PID:4264
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 892
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4712
    - - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
        
        "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
        5⤵
        
        PID:1000
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 892
        6⤵
        
        PID:964
    - - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
        
        "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
        5⤵
        
        PID:2700
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 904
        6⤵
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:1300
    - - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
        
        "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
        5⤵
        
        PID:1952
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 884
        6⤵
        System Location Discovery: System Language Discovery
        Enumerates system info in registry
        
        PID:232
    - - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
        
        "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
        5⤵
        
        PID:4440
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 892
        6⤵
        
        PID:4408
    - - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
        
        "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
        5⤵
        
        PID:1552
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 884
        6⤵
        
        PID:1212
    - - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
        
        "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
        5⤵
        
        PID:912
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 884
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2816
    - - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
        
        "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
        5⤵
        
        PID:4080
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 884
        6⤵
        Enumerates system info in registry
        
        PID:4588
    - - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
        
        "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
        5⤵
        
        PID:4612
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 884
        6⤵
        
        PID:4920
    - - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
        
        "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
        5⤵
        
        PID:4412
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 884
        6⤵
        
        PID:4516
    - - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
        
        "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
        5⤵
        
        PID:4132
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 888
        6⤵
        
        PID:2960
    - - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
        
        "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
        5⤵
        
        PID:2292
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 884
        6⤵
        Enumerates system info in registry
        
        PID:1896
    - - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
        
        "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
        5⤵
        
        PID:2256
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 884
        6⤵
        
        PID:5100
    - - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
        
        "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
        5⤵
        
        PID:3572
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 884
        6⤵
        
        PID:3624
    - - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
        
        "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
        5⤵
        
        PID:908
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 892
        6⤵
        Enumerates system info in registry
        
        PID:996
    - - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
        
        "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
        5⤵
        
        PID:1888
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 888
        6⤵
        
        PID:5116
    - - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
        
        "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
        5⤵
        
        PID:1720
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 884
        6⤵
        Enumerates system info in registry
        
        PID:1488
    - - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
        
        "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
        5⤵
        
        PID:1652
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 884
        6⤵
        
        PID:4880
    - - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
        
        "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
        5⤵
        
        PID:2316
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 908
        6⤵
        
        PID:4612
    - - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
        
        "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
        5⤵
        
        PID:4132
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 884
        6⤵
        
        PID:2484
    - - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
        
        "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
        5⤵
        
        PID:448
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 884
        6⤵
        
        PID:2904
    - - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
        
        "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2524
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 884
        6⤵
        
        PID:2508
    - - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
        
        "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
        5⤵
        
        PID:4404
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 896
        6⤵
        
        PID:4504
    - - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
        
        "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
        5⤵
        
        PID:2204
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 884
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3608
    - - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
        
        "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
        5⤵
        
        PID:180
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 884
        6⤵
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        
        PID:2740
    - - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
        
        "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
        5⤵
        
        PID:4540
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 892
        6⤵
        
        PID:2644
    - - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
        
        "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
        5⤵
        
        PID:2220
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 884
        6⤵
        Enumerates system info in registry
        
        PID:4456
    - - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
        
        "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
        5⤵
        
        PID:2228
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 884
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4308
    - - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
        
        "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
        5⤵
        
        PID:1856
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 892
        6⤵
        Checks processor information in registry
        
        PID:3488
    - - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
        
        "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
        5⤵
        
        PID:736
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 884
        6⤵
        
        PID:4328
- - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
    "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:732
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 884
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4196
- - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
    "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1192
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 892
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4708
- - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
    "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4132
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 884
      4⤵
      Checks processor information in registry
      Suspicious use of AdjustPrivilegeToken
      PID:3396
- - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
    "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1644
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 884
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2164
- - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
    "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3320
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 884
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4664
- - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
    "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1436
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 884
      4⤵
      Enumerates system info in registry
      Suspicious use of AdjustPrivilegeToken
      PID:4240
- - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
    "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1904
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 884
      4⤵
      Checks processor information in registry
      Suspicious use of AdjustPrivilegeToken
      PID:4516
- - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
    "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:232
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 888
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3256
- - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
    "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4420
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 904
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2804
- - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
    "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:652
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 884
      4⤵
      Enumerates system info in registry
      Suspicious use of AdjustPrivilegeToken
      PID:964
- - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
    "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:5088
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 904
      4⤵
      PID:4760
- - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
    "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:1212
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 884
      4⤵
      Enumerates system info in registry
      PID:2316
- - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
    "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:1840
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 904
      4⤵
      System Location Discovery: System Language Discovery
      PID:2700
- - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
    "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:812
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 884
      4⤵
      PID:1492
- - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
    "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3240
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 884
      4⤵
      Checks processor information in registry
      PID:5012
- - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
    "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
    3⤵
    - Executes dropped EXE
    PID:2328
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 884
      4⤵
      System Location Discovery: System Language Discovery
      PID:2596
- - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
    "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
    3⤵
    - Executes dropped EXE
    PID:964
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 904
      4⤵
      Checks processor information in registry
      PID:2188
- - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
    "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3320
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 884
      4⤵
      Enumerates system info in registry
      PID:3268
- - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
    "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
    3⤵
    - Executes dropped EXE
    PID:5116
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 884
      4⤵
      System Location Discovery: System Language Discovery
      Checks processor information in registry
      PID:1020
- - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
    "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
    3⤵
    - Executes dropped EXE
    PID:4032
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 884
      4⤵
      PID:2216
- - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
    "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
    3⤵
    - Executes dropped EXE
    PID:4700
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 884
      4⤵
      PID:3584
- - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
    "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
    3⤵
    - Executes dropped EXE
    PID:2512
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 884
      4⤵
      Checks processor information in registry
      Enumerates system info in registry
      PID:2804
- - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
    "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
    3⤵
    - Executes dropped EXE
    PID:3176
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 884
      4⤵
      PID:3472
- - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
    "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
    3⤵
    - Executes dropped EXE
    PID:3608
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 884
      4⤵
      PID:2208
- - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
    "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
    3⤵
    - Executes dropped EXE
    PID:3172
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 892
      4⤵
      PID:1156
- - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
    "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
    3⤵
    - Executes dropped EXE
    PID:2104
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 884
      4⤵
      PID:4080
- - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
    "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
    3⤵
    - Executes dropped EXE
    PID:4684
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 884
      4⤵
      Enumerates system info in registry
      PID:2116
- - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
    "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
    3⤵
    - Executes dropped EXE
    PID:1352
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 884
      4⤵
      Enumerates system info in registry
      PID:1840
- - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
    "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
    3⤵
    - Executes dropped EXE
    PID:2904
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 884
      4⤵
      Checks processor information in registry
      PID:2024
- - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
    "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
    3⤵
    - Executes dropped EXE
    PID:2752
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 884
      4⤵
      PID:968
- - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
    "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4192
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 884
      4⤵
      PID:1192
- - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
    "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
    3⤵
    - Executes dropped EXE
    PID:2648
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 884
      4⤵
      Enumerates system info in registry
      PID:436
- - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
    "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
    3⤵
    - Executes dropped EXE
    PID:928
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 904
      4⤵
      System Location Discovery: System Language Discovery
      PID:4760
- - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
    "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1188
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 884
      4⤵
      PID:3720
- - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
    "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
    3⤵
    PID:3312
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 884
      4⤵
      Checks processor information in registry
      PID:2988
- - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
    "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4516
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 884
      4⤵
      PID:2924
- - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
    "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
    3⤵
    PID:2096
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 884
      4⤵
      PID:3516
- - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
    "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
    3⤵
    PID:3396
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 884
      4⤵
      Enumerates system info in registry
      PID:4456
- - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
    "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
    3⤵
    PID:2056
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 892
      4⤵
      PID:2200
- - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
    "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
    3⤵
    PID:4496
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 892
      4⤵
      PID:4128
- - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
    "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
    3⤵
    PID:1996
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 884
      4⤵
      Checks processor information in registry
      PID:3172
- - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
    "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
    3⤵
    PID:4748
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 904
      4⤵
      Checks processor information in registry
      PID:744
- - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
    "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
    3⤵
    PID:2024
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 892
      4⤵
      PID:1848
- - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
    "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
    3⤵
    PID:1964
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 884
      4⤵
      PID:4072
- - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
    "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
    3⤵
    PID:1920
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 892
      4⤵
      PID:388
- - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
    "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
    3⤵
    PID:1644
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 884
      4⤵
      PID:3048
- - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
    "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
    3⤵
    PID:2240
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 892
      4⤵
      System Location Discovery: System Language Discovery
      PID:4768
- - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
    "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
    3⤵
    PID:2316
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 884
      4⤵
      PID:1520
- - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
    "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
    3⤵
    PID:3684
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 884
      4⤵
      Checks processor information in registry
      PID:2864
- - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
    "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
    3⤵
    PID:2220
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 892
      4⤵
      PID:3104
- - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
    "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
    3⤵
    PID:764
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 884
      4⤵
      Enumerates system info in registry
      PID:3540
- - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
    "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
    3⤵
    PID:1336
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 892
      4⤵
      PID:4880
- - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
    "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
    3⤵
    PID:4632
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 884
      4⤵
      PID:3736
- - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
    "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
    3⤵
    PID:864
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 892
      4⤵
      PID:3232
- - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
    "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4760
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 884
      4⤵
      PID:2344
- - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
    "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
    3⤵
    PID:4684
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 892
      4⤵
      PID:1748
- - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
    "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3296
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 884
      4⤵
      PID:2364
- - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
    "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
    3⤵
    PID:744
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 884
      4⤵
      Enumerates system info in registry
      PID:2624
- - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
    "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
    3⤵
    PID:3552
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 884
      4⤵
      Checks processor information in registry
      PID:4068
- - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
    "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
    3⤵
    PID:4664
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 884
      4⤵
      PID:652
- - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
    "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
    3⤵
    PID:976
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 904
      4⤵
      PID:1552
- - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
    "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
    3⤵
    PID:4960
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 884
      4⤵
      PID:1520
- - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
    "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
    3⤵
    PID:2988
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 892
      4⤵
      Checks processor information in registry
      PID:2072
- - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
    "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
    3⤵
    PID:5004
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 884
      4⤵
      PID:1276
- - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
    "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
    3⤵
    PID:1092
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 884
      4⤵
      Enumerates system info in registry
      PID:4972
- - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
    "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
    3⤵
    PID:3612
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 884
      4⤵
      PID:5012
- - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
    "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
    3⤵
    PID:4000
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 888
      4⤵
      PID:4832
- - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
    "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
    3⤵
    PID:4336
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 892
      4⤵
      PID:3916
- - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
    "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
    3⤵
    PID:4848
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 884
      4⤵
      PID:3752
- - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
    "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4412
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 892
      4⤵
      PID:2016
- - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
    "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
    3⤵
    PID:1376
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 896
      4⤵
      Checks processor information in registry
      Enumerates system info in registry
      PID:2508
- - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
    "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
    3⤵
    PID:876
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 892
      4⤵
      PID:4516
- - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
    "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
    3⤵
    PID:5004
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 904
      4⤵
      PID:4572
- - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
    "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
    3⤵
    PID:3584
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 884
      4⤵
      PID:3532
- - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
    "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1092
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 888
      4⤵
      Enumerates system info in registry
      PID:232
- - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
    "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
    3⤵
    PID:3924
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 884
      4⤵
      Drops file in Windows directory
      PID:5088
- - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
    "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
    3⤵
    PID:4092
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 892
      4⤵
      PID:4768
- - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
    "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1436
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 888
      4⤵
      Enumerates system info in registry
      PID:4176
- - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
    "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
    3⤵
    PID:1748
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 884
      4⤵
      PID:1948
- - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
    "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
    3⤵
    PID:3268
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 884
      4⤵
      PID:1852
- - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
    "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
    3⤵
    PID:3304
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 888
      4⤵
      PID:4964
- - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
    "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
    3⤵
    PID:2640
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 884
      4⤵
      PID:1044
- - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
    "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
    3⤵
    PID:4016
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 888
      4⤵
      Enumerates system info in registry
      PID:4448
- - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
    "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
    3⤵
    PID:4920
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 888
      4⤵
      Enumerates system info in registry
      PID:4832
- - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
    "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
    3⤵
    PID:1640
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 884
      4⤵
      Checks processor information in registry
      PID:3088
- - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
    "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
    3⤵
    PID:1000
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 884
      4⤵
      PID:4664
- - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
    "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
    3⤵
    PID:3152
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 884
      4⤵
      Enumerates system info in registry
      PID:2124
- - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
    "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4676
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 884
      4⤵
      PID:3092
- - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
    "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
    3⤵
    PID:520
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 888
      4⤵
      Checks processor information in registry
      PID:4220
- - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
    "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
    3⤵
    PID:1076
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 884
      4⤵
      PID:2644
- - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
    "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
    3⤵
    PID:1788
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 904
      4⤵
      Checks processor information in registry
      PID:4180
- - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
    "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
    3⤵
    PID:2216
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 884
      4⤵
      PID:3672
- - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
    "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
    3⤵
    PID:2904
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 884
      4⤵
      PID:812
- - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
    "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
    3⤵
    PID:2920
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 884
      4⤵
      PID:1304
- - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
    "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
    3⤵
    PID:4268
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 900
      4⤵
      PID:2456
- - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
    "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
    3⤵
    PID:3152
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 884
      4⤵
      Enumerates system info in registry
      PID:1520
- - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
    "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
    3⤵
    PID:4648
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 884
      4⤵
      Checks processor information in registry
      PID:4264
- - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
    "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
    3⤵
    PID:2652
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 884
      4⤵
      PID:3700
- - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
    "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
    3⤵
    PID:1784
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 884
      4⤵
      PID:4192
- - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
    "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
    3⤵
    PID:3632
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 884
      4⤵
      PID:3176
- - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
    "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
    3⤵
    PID:1884
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 884
      4⤵
      PID:4740
- - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
    "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
    3⤵
    PID:920
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 904
      4⤵
      System Location Discovery: System Language Discovery
      Enumerates system info in registry
      PID:4848
- - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
    "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
    3⤵
    PID:1000
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 904
      4⤵
      System Location Discovery: System Language Discovery
      Checks processor information in registry
      PID:3184
- - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
    "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
    3⤵
    PID:4424
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 884
      4⤵
      Enumerates system info in registry
      PID:4912
- - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
    "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
    3⤵
    PID:228
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 884
      4⤵
      PID:4572
- - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
    "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
    3⤵
    PID:4196
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 884
      4⤵
      PID:1952
- - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
    "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
    3⤵
    PID:3312
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 884
      4⤵
      PID:2696
- - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
    "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
    3⤵
    PID:3736
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 884
      4⤵
      PID:2208
- - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
    "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
    3⤵
    PID:5008
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 884
      4⤵
      PID:4832
- - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
    "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
    3⤵
    PID:3548
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 884
      4⤵
      PID:4756
- - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
    "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
    3⤵
    PID:2736
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 884
      4⤵
      System Location Discovery: System Language Discovery
      PID:5104
- - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
    "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
    3⤵
    PID:5032
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 888
      4⤵
      Checks processor information in registry
      PID:1496
- - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
    "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3560
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 892
      4⤵
      System Location Discovery: System Language Discovery
      Checks processor information in registry
      PID:4032
- - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
    "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
    3⤵
    PID:3700
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 884
      4⤵
      PID:3152
- - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
    "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
    3⤵
    PID:1452
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 884
      4⤵
      Enumerates system info in registry
      PID:1508
- - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
    "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
    3⤵
    PID:5100
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 892
      4⤵
      PID:4420
- - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
    "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
    3⤵
    PID:3096
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 884
      4⤵
      System Location Discovery: System Language Discovery
      Checks processor information in registry
      Enumerates system info in registry
      PID:1616
- - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
    "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
    3⤵
    PID:4328
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 892
      4⤵
      Enumerates system info in registry
      PID:744
- - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
    "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
    3⤵
    PID:3264
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 884
      4⤵
      Checks processor information in registry
      Enumerates system info in registry
      PID:3716
- - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
    "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
    3⤵
    PID:3496
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 884
      4⤵
      PID:1724
- - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
    "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
    3⤵
    PID:2736
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 884
      4⤵
      Enumerates system info in registry
      PID:2268
- - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
    "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
    3⤵
    PID:1392
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 884
      4⤵
      PID:2184
- - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
    "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
    3⤵
    PID:3152
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 892
      4⤵
      PID:4648
- - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
    "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1300
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 884
      4⤵
      Enumerates system info in registry
      PID:1508
- - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
    "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
    3⤵
    PID:4016
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 884
      4⤵
      System Location Discovery: System Language Discovery
      Checks processor information in registry
      Enumerates system info in registry
      PID:3672
- - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
    "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
    3⤵
    PID:2096
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 884
      4⤵
      Checks processor information in registry
      Enumerates system info in registry
      PID:3488
- - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
    "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
    3⤵
    PID:1408
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 896
      4⤵
      Checks processor information in registry
      Enumerates system info in registry
      PID:2400
- - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
    "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
    3⤵
    PID:1020
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 884
      4⤵
      Checks processor information in registry
      PID:1040
- - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
    "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
    3⤵
    PID:1920
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 884
      4⤵
      PID:3784
- - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
    "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
    3⤵
    PID:2592
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 884
      4⤵
      Enumerates system info in registry
      PID:4444
- - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
    "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
    3⤵
    PID:4336
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 904
      4⤵
      System Location Discovery: System Language Discovery
      PID:4348
- - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
    "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
    3⤵
    PID:4548
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 884
      4⤵
      Enumerates system info in registry
      PID:4308
- - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
    "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
    3⤵
    PID:4520
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 884
      4⤵
      PID:3280
- - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
    "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
    3⤵
    PID:2116
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 884
      4⤵
      PID:996
- - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
    "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
    3⤵
    PID:2996
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 896
      4⤵
      System Location Discovery: System Language Discovery
      Checks processor information in registry
      PID:100
- - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
    "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4172
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 884
      4⤵
      Checks processor information in registry
      PID:652
- - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
    "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1548
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 884
      4⤵
      Enumerates system info in registry
      PID:1876
- - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
    "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
    3⤵
    PID:1596
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 892
      4⤵
      System Location Discovery: System Language Discovery
      PID:4388
- - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
    "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5084
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 884
      4⤵
      Checks processor information in registry
      PID:724
- - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
    "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
    3⤵
    PID:4884
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 884
      4⤵
      PID:3584
- - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
    "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
    3⤵
    PID:1956
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 884
      4⤵
      PID:3088
- - C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe
    "C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe"
    3⤵
    PID:1212
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 884
      4⤵
      PID:2224

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\SysInfo.txt

Filesize
84B

MD5
c35c9219a708c8e6dbe89049f200ceaf

SHA1
2ab9b516c2216c6c1bc3cbad9b78fdfa29500535

SHA256
1e92675fcc3916c463d8097d0473bae8957fe405da0c8ba09741907253e71a0f

SHA512
fd8213d5e9998de109c4082823504a0c01a57d75d202ffc8f4682623967735a5f4c6e688a340a32c3ecd0b5bb8cb7142fe9671d30bf9568f781cb9e2e129c141

Download Submit
C:\Users\Admin\AppData\Local\Temp\System\audiadg.exe

Filesize
22KB

MD5
4a109a3a9a6d16c91df0c9cb7fc13387

SHA1
1b97703369e22ba433b7b817f9eeed3431ebd2e9

SHA256
646e9448a3498be89f3053003b334a6e933134444cee32c6fa8be47fd477dc8e

SHA512
616c9adaeccf6f738401a4e2a45ecf14c1baa40aecf6ef3a89d32ec82c4cfd05f3964b80fdb470d94deb3b7fb4a1f3832427e6e2dccf997594d15a5e6cb97655

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe

Filesize
99KB

MD5
cc04763f7fd3d1b969fbb27ac9e8fd9b

SHA1
84186e9ef9a714ba212aebd28e6f9e1f4d3abff0

SHA256
a524b24270992d676b525fe1b717ceffa34cf0653c9984024198f5da44e952ee

SHA512
be79f98a183c0769ad2211b5f6571d9430bf491d7e9db7dd59e78f5510cbc414d047a221f667230ae8464311dc6f6f946ce51f9078d93b365fa482499ba18a66

Download Submit
memory/396-1-0x0000000074B10000-0x00000000750C1000-memory.dmp

Filesize
5.7MB

Download
memory/396-2-0x0000000074B10000-0x00000000750C1000-memory.dmp

Filesize
5.7MB

Download
memory/396-0-0x0000000074B12000-0x0000000074B13000-memory.dmp

Filesize
4KB

Download
memory/396-17-0x0000000074B10000-0x00000000750C1000-memory.dmp

Filesize
5.7MB

Download
memory/692-41-0x0000000010000000-0x000000001004D000-memory.dmp

Filesize
308KB

Download
memory/692-39-0x0000000010000000-0x000000001004D000-memory.dmp

Filesize
308KB

Download
memory/692-40-0x0000000010000000-0x000000001004D000-memory.dmp

Filesize
308KB

Download
memory/3500-18-0x0000000074B10000-0x00000000750C1000-memory.dmp

Filesize
5.7MB

Download
memory/3500-19-0x0000000074B10000-0x00000000750C1000-memory.dmp

Filesize
5.7MB

Download
memory/3500-145-0x0000000074B10000-0x00000000750C1000-memory.dmp

Filesize
5.7MB

Download
memory/4528-28-0x0000000010000000-0x000000001004D000-memory.dmp

Filesize
308KB

Download
memory/4528-27-0x0000000010000000-0x000000001004D000-memory.dmp

Filesize
308KB

Download
memory/4528-26-0x0000000010000000-0x000000001004D000-memory.dmp

Filesize
308KB

Download
memory/4528-23-0x0000000010000000-0x000000001004D000-memory.dmp

Filesize
308KB

Download