ardamax | fb102d0ad83ccb3255a19efd0176199339e49a9bf87766e7b36cd6e2dd54f309

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
09-10-2024 09:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2e57f267250cc56b48dc1db078304b97_JaffaCakes118.exe
Size

1.0MB
MD5

2e57f267250cc56b48dc1db078304b97
SHA1

6f306ff630cc4955127851ca37d0adbde9c39bc3
SHA256

fb102d0ad83ccb3255a19efd0176199339e49a9bf87766e7b36cd6e2dd54f309
SHA512

722d21e4d920838f8c9bed2c8639ccbefab3baadae3f08044bfeee04b691b58a385725717cd126238891fd25935fa323b07658e4c942e24fb835f51c4890ab6d
SSDEEP

24576:yQ4juzSIa1E68m1AXumQ6ImmgM9NaFwkd/waOgd+5p4ZwxmHA5yqH2YoH0v:yF8Dm1AXvzIMMCR9eEWTgKoH

Score

10^/10

ardamax bootkit credential_access discovery keylogger persistence spyware stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral2/files/0x0008000000023c54-23.dat	family_ardamax

Checks computer location settings 2 TTPs 19 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	keygen.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	Server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	Server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	keygen.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	Server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	keygen.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	keygen.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	keygen.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	Server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	2e57f267250cc56b48dc1db078304b97_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	keygen.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	keygen.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	keygen.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	keygen.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	Server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	keygen.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	keygen.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	Server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	Install.exe

Executes dropped EXE 31 IoCs

pid	Process
3088	Install.exe
428	HCUA.exe
4868	keygen.exe
1048	Server.exe
1200	keygen.exe
3800	Server.exe
3268	keygen.exe
764	Server.exe
1552	keygen.exe
1916	Server.exe
1420	keygen.exe
4576	Server.exe
4568	keygen.exe
1936	Server.exe
1012	Server.exe
2904	Server.exe
3224	keygen.exe
4540	Server.exe
4204	keygen.exe
2560	Server.exe
4200	Server.exe
2988	keygen.exe
4348	Server.exe
4648	Server.exe
3056	keygen.exe
1956	Server.exe
5016	Server.exe
1772	keygen.exe
636	Server.exe
2908	Server.exe
3848	keygen.exe

Loads dropped DLL 64 IoCs

pid	Process
3088	Install.exe
428	HCUA.exe
428	HCUA.exe
428	HCUA.exe
4868	keygen.exe
4868	keygen.exe
4868	keygen.exe
1200	keygen.exe
1200	keygen.exe
1200	keygen.exe
1048	Server.exe
1048	Server.exe
1048	Server.exe
3800	Server.exe
3800	Server.exe
3800	Server.exe
3268	keygen.exe
3268	keygen.exe
3268	keygen.exe
764	Server.exe
764	Server.exe
764	Server.exe
1552	keygen.exe
1552	keygen.exe
1552	keygen.exe
1420	keygen.exe
1420	keygen.exe
1916	Server.exe
1916	Server.exe
1916	Server.exe
1420	keygen.exe
4576	Server.exe
4576	Server.exe
4576	Server.exe
4568	keygen.exe
4568	keygen.exe
4568	keygen.exe
1936	Server.exe
1936	Server.exe
1936	Server.exe
1012	Server.exe
1012	Server.exe
1012	Server.exe
2904	Server.exe
2904	Server.exe
2904	Server.exe
3224	keygen.exe
3224	keygen.exe
3224	keygen.exe
4204	keygen.exe
4204	keygen.exe
4204	keygen.exe
4540	Server.exe
4540	Server.exe
4540	Server.exe
2560	Server.exe
2560	Server.exe
2560	Server.exe
2988	keygen.exe
4200	Server.exe
4200	Server.exe
4200	Server.exe
2988	keygen.exe
2988	keygen.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HCUA Agent = "C:\\Windows\\SysWOW64\\28463\\HCUA.exe"	HCUA.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Writes to the Master Boot Record (MBR) 1 TTPs 6 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	Server.exe
File opened for modification	\??\PhysicalDrive0	Server.exe
File opened for modification	\??\PhysicalDrive0	Server.exe
File opened for modification	\??\PhysicalDrive0	Server.exe
File opened for modification	\??\PhysicalDrive0	Server.exe
File opened for modification	\??\PhysicalDrive0	Server.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\28463	HCUA.exe
File created	C:\Windows\SysWOW64\28463\HCUA.001	Install.exe
File created	C:\Windows\SysWOW64\28463\HCUA.006	Install.exe
File created	C:\Windows\SysWOW64\28463\HCUA.007	Install.exe
File created	C:\Windows\SysWOW64\28463\HCUA.exe	Install.exe
File created	C:\Windows\SysWOW64\28463\AKV.exe	Install.exe

Suspicious use of SetThreadContext 6 IoCs

description	pid	Process	procid_target
PID 1048 set thread context of 1936	1048	Server.exe	97
PID 3800 set thread context of 1012	3800	Server.exe	98
PID 764 set thread context of 4540	764	Server.exe	101
PID 1916 set thread context of 4348	1916	Server.exe	108
PID 4576 set thread context of 1956	4576	Server.exe	115
PID 2904 set thread context of 636	2904	Server.exe	117

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 25 IoCs

pid	pid_target	Process	procid_target
1120	3860	WerFault.exe	126
4696	4964	WerFault.exe	154
3000	1132	WerFault.exe	159
3656	4272	WerFault.exe	171
4756	5104	WerFault.exe	186
2020	3104	WerFault.exe	211
5036	4248	WerFault.exe	225
3420	3972	WerFault.exe	251
2988	4760	WerFault.exe	254
4812	4708	WerFault.exe	262
2732	4324	WerFault.exe	270
952	4628	WerFault.exe	285
4300	3968	WerFault.exe	290
3464	1072	WerFault.exe	322
3496	3224	WerFault.exe	326
2088	2984	WerFault.exe	334
2060	1668	WerFault.exe	369
1588	1480	WerFault.exe	373
4568	4280	WerFault.exe	386
1468	1524	WerFault.exe	418
3960	3056	WerFault.exe	448
4416	4756	WerFault.exe	455
3420	4232	WerFault.exe	471
3988	4396	WerFault.exe	470
4300	1316	WerFault.exe	476

System Location Discovery: System Language Discovery 1 TTPs 39 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	keygen.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	keygen.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	keygen.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Install.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	keygen.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	keygen.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	keygen.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	keygen.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	keygen.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	keygen.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	keygen.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HCUA.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	keygen.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	keygen.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe

Delays execution with timeout.exe 44 IoCs

evasion

pid	Process
1744	timeout.exe
3000	timeout.exe
2796	timeout.exe
4024	timeout.exe
3520	timeout.exe
4428	timeout.exe
5036	timeout.exe
244	timeout.exe
2888	timeout.exe
2488	timeout.exe
1588	timeout.exe
2768	timeout.exe
1828	timeout.exe
720	timeout.exe
3416	timeout.exe
4668	timeout.exe
3648	timeout.exe
1272	timeout.exe
2592	timeout.exe
4280	timeout.exe
4856	timeout.exe
624	timeout.exe
1524	timeout.exe
2640	timeout.exe
1404	timeout.exe
4436	timeout.exe
400	timeout.exe
2680	timeout.exe
1396	timeout.exe
4028	timeout.exe
1500	timeout.exe
2696	timeout.exe
4188	timeout.exe
2128	timeout.exe
2008	timeout.exe
1636	timeout.exe
4280	timeout.exe
4672	timeout.exe
3260	timeout.exe
1316	timeout.exe
2624	timeout.exe
1780	timeout.exe
4052	timeout.exe
2820	timeout.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	428	HCUA.exe
Token: SeIncBasePriorityPrivilege	428	HCUA.exe

Suspicious use of SetWindowsHookEx 16 IoCs

pid	Process
428	HCUA.exe
428	HCUA.exe
428	HCUA.exe
428	HCUA.exe
428	HCUA.exe
1048	Server.exe
3800	Server.exe
764	Server.exe
1916	Server.exe
4576	Server.exe
2904	Server.exe
2560	Server.exe
4200	Server.exe
4648	Server.exe
5016	Server.exe
2908	Server.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1188 wrote to memory of 3088	1188	2e57f267250cc56b48dc1db078304b97_JaffaCakes118.exe	85
PID 1188 wrote to memory of 3088	1188	2e57f267250cc56b48dc1db078304b97_JaffaCakes118.exe	85
PID 1188 wrote to memory of 3088	1188	2e57f267250cc56b48dc1db078304b97_JaffaCakes118.exe	85
PID 3088 wrote to memory of 428	3088	Install.exe	87
PID 3088 wrote to memory of 428	3088	Install.exe	87
PID 3088 wrote to memory of 428	3088	Install.exe	87
PID 3088 wrote to memory of 4868	3088	Install.exe	88
PID 3088 wrote to memory of 4868	3088	Install.exe	88
PID 3088 wrote to memory of 4868	3088	Install.exe	88
PID 4868 wrote to memory of 1048	4868	keygen.exe	89
PID 4868 wrote to memory of 1048	4868	keygen.exe	89
PID 4868 wrote to memory of 1048	4868	keygen.exe	89
PID 4868 wrote to memory of 1200	4868	keygen.exe	90
PID 4868 wrote to memory of 1200	4868	keygen.exe	90
PID 4868 wrote to memory of 1200	4868	keygen.exe	90
PID 1200 wrote to memory of 3800	1200	keygen.exe	91
PID 1200 wrote to memory of 3800	1200	keygen.exe	91
PID 1200 wrote to memory of 3800	1200	keygen.exe	91
PID 1200 wrote to memory of 3268	1200	keygen.exe	92
PID 1200 wrote to memory of 3268	1200	keygen.exe	92
PID 1200 wrote to memory of 3268	1200	keygen.exe	92
PID 3268 wrote to memory of 764	3268	keygen.exe	93
PID 3268 wrote to memory of 764	3268	keygen.exe	93
PID 3268 wrote to memory of 764	3268	keygen.exe	93
PID 3268 wrote to memory of 1552	3268	keygen.exe	94
PID 3268 wrote to memory of 1552	3268	keygen.exe	94
PID 3268 wrote to memory of 1552	3268	keygen.exe	94
PID 1552 wrote to memory of 1916	1552	keygen.exe	95
PID 1552 wrote to memory of 1916	1552	keygen.exe	95
PID 1552 wrote to memory of 1916	1552	keygen.exe	95
PID 1552 wrote to memory of 1420	1552	keygen.exe	96
PID 1552 wrote to memory of 1420	1552	keygen.exe	96
PID 1552 wrote to memory of 1420	1552	keygen.exe	96
PID 1048 wrote to memory of 1936	1048	Server.exe	97
PID 1048 wrote to memory of 1936	1048	Server.exe	97
PID 1048 wrote to memory of 1936	1048	Server.exe	97
PID 3800 wrote to memory of 1012	3800	Server.exe	98
PID 3800 wrote to memory of 1012	3800	Server.exe	98
PID 3800 wrote to memory of 1012	3800	Server.exe	98
PID 1048 wrote to memory of 1936	1048	Server.exe	97
PID 3800 wrote to memory of 1012	3800	Server.exe	98
PID 1048 wrote to memory of 1936	1048	Server.exe	97
PID 1420 wrote to memory of 4576	1420	keygen.exe	99
PID 1420 wrote to memory of 4576	1420	keygen.exe	99
PID 1420 wrote to memory of 4576	1420	keygen.exe	99
PID 3800 wrote to memory of 1012	3800	Server.exe	98
PID 1048 wrote to memory of 1936	1048	Server.exe	97
PID 3800 wrote to memory of 1012	3800	Server.exe	98
PID 1048 wrote to memory of 1936	1048	Server.exe	97
PID 3800 wrote to memory of 1012	3800	Server.exe	98
PID 1048 wrote to memory of 1936	1048	Server.exe	97
PID 3800 wrote to memory of 1012	3800	Server.exe	98
PID 1420 wrote to memory of 4568	1420	keygen.exe	100
PID 1420 wrote to memory of 4568	1420	keygen.exe	100
PID 1420 wrote to memory of 4568	1420	keygen.exe	100
PID 764 wrote to memory of 4540	764	Server.exe	101
PID 764 wrote to memory of 4540	764	Server.exe	101
PID 764 wrote to memory of 4540	764	Server.exe	101
PID 1048 wrote to memory of 1936	1048	Server.exe	97
PID 3800 wrote to memory of 1012	3800	Server.exe	98
PID 764 wrote to memory of 4540	764	Server.exe	101
PID 764 wrote to memory of 4540	764	Server.exe	101
PID 764 wrote to memory of 4540	764	Server.exe	101
PID 4568 wrote to memory of 2904	4568	keygen.exe	102

C:\Users\Admin\AppData\Local\Temp\2e57f267250cc56b48dc1db078304b97_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2e57f267250cc56b48dc1db078304b97_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1188
- C:\Users\Admin\AppData\Local\Temp\Install.exe
  "C:\Users\Admin\AppData\Local\Temp\Install.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3088
- - C:\Windows\SysWOW64\28463\HCUA.exe
    "C:\Windows\system32\28463\HCUA.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:428
- - C:\Users\Admin\AppData\Local\Temp\keygen.exe
    "C:\Users\Admin\AppData\Local\Temp\keygen.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4868
  - - C:\Users\Admin\AppData\Local\Temp\Server.exe
      "C:\Users\Admin\AppData\Local\Temp\Server.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Writes to the Master Boot Record (MBR)
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1048
    - - C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1936
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c timeout 5 && del C:\Users\Admin\AppData\Local\Temp\Server.exe
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4832
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 5
        7⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:2128
  - - C:\Users\Admin\AppData\Local\Temp\keygen.exe
      "C:\Users\Admin\AppData\Local\Temp\keygen.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1200
    - - C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Writes to the Master Boot Record (MBR)
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3800
      - C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1012
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c timeout 5 && del C:\Users\Admin\AppData\Local\Temp\Server.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:4784
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 5
        8⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:1744
    - - C:\Users\Admin\AppData\Local\Temp\keygen.exe
        
        "C:\Users\Admin\AppData\Local\Temp\keygen.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3268
      - C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Writes to the Master Boot Record (MBR)
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:764
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:4540
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c timeout 5 && del C:\Users\Admin\AppData\Local\Temp\Server.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1892
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 5
        9⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:244
      - C:\Users\Admin\AppData\Local\Temp\keygen.exe
        
        "C:\Users\Admin\AppData\Local\Temp\keygen.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1552
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Writes to the Master Boot Record (MBR)
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1916
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4348
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c timeout 5 && del C:\Users\Admin\AppData\Local\Temp\Server.exe
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:5088
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 5
        10⤵
        Delays execution with timeout.exe
        
        PID:2624
        
        C:\Users\Admin\AppData\Local\Temp\keygen.exe
        
        "C:\Users\Admin\AppData\Local\Temp\keygen.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1420
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Writes to the Master Boot Record (MBR)
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4576
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1956
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c timeout 5 && del C:\Users\Admin\AppData\Local\Temp\Server.exe
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:4636
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 5
        11⤵
        Delays execution with timeout.exe
        
        PID:2008
        
        C:\Users\Admin\AppData\Local\Temp\keygen.exe
        
        "C:\Users\Admin\AppData\Local\Temp\keygen.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4568
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Writes to the Master Boot Record (MBR)
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2904
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:636
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c timeout 5 && del C:\Users\Admin\AppData\Local\Temp\Server.exe
        11⤵
        
        PID:1652
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 5
        12⤵
        Delays execution with timeout.exe
        
        PID:2680
        
        C:\Users\Admin\AppData\Local\Temp\keygen.exe
        
        "C:\Users\Admin\AppData\Local\Temp\keygen.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:3224
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2560
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        11⤵
        
        PID:3860
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3860 -s 312
        12⤵
        Program crash
        
        PID:1120
        
        C:\Users\Admin\AppData\Local\Temp\keygen.exe
        
        "C:\Users\Admin\AppData\Local\Temp\keygen.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:4204
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4200
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        12⤵
        
        PID:2896
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c timeout 5 && del C:\Users\Admin\AppData\Local\Temp\Server.exe
        13⤵
        
        PID:3484
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 5
        14⤵
        Delays execution with timeout.exe
        
        PID:1396
        
        C:\Users\Admin\AppData\Local\Temp\keygen.exe
        
        "C:\Users\Admin\AppData\Local\Temp\keygen.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2988
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4648
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        13⤵
        
        PID:2844
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c timeout 5 && del C:\Users\Admin\AppData\Local\Temp\Server.exe
        14⤵
        
        PID:4836
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 5
        15⤵
        Delays execution with timeout.exe
        
        PID:1780
        
        C:\Users\Admin\AppData\Local\Temp\keygen.exe
        
        "C:\Users\Admin\AppData\Local\Temp\keygen.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3056
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:5016
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        14⤵
        
        PID:1948
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c timeout 5 && del C:\Users\Admin\AppData\Local\Temp\Server.exe
        15⤵
        
        PID:2920
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 5
        16⤵
        Delays execution with timeout.exe
        
        PID:4856
        
        C:\Users\Admin\AppData\Local\Temp\keygen.exe
        
        "C:\Users\Admin\AppData\Local\Temp\keygen.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1772
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        14⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2908
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        15⤵
        
        PID:68
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c timeout 5 && del C:\Users\Admin\AppData\Local\Temp\Server.exe
        16⤵
        
        PID:2088
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 5
        17⤵
        Delays execution with timeout.exe
        
        PID:2888
        
        C:\Users\Admin\AppData\Local\Temp\keygen.exe
        
        "C:\Users\Admin\AppData\Local\Temp\keygen.exe"
        14⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3848
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        15⤵
        
        PID:5048
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        16⤵
        
        PID:4964
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4964 -s 312
        17⤵
        Program crash
        
        PID:4696
        
        C:\Users\Admin\AppData\Local\Temp\keygen.exe
        
        "C:\Users\Admin\AppData\Local\Temp\keygen.exe"
        15⤵
        
        PID:2952
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        16⤵
        
        PID:4516
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        17⤵
        
        PID:1132
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1132 -s 316
        18⤵
        Program crash
        
        PID:3000
        
        C:\Users\Admin\AppData\Local\Temp\keygen.exe
        
        "C:\Users\Admin\AppData\Local\Temp\keygen.exe"
        16⤵
        
        PID:432
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        17⤵
        
        PID:4652
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        18⤵
        
        PID:3612
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c timeout 5 && del C:\Users\Admin\AppData\Local\Temp\Server.exe
        19⤵
        
        PID:4204
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 5
        20⤵
        Delays execution with timeout.exe
        
        PID:1500
        
        C:\Users\Admin\AppData\Local\Temp\keygen.exe
        
        "C:\Users\Admin\AppData\Local\Temp\keygen.exe"
        17⤵
        
        PID:2160
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        18⤵
        
        PID:1648
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        19⤵
        
        PID:4272
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4272 -s 312
        20⤵
        Program crash
        
        PID:3656
        
        C:\Users\Admin\AppData\Local\Temp\keygen.exe
        
        "C:\Users\Admin\AppData\Local\Temp\keygen.exe"
        18⤵
        
        PID:3964
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        19⤵
        
        PID:4232
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        20⤵
        
        PID:3232
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c timeout 5 && del C:\Users\Admin\AppData\Local\Temp\Server.exe
        21⤵
        
        PID:4276
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 5
        22⤵
        Delays execution with timeout.exe
        
        PID:4052
        
        C:\Users\Admin\AppData\Local\Temp\keygen.exe
        
        "C:\Users\Admin\AppData\Local\Temp\keygen.exe"
        19⤵
        
        PID:1056
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        20⤵
        
        PID:628
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        21⤵
        
        PID:5104
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5104 -s 312
        22⤵
        Program crash
        
        PID:4756
        
        C:\Users\Admin\AppData\Local\Temp\keygen.exe
        
        "C:\Users\Admin\AppData\Local\Temp\keygen.exe"
        20⤵
        
        PID:3856
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        21⤵
        
        PID:2244
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        22⤵
        
        PID:4160
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c timeout 5 && del C:\Users\Admin\AppData\Local\Temp\Server.exe
        23⤵
        
        PID:5028
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 5
        24⤵
        Delays execution with timeout.exe
        
        PID:624
        
        C:\Users\Admin\AppData\Local\Temp\keygen.exe
        
        "C:\Users\Admin\AppData\Local\Temp\keygen.exe"
        21⤵
        
        PID:1112
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        22⤵
        
        PID:3392
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        23⤵
        
        PID:3544
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c timeout 5 && del C:\Users\Admin\AppData\Local\Temp\Server.exe
        24⤵
        
        PID:3952
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 5
        25⤵
        Delays execution with timeout.exe
        
        PID:1636
        
        C:\Users\Admin\AppData\Local\Temp\keygen.exe
        
        "C:\Users\Admin\AppData\Local\Temp\keygen.exe"
        22⤵
        
        PID:4100
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        23⤵
        
        PID:4796
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        24⤵
        
        PID:1960
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c timeout 5 && del C:\Users\Admin\AppData\Local\Temp\Server.exe
        25⤵
        
        PID:3524
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 5
        26⤵
        Delays execution with timeout.exe
        
        PID:1524
        
        C:\Users\Admin\AppData\Local\Temp\keygen.exe
        
        "C:\Users\Admin\AppData\Local\Temp\keygen.exe"
        23⤵
        
        PID:1632
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        24⤵
        
        PID:2440
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        25⤵
        
        PID:688
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c timeout 5 && del C:\Users\Admin\AppData\Local\Temp\Server.exe
        26⤵
        
        PID:536
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 5
        27⤵
        Delays execution with timeout.exe
        
        PID:2640
        
        C:\Users\Admin\AppData\Local\Temp\keygen.exe
        
        "C:\Users\Admin\AppData\Local\Temp\keygen.exe"
        24⤵
        
        PID:516
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        25⤵
        
        PID:4980
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        26⤵
        
        PID:3104
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3104 -s 312
        27⤵
        Program crash
        
        PID:2020
        
        C:\Users\Admin\AppData\Local\Temp\keygen.exe
        
        "C:\Users\Admin\AppData\Local\Temp\keygen.exe"
        25⤵
        
        PID:3936
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        26⤵
        
        PID:4816
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        27⤵
        
        PID:3656
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c timeout 5 && del C:\Users\Admin\AppData\Local\Temp\Server.exe
        28⤵
        
        PID:2024
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 5
        29⤵
        Delays execution with timeout.exe
        
        PID:2696
        
        C:\Users\Admin\AppData\Local\Temp\keygen.exe
        
        "C:\Users\Admin\AppData\Local\Temp\keygen.exe"
        26⤵
        
        PID:4788
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        27⤵
        
        PID:3532
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        28⤵
        
        PID:4248
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4248 -s 312
        29⤵
        Program crash
        
        PID:5036
        
        C:\Users\Admin\AppData\Local\Temp\keygen.exe
        
        "C:\Users\Admin\AppData\Local\Temp\keygen.exe"
        27⤵
        
        PID:4196
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        28⤵
        
        PID:3452
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        29⤵
        
        PID:3588
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c timeout 5 && del C:\Users\Admin\AppData\Local\Temp\Server.exe
        30⤵
        
        PID:892
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 5
        31⤵
        Delays execution with timeout.exe
        
        PID:3000
        
        C:\Users\Admin\AppData\Local\Temp\keygen.exe
        
        "C:\Users\Admin\AppData\Local\Temp\keygen.exe"
        28⤵
        
        PID:2704
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        29⤵
        
        PID:2144
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        30⤵
        
        PID:4076
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c timeout 5 && del C:\Users\Admin\AppData\Local\Temp\Server.exe
        31⤵
        
        PID:4352
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 5
        32⤵
        Delays execution with timeout.exe
        
        PID:2796
        
        C:\Users\Admin\AppData\Local\Temp\keygen.exe
        
        "C:\Users\Admin\AppData\Local\Temp\keygen.exe"
        29⤵
        
        PID:3648
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        30⤵
        
        PID:2952
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        31⤵
        
        PID:1200
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c timeout 5 && del C:\Users\Admin\AppData\Local\Temp\Server.exe
        32⤵
        
        PID:1576
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 5
        33⤵
        Delays execution with timeout.exe
        
        PID:1828
        
        C:\Users\Admin\AppData\Local\Temp\keygen.exe
        
        "C:\Users\Admin\AppData\Local\Temp\keygen.exe"
        30⤵
        
        PID:3688
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        31⤵
        
        PID:4632
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        32⤵
        
        PID:848
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c timeout 5 && del C:\Users\Admin\AppData\Local\Temp\Server.exe
        33⤵
        
        PID:5004
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 5
        34⤵
        Delays execution with timeout.exe
        
        PID:1404
        
        C:\Users\Admin\AppData\Local\Temp\keygen.exe
        
        "C:\Users\Admin\AppData\Local\Temp\keygen.exe"
        31⤵
        
        PID:1976
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        32⤵
        
        PID:4696
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        33⤵
        
        PID:3972
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3972 -s 312
        34⤵
        Program crash
        
        PID:3420
        
        C:\Users\Admin\AppData\Local\Temp\keygen.exe
        
        "C:\Users\Admin\AppData\Local\Temp\keygen.exe"
        32⤵
        
        PID:3472
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        33⤵
        
        PID:4008
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        34⤵
        
        PID:4760
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4760 -s 312
        35⤵
        Program crash
        
        PID:2988
        
        C:\Users\Admin\AppData\Local\Temp\keygen.exe
        
        "C:\Users\Admin\AppData\Local\Temp\keygen.exe"
        33⤵
        
        PID:2552
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        34⤵
        
        PID:244
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        35⤵
        
        PID:4708
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4708 -s 312
        36⤵
        Program crash
        
        PID:4812
        
        C:\Users\Admin\AppData\Local\Temp\keygen.exe
        
        "C:\Users\Admin\AppData\Local\Temp\keygen.exe"
        34⤵
        
        PID:1632
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        35⤵
        
        PID:2512
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        36⤵
        
        PID:4324
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4324 -s 312
        37⤵
        Program crash
        
        PID:2732
        
        C:\Users\Admin\AppData\Local\Temp\keygen.exe
        
        "C:\Users\Admin\AppData\Local\Temp\keygen.exe"
        35⤵
        
        PID:4624
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        36⤵
        
        PID:3936
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        37⤵
        
        PID:532
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c timeout 5 && del C:\Users\Admin\AppData\Local\Temp\Server.exe
        38⤵
        
        PID:4428
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 5
        39⤵
        Delays execution with timeout.exe
        
        PID:4280
        
        C:\Users\Admin\AppData\Local\Temp\keygen.exe
        
        "C:\Users\Admin\AppData\Local\Temp\keygen.exe"
        36⤵
        
        PID:3688
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        37⤵
        
        PID:5112
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        38⤵
        
        PID:3944
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c timeout 5 && del C:\Users\Admin\AppData\Local\Temp\Server.exe
        39⤵
        
        PID:3688
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 5
        40⤵
        Delays execution with timeout.exe
        
        PID:720
        
        C:\Users\Admin\AppData\Local\Temp\keygen.exe
        
        "C:\Users\Admin\AppData\Local\Temp\keygen.exe"
        37⤵
        
        PID:876
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        38⤵
        
        PID:4316
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        39⤵
        
        PID:4628
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4628 -s 312
        40⤵
        Program crash
        
        PID:952
        
        C:\Users\Admin\AppData\Local\Temp\keygen.exe
        
        "C:\Users\Admin\AppData\Local\Temp\keygen.exe"
        38⤵
        
        PID:2968
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        39⤵
        
        PID:4056
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        40⤵
        
        PID:3968
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3968 -s 312
        41⤵
        Program crash
        
        PID:4300
        
        C:\Users\Admin\AppData\Local\Temp\keygen.exe
        
        "C:\Users\Admin\AppData\Local\Temp\keygen.exe"
        39⤵
        
        PID:3644
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        40⤵
        
        PID:5056
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        41⤵
        
        PID:2156
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c timeout 5 && del C:\Users\Admin\AppData\Local\Temp\Server.exe
        42⤵
        
        PID:1432
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 5
        43⤵
        Delays execution with timeout.exe
        
        PID:2488
        
        C:\Users\Admin\AppData\Local\Temp\keygen.exe
        
        "C:\Users\Admin\AppData\Local\Temp\keygen.exe"
        40⤵
        
        PID:4568
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        41⤵
        
        PID:3228
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        42⤵
        
        PID:664
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c timeout 5 && del C:\Users\Admin\AppData\Local\Temp\Server.exe
        43⤵
        
        PID:1720
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 5
        44⤵
        Delays execution with timeout.exe
        
        PID:4672
        
        C:\Users\Admin\AppData\Local\Temp\keygen.exe
        
        "C:\Users\Admin\AppData\Local\Temp\keygen.exe"
        41⤵
        
        PID:1316
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        42⤵
        
        PID:1048
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        43⤵
        
        PID:4716
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c timeout 5 && del C:\Users\Admin\AppData\Local\Temp\Server.exe
        44⤵
        
        PID:924
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 5
        45⤵
        Delays execution with timeout.exe
        
        PID:1588
        
        C:\Users\Admin\AppData\Local\Temp\keygen.exe
        
        "C:\Users\Admin\AppData\Local\Temp\keygen.exe"
        42⤵
        
        PID:2112
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        43⤵
        
        PID:2008
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        44⤵
        
        PID:1580
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c timeout 5 && del C:\Users\Admin\AppData\Local\Temp\Server.exe
        45⤵
        
        PID:1412
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 5
        46⤵
        Delays execution with timeout.exe
        
        PID:2768
        
        C:\Users\Admin\AppData\Local\Temp\keygen.exe
        
        "C:\Users\Admin\AppData\Local\Temp\keygen.exe"
        43⤵
        
        PID:1056
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        44⤵
        
        PID:4580
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        45⤵
        
        PID:4648
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c timeout 5 && del C:\Users\Admin\AppData\Local\Temp\Server.exe
        46⤵
        
        PID:2876
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 5
        47⤵
        Delays execution with timeout.exe
        
        PID:4436
        
        C:\Users\Admin\AppData\Local\Temp\keygen.exe
        
        "C:\Users\Admin\AppData\Local\Temp\keygen.exe"
        44⤵
        
        PID:3928
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        45⤵
        
        PID:4976
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        46⤵
        
        PID:1072
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1072 -s 312
        47⤵
        Program crash
        
        PID:3464
        
        C:\Users\Admin\AppData\Local\Temp\keygen.exe
        
        "C:\Users\Admin\AppData\Local\Temp\keygen.exe"
        45⤵
        
        PID:1648
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        46⤵
        
        PID:1932
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        47⤵
        
        PID:3224
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3224 -s 312
        48⤵
        Program crash
        
        PID:3496
        
        C:\Users\Admin\AppData\Local\Temp\keygen.exe
        
        "C:\Users\Admin\AppData\Local\Temp\keygen.exe"
        46⤵
        
        PID:1396
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        47⤵
        
        PID:440
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        48⤵
        
        PID:2984
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2984 -s 312
        49⤵
        Program crash
        
        PID:2088
        
        C:\Users\Admin\AppData\Local\Temp\keygen.exe
        
        "C:\Users\Admin\AppData\Local\Temp\keygen.exe"
        47⤵
        
        PID:2816
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        48⤵
        
        PID:2084
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        49⤵
        
        PID:764
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c timeout 5 && del C:\Users\Admin\AppData\Local\Temp\Server.exe
        50⤵
        
        PID:1492
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 5
        51⤵
        Delays execution with timeout.exe
        
        PID:4024
        
        C:\Users\Admin\AppData\Local\Temp\keygen.exe
        
        "C:\Users\Admin\AppData\Local\Temp\keygen.exe"
        48⤵
        
        PID:4832
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        49⤵
        
        PID:4084
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        50⤵
        
        PID:3644
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c timeout 5 && del C:\Users\Admin\AppData\Local\Temp\Server.exe
        51⤵
        
        PID:1780
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 5
        52⤵
        Delays execution with timeout.exe
        
        PID:3520
        
        C:\Users\Admin\AppData\Local\Temp\keygen.exe
        
        "C:\Users\Admin\AppData\Local\Temp\keygen.exe"
        49⤵
        
        PID:4024
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        50⤵
        
        PID:4300
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        51⤵
        
        PID:4936
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c timeout 5 && del C:\Users\Admin\AppData\Local\Temp\Server.exe
        52⤵
        
        PID:1056
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        53⤵
        
        PID:5016
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 5
        53⤵
        Delays execution with timeout.exe
        
        PID:400
        
        C:\Users\Admin\AppData\Local\Temp\keygen.exe
        
        "C:\Users\Admin\AppData\Local\Temp\keygen.exe"
        50⤵
        
        PID:3208
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        51⤵
        
        PID:4052
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        52⤵
        
        PID:4716
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c timeout 5 && del C:\Users\Admin\AppData\Local\Temp\Server.exe
        53⤵
        
        PID:3496
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 5
        54⤵
        Delays execution with timeout.exe
        
        PID:3260
        
        C:\Users\Admin\AppData\Local\Temp\keygen.exe
        
        "C:\Users\Admin\AppData\Local\Temp\keygen.exe"
        51⤵
        
        PID:768
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        52⤵
        
        PID:2964
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        53⤵
        
        PID:3976
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c timeout 5 && del C:\Users\Admin\AppData\Local\Temp\Server.exe
        54⤵
        
        PID:2104
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 5
        55⤵
        Delays execution with timeout.exe
        
        PID:4428
        
        C:\Users\Admin\AppData\Local\Temp\keygen.exe
        
        "C:\Users\Admin\AppData\Local\Temp\keygen.exe"
        52⤵
        
        PID:3000
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        53⤵
        
        PID:2336
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        54⤵
        
        PID:1668
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1668 -s 328
        55⤵
        Program crash
        
        PID:2060
        
        C:\Users\Admin\AppData\Local\Temp\keygen.exe
        
        "C:\Users\Admin\AppData\Local\Temp\keygen.exe"
        53⤵
        
        PID:3260
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        54⤵
        
        PID:3592
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        55⤵
        
        PID:1480
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1480 -s 312
        56⤵
        Program crash
        
        PID:1588
        
        C:\Users\Admin\AppData\Local\Temp\keygen.exe
        
        "C:\Users\Admin\AppData\Local\Temp\keygen.exe"
        54⤵
        
        PID:1672
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        55⤵
        
        PID:2316
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        56⤵
        
        PID:3604
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c timeout 5 && del C:\Users\Admin\AppData\Local\Temp\Server.exe
        57⤵
        
        PID:2904
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 5
        58⤵
        Delays execution with timeout.exe
        
        PID:5036
        
        C:\Users\Admin\AppData\Local\Temp\keygen.exe
        
        "C:\Users\Admin\AppData\Local\Temp\keygen.exe"
        55⤵
        
        PID:720
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        56⤵
        
        PID:3648
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        57⤵
        
        PID:4280
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4280 -s 312
        58⤵
        Program crash
        
        PID:4568
        
        C:\Users\Admin\AppData\Local\Temp\keygen.exe
        
        "C:\Users\Admin\AppData\Local\Temp\keygen.exe"
        56⤵
        
        PID:5116
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        57⤵
        
        PID:1964
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        58⤵
        
        PID:436
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c timeout 5 && del C:\Users\Admin\AppData\Local\Temp\Server.exe
        59⤵
        
        PID:4200
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 5
        60⤵
        Delays execution with timeout.exe
        
        PID:1316
        
        C:\Users\Admin\AppData\Local\Temp\keygen.exe
        
        "C:\Users\Admin\AppData\Local\Temp\keygen.exe"
        57⤵
        
        PID:548
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        58⤵
        
        PID:1204
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        59⤵
        
        PID:5008
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c timeout 5 && del C:\Users\Admin\AppData\Local\Temp\Server.exe
        60⤵
        
        PID:1892
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 5
        61⤵
        Delays execution with timeout.exe
        
        PID:3416
        
        C:\Users\Admin\AppData\Local\Temp\keygen.exe
        
        "C:\Users\Admin\AppData\Local\Temp\keygen.exe"
        58⤵
        
        PID:4372
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        59⤵
        
        PID:4756
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        60⤵
        
        PID:1924
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c timeout 5 && del C:\Users\Admin\AppData\Local\Temp\Server.exe
        61⤵
        
        PID:3976
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 5
        62⤵
        Delays execution with timeout.exe
        
        PID:4188
        
        C:\Users\Admin\AppData\Local\Temp\keygen.exe
        
        "C:\Users\Admin\AppData\Local\Temp\keygen.exe"
        59⤵
        
        PID:3932
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        60⤵
        
        PID:1016
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        61⤵
        
        PID:768
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c timeout 5 && del C:\Users\Admin\AppData\Local\Temp\Server.exe
        62⤵
        
        PID:1332
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 5
        63⤵
        Delays execution with timeout.exe
        
        PID:4028
        
        C:\Users\Admin\AppData\Local\Temp\keygen.exe
        
        "C:\Users\Admin\AppData\Local\Temp\keygen.exe"
        60⤵
        
        PID:4800
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        61⤵
        
        PID:4636
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        62⤵
        
        PID:876
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c timeout 5 && del C:\Users\Admin\AppData\Local\Temp\Server.exe
        63⤵
        
        PID:3980
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 5
        64⤵
        Delays execution with timeout.exe
        
        PID:2820
        
        C:\Users\Admin\AppData\Local\Temp\keygen.exe
        
        "C:\Users\Admin\AppData\Local\Temp\keygen.exe"
        61⤵
        
        PID:4436
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        62⤵
        
        PID:4396
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        63⤵
        
        PID:1524
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1524 -s 312
        64⤵
        Program crash
        
        PID:1468
        
        C:\Users\Admin\AppData\Local\Temp\keygen.exe
        
        "C:\Users\Admin\AppData\Local\Temp\keygen.exe"
        62⤵
        
        PID:4308
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        63⤵
        
        PID:4780
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        64⤵
        
        PID:2176
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c timeout 5 && del C:\Users\Admin\AppData\Local\Temp\Server.exe
        65⤵
        
        PID:1576
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 5
        66⤵
        Delays execution with timeout.exe
        
        PID:4668
        
        C:\Users\Admin\AppData\Local\Temp\keygen.exe
        
        "C:\Users\Admin\AppData\Local\Temp\keygen.exe"
        63⤵
        
        PID:3536
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        64⤵
        
        PID:2732
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        65⤵
        
        PID:4520
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c timeout 5 && del C:\Users\Admin\AppData\Local\Temp\Server.exe
        66⤵
        
        PID:2696
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 5
        67⤵
        Delays execution with timeout.exe
        
        PID:3648
        
        C:\Users\Admin\AppData\Local\Temp\keygen.exe
        
        "C:\Users\Admin\AppData\Local\Temp\keygen.exe"
        64⤵
        
        PID:4884
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        65⤵
        
        PID:3212
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        66⤵
        
        PID:5048
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c timeout 5 && del C:\Users\Admin\AppData\Local\Temp\Server.exe
        67⤵
        
        PID:2684
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 5
        68⤵
        Delays execution with timeout.exe
        
        PID:1272
        
        C:\Users\Admin\AppData\Local\Temp\keygen.exe
        
        "C:\Users\Admin\AppData\Local\Temp\keygen.exe"
        65⤵
        
        PID:2572
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        66⤵
        
        PID:4108
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        67⤵
        
        PID:1632
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c timeout 5 && del C:\Users\Admin\AppData\Local\Temp\Server.exe
        68⤵
        
        PID:2144
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 5
        69⤵
        Delays execution with timeout.exe
        
        PID:2592
        
        C:\Users\Admin\AppData\Local\Temp\keygen.exe
        
        "C:\Users\Admin\AppData\Local\Temp\keygen.exe"
        66⤵
        
        PID:4800
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        67⤵
        
        PID:720
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        68⤵
        
        PID:3056
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3056 -s 312
        69⤵
        Program crash
        
        PID:3960
        
        C:\Users\Admin\AppData\Local\Temp\keygen.exe
        
        "C:\Users\Admin\AppData\Local\Temp\keygen.exe"
        67⤵
        
        PID:812
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        68⤵
        
        PID:2648
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        69⤵
        
        PID:4756
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4756 -s 312
        70⤵
        Program crash
        
        PID:4416
        
        C:\Users\Admin\AppData\Local\Temp\keygen.exe
        
        "C:\Users\Admin\AppData\Local\Temp\keygen.exe"
        68⤵
        
        PID:2344
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        69⤵
        
        PID:2392
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        70⤵
        
        PID:4652
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c timeout 5 && del C:\Users\Admin\AppData\Local\Temp\Server.exe
        71⤵
        
        PID:3532
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 5
        72⤵
        Delays execution with timeout.exe
        
        PID:4280
        
        C:\Users\Admin\AppData\Local\Temp\keygen.exe
        
        "C:\Users\Admin\AppData\Local\Temp\keygen.exe"
        69⤵
        
        PID:3028
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        70⤵
        
        PID:1140
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        71⤵
        
        PID:4396
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 312
        72⤵
        Program crash
        
        PID:3988
        
        C:\Users\Admin\AppData\Local\Temp\keygen.exe
        
        "C:\Users\Admin\AppData\Local\Temp\keygen.exe"
        70⤵
        
        PID:4316
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        71⤵
        
        PID:5012
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        72⤵
        
        PID:4232
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4232 -s 312
        73⤵
        Program crash
        
        PID:3420
        
        C:\Users\Admin\AppData\Local\Temp\keygen.exe
        
        "C:\Users\Admin\AppData\Local\Temp\keygen.exe"
        71⤵
        
        PID:3988
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        72⤵
        
        PID:4308
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        73⤵
        
        PID:1316
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1316 -s 312
        74⤵
        Program crash
        
        PID:4300
        
        C:\Users\Admin\AppData\Local\Temp\keygen.exe
        
        "C:\Users\Admin\AppData\Local\Temp\keygen.exe"
        72⤵
        
        PID:2328
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        73⤵
        
        PID:2084
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        74⤵
        
        PID:1780
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c timeout 5 && del C:\Users\Admin\AppData\Local\Temp\Server.exe
        75⤵
        
        PID:3580
        
        C:\Users\Admin\AppData\Local\Temp\keygen.exe
        
        "C:\Users\Admin\AppData\Local\Temp\keygen.exe"
        73⤵
        
        PID:5116
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        74⤵
        
        PID:1288
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        75⤵
        
        PID:4468
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c timeout 5 && del C:\Users\Admin\AppData\Local\Temp\Server.exe
        76⤵
        
        PID:720
        
        C:\Users\Admin\AppData\Local\Temp\keygen.exe
        
        "C:\Users\Admin\AppData\Local\Temp\keygen.exe"
        74⤵
        
        PID:4372
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        75⤵
        
        PID:4856
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        76⤵
        
        PID:4864
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c timeout 5 && del C:\Users\Admin\AppData\Local\Temp\Server.exe
        77⤵
        
        PID:2468
        
        C:\Users\Admin\AppData\Local\Temp\keygen.exe
        
        "C:\Users\Admin\AppData\Local\Temp\keygen.exe"
        75⤵
        
        PID:3416
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        76⤵
        
        PID:5028
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        77⤵
        
        PID:5116
        
        C:\Users\Admin\AppData\Local\Temp\keygen.exe
        
        "C:\Users\Admin\AppData\Local\Temp\keygen.exe"
        76⤵
        
        PID:2272
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        77⤵
        
        PID:3528
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        78⤵
        
        PID:4224
        
        C:\Users\Admin\AppData\Local\Temp\keygen.exe
        
        "C:\Users\Admin\AppData\Local\Temp\keygen.exe"
        77⤵
        
        PID:512
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        78⤵
        
        PID:2888
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        79⤵
        
        PID:4060
        
        C:\Users\Admin\AppData\Local\Temp\keygen.exe
        
        "C:\Users\Admin\AppData\Local\Temp\keygen.exe"
        78⤵
        
        PID:4420
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        79⤵
        
        PID:3636
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        80⤵
        
        PID:412
        
        C:\Users\Admin\AppData\Local\Temp\keygen.exe
        
        "C:\Users\Admin\AppData\Local\Temp\keygen.exe"
        79⤵
        
        PID:2112
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        80⤵
        
        PID:3028
        
        C:\Users\Admin\AppData\Local\Temp\keygen.exe
        
        "C:\Users\Admin\AppData\Local\Temp\keygen.exe"
        80⤵
        
        PID:3524
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        81⤵
        
        PID:2580
        
        C:\Users\Admin\AppData\Local\Temp\keygen.exe
        
        "C:\Users\Admin\AppData\Local\Temp\keygen.exe"
        81⤵
        
        PID:4040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3860 -ip 3860
1⤵
PID:3104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 180 -p 4964 -ip 4964
1⤵
PID:3936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 1132 -ip 1132
1⤵
PID:1960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4272 -ip 4272
1⤵
PID:2524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 180 -p 5104 -ip 5104
1⤵
PID:3088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 3104 -ip 3104
1⤵
PID:3332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 4248 -ip 4248
1⤵
PID:4356

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3972 -ip 3972
1⤵
PID:3384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4760 -ip 4760
1⤵
PID:4196

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4708 -ip 4708
1⤵
PID:4580

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4324 -ip 4324
1⤵
PID:1084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 400 -p 4628 -ip 4628
1⤵
PID:1672

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3968 -ip 3968
1⤵
PID:3420

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 1072 -ip 1072
1⤵
PID:4224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3224 -ip 3224
1⤵
PID:1056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 400 -p 2984 -ip 2984
1⤵
PID:4356

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1668 -ip 1668
1⤵
PID:1576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 1480 -ip 1480
1⤵
PID:3864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4280 -ip 4280
1⤵
PID:2920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 1524 -ip 1524
1⤵
PID:4084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3056 -ip 3056
1⤵
PID:1780

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4756 -ip 4756
1⤵
PID:4204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4396 -ip 4396
1⤵
PID:3088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4232 -ip 4232
1⤵
PID:4016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 1316 -ip 1316
1⤵
PID:2520

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\@8EE2.tmp

Filesize
4KB

MD5
25530555085337eb644b061f239aa9d4

SHA1
8d91e099aba5439d4bfa8bce464c94e3e1acf620

SHA256
3fb6b438ad1530abdd068bffb303fb8a4de51430e0e18ddb6b1a0469ffab8325

SHA512
b1f9de0c276533a5a7070aeb2b6415cc1c0bdd2baf5e0645c6ac5ba767cab0d76e5b4461800d89724992af2c863294ada3c1eb2e4516183fe2010c33d47d6a2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Install.exe

Filesize
1009KB

MD5
92cc49351c78a81211a12f97cabf810c

SHA1
403a7f412a1d5accd7f16ac4629cf50577bff263

SHA256
4f8fd1af6bdaabfd536c93cf78ae451615ff1b0f3889b8d6ab40404324f02a51

SHA512
cf589b811e635dd8a3af2286a21efaa1e3768a77b45dcdd7242e590b20e3a5ccca8c84a7c8987c9465373896d94e407d7ce5e19b33381d7c04b3c61da3457b82

Download Submit
C:\Users\Admin\AppData\Local\Temp\Server.exe

Filesize
516KB

MD5
22d2efe7bad26ed8da38abcf9de3be97

SHA1
9d619d5dec8c2350226c3f817c46fce551973847

SHA256
4764e7e0f0f2edcc5e0234880bc5996ae2cb4f84cb7e3f6d8d70562afc88f2bb

SHA512
bee0ff369b7498dd4b4a994b0ba3c80dfeef74c0cec9b47323d04893c89a2f102863c6e627acb579b4457bf3dc3eac79eaf37616e3834d59ec9a75d94dc1c057

Download Submit
C:\Users\Admin\AppData\Local\Temp\keygen.exe

Filesize
513KB

MD5
137908119c07ee5da0f191ee183d8112

SHA1
302d5fec12ddc8da2605e0207447cecc81e23071

SHA256
e423dda0815091f3fbe79631df6a2bcee3c684fc17434734c323454564953571

SHA512
545c851ff7a0cdeb41431c5c03533ce5e91f53d1e4d924e8cc0343d40c4568c9e98ccd24e15e6be915870fed43951b2baafb2a45f962e3ed39a97a50f1e238f9

Download Submit
C:\Users\Admin\AppData\Roaming\chrtmp

Filesize
114KB

MD5
2dc3133caeb5792be5e5c6c2fa812e34

SHA1
0ed75d85c6a2848396d5dd30e89987f0a8b5cedb

SHA256
4b3998fd2844bc1674b691c74d67e56062e62bf4738de9fe7fb26b8d3def9cd7

SHA512
2ca157c2f01127115d0358607c167c2f073b83d185bdd44ac221b3792c531d784515a76344585ec1557de81430a7d2e69b286155986e46b1e720dfac96098612

Download Submit
C:\Windows\SysWOW64\28463\AKV.exe

Filesize
395KB

MD5
d63cc8679a63448db1c64252e14e4ab5

SHA1
10b3a9ac4bc16e8ac1cd05e50b4d540fa3ef223e

SHA256
29b3646a556879a4a48e4f2f81e09179c34ac2051ed3e4f4c28e293092470d3d

SHA512
cb1911e1a77fb9be560aa4fd8bbef65e181b6d4438d65657501dbcd8dbf488ba01738a7222f35f8d4317e8df8c6f307d9e3623d6e3e45753e138b80fb68ff768

Download Submit
C:\Windows\SysWOW64\28463\HCUA.001

Filesize
452B

MD5
11e14155718e261dfa77081945e85834

SHA1
2fe35cd73a8fdc53a696a29fbcc06f8aa5b5d701

SHA256
a19b499aeaf1e3740c1ca4babb2644511b8894954eebfd3c12fd1c87def695de

SHA512
d798d8a89e1021f9fcc04a3200e31d70a5009d21fec654795e2d05dd05e2cabed44895e9b4c3118dc51ede9c47a0418282e1d048f62dc0364a74f7135283f6cc

Download Submit
C:\Windows\SysWOW64\28463\HCUA.006

Filesize
8KB

MD5
81e20f4361cf8f5a57812871c24d945e

SHA1
5d7877d6959ab26599b05795a71633f00c37a3da

SHA256
e6e8b4a29dccb3531f58c75b754caf7f26afe3e7043239305fd0ae7ab2f7571d

SHA512
69b1d75ab7123054bf98cf3a0f2cc7a0749cda8d85ebdef85be7d89f1454154ce29070907b934727a6c5276ff430e94810b87a5634d25d8529df9ee36fd20818

Download Submit
C:\Windows\SysWOW64\28463\HCUA.007

Filesize
5KB

MD5
e9fbdcc2f5fb657fa519b3f5c69fc52d

SHA1
c49cca77b46a59d620711de7564d43e5dafcd2b5

SHA256
cc440cfc4ce1a1ff503cc9e8937c59aae64bfce4daa3e7dc757220a25cadc2e4

SHA512
913759967e16b99d8ea66433e5dc99d5ddbf737be6784306e67c2b23a525b7a578fcae1028221d3209abc452ff30508eb750c62113c3868a7af36b544e525fb1

Download Submit
C:\Windows\SysWOW64\28463\HCUA.exe

Filesize
473KB

MD5
97d8ad45f48b4b28a93aab94699b7168

SHA1
8b69b7fd7c008b95d12386f6da415097e72151de

SHA256
661df22a66b2062b233eb0bd9665de924cfe0ac9c6ba29e20ffef24f817f9331

SHA512
3351eac970bab391de410fcf1937da75d2e4722b808f10332f487ddfe469544e32e7d4ed0e5bdc19bd5f472cffcc55ca1498c95945b4e9c4ceff6ff5cc521c8a

Download Submit
memory/68-199-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/428-42-0x0000000002200000-0x0000000002201000-memory.dmp

Filesize
4KB

Download
memory/636-161-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1012-125-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1132-220-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1188-46-0x00007FFC5AAA0000-0x00007FFC5B441000-memory.dmp

Filesize
9.6MB

Download
memory/1188-3-0x00007FFC5AAA0000-0x00007FFC5B441000-memory.dmp

Filesize
9.6MB

Download
memory/1188-0-0x00007FFC5AD55000-0x00007FFC5AD56000-memory.dmp

Filesize
4KB

Download
memory/1188-2-0x00007FFC5AAA0000-0x00007FFC5B441000-memory.dmp

Filesize
9.6MB

Download
memory/1936-103-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1936-109-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1936-128-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1948-191-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1956-150-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2844-181-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2896-171-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/3232-231-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/3612-219-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/3860-179-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/4272-234-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/4348-147-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/4540-137-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/4964-210-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads