redline | c9b0e483c2da25ee7d0373fe7d08fcccf72e297b2ce6f2d247ee80c31532b6af

Analysis

max time kernel
150s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
07/11/2024, 14:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6868e16886a76b94bb06530de0824102.exe
Size

4.4MB
MD5

6868e16886a76b94bb06530de0824102
SHA1

9561f6032df93c9bfeba7e0b7569205ca4c08494
SHA256

85a34b22de48d67cc0a3f669704ad180a2b230739bca0c163592aff05e4ab061
SHA512

58b2f7496347bca9956b1d9a77b6e6ecf2266677eef5079daa21f7d7f3bea4008004d908cdce7215d0cdd520b3787c03de053565bb21be160b4dc9aa9849ff9e
SSDEEP

12288:eHXjFFlqzTzIuKba6tmsynwzuLahORU8tk7DovbkSSlGZ7mSRWw704z8:OA7dHRQ

Score

10^/10

redline sectoprat discovery infostealer rat trojan

Malware Config

Extracted

Family

redline

89.41.26.185:49115

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral2/memory/4628-8-0x0000000000400000-0x000000000044C000-memory.dmp	family_redline

Redline family
redline
SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 1 IoCs

resource	yara_rule
behavioral2/memory/4628-8-0x0000000000400000-0x000000000044C000-memory.dmp	family_sectoprat

Sectoprat family
sectoprat

Suspicious use of SetThreadContext 64 IoCs

description	pid	Process	procid_target
PID 2024 set thread context of 3412	2024	6868e16886a76b94bb06530de0824102.exe	87
PID 3412 set thread context of 4628	3412	6868e16886a76b94bb06530de0824102.exe	93
PID 2024 set thread context of 540	2024	6868e16886a76b94bb06530de0824102.exe	98
PID 3412 set thread context of 2960	3412	6868e16886a76b94bb06530de0824102.exe	100
PID 3412 set thread context of 3608	3412	6868e16886a76b94bb06530de0824102.exe	107
PID 540 set thread context of 2380	540	6868e16886a76b94bb06530de0824102.exe	109
PID 2024 set thread context of 3544	2024	6868e16886a76b94bb06530de0824102.exe	112
PID 3412 set thread context of 3140	3412	6868e16886a76b94bb06530de0824102.exe	114
PID 540 set thread context of 5096	540	6868e16886a76b94bb06530de0824102.exe	116
PID 2024 set thread context of 5028	2024	6868e16886a76b94bb06530de0824102.exe	117
PID 3544 set thread context of 2112	3544	6868e16886a76b94bb06530de0824102.exe	118
PID 3412 set thread context of 3996	3412	6868e16886a76b94bb06530de0824102.exe	119
PID 540 set thread context of 732	540	6868e16886a76b94bb06530de0824102.exe	120
PID 2024 set thread context of 4764	2024	6868e16886a76b94bb06530de0824102.exe	121
PID 3544 set thread context of 2200	3544	6868e16886a76b94bb06530de0824102.exe	122
PID 5028 set thread context of 4268	5028	6868e16886a76b94bb06530de0824102.exe	123
PID 3412 set thread context of 4344	3412	6868e16886a76b94bb06530de0824102.exe	124
PID 540 set thread context of 3060	540	6868e16886a76b94bb06530de0824102.exe	125
PID 2024 set thread context of 220	2024	6868e16886a76b94bb06530de0824102.exe	129
PID 3544 set thread context of 1560	3544	6868e16886a76b94bb06530de0824102.exe	131
PID 5028 set thread context of 1700	5028	6868e16886a76b94bb06530de0824102.exe	132
PID 540 set thread context of 3112	540	6868e16886a76b94bb06530de0824102.exe	135
PID 3412 set thread context of 4524	3412	6868e16886a76b94bb06530de0824102.exe	136
PID 2024 set thread context of 3480	2024	6868e16886a76b94bb06530de0824102.exe	139
PID 3544 set thread context of 5060	3544	6868e16886a76b94bb06530de0824102.exe	140
PID 5028 set thread context of 4588	5028	6868e16886a76b94bb06530de0824102.exe	142
PID 220 set thread context of 2776	220	6868e16886a76b94bb06530de0824102.exe	143
PID 540 set thread context of 5000	540	6868e16886a76b94bb06530de0824102.exe	145
PID 3412 set thread context of 688	3412	6868e16886a76b94bb06530de0824102.exe	146
PID 2024 set thread context of 1652	2024	6868e16886a76b94bb06530de0824102.exe	150
PID 3544 set thread context of 1668	3544	6868e16886a76b94bb06530de0824102.exe	152
PID 220 set thread context of 1140	220	6868e16886a76b94bb06530de0824102.exe	153
PID 5028 set thread context of 1088	5028	6868e16886a76b94bb06530de0824102.exe	154
PID 540 set thread context of 4824	540	6868e16886a76b94bb06530de0824102.exe	156
PID 3412 set thread context of 4628	3412	6868e16886a76b94bb06530de0824102.exe	158
PID 2024 set thread context of 4068	2024	6868e16886a76b94bb06530de0824102.exe	162
PID 3544 set thread context of 964	3544	6868e16886a76b94bb06530de0824102.exe	163
PID 220 set thread context of 4512	220	6868e16886a76b94bb06530de0824102.exe	166
PID 1652 set thread context of 4756	1652	6868e16886a76b94bb06530de0824102.exe	167
PID 5028 set thread context of 1596	5028	6868e16886a76b94bb06530de0824102.exe	168
PID 540 set thread context of 4940	540	6868e16886a76b94bb06530de0824102.exe	169
PID 3412 set thread context of 4700	3412	6868e16886a76b94bb06530de0824102.exe	171
PID 3544 set thread context of 3636	3544	6868e16886a76b94bb06530de0824102.exe	175
PID 2024 set thread context of 3504	2024	6868e16886a76b94bb06530de0824102.exe	174
PID 220 set thread context of 3304	220	6868e16886a76b94bb06530de0824102.exe	179
PID 4068 set thread context of 3060	4068	6868e16886a76b94bb06530de0824102.exe	178
PID 1652 set thread context of 3812	1652	6868e16886a76b94bb06530de0824102.exe	180
PID 5028 set thread context of 3032	5028	6868e16886a76b94bb06530de0824102.exe	181
PID 540 set thread context of 4732	540	6868e16886a76b94bb06530de0824102.exe	184
PID 3412 set thread context of 1560	3412	6868e16886a76b94bb06530de0824102.exe	185
PID 3544 set thread context of 4312	3544	6868e16886a76b94bb06530de0824102.exe	187
PID 2024 set thread context of 5092	2024	6868e16886a76b94bb06530de0824102.exe	188
PID 220 set thread context of 1600	220	6868e16886a76b94bb06530de0824102.exe	189
PID 4068 set thread context of 2524	4068	6868e16886a76b94bb06530de0824102.exe	190
PID 3504 set thread context of 2904	3504	6868e16886a76b94bb06530de0824102.exe	191
PID 1652 set thread context of 4112	1652	6868e16886a76b94bb06530de0824102.exe	192
PID 5028 set thread context of 4860	5028	6868e16886a76b94bb06530de0824102.exe	193
PID 540 set thread context of 3040	540	6868e16886a76b94bb06530de0824102.exe	196
PID 3412 set thread context of 5000	3412	6868e16886a76b94bb06530de0824102.exe	197
PID 3544 set thread context of 3248	3544	6868e16886a76b94bb06530de0824102.exe	198
PID 2024 set thread context of 2224	2024	6868e16886a76b94bb06530de0824102.exe	199
PID 220 set thread context of 3308	220	6868e16886a76b94bb06530de0824102.exe	201
PID 3504 set thread context of 2912	3504	6868e16886a76b94bb06530de0824102.exe	202
PID 4068 set thread context of 2408	4068	6868e16886a76b94bb06530de0824102.exe	203

Program crash 64 IoCs

pid	pid_target	Process	procid_target
3932	4628	WerFault.exe	93
3148	3608	WerFault.exe	107
824	732	WerFault.exe	120
216	4764	WerFault.exe	121
1196	4268	WerFault.exe	123
1920	3060	WerFault.exe	125
2472	1560	WerFault.exe	131
3408	4524	WerFault.exe	136
4196	3480	WerFault.exe	139
3740	5000	WerFault.exe	145
4984	1668	WerFault.exe	152
5044	4824	WerFault.exe	156
1196	964	WerFault.exe	163
2384	1596	WerFault.exe	168
4600	3812	WerFault.exe	180
2604	5092	WerFault.exe	188
2308	2904	WerFault.exe	191
1552	4112	WerFault.exe	192
2472	3248	WerFault.exe	198
5168	428	WerFault.exe	218
5312	4268	WerFault.exe	226
5632	1004	WerFault.exe	231
5624	2604	WerFault.exe	229
5832	5400	WerFault.exe	244
5420	5932	WerFault.exe	267
5604	5960	WerFault.exe	268
5716	6000	WerFault.exe	270
5260	4700	WerFault.exe	277
5432	5892	WerFault.exe	291
6248	5092	WerFault.exe	294
6284	6140	WerFault.exe	304
6780	6204	WerFault.exe	321
6224	6636	WerFault.exe	337
2168	6996	WerFault.exe	350
1864	7016	WerFault.exe	351
7048	7068	WerFault.exe	353
7312	6804	WerFault.exe	372
7568	6208	WerFault.exe	388
7620	6220	WerFault.exe	389
7708	6640	WerFault.exe	391
7404	7684	WerFault.exe	413
7880	7988	WerFault.exe	428
7312	8096	WerFault.exe	431
7852	8164	WerFault.exe	433
8656	6180	WerFault.exe	463
8648	7724	WerFault.exe	465
8868	7552	WerFault.exe	472
8912	8228	WerFault.exe	476
7624	8208	WerFault.exe	515
8164	7612	WerFault.exe	518
8716	8276	WerFault.exe	519
9284	8592	WerFault.exe	525
4076	9764	WerFault.exe	573
9856	9864	WerFault.exe	580
1796	9900	WerFault.exe	582
536	10044	WerFault.exe	586
376	468	WerFault.exe	613
10232	9272	WerFault.exe	621
212	4256	WerFault.exe	640
7072	9812	WerFault.exe	655
3104	5088	WerFault.exe	660
2520	9976	WerFault.exe	670
10180	10120	WerFault.exe	673
8564	10232	WerFault.exe	676

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6868e16886a76b94bb06530de0824102.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6868e16886a76b94bb06530de0824102.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6868e16886a76b94bb06530de0824102.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6868e16886a76b94bb06530de0824102.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6868e16886a76b94bb06530de0824102.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6868e16886a76b94bb06530de0824102.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6868e16886a76b94bb06530de0824102.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6868e16886a76b94bb06530de0824102.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6868e16886a76b94bb06530de0824102.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6868e16886a76b94bb06530de0824102.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6868e16886a76b94bb06530de0824102.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6868e16886a76b94bb06530de0824102.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6868e16886a76b94bb06530de0824102.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6868e16886a76b94bb06530de0824102.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6868e16886a76b94bb06530de0824102.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6868e16886a76b94bb06530de0824102.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6868e16886a76b94bb06530de0824102.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6868e16886a76b94bb06530de0824102.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6868e16886a76b94bb06530de0824102.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6868e16886a76b94bb06530de0824102.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6868e16886a76b94bb06530de0824102.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6868e16886a76b94bb06530de0824102.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6868e16886a76b94bb06530de0824102.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6868e16886a76b94bb06530de0824102.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6868e16886a76b94bb06530de0824102.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6868e16886a76b94bb06530de0824102.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6868e16886a76b94bb06530de0824102.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6868e16886a76b94bb06530de0824102.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6868e16886a76b94bb06530de0824102.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6868e16886a76b94bb06530de0824102.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6868e16886a76b94bb06530de0824102.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6868e16886a76b94bb06530de0824102.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6868e16886a76b94bb06530de0824102.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6868e16886a76b94bb06530de0824102.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6868e16886a76b94bb06530de0824102.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6868e16886a76b94bb06530de0824102.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6868e16886a76b94bb06530de0824102.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6868e16886a76b94bb06530de0824102.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6868e16886a76b94bb06530de0824102.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6868e16886a76b94bb06530de0824102.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6868e16886a76b94bb06530de0824102.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6868e16886a76b94bb06530de0824102.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6868e16886a76b94bb06530de0824102.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6868e16886a76b94bb06530de0824102.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6868e16886a76b94bb06530de0824102.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6868e16886a76b94bb06530de0824102.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6868e16886a76b94bb06530de0824102.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6868e16886a76b94bb06530de0824102.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6868e16886a76b94bb06530de0824102.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6868e16886a76b94bb06530de0824102.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6868e16886a76b94bb06530de0824102.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6868e16886a76b94bb06530de0824102.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6868e16886a76b94bb06530de0824102.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6868e16886a76b94bb06530de0824102.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6868e16886a76b94bb06530de0824102.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6868e16886a76b94bb06530de0824102.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6868e16886a76b94bb06530de0824102.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6868e16886a76b94bb06530de0824102.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6868e16886a76b94bb06530de0824102.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6868e16886a76b94bb06530de0824102.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6868e16886a76b94bb06530de0824102.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6868e16886a76b94bb06530de0824102.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6868e16886a76b94bb06530de0824102.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6868e16886a76b94bb06530de0824102.exe

Checks SCSI registry key(s) 3 TTPs 14 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	dwm.exe

Enumerates system info in registry 2 TTPs 4 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe

Suspicious behavior: LoadsDriver 64 IoCs

pid	Process
2788	smss.exe
11176	Process not Found
5156	Process not Found
11196	Process not Found
11200	Process not Found
5284	smss.exe
11236	Process not Found
6428	Process not Found
9388	smss.exe
9668	smss.exe
2376	smss.exe
1660	smss.exe
5576	Process not Found
5420	Process not Found
6464	Process not Found
2892	Process not Found
6472	Process not Found
6496	Process not Found
6528	Process not Found
6576	Process not Found
5316	Process not Found
10704	Process not Found
6656	Process not Found
5668	Process not Found
1044	Process not Found
3220	Process not Found
6668	Process not Found
2300	Process not Found
4260	Process not Found
6704	Process not Found
6736	Process not Found
6352	Process not Found
6324	Process not Found
10716	Process not Found
5736	Process not Found
10840	Process not Found
10836	smss.exe
10892	Process not Found
10896	Process not Found
9296	smss.exe
2464	smss.exe
10944	Process not Found
7072	smss.exe
7244	smss.exe
10912	smss.exe
10928	smss.exe
10948	smss.exe
11024	Process not Found
10976	Process not Found
5112	Process not Found
4208	Process not Found
3828	Process not Found
11052	Process not Found
1692	Process not Found
3900	Process not Found
5024	Process not Found
3880	Process not Found
2120	Process not Found
2636	Process not Found
3688	Process not Found
11080	Process not Found
1892	Process not Found
944	Process not Found
11096	Process not Found

Suspicious use of AdjustPrivilegeToken 32 IoCs

description	pid	Process
Token: SeCreateGlobalPrivilege	5668	dwm.exe
Token: SeChangeNotifyPrivilege	5668	dwm.exe
Token: 33	5668	dwm.exe
Token: SeIncBasePriorityPrivilege	5668	dwm.exe
Token: SeCreateGlobalPrivilege	8276	dwm.exe
Token: SeChangeNotifyPrivilege	8276	dwm.exe
Token: 33	8276	dwm.exe
Token: SeIncBasePriorityPrivilege	8276	dwm.exe
Token: SeCreateGlobalPrivilege	5820	dwm.exe
Token: SeChangeNotifyPrivilege	5820	dwm.exe
Token: 33	5820	dwm.exe
Token: SeIncBasePriorityPrivilege	5820	dwm.exe
Token: SeCreateGlobalPrivilege	1320	dwm.exe
Token: SeChangeNotifyPrivilege	1320	dwm.exe
Token: 33	1320	dwm.exe
Token: SeIncBasePriorityPrivilege	1320	dwm.exe
Token: SeCreateGlobalPrivilege	5332	dwm.exe
Token: SeChangeNotifyPrivilege	5332	dwm.exe
Token: 33	5332	dwm.exe
Token: SeIncBasePriorityPrivilege	5332	dwm.exe
Token: SeCreateGlobalPrivilege	10140	dwm.exe
Token: SeChangeNotifyPrivilege	10140	dwm.exe
Token: 33	10140	dwm.exe
Token: SeIncBasePriorityPrivilege	10140	dwm.exe
Token: SeCreateGlobalPrivilege	7072	dwm.exe
Token: SeChangeNotifyPrivilege	7072	dwm.exe
Token: 33	7072	dwm.exe
Token: SeIncBasePriorityPrivilege	7072	dwm.exe
Token: SeCreateGlobalPrivilege	5820	dwm.exe
Token: SeChangeNotifyPrivilege	5820	dwm.exe
Token: 33	5820	dwm.exe
Token: SeIncBasePriorityPrivilege	5820	dwm.exe

Suspicious use of UnmapMainImage 64 IoCs

pid	Process
4628	6868e16886a76b94bb06530de0824102.exe
3608	6868e16886a76b94bb06530de0824102.exe
732	6868e16886a76b94bb06530de0824102.exe
4764	6868e16886a76b94bb06530de0824102.exe
4268	6868e16886a76b94bb06530de0824102.exe
3060	6868e16886a76b94bb06530de0824102.exe
688	6868e16886a76b94bb06530de0824102.exe
1560	6868e16886a76b94bb06530de0824102.exe
4524	6868e16886a76b94bb06530de0824102.exe
3480	6868e16886a76b94bb06530de0824102.exe
5000	6868e16886a76b94bb06530de0824102.exe
4700	6868e16886a76b94bb06530de0824102.exe
1668	6868e16886a76b94bb06530de0824102.exe
4824	6868e16886a76b94bb06530de0824102.exe
964	6868e16886a76b94bb06530de0824102.exe
1596	6868e16886a76b94bb06530de0824102.exe
5000	6868e16886a76b94bb06530de0824102.exe
3812	6868e16886a76b94bb06530de0824102.exe
2408	6868e16886a76b94bb06530de0824102.exe
964	6868e16886a76b94bb06530de0824102.exe
5092	6868e16886a76b94bb06530de0824102.exe
2904	6868e16886a76b94bb06530de0824102.exe
4112	6868e16886a76b94bb06530de0824102.exe
3248	6868e16886a76b94bb06530de0824102.exe
5140	6868e16886a76b94bb06530de0824102.exe
5200	6868e16886a76b94bb06530de0824102.exe
5292	6868e16886a76b94bb06530de0824102.exe
428	6868e16886a76b94bb06530de0824102.exe
4268	6868e16886a76b94bb06530de0824102.exe
1004	6868e16886a76b94bb06530de0824102.exe
2604	6868e16886a76b94bb06530de0824102.exe
5400	6868e16886a76b94bb06530de0824102.exe
2472	6868e16886a76b94bb06530de0824102.exe
5488	6868e16886a76b94bb06530de0824102.exe
4268	6868e16886a76b94bb06530de0824102.exe
5932	6868e16886a76b94bb06530de0824102.exe
5960	6868e16886a76b94bb06530de0824102.exe
6000	6868e16886a76b94bb06530de0824102.exe
5876	6868e16886a76b94bb06530de0824102.exe
5808	6868e16886a76b94bb06530de0824102.exe
4700	6868e16886a76b94bb06530de0824102.exe
5696	6868e16886a76b94bb06530de0824102.exe
5892	6868e16886a76b94bb06530de0824102.exe
5092	6868e16886a76b94bb06530de0824102.exe
6140	6868e16886a76b94bb06530de0824102.exe
6204	6868e16886a76b94bb06530de0824102.exe
7056	6868e16886a76b94bb06530de0824102.exe
5720	6868e16886a76b94bb06530de0824102.exe
2260	6868e16886a76b94bb06530de0824102.exe
6636	6868e16886a76b94bb06530de0824102.exe
6996	6868e16886a76b94bb06530de0824102.exe
7016	6868e16886a76b94bb06530de0824102.exe
7068	6868e16886a76b94bb06530de0824102.exe
1364	6868e16886a76b94bb06530de0824102.exe
7208	6868e16886a76b94bb06530de0824102.exe
7300	6868e16886a76b94bb06530de0824102.exe
7356	6868e16886a76b94bb06530de0824102.exe
6804	6868e16886a76b94bb06530de0824102.exe
7848	6868e16886a76b94bb06530de0824102.exe
7892	6868e16886a76b94bb06530de0824102.exe
6220	6868e16886a76b94bb06530de0824102.exe
6208	6868e16886a76b94bb06530de0824102.exe
6640	6868e16886a76b94bb06530de0824102.exe
3560	6868e16886a76b94bb06530de0824102.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2024 wrote to memory of 3412	2024	6868e16886a76b94bb06530de0824102.exe	87
PID 2024 wrote to memory of 3412	2024	6868e16886a76b94bb06530de0824102.exe	87
PID 2024 wrote to memory of 3412	2024	6868e16886a76b94bb06530de0824102.exe	87
PID 2024 wrote to memory of 3412	2024	6868e16886a76b94bb06530de0824102.exe	87
PID 2024 wrote to memory of 3412	2024	6868e16886a76b94bb06530de0824102.exe	87
PID 2024 wrote to memory of 3412	2024	6868e16886a76b94bb06530de0824102.exe	87
PID 2024 wrote to memory of 3412	2024	6868e16886a76b94bb06530de0824102.exe	87
PID 2024 wrote to memory of 3412	2024	6868e16886a76b94bb06530de0824102.exe	87
PID 2024 wrote to memory of 4832	2024	6868e16886a76b94bb06530de0824102.exe	92
PID 2024 wrote to memory of 4832	2024	6868e16886a76b94bb06530de0824102.exe	92
PID 2024 wrote to memory of 4832	2024	6868e16886a76b94bb06530de0824102.exe	92
PID 3412 wrote to memory of 4628	3412	6868e16886a76b94bb06530de0824102.exe	93
PID 3412 wrote to memory of 4628	3412	6868e16886a76b94bb06530de0824102.exe	93
PID 3412 wrote to memory of 4628	3412	6868e16886a76b94bb06530de0824102.exe	93
PID 2024 wrote to memory of 540	2024	6868e16886a76b94bb06530de0824102.exe	98
PID 2024 wrote to memory of 540	2024	6868e16886a76b94bb06530de0824102.exe	98
PID 2024 wrote to memory of 540	2024	6868e16886a76b94bb06530de0824102.exe	98
PID 3412 wrote to memory of 4628	3412	6868e16886a76b94bb06530de0824102.exe	93
PID 3412 wrote to memory of 4628	3412	6868e16886a76b94bb06530de0824102.exe	93
PID 3412 wrote to memory of 4628	3412	6868e16886a76b94bb06530de0824102.exe	93
PID 3412 wrote to memory of 4628	3412	6868e16886a76b94bb06530de0824102.exe	93
PID 3412 wrote to memory of 4628	3412	6868e16886a76b94bb06530de0824102.exe	93
PID 3412 wrote to memory of 2960	3412	6868e16886a76b94bb06530de0824102.exe	100
PID 3412 wrote to memory of 2960	3412	6868e16886a76b94bb06530de0824102.exe	100
PID 3412 wrote to memory of 2960	3412	6868e16886a76b94bb06530de0824102.exe	100
PID 2024 wrote to memory of 540	2024	6868e16886a76b94bb06530de0824102.exe	98
PID 2024 wrote to memory of 540	2024	6868e16886a76b94bb06530de0824102.exe	98
PID 2024 wrote to memory of 540	2024	6868e16886a76b94bb06530de0824102.exe	98
PID 2024 wrote to memory of 540	2024	6868e16886a76b94bb06530de0824102.exe	98
PID 2024 wrote to memory of 540	2024	6868e16886a76b94bb06530de0824102.exe	98
PID 2024 wrote to memory of 3040	2024	6868e16886a76b94bb06530de0824102.exe	106
PID 2024 wrote to memory of 3040	2024	6868e16886a76b94bb06530de0824102.exe	106
PID 2024 wrote to memory of 3040	2024	6868e16886a76b94bb06530de0824102.exe	106
PID 3412 wrote to memory of 2960	3412	6868e16886a76b94bb06530de0824102.exe	100
PID 3412 wrote to memory of 2960	3412	6868e16886a76b94bb06530de0824102.exe	100
PID 3412 wrote to memory of 2960	3412	6868e16886a76b94bb06530de0824102.exe	100
PID 3412 wrote to memory of 2960	3412	6868e16886a76b94bb06530de0824102.exe	100
PID 3412 wrote to memory of 2960	3412	6868e16886a76b94bb06530de0824102.exe	100
PID 3412 wrote to memory of 3608	3412	6868e16886a76b94bb06530de0824102.exe	107
PID 3412 wrote to memory of 3608	3412	6868e16886a76b94bb06530de0824102.exe	107
PID 3412 wrote to memory of 3608	3412	6868e16886a76b94bb06530de0824102.exe	107
PID 540 wrote to memory of 2380	540	6868e16886a76b94bb06530de0824102.exe	109
PID 540 wrote to memory of 2380	540	6868e16886a76b94bb06530de0824102.exe	109
PID 540 wrote to memory of 2380	540	6868e16886a76b94bb06530de0824102.exe	109
PID 2024 wrote to memory of 3544	2024	6868e16886a76b94bb06530de0824102.exe	112
PID 2024 wrote to memory of 3544	2024	6868e16886a76b94bb06530de0824102.exe	112
PID 2024 wrote to memory of 3544	2024	6868e16886a76b94bb06530de0824102.exe	112
PID 3412 wrote to memory of 3608	3412	6868e16886a76b94bb06530de0824102.exe	107
PID 3412 wrote to memory of 3608	3412	6868e16886a76b94bb06530de0824102.exe	107
PID 3412 wrote to memory of 3608	3412	6868e16886a76b94bb06530de0824102.exe	107
PID 3412 wrote to memory of 3608	3412	6868e16886a76b94bb06530de0824102.exe	107
PID 3412 wrote to memory of 3608	3412	6868e16886a76b94bb06530de0824102.exe	107
PID 3412 wrote to memory of 3140	3412	6868e16886a76b94bb06530de0824102.exe	114
PID 3412 wrote to memory of 3140	3412	6868e16886a76b94bb06530de0824102.exe	114
PID 3412 wrote to memory of 3140	3412	6868e16886a76b94bb06530de0824102.exe	114
PID 540 wrote to memory of 2380	540	6868e16886a76b94bb06530de0824102.exe	109
PID 540 wrote to memory of 2380	540	6868e16886a76b94bb06530de0824102.exe	109
PID 540 wrote to memory of 2380	540	6868e16886a76b94bb06530de0824102.exe	109
PID 540 wrote to memory of 2380	540	6868e16886a76b94bb06530de0824102.exe	109
PID 540 wrote to memory of 2380	540	6868e16886a76b94bb06530de0824102.exe	109
PID 540 wrote to memory of 5096	540	6868e16886a76b94bb06530de0824102.exe	116
PID 540 wrote to memory of 5096	540	6868e16886a76b94bb06530de0824102.exe	116
PID 540 wrote to memory of 5096	540	6868e16886a76b94bb06530de0824102.exe	116
PID 2024 wrote to memory of 3544	2024	6868e16886a76b94bb06530de0824102.exe	112

C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
"C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2024
- C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
  C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:3412
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    - Suspicious use of UnmapMainImage
    PID:4628
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4628 -s 12
      4⤵
      Program crash
      PID:3932
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:2960
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    - Suspicious use of UnmapMainImage
    PID:3608
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3608 -s 12
      4⤵
      Program crash
      PID:3148
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:3140
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:3996
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4344
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    - Suspicious use of UnmapMainImage
    PID:4524
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4524 -s 12
      4⤵
      Program crash
      PID:3408
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    - Suspicious use of UnmapMainImage
    PID:688
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:4628
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    - Suspicious use of UnmapMainImage
    PID:4700
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:1560
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    - Suspicious use of UnmapMainImage
    PID:5000
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    - Suspicious use of UnmapMainImage
    PID:964
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    - Suspicious use of UnmapMainImage
    PID:4268
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4268 -s 12
      4⤵
      Program crash
      PID:5312
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    - Suspicious use of UnmapMainImage
    PID:5292
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:5704
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:6068
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:5308
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:5300
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:6316
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:6752
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:5876
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:6524
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:7364
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:7988
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 7988 -s 12
      4⤵
      Program crash
      PID:7880
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:7700
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:8220
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:8860
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:8696
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:9244
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:9900
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 9900 -s 12
      4⤵
      Program crash
      PID:1796
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:4152
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:9820
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:5088
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5088 -s 12
      4⤵
      Program crash
      PID:3104
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:9860
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:2440
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:9800
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:868
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:5536
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:11188
- C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
  C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
  2⤵
  PID:4832
- C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
  C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:540
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:2380
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:5096
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    - Suspicious use of UnmapMainImage
    PID:732
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 732 -s 12
      4⤵
      Program crash
      PID:824
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    - Suspicious use of UnmapMainImage
    PID:3060
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3060 -s 12
      4⤵
      Program crash
      PID:1920
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:3112
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    - Suspicious use of UnmapMainImage
    PID:5000
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5000 -s 12
      4⤵
      Program crash
      PID:3740
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    - Suspicious use of UnmapMainImage
    PID:4824
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4824 -s 12
      4⤵
      Program crash
      PID:5044
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:4940
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:4732
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:3040
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:1880
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:804
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5272
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:5672
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:6088
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    - Suspicious use of UnmapMainImage
    PID:4268
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:5724
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:6356
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:6772
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:6216
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:6724
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    - Suspicious use of UnmapMainImage
    PID:7356
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:7968
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:7784
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:8228
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 8228 -s 12
      4⤵
      Program crash
      PID:8912
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:8844
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:7948
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:9260
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:9916
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:9264
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:8096
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:3064
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:536
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:7240
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:5948
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:4276
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:5284
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:11204
- C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
  C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
  2⤵
  PID:3040
- C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
  C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
  2⤵
  - Suspicious use of SetThreadContext
  PID:3544
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:2112
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:2200
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    - Suspicious use of UnmapMainImage
    PID:1560
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1560 -s 12
      4⤵
      Program crash
      PID:2472
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:5060
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    - Suspicious use of UnmapMainImage
    PID:1668
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1668 -s 12
      4⤵
      Program crash
      PID:4984
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    - Suspicious use of UnmapMainImage
    PID:964
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 964 -s 12
      4⤵
      Program crash
      PID:1196
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:3636
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:4312
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    - Suspicious use of UnmapMainImage
    PID:3248
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3248 -s 12
      4⤵
      Program crash
      PID:2472
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:4952
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:964
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:5360
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:5760
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:4712
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    - Suspicious use of UnmapMainImage
    PID:5892
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5892 -s 12
      4⤵
      Program crash
      PID:5432
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:4268
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:6384
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:6852
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:6364
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:6252
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:7432
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:8036
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:7932
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:8288
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:8952
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:8744
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:9344
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:9940
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:9956
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:2376
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:32
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:9732
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:8736
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 8736 -s 12
      4⤵
      PID:9824
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:8680
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:2992
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:10684
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 10684 -s 12
      4⤵
      PID:10680
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:11260
- C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
  C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:5028
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    - Suspicious use of UnmapMainImage
    PID:4268
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4268 -s 12
      4⤵
      Program crash
      PID:1196
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:1700
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4588
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:1088
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    - Suspicious use of UnmapMainImage
    PID:1596
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1596 -s 12
      4⤵
      Program crash
      PID:2384
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:3032
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:4860
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:4300
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:1768
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    - Suspicious use of UnmapMainImage
    PID:5200
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5560
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    - Suspicious use of UnmapMainImage
    PID:6000
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 6000 -s 12
      4⤵
      Program crash
      PID:5716
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:5524
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    - Suspicious use of UnmapMainImage
    PID:5808
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:6192
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:6660
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:7136
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:3568
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:7264
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:7916
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:1816
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:7900
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:8772
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:8568
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:2376
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:9864
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 9864 -s 12
      4⤵
      Program crash
      PID:9856
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:9852
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:9704
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:9264
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:9672
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:7072
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:8220
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:3184
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:10060
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:11128
- C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
  C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
  2⤵
  - Suspicious use of UnmapMainImage
  PID:4764
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4764 -s 12
    3⤵
    - Program crash
    PID:216
- C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
  C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
  2⤵
  - Suspicious use of SetThreadContext
  PID:220
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:2776
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1140
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4512
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:3304
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:1600
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:3308
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    - Suspicious use of UnmapMainImage
    PID:428
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 428 -s 12
      4⤵
      Program crash
      PID:5168
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2408
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:5412
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:5844
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3400
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:6104
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:5660
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:6420
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:6912
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    - Suspicious use of UnmapMainImage
    PID:2260
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:6140
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:7508
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:8096
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 8096 -s 12
      4⤵
      Program crash
      PID:7312
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:8024
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:8352
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:8996
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:8820
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:9384
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:9976
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:468
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 468 -s 728
      4⤵
      Program crash
      PID:376
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:4368
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:4032
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:9680
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:2464
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1412
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:612
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 612 -s 12
      4⤵
      PID:10736
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:10708
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:3116
- C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
  C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
  2⤵
  - Suspicious use of UnmapMainImage
  PID:3480
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3480 -s 12
    3⤵
    - Program crash
    PID:4196
- C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
  C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
  2⤵
  - Suspicious use of SetThreadContext
  PID:1652
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:4756
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    - Suspicious use of UnmapMainImage
    PID:3812
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3812 -s 12
      4⤵
      Program crash
      PID:4600
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    - Suspicious use of UnmapMainImage
    PID:4112
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4112 -s 12
      4⤵
      Program crash
      PID:1552
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:1668
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:2572
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:5216
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:5612
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:6032
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:5712
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    - Suspicious use of UnmapMainImage
    PID:6140
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 6140 -s 12
      4⤵
      Program crash
      PID:6284
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    - Suspicious use of UnmapMainImage
    PID:6204
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 6204 -s 12
      4⤵
      Program crash
      PID:6780
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:6692
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    - Suspicious use of UnmapMainImage
    PID:5720
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:6236
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    - Suspicious use of UnmapMainImage
    PID:7300
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:7940
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:7608
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:7552
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 7552 -s 12
      4⤵
      Program crash
      PID:8868
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:8804
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:8440
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:212
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:9876
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:9860
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:9732
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:9804
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:9836
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:5356
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:5880
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:4172
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:4124
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:11160
- C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
  C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
  2⤵
  - Suspicious use of SetThreadContext
  PID:4068
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:3060
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2524
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    - Suspicious use of UnmapMainImage
    PID:2408
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:4452
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:3964
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5512
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:5972
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:4488
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    - Suspicious use of UnmapMainImage
    PID:5876
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:6184
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    - Suspicious use of UnmapMainImage
    PID:6636
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 6636 -s 12
      4⤵
      Program crash
      PID:6224
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:7120
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:6200
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:7240
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    - Suspicious use of UnmapMainImage
    PID:7892
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:7548
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:6208
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:8788
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:8592
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 8592 -s 12
      4⤵
      Program crash
      PID:9284
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:8096
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:9840
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:9784
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:9680
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:9772
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:7888
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:8568
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:9840
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:4132
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2788
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:11152
- C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
  C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
  2⤵
  - Suspicious use of SetThreadContext
  PID:3504
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    - Suspicious use of UnmapMainImage
    PID:2904
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2904 -s 12
      4⤵
      Program crash
      PID:2308
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2912
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1020
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    - Suspicious use of UnmapMainImage
    PID:5140
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:5492
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    - Suspicious use of UnmapMainImage
    PID:5960
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5960 -s 12
      4⤵
      Program crash
      PID:5604
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    - Suspicious use of UnmapMainImage
    PID:5488
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:5232
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:6164
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:6648
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:7084
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:6788
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    - Suspicious use of UnmapMainImage
    PID:7208
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    - Suspicious use of UnmapMainImage
    PID:7848
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:4248
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:7920
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:8708
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:7560
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:4552
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:9820
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:9672
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:2464
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:9824
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:8716
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:9544
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:9720
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:10140
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:4308
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:11100
- C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
  C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
  2⤵
  - Suspicious use of UnmapMainImage
  PID:5092
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5092 -s 12
    3⤵
    - Program crash
    PID:2604
- C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
  C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2224
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:2528
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:532
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:5464
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    - Suspicious use of UnmapMainImage
    PID:5932
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5932 -s 12
      4⤵
      Program crash
      PID:5420
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    - Suspicious use of UnmapMainImage
    PID:4700
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4700 -s 12
      4⤵
      Program crash
      PID:5260
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:2604
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:5080
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:6500
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:6952
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:6672
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    - Suspicious use of UnmapMainImage
    PID:6220
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 6220 -s 12
      4⤵
      Program crash
      PID:7620
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:7592
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:8156
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:7424
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:8428
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:9084
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1172
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:9460
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:10044
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 10044 -s 12
      4⤵
      Program crash
      PID:536
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:10052
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:4256
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4256 -s 12
      4⤵
      Program crash
      PID:212
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:9952
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:5128
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:5508
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:8164
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:376
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:10780
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 10780 -s 12
      4⤵
      PID:10776
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:10724
- C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
  C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
  2⤵
  PID:4056
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    - Suspicious use of UnmapMainImage
    PID:1004
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1004 -s 12
      4⤵
      Program crash
      PID:5632
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:5424
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:5924
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    - Suspicious use of UnmapMainImage
    PID:2472
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:5328
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:5832
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:6596
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    - Suspicious use of UnmapMainImage
    PID:7056
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    - Suspicious use of UnmapMainImage
    PID:6804
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 6804 -s 12
      4⤵
      Program crash
      PID:7312
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:7180
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:7804
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:7020
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:1648
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:8616
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:8276
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 8276 -s 12
      4⤵
      Program crash
      PID:8716
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:8220
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:9776
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:9540
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:9324
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:7724
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:1364
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:1176
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:9784
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:5508
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:1552
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:11044
- C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
  C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
  2⤵
  - Suspicious use of UnmapMainImage
  PID:2604
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2604 -s 12
    3⤵
    - Program crash
    PID:5624
- C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
  C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
  2⤵
  - Suspicious use of UnmapMainImage
  PID:5400
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5400 -s 12
    3⤵
    - Program crash
    PID:5832
- C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
  C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
  2⤵
  PID:5788
- C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
  C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
  2⤵
  PID:5152
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    - Suspicious use of UnmapMainImage
    PID:5092
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5092 -s 12
      4⤵
      Program crash
      PID:6248
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5716
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:6544
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    - Suspicious use of UnmapMainImage
    PID:7016
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 7016 -s 12
      4⤵
      Program crash
      PID:1864
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:6688
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:2396
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:7776
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:6276
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:7716
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:8604
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:7612
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 7612 -s 12
      4⤵
      Program crash
      PID:8164
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:8764
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:9764
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 9764 -s 12
      4⤵
      Program crash
      PID:4076
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:9336
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:9692
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:9668
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:10232
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 10232 -s 192
      4⤵
      Program crash
      PID:8564
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:9312
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:9296
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:9868
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 9868 -s 12
      4⤵
      PID:9844
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:6048
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:11016
- C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
  C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4924
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    - Suspicious use of UnmapMainImage
    PID:5696
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:6588
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    - Suspicious use of UnmapMainImage
    PID:7068
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 7068 -s 12
      4⤵
      Program crash
      PID:7048
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:1004
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    - Suspicious use of UnmapMainImage
    PID:1364
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:7820
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:7048
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2668
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:8668
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:8304
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:8872
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:9812
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:9556
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:7872
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:9812
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 9812 -s 12
      4⤵
      Program crash
      PID:7072
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:9232
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:9336
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:9232
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 9232 -s 12
      4⤵
      PID:6084
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:4004
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:9800
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:11088
- C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
  C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
  2⤵
  PID:5960
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:6556
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    - Suspicious use of UnmapMainImage
    PID:6996
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 6996 -s 12
      4⤵
      Program crash
      PID:2168
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:880
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:4492
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:7732
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:6148
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:7724
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 7724 -s 12
      4⤵
      Program crash
      PID:8648
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:8548
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3760
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:7920
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:9688
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:1364
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:9612
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:9296
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:10176
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:8656
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:7612
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1120
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:9692
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:10948
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:736
- C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
  C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
  2⤵
  PID:6456
- C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
  C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
  2⤵
  PID:6920
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:6700
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:1204
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:7664
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    - Suspicious use of UnmapMainImage
    PID:3560
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:7644
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:8492
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:9204
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 9204 -s 1028
      4⤵
      PID:3272
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:3984
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:9572
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:10208
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:10116
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:8540
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:9976
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 9976 -s 12
      4⤵
      Program crash
      PID:2520
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:9900
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:2652
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:1660
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1660 -s 12
      4⤵
      PID:2676
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:5688
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:10868
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 10868 -s 12
      4⤵
      PID:1116
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:3952
- C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
  C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:6440
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    - Suspicious use of UnmapMainImage
    PID:6640
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 6640 -s 12
      4⤵
      Program crash
      PID:7708
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:7684
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 7684 -s 12
      4⤵
      Program crash
      PID:7404
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:7172
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:6180
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 6180 -s 12
      4⤵
      Program crash
      PID:8656
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:8512
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:8208
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 8208 -s 12
      4⤵
      Program crash
      PID:7624
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:8660
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:9720
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:7948
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:8652
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:7244
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:9224
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:6180
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 6180 -s 12
      4⤵
      PID:10128
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:9976
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:440
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:7244
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:10972
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:11012
- C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
  C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
  2⤵
  - Suspicious use of UnmapMainImage
  PID:6208
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 6208 -s 12
    3⤵
    - Program crash
    PID:7568
- C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
  C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
  2⤵
  PID:7540
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:8180
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:4292
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:8484
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:9148
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:1464
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:9516
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:10176
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:8924
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:8164
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:9388
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:9032
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:9872
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:3556
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3556 -s 12
      4⤵
      PID:8
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:8276
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:10816
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:10824
- C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
  C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
  2⤵
  PID:8164
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 8164 -s 12
    3⤵
    - Program crash
    PID:7852
- C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
  C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:7324
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:8520
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:9176
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:4352
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:9612
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:10224
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:9272
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 9272 -s 300
      4⤵
      Program crash
      PID:10232
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:9576
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:10204
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:8340
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:8216
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:9768
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:376
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:832
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:2464
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:10888
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:10908
- C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
  C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
  2⤵
  PID:8416
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:7704
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:8708
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:9656
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:4024
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:8716
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:2680
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:10120
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 10120 -s 192
      4⤵
      Program crash
      PID:10180
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:9968
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:4256
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:2324
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:1032
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:10928
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:2580
- C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
  C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
  2⤵
  PID:9100
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:7992
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:9644
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:8340
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:7072
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:9648
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:9236
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:8164
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:9248
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:780
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:9324
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:10912
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:1032
- C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
  C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
  2⤵
  PID:9048
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:9524
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:10136
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:9236
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:9288
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:9884
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:9864
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4076
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:9688
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:456
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:10836
- - C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
    3⤵
    PID:696
- C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
  C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
  2⤵
  PID:9500
- C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
  C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
  2⤵
  PID:10088
- C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
  C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
  2⤵
  PID:9280
- C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
  C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
  2⤵
  PID:2520
- C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
  C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
  2⤵
  PID:9552
- C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
  C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
  2⤵
  PID:10060
- C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
  C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1636
- C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
  C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
  2⤵
  PID:10648
- C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
  C:\Users\Admin\AppData\Local\Temp\6868e16886a76b94bb06530de0824102.exe
  2⤵
  PID:11240

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4628 -ip 4628
1⤵
PID:3408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3608 -ip 3608
1⤵
PID:2060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 732 -ip 732
1⤵
PID:2160

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4764 -ip 4764
1⤵
PID:2364

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4268 -ip 4268
1⤵
PID:2352

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 3060 -ip 3060
1⤵
PID:2896

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 1560 -ip 1560
1⤵
PID:3100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4524 -ip 4524
1⤵
PID:3504

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3480 -ip 3480
1⤵
PID:2300

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 5000 -ip 5000
1⤵
PID:3308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 688 -ip 688
1⤵
PID:2384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 1668 -ip 1668
1⤵
PID:2904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 4824 -ip 4824
1⤵
PID:2872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 964 -ip 964
1⤵
PID:2224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 1596 -ip 1596
1⤵
PID:4868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4700 -ip 4700
1⤵
PID:2408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 3812 -ip 3812
1⤵
PID:2872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 5092 -ip 5092
1⤵
PID:1304

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2904 -ip 2904
1⤵
PID:1176

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4112 -ip 4112
1⤵
PID:752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 5000 -ip 5000
1⤵
PID:516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 3248 -ip 3248
1⤵
PID:3020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2408 -ip 2408
1⤵
PID:624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 964 -ip 964
1⤵
PID:5108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 428 -ip 428
1⤵
PID:3408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4268 -ip 4268
1⤵
PID:5284

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 2604 -ip 2604
1⤵
PID:5452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1004 -ip 1004
1⤵
PID:5500

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 5140 -ip 5140
1⤵
PID:5524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 5200 -ip 5200
1⤵
PID:5568

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 5292 -ip 5292
1⤵
PID:5696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 5400 -ip 5400
1⤵
PID:5796

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 5932 -ip 5932
1⤵
PID:5260

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 5960 -ip 5960
1⤵
PID:5556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 6000 -ip 6000
1⤵
PID:5600

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 4700 -ip 4700
1⤵
PID:6140

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 2472 -ip 2472
1⤵
PID:5300

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 5488 -ip 5488
1⤵
PID:5836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4268 -ip 4268
1⤵
PID:5784

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 5892 -ip 5892
1⤵
PID:5784

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 5092 -ip 5092
1⤵
PID:1364

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 5808 -ip 5808
1⤵
PID:6212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 5876 -ip 5876
1⤵
PID:6220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 6140 -ip 6140
1⤵
PID:6228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 5696 -ip 5696
1⤵
PID:6676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 6204 -ip 6204
1⤵
PID:6716

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 6636 -ip 6636
1⤵
PID:7152

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 6996 -ip 6996
1⤵
PID:6720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 7016 -ip 7016
1⤵
PID:6684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 7068 -ip 7068
1⤵
PID:6300

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 7056 -ip 7056
1⤵
PID:6140

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 5720 -ip 5720
1⤵
PID:6764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 2260 -ip 2260
1⤵
PID:7056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 6804 -ip 6804
1⤵
PID:7172

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 6208 -ip 6208
1⤵
PID:7548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 6220 -ip 6220
1⤵
PID:7600

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 6640 -ip 6640
1⤵
PID:7692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1364 -ip 1364
1⤵
PID:7788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 7208 -ip 7208
1⤵
PID:7856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 7300 -ip 7300
1⤵
PID:7932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 7356 -ip 7356
1⤵
PID:7996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 7684 -ip 7684
1⤵
PID:7324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 7848 -ip 7848
1⤵
PID:2164

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 7892 -ip 7892
1⤵
PID:1924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 7988 -ip 7988
1⤵
PID:7844

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 8096 -ip 8096
1⤵
PID:4784

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 8164 -ip 8164
1⤵
PID:7560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3560 -ip 3560
1⤵
PID:7568

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 7608 -ip 7608
1⤵
PID:8196

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 7700 -ip 7700
1⤵
PID:8212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 7784 -ip 7784
1⤵
PID:8236

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 6180 -ip 6180
1⤵
PID:8536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 7724 -ip 7724
1⤵
PID:8560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 1648 -ip 1648
1⤵
PID:8640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 7920 -ip 7920
1⤵
PID:8720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 7552 -ip 7552
1⤵
PID:8812

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 8220 -ip 8220
1⤵
PID:8852

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 8228 -ip 8228
1⤵
PID:8876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 8548 -ip 8548
1⤵
PID:8252

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 8708 -ip 8708
1⤵
PID:7404

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 8844 -ip 8844
1⤵
PID:6264

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 8208 -ip 8208
1⤵
PID:1364

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 7612 -ip 7612
1⤵
PID:6220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 8276 -ip 8276
1⤵
PID:7552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 8568 -ip 8568
1⤵
PID:1364

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 8592 -ip 8592
1⤵
PID:8656

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 684 -p 7948 -ip 7948
1⤵
PID:9252

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 1464 -ip 1464
1⤵
PID:9532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 7992 -ip 7992
1⤵
PID:9668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 8220 -ip 8220
1⤵
PID:9800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 8096 -ip 8096
1⤵
PID:9832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 676 -p 9644 -ip 9644
1⤵
PID:2000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 9764 -ip 9764
1⤵
PID:1116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 9864 -ip 9864
1⤵
PID:32

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 696 -p 9900 -ip 9900
1⤵
PID:2520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 668 -p 10044 -ip 10044
1⤵
PID:9500

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 7948 -ip 7948
1⤵
PID:8656

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 4152 -ip 4152
1⤵
PID:8896

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 4256 -ip 4256
1⤵
PID:4552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 9812 -ip 9812
1⤵
PID:9644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 5088 -ip 5088
1⤵
PID:2036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 9976 -ip 9976
1⤵
PID:4256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 10232 -ip 10232
1⤵
PID:9668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 6180 -ip 6180
1⤵
PID:9236

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:5668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 8736 -ip 8736
1⤵
PID:8216

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:10176

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:8276
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 8276 -s 2084
  2⤵
  PID:536

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 512 -p 8276 -ip 8276
1⤵
PID:9852

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:5820

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:4368

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1320

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:2376

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:5332
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 5332 -s 648
  2⤵
  PID:8592

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:10140

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:7072

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5820

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x444 0x150
1⤵
PID:5332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 5508 -ip 5508
1⤵
PID:10236

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2300

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3952 -s 2716
1⤵
PID:1364

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:10140

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:6064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 9872 -ip 9872
1⤵
PID:9540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 4256 -ip 4256
1⤵
PID:3192

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 9232 -ip 9232
1⤵
PID:9264

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 9720 -ip 9720
1⤵
PID:6048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 9800 -ip 9800
1⤵
PID:4264

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 5948 -ip 5948
1⤵
PID:2012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 3556 -ip 3556
1⤵
PID:2540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 1660 -ip 1660
1⤵
PID:2520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 9868 -ip 9868
1⤵
PID:9720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 5508 -ip 5508
1⤵
PID:3388

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 10140 -ip 10140
1⤵
PID:2012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 4172 -ip 4172
1⤵
PID:2680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 4132 -ip 4132
1⤵
PID:6180

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 612 -ip 612
1⤵
PID:10716

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 684 -p 9692 -ip 9692
1⤵
PID:10940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 1552 -ip 1552
1⤵
PID:11052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 10684 -ip 10684
1⤵
PID:11252

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 10780 -ip 10780
1⤵
PID:10716

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 700 -p 10868 -ip 10868
1⤵
PID:5688

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 684 -p 10912 -ip 10912
1⤵
PID:10936

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000000fc 00000084
1⤵
- Suspicious behavior: LoadsDriver
PID:2788

C:\Windows\System32\mousocoreworker.exe
C:\Windows\System32\mousocoreworker.exe -Embedding
1⤵
PID:7872

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 0000011c 00000084
1⤵
- Suspicious behavior: LoadsDriver
PID:5284

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 00000114 00000084
1⤵
- Suspicious behavior: LoadsDriver
PID:9388

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000000a0 00000084
1⤵
- Suspicious behavior: LoadsDriver
PID:9668

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000000b4 00000084
1⤵
- Suspicious behavior: LoadsDriver
PID:2376

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000000e4 00000084
1⤵
- Suspicious behavior: LoadsDriver
PID:1660

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000000b8 00000084
1⤵
- Suspicious behavior: LoadsDriver
PID:10836

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 00000098 00000084
1⤵
- Suspicious behavior: LoadsDriver
PID:9296

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000000a0 00000084
1⤵
- Suspicious behavior: LoadsDriver
PID:2464

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000000c0 00000084
1⤵
- Suspicious behavior: LoadsDriver
PID:7072

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000000fc 00000084
1⤵
- Suspicious behavior: LoadsDriver
PID:7244

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 00000118 00000084
1⤵
- Suspicious behavior: LoadsDriver
PID:10912

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k wusvcs -p -s WaaSMedicSvc
1⤵
PID:9692

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 00000120 00000084
1⤵
- Suspicious behavior: LoadsDriver
PID:10928

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 00000108 00000084
1⤵
- Suspicious behavior: LoadsDriver
PID:10948

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 00000108 00000084
1⤵
PID:612

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000000f0 00000084
1⤵
PID:11128

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000000e4 00000084
1⤵
PID:11240

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000000f4 00000084
1⤵
PID:3116

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000000b8 00000084
1⤵
PID:1412

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 00000098 00000084
1⤵
PID:696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/540-508-0x0000000074DC0000-0x0000000075570000-memory.dmp

Filesize
7.7MB

Download
memory/540-32-0x0000000074DC0000-0x0000000075570000-memory.dmp

Filesize
7.7MB

Download
memory/540-13-0x0000000074DC0000-0x0000000075570000-memory.dmp

Filesize
7.7MB

Download
memory/540-12-0x0000000074DC0000-0x0000000075570000-memory.dmp

Filesize
7.7MB

Download
memory/540-29-0x0000000074DC0000-0x0000000075570000-memory.dmp

Filesize
7.7MB

Download
memory/2024-10-0x0000000074DC0000-0x0000000075570000-memory.dmp

Filesize
7.7MB

Download
memory/2024-2-0x00000000055F0000-0x0000000005666000-memory.dmp

Filesize
472KB

Download
memory/2024-0-0x0000000074DCE000-0x0000000074DCF000-memory.dmp

Filesize
4KB

Download
memory/2024-1-0x0000000000820000-0x0000000000C8E000-memory.dmp

Filesize
4.4MB

Download
memory/2024-9-0x0000000074DCE000-0x0000000074DCF000-memory.dmp

Filesize
4KB

Download
memory/2024-4-0x0000000074DC0000-0x0000000075570000-memory.dmp

Filesize
7.7MB

Download
memory/2024-3-0x0000000005770000-0x000000000578E000-memory.dmp

Filesize
120KB

Download
memory/2024-506-0x0000000074DC0000-0x0000000075570000-memory.dmp

Filesize
7.7MB

Download
memory/2960-17-0x00000000058D0000-0x00000000059DA000-memory.dmp

Filesize
1.0MB

Download
memory/2960-16-0x0000000005760000-0x0000000005772000-memory.dmp

Filesize
72KB

Download
memory/2960-18-0x0000000074DC0000-0x0000000075570000-memory.dmp

Filesize
7.7MB

Download
memory/2960-15-0x0000000005BF0000-0x0000000006208000-memory.dmp

Filesize
6.1MB

Download
memory/2960-20-0x0000000005800000-0x000000000583C000-memory.dmp

Filesize
240KB

Download
memory/2960-21-0x0000000074DC0000-0x0000000075570000-memory.dmp

Filesize
7.7MB

Download
memory/2960-33-0x0000000074DC0000-0x0000000075570000-memory.dmp

Filesize
7.7MB

Download
memory/2960-22-0x0000000005840000-0x000000000588C000-memory.dmp

Filesize
304KB

Download
memory/3412-7-0x0000000074DC0000-0x0000000075570000-memory.dmp

Filesize
7.7MB

Download
memory/3412-23-0x0000000074DC0000-0x0000000075570000-memory.dmp

Filesize
7.7MB

Download
memory/3412-19-0x0000000074DC0000-0x0000000075570000-memory.dmp

Filesize
7.7MB

Download
memory/3412-6-0x0000000074DC0000-0x0000000075570000-memory.dmp

Filesize
7.7MB

Download
memory/3412-5-0x0000000000400000-0x0000000000534000-memory.dmp

Filesize
1.2MB

Download
memory/3412-507-0x0000000074DC0000-0x0000000075570000-memory.dmp

Filesize
7.7MB

Download
memory/4628-8-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads