99c39ce92eb251cd79ba65a1d43f193a5678509b4fd852a761c269fadda6180d

Analysis

max time kernel
147s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
26-11-2024 01:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

99c39ce92eb251cd79ba65a1d43f193a5678509b4fd852a761c269fadda6180d.exe
Size

184KB
MD5

bda413530c7de5ee69f6e32e83c21493
SHA1

59eebbcf7d0e3eb7874d5f971bd6e052256d5beb
SHA256

99c39ce92eb251cd79ba65a1d43f193a5678509b4fd852a761c269fadda6180d
SHA512

77e6345add3d37ff2cea1a53d1c3a1ad7a38a42d29beaed54c594ed56e3d1ac5d300d4f77447d04df47f1bfa9de801051f72f74d8a57265fc083be90db3669bf
SSDEEP

3072:umRMJ8o2I7HQZoVyrjJ8fCRhlvnqXqGuy:um3o7YoVG86RhlPqXqGu

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 64 IoCs

Processes:

Temp4044.exeLocal51917.exeTemp29555.exeLocal64717.exeAppData64717.exeLocal36211.exeTemp49947.exeAppData51952.exeLocal50068.exeAdmin25258.exeAppData53908.exeAppData8044.exeLocal41485.exeLocal35355.exeTemp58433.exeAdmin14124.exeAppData8976.exeAppData11820.exeLocal38363.exeUsers12588.exeAdmin33450.exeAdmin13584.exeAppData10298.exeAppData16237.exeLocal49101.exeAppData17197.exeTemp8266.exeAdmin17005.exeLocal62676.exeLocal16739.exeAppData27507.exeUsers21453.exeAdmin19376.exeAppData52781.exeLocal4768.exeAdmin5775.exeAppData17434.exeAdmin16077.exe28656.exeAppData26579.exeUsers26579.exeAdmin29424.exeUsers62864.exeAppData14540.exeAppData17923.exeAdmin33264.exeAdmin31379.exeLocal42123.exeAdmin51053.exeAdmin18381.exeAppData32147.exeAppData45883.exeUsers1935.exeAppData1935.exeAppData19149.exeUsers16653.exeLocal33866.exeLocal14000.exeAdmin43579.exeAppData64628.exeTemp56916.exeLocal10714.exeAdmin63092.exe17180.exe

pid	Process
3708	Temp4044.exe
4288	Local51917.exe
2432	Temp29555.exe
4896	Local64717.exe
536	AppData64717.exe
2064	Local36211.exe
472	Temp49947.exe
1308	AppData51952.exe
5084	Local50068.exe
1500	Admin25258.exe
1044	AppData53908.exe
3132	AppData8044.exe
912	Local41485.exe
3908	Local35355.exe
3800	Temp58433.exe
4552	Admin14124.exe
2232	AppData8976.exe
456	AppData11820.exe
4700	Local38363.exe
4124	Users12588.exe
2892	Admin33450.exe
1796	Admin13584.exe
1408	AppData10298.exe
3008	AppData16237.exe
1128	Local49101.exe
2580	AppData17197.exe
952	Temp8266.exe
4740	Admin17005.exe
4028	Local62676.exe
1512	Local16739.exe
64	AppData27507.exe
1280	Users21453.exe
1664	Admin19376.exe
704	AppData52781.exe
4480	Local4768.exe
4024	Admin5775.exe
2328	AppData17434.exe
468	Admin16077.exe
4748	28656.exe
116	AppData26579.exe
3056	Users26579.exe
408	Admin29424.exe
3540	Users62864.exe
4696	AppData14540.exe
3456	AppData17923.exe
4516	Admin33264.exe
1924	Admin31379.exe
4140	Local42123.exe
4376	Admin51053.exe
2368	Admin18381.exe
1156	AppData32147.exe
3032	AppData45883.exe
3172	Users1935.exe
3588	AppData1935.exe
4572	AppData19149.exe
2936	Users16653.exe
4804	Local33866.exe
1900	Local14000.exe
3196	Admin43579.exe
4056	AppData64628.exe
5000	Temp56916.exe
1004	Local10714.exe
548	Admin63092.exe
2180	17180.exe

Program crash 7 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	Process	procid_target
4664	2252	WerFault.exe	180
11456	4812	WerFault.exe	227
18296	6388	WerFault.exe	260
18396	16836	WerFault.exe	868
5796	7100	WerFault.exe	278
17508	5708	WerFault.exe	247
17932	6420	WerFault.exe	282

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

Admin50612.exeAppData39964.exe3237.exeAppData889.exeUsers6562.exeLocal8610.exeUsers8882.exeAdmin39251.exeAdmin31071.exeAppData39490.exe32726.exe30723.exe32997.exe11698.exeAdmin30934.exeUsers52889.exeUsers55300.exeAppData42383.exeAppData57497.exeAppData46410.exeAdmin5566.exe578.exe11218.exeAdmin2553.exeUsers11637.exeUsers23715.exeAdmin29349.exeAppData1935.exeAdmin30245.exeAppData21564.exeUsers51124.exe28656.exe6751.exeAdmin27132.exeUsers46442.exeUsers14972.exeLocal50068.exeAdmin11218.exeAdmin32726.exeAdmin9637.exeAdmin6853.exeAdmin53098.exeAdmin38015.exeUsers24364.exeAdmin23203.exeAdmin30723.exeAdmin33264.exe58230.exeUsers58819.exeUsers7707.exeAdmin9669.exeAdmin64806.exeAppData54638.exe44480.exeAppData64864.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Admin50612.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AppData39964.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3237.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AppData889.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Users6562.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Local8610.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Users8882.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Admin39251.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Admin31071.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AppData39490.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	32726.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	30723.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	32997.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	11698.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Admin30934.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Users52889.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Users55300.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AppData42383.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AppData57497.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AppData46410.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Admin5566.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	578.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	11218.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Admin2553.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Users11637.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Users23715.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Admin29349.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AppData1935.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Admin30245.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AppData21564.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Users51124.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	28656.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6751.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Admin27132.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Users46442.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Users14972.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Local50068.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Admin11218.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Admin32726.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Admin9637.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Admin6853.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Admin53098.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Admin38015.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Users24364.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Admin23203.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Admin30723.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Admin33264.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	58230.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Users58819.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Users7707.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Admin9669.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Admin64806.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AppData54638.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	44480.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AppData64864.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

dwm.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

dwm.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe

Modifies data under HKEY_USERS 18 IoCs

Processes:

dwm.exe

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

dwm.exe

description	pid	Process
Token: SeCreateGlobalPrivilege	7732	dwm.exe
Token: SeChangeNotifyPrivilege	7732	dwm.exe
Token: 33	7732	dwm.exe
Token: SeIncBasePriorityPrivilege	7732	dwm.exe
Token: SeCreateGlobalPrivilege	5692
Token: SeChangeNotifyPrivilege	5692
Token: 33	5692
Token: SeIncBasePriorityPrivilege	5692

Suspicious use of SetWindowsHookEx 64 IoCs

Processes:

99c39ce92eb251cd79ba65a1d43f193a5678509b4fd852a761c269fadda6180d.exeTemp4044.exeLocal51917.exeTemp29555.exeLocal64717.exeAppData64717.exeLocal36211.exeTemp49947.exeAppData51952.exeLocal50068.exeAdmin25258.exeAppData53908.exeTemp58433.exeLocal35355.exeAppData8044.exeLocal41485.exeAdmin14124.exeAppData8976.exeAppData11820.exeLocal38363.exeUsers12588.exeAdmin33450.exeAppData10298.exeAppData16237.exeAdmin13584.exeLocal16739.exeAppData17197.exeAdmin17005.exeAppData27507.exeTemp8266.exeLocal62676.exeLocal49101.exeUsers21453.exeAdmin19376.exeAppData52781.exeLocal4768.exeAdmin5775.exeAppData17434.exeAdmin16077.exe28656.exeAppData26579.exeAdmin29424.exeUsers26579.exeUsers62864.exeAppData17923.exeAdmin33264.exeAppData14540.exeAdmin51053.exeLocal42123.exeUsers1935.exeAppData64628.exeLocal14000.exeUsers16653.exeAppData45883.exeAdmin43579.exeAdmin31379.exeLocal10714.exeAppData1935.exeAdmin18381.exeAppData19149.exeAppData32147.exeTemp56916.exeLocal33866.exeAdmin63092.exe

pid	Process
2468	99c39ce92eb251cd79ba65a1d43f193a5678509b4fd852a761c269fadda6180d.exe
3708	Temp4044.exe
4288	Local51917.exe
2432	Temp29555.exe
4896	Local64717.exe
536	AppData64717.exe
2064	Local36211.exe
472	Temp49947.exe
1308	AppData51952.exe
5084	Local50068.exe
1500	Admin25258.exe
1044	AppData53908.exe
3800	Temp58433.exe
3908	Local35355.exe
3132	AppData8044.exe
912	Local41485.exe
4552	Admin14124.exe
2232	AppData8976.exe
456	AppData11820.exe
4700	Local38363.exe
4124	Users12588.exe
2892	Admin33450.exe
1408	AppData10298.exe
3008	AppData16237.exe
1796	Admin13584.exe
1512	Local16739.exe
2580	AppData17197.exe
4740	Admin17005.exe
64	AppData27507.exe
952	Temp8266.exe
4028	Local62676.exe
1128	Local49101.exe
1280	Users21453.exe
1664	Admin19376.exe
704	AppData52781.exe
4480	Local4768.exe
4024	Admin5775.exe
2328	AppData17434.exe
468	Admin16077.exe
4748	28656.exe
116	AppData26579.exe
408	Admin29424.exe
3056	Users26579.exe
3540	Users62864.exe
3456	AppData17923.exe
4516	Admin33264.exe
4696	AppData14540.exe
4376	Admin51053.exe
4140	Local42123.exe
3172	Users1935.exe
4056	AppData64628.exe
1900	Local14000.exe
2936	Users16653.exe
3032	AppData45883.exe
3196	Admin43579.exe
1924	Admin31379.exe
1004	Local10714.exe
3588	AppData1935.exe
2368	Admin18381.exe
4572	AppData19149.exe
1156	AppData32147.exe
5000	Temp56916.exe
4804	Local33866.exe
548	Admin63092.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

99c39ce92eb251cd79ba65a1d43f193a5678509b4fd852a761c269fadda6180d.exeTemp4044.exeTemp29555.exeLocal51917.exeLocal64717.exeAppData64717.exeLocal36211.exeTemp49947.exeAppData51952.exeLocal50068.exeAdmin25258.exeAppData53908.exe

description	pid	Process	procid_target
PID 2468 wrote to memory of 3708	2468	99c39ce92eb251cd79ba65a1d43f193a5678509b4fd852a761c269fadda6180d.exe	86
PID 2468 wrote to memory of 3708	2468	99c39ce92eb251cd79ba65a1d43f193a5678509b4fd852a761c269fadda6180d.exe	86
PID 2468 wrote to memory of 3708	2468	99c39ce92eb251cd79ba65a1d43f193a5678509b4fd852a761c269fadda6180d.exe	86
PID 3708 wrote to memory of 4288	3708	Temp4044.exe	92
PID 3708 wrote to memory of 4288	3708	Temp4044.exe	92
PID 3708 wrote to memory of 4288	3708	Temp4044.exe	92
PID 2468 wrote to memory of 2432	2468	99c39ce92eb251cd79ba65a1d43f193a5678509b4fd852a761c269fadda6180d.exe	93
PID 2468 wrote to memory of 2432	2468	99c39ce92eb251cd79ba65a1d43f193a5678509b4fd852a761c269fadda6180d.exe	93
PID 2468 wrote to memory of 2432	2468	99c39ce92eb251cd79ba65a1d43f193a5678509b4fd852a761c269fadda6180d.exe	93
PID 2432 wrote to memory of 4896	2432	Temp29555.exe	96
PID 2432 wrote to memory of 4896	2432	Temp29555.exe	96
PID 2432 wrote to memory of 4896	2432	Temp29555.exe	96
PID 4288 wrote to memory of 536	4288	Local51917.exe	97
PID 4288 wrote to memory of 536	4288	Local51917.exe	97
PID 4288 wrote to memory of 536	4288	Local51917.exe	97
PID 2468 wrote to memory of 472	2468	99c39ce92eb251cd79ba65a1d43f193a5678509b4fd852a761c269fadda6180d.exe	98
PID 2468 wrote to memory of 472	2468	99c39ce92eb251cd79ba65a1d43f193a5678509b4fd852a761c269fadda6180d.exe	98
PID 2468 wrote to memory of 472	2468	99c39ce92eb251cd79ba65a1d43f193a5678509b4fd852a761c269fadda6180d.exe	98
PID 3708 wrote to memory of 2064	3708	Temp4044.exe	99
PID 3708 wrote to memory of 2064	3708	Temp4044.exe	99
PID 3708 wrote to memory of 2064	3708	Temp4044.exe	99
PID 4896 wrote to memory of 1308	4896	Local64717.exe	103
PID 4896 wrote to memory of 1308	4896	Local64717.exe	103
PID 4896 wrote to memory of 1308	4896	Local64717.exe	103
PID 2432 wrote to memory of 5084	2432	Temp29555.exe	104
PID 2432 wrote to memory of 5084	2432	Temp29555.exe	104
PID 2432 wrote to memory of 5084	2432	Temp29555.exe	104
PID 536 wrote to memory of 1500	536	AppData64717.exe	105
PID 536 wrote to memory of 1500	536	AppData64717.exe	105
PID 536 wrote to memory of 1500	536	AppData64717.exe	105
PID 4288 wrote to memory of 1044	4288	Local51917.exe	106
PID 4288 wrote to memory of 1044	4288	Local51917.exe	106
PID 4288 wrote to memory of 1044	4288	Local51917.exe	106
PID 2064 wrote to memory of 3132	2064	Local36211.exe	107
PID 2064 wrote to memory of 3132	2064	Local36211.exe	107
PID 2064 wrote to memory of 3132	2064	Local36211.exe	107
PID 472 wrote to memory of 912	472	Temp49947.exe	108
PID 472 wrote to memory of 912	472	Temp49947.exe	108
PID 472 wrote to memory of 912	472	Temp49947.exe	108
PID 3708 wrote to memory of 3908	3708	Temp4044.exe	109
PID 3708 wrote to memory of 3908	3708	Temp4044.exe	109
PID 3708 wrote to memory of 3908	3708	Temp4044.exe	109
PID 2468 wrote to memory of 3800	2468	99c39ce92eb251cd79ba65a1d43f193a5678509b4fd852a761c269fadda6180d.exe	110
PID 2468 wrote to memory of 3800	2468	99c39ce92eb251cd79ba65a1d43f193a5678509b4fd852a761c269fadda6180d.exe	110
PID 2468 wrote to memory of 3800	2468	99c39ce92eb251cd79ba65a1d43f193a5678509b4fd852a761c269fadda6180d.exe	110
PID 1308 wrote to memory of 4552	1308	AppData51952.exe	111
PID 1308 wrote to memory of 4552	1308	AppData51952.exe	111
PID 1308 wrote to memory of 4552	1308	AppData51952.exe	111
PID 4896 wrote to memory of 2232	4896	Local64717.exe	112
PID 4896 wrote to memory of 2232	4896	Local64717.exe	112
PID 4896 wrote to memory of 2232	4896	Local64717.exe	112
PID 5084 wrote to memory of 456	5084	Local50068.exe	113
PID 5084 wrote to memory of 456	5084	Local50068.exe	113
PID 5084 wrote to memory of 456	5084	Local50068.exe	113
PID 2432 wrote to memory of 4700	2432	Temp29555.exe	114
PID 2432 wrote to memory of 4700	2432	Temp29555.exe	114
PID 2432 wrote to memory of 4700	2432	Temp29555.exe	114
PID 1500 wrote to memory of 4124	1500	Admin25258.exe	115
PID 1500 wrote to memory of 4124	1500	Admin25258.exe	115
PID 1500 wrote to memory of 4124	1500	Admin25258.exe	115
PID 1044 wrote to memory of 2892	1044	AppData53908.exe	116
PID 1044 wrote to memory of 2892	1044	AppData53908.exe	116
PID 1044 wrote to memory of 2892	1044	AppData53908.exe	116
PID 536 wrote to memory of 1796	536	AppData64717.exe	117

C:\Users\Admin\AppData\Local\Temp\99c39ce92eb251cd79ba65a1d43f193a5678509b4fd852a761c269fadda6180d.exe
"C:\Users\Admin\AppData\Local\Temp\99c39ce92eb251cd79ba65a1d43f193a5678509b4fd852a761c269fadda6180d.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2468
- C:\Users\Admin\AppData\Local\Temp4044.exe
  C:\Users\Admin\AppData\Local\Temp4044.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3708
- - C:\Users\Admin\AppData\Local51917.exe
    C:\Users\Admin\AppData\Local51917.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4288
  - - C:\Users\Admin\AppData64717.exe
      C:\Users\Admin\AppData64717.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:536
    - - C:\Users\Admin25258.exe
        
        C:\Users\Admin25258.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1500
      - C:\Users12588.exe
        
        C:\Users12588.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4124
        
        C:\28656.exe
        
        C:\28656.exe
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4748
        
        C:\19609.exe
        
        C:\19609.exe
        8⤵
        
        PID:3552
        
        C:\29244.exe
        
        C:\29244.exe
        9⤵
        
        PID:6156
        
        C:\56892.exe
        
        C:\56892.exe
        10⤵
        
        PID:8568
        
        C:\18684.exe
        
        C:\18684.exe
        10⤵
        
        PID:12212
        
        C:\15852.exe
        
        C:\15852.exe
        10⤵
        
        PID:3580
        
        C:\14444.exe
        
        C:\14444.exe
        10⤵
        
        PID:672
        
        C:\43687.exe
        
        C:\43687.exe
        9⤵
        
        PID:7776
        
        C:\16012.exe
        
        C:\16012.exe
        9⤵
        
        PID:13108
        
        C:\22876.exe
        
        C:\22876.exe
        9⤵
        
        PID:16320
        
        C:\53506.exe
        
        C:\53506.exe
        9⤵
        
        PID:7976
        
        C:\31298.exe
        
        C:\31298.exe
        8⤵
        
        PID:6976
        
        C:\51463.exe
        
        C:\51463.exe
        8⤵
        
        PID:8960
        
        C:\21388.exe
        
        C:\21388.exe
        8⤵
        
        PID:12676
        
        C:\64573.exe
        
        C:\64573.exe
        8⤵
        
        PID:16092
        
        C:\3237.exe
        
        C:\3237.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3660
        
        C:\31071.exe
        
        C:\31071.exe
        7⤵
        
        PID:4464
        
        C:\12222.exe
        
        C:\12222.exe
        8⤵
        
        PID:6204
        
        C:\10971.exe
        
        C:\10971.exe
        9⤵
        
        PID:9108
        
        C:\13308.exe
        
        C:\13308.exe
        9⤵
        
        PID:11556
        
        C:\52365.exe
        
        C:\52365.exe
        9⤵
        
        PID:15164
        
        C:\61590.exe
        
        C:\61590.exe
        9⤵
        
        PID:1416
        
        C:\64131.exe
        
        C:\64131.exe
        8⤵
        
        PID:8940
        
        C:\28579.exe
        
        C:\28579.exe
        8⤵
        
        PID:11928
        
        C:\58230.exe
        
        C:\58230.exe
        8⤵
        
        PID:14944
        
        C:\23324.exe
        
        C:\23324.exe
        8⤵
        
        PID:5276
        
        C:\11401.exe
        
        C:\11401.exe
        7⤵
        
        PID:7112
        
        C:\30419.exe
        
        C:\30419.exe
        7⤵
        
        PID:7564
        
        C:\41338.exe
        
        C:\41338.exe
        7⤵
        
        PID:12740
        
        C:\48037.exe
        
        C:\48037.exe
        7⤵
        
        PID:16156
        
        C:\38121.exe
        
        C:\38121.exe
        7⤵
        
        PID:18256
        
        C:\54058.exe
        
        C:\54058.exe
        7⤵
        
        PID:17464
      - C:\Users26579.exe
        
        C:\Users26579.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3056
        
        C:\28057.exe
        
        C:\28057.exe
        7⤵
        
        PID:3712
        
        C:\64220.exe
        
        C:\64220.exe
        8⤵
        
        PID:6172
        
        C:\47647.exe
        
        C:\47647.exe
        9⤵
        
        PID:11864
        
        C:\5957.exe
        
        C:\5957.exe
        9⤵
        
        PID:14408
        
        C:\45860.exe
        
        C:\45860.exe
        9⤵
        
        PID:5536
        
        C:\59597.exe
        
        C:\59597.exe
        9⤵
        
        PID:18112
        
        C:\51519.exe
        
        C:\51519.exe
        9⤵
        
        PID:4312
        
        C:\48480.exe
        
        C:\48480.exe
        8⤵
        
        PID:8952
        
        C:\40941.exe
        
        C:\40941.exe
        8⤵
        
        PID:11760
        
        C:\58230.exe
        
        C:\58230.exe
        8⤵
        
        PID:15080
        
        C:\52925.exe
        
        C:\52925.exe
        8⤵
        
        PID:16516
        
        C:\45891.exe
        
        C:\45891.exe
        7⤵
        
        PID:6500
        
        C:\13698.exe
        
        C:\13698.exe
        8⤵
        
        PID:7920
        
        C:\3017.exe
        
        C:\3017.exe
        8⤵
        
        PID:12972
        
        C:\59533.exe
        
        C:\59533.exe
        8⤵
        
        PID:16288
        
        C:\37590.exe
        
        C:\37590.exe
        8⤵
        
        PID:18268
        
        C:\58973.exe
        
        C:\58973.exe
        8⤵
        
        PID:18128
        
        C:\3606.exe
        
        C:\3606.exe
        8⤵
        
        PID:6372
        
        C:\27923.exe
        
        C:\27923.exe
        7⤵
        
        PID:9556
        
        C:\28691.exe
        
        C:\28691.exe
        7⤵
        
        PID:11456
        
        C:\49890.exe
        
        C:\49890.exe
        7⤵
        
        PID:15696
        
        C:\35527.exe
        
        C:\35527.exe
        7⤵
        
        PID:16788
      - C:\Users42861.exe
        
        C:\Users42861.exe
        6⤵
        
        PID:3168
        
        C:\31356.exe
        
        C:\31356.exe
        7⤵
        
        PID:5448
        
        C:\32409.exe
        
        C:\32409.exe
        8⤵
        
        PID:8704
        
        C:\41564.exe
        
        C:\41564.exe
        8⤵
        
        PID:10672
        
        C:\30569.exe
        
        C:\30569.exe
        8⤵
        
        PID:15568
        
        C:\18767.exe
        
        C:\18767.exe
        8⤵
        
        PID:17712
        
        C:\43714.exe
        
        C:\43714.exe
        8⤵
        
        PID:6252
        
        C:\30690.exe
        
        C:\30690.exe
        7⤵
        
        PID:8904
        
        C:\28579.exe
        
        C:\28579.exe
        7⤵
        
        PID:11916
        
        C:\58230.exe
        
        C:\58230.exe
        7⤵
        
        PID:15328
        
        C:\23324.exe
        
        C:\23324.exe
        7⤵
        
        PID:17512
        
        C:\16607.exe
        
        C:\16607.exe
        7⤵
        
        PID:18088
        
        C:\61047.exe
        
        C:\61047.exe
        7⤵
        
        PID:7084
      - C:\Users65491.exe
        
        C:\Users65491.exe
        6⤵
        
        PID:6488
      - C:\Users4345.exe
        
        C:\Users4345.exe
        6⤵
        
        PID:8348
      - C:\Users63261.exe
        
        C:\Users63261.exe
        6⤵
        
        PID:12280
      - C:\Users62150.exe
        
        C:\Users62150.exe
        6⤵
        
        PID:15100
      - C:\Users5230.exe
        
        C:\Users5230.exe
        6⤵
        
        PID:17444
      - C:\Users37831.exe
        
        C:\Users37831.exe
        6⤵
        
        PID:18164
    - - C:\Users\Admin13584.exe
        
        C:\Users\Admin13584.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1796
      - C:\Users1935.exe
        
        C:\Users1935.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3172
        
        C:\45919.exe
        
        C:\45919.exe
        7⤵
        
        PID:2100
        
        C:\62684.exe
        
        C:\62684.exe
        8⤵
        
        PID:6240
        
        C:\10485.exe
        
        C:\10485.exe
        9⤵
        
        PID:11576
        
        C:\41701.exe
        
        C:\41701.exe
        9⤵
        
        PID:12532
        
        C:\51716.exe
        
        C:\51716.exe
        9⤵
        
        PID:16580
        
        C:\40031.exe
        
        C:\40031.exe
        8⤵
        
        PID:8992
        
        C:\6540.exe
        
        C:\6540.exe
        8⤵
        
        PID:11708
        
        C:\16917.exe
        
        C:\16917.exe
        8⤵
        
        PID:15348
        
        C:\23324.exe
        
        C:\23324.exe
        8⤵
        
        PID:2952
        
        C:\18309.exe
        
        C:\18309.exe
        8⤵
        
        PID:17036
        
        C:\58769.exe
        
        C:\58769.exe
        8⤵
        
        PID:7496
        
        C:\45891.exe
        
        C:\45891.exe
        7⤵
        
        PID:6508
        
        C:\57593.exe
        
        C:\57593.exe
        8⤵
        
        PID:9028
        
        C:\28098.exe
        
        C:\28098.exe
        8⤵
        
        PID:12624
        
        C:\30860.exe
        
        C:\30860.exe
        8⤵
        
        PID:16040
        
        C:\38669.exe
        
        C:\38669.exe
        8⤵
        
        PID:18112
        
        C:\62609.exe
        
        C:\62609.exe
        8⤵
        
        PID:18292
        
        C:\7145.exe
        
        C:\7145.exe
        7⤵
        
        PID:8392
        
        C:\22925.exe
        
        C:\22925.exe
        7⤵
        
        PID:1492
        
        C:\61620.exe
        
        C:\61620.exe
        7⤵
        
        PID:14528
        
        C:\7557.exe
        
        C:\7557.exe
        7⤵
        
        PID:17500
      - C:\Users23391.exe
        
        C:\Users23391.exe
        6⤵
        
        PID:5376
        
        C:\20252.exe
        
        C:\20252.exe
        7⤵
        
        PID:6804
        
        C:\37829.exe
        
        C:\37829.exe
        7⤵
        
        PID:10764
        
        C:\13731.exe
        
        C:\13731.exe
        7⤵
        
        PID:13612
        
        C:\25837.exe
        
        C:\25837.exe
        7⤵
        
        PID:17380
      - C:\Users20486.exe
        
        C:\Users20486.exe
        6⤵
        
        PID:7744
      - C:\Users12882.exe
        
        C:\Users12882.exe
        6⤵
        
        PID:10668
      - C:\Users56500.exe
        
        C:\Users56500.exe
        6⤵
        
        PID:15128
      - C:\Users21093.exe
        
        C:\Users21093.exe
        6⤵
        
        PID:2744
      - C:\Users13844.exe
        
        C:\Users13844.exe
        6⤵
        
        PID:6112
    - - C:\Users\Admin43579.exe
        
        C:\Users\Admin43579.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3196
      - C:\Users55260.exe
        
        C:\Users55260.exe
        6⤵
        
        PID:4564
        
        C:\51865.exe
        
        C:\51865.exe
        7⤵
        
        PID:7692
        
        C:\52387.exe
        
        C:\52387.exe
        7⤵
        
        PID:7536
        
        C:\32774.exe
        
        C:\32774.exe
        7⤵
        
        PID:10092
        
        C:\59789.exe
        
        C:\59789.exe
        7⤵
        
        PID:14976
        
        C:\37628.exe
        
        C:\37628.exe
        7⤵
        
        PID:4448
        
        C:\55709.exe
        
        C:\55709.exe
        7⤵
        
        PID:6068
      - C:\Users38050.exe
        
        C:\Users38050.exe
        6⤵
        
        PID:7992
      - C:\Users8233.exe
        
        C:\Users8233.exe
        6⤵
        
        PID:10356
      - C:\Users9269.exe
        
        C:\Users9269.exe
        6⤵
        
        PID:14228
      - C:\Users22547.exe
        
        C:\Users22547.exe
        6⤵
        
        PID:15916
    - - C:\Users\Admin42992.exe
        
        C:\Users\Admin42992.exe
        5⤵
        
        PID:5396
      - C:\Users39452.exe
        
        C:\Users39452.exe
        6⤵
        
        PID:5204
      - C:\Users39074.exe
        
        C:\Users39074.exe
        6⤵
        
        PID:9768
      - C:\Users33385.exe
        
        C:\Users33385.exe
        6⤵
        
        PID:12604
      - C:\Users25398.exe
        
        C:\Users25398.exe
        6⤵
        
        PID:15664
      - C:\Users21093.exe
        
        C:\Users21093.exe
        6⤵
        
        PID:16428
    - - C:\Users\Admin51290.exe
        
        C:\Users\Admin51290.exe
        5⤵
        
        PID:7936
    - - C:\Users\Admin38015.exe
        
        C:\Users\Admin38015.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:9364
    - - C:\Users\Admin50828.exe
        
        C:\Users\Admin50828.exe
        5⤵
        
        PID:14252
    - - C:\Users\Admin1547.exe
        
        C:\Users\Admin1547.exe
        5⤵
        
        PID:16416
    - - C:\Users\Admin13717.exe
        
        C:\Users\Admin13717.exe
        5⤵
        
        PID:5296
  - - C:\Users\Admin\AppData53908.exe
      C:\Users\Admin\AppData53908.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1044
    - - C:\Users\Admin33450.exe
        
        C:\Users\Admin33450.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2892
      - C:\Users62864.exe
        
        C:\Users62864.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3540
        
        C:\52063.exe
        
        C:\52063.exe
        7⤵
        
        PID:644
        
        C:\61916.exe
        
        C:\61916.exe
        8⤵
        
        PID:6184
        
        C:\9464.exe
        
        C:\9464.exe
        9⤵
        
        PID:9240
        
        C:\32997.exe
        
        C:\32997.exe
        9⤵
        
        PID:13216
        
        C:\47524.exe
        
        C:\47524.exe
        9⤵
        
        PID:15528
        
        C:\40980.exe
        
        C:\40980.exe
        9⤵
        
        PID:2660
        
        C:\64131.exe
        
        C:\64131.exe
        8⤵
        
        PID:8932
        
        C:\28579.exe
        
        C:\28579.exe
        8⤵
        
        PID:11944
        
        C:\58230.exe
        
        C:\58230.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4216
        
        C:\43060.exe
        
        C:\43060.exe
        8⤵
        
        PID:2808
        
        C:\20447.exe
        
        C:\20447.exe
        8⤵
        
        PID:5432
        
        C:\63203.exe
        
        C:\63203.exe
        7⤵
        
        PID:7100
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7100 -s 636
        8⤵
        Program crash
        
        PID:5796
        
        C:\24553.exe
        
        C:\24553.exe
        7⤵
        
        PID:8684
        
        C:\50003.exe
        
        C:\50003.exe
        7⤵
        
        PID:12756
        
        C:\64573.exe
        
        C:\64573.exe
        7⤵
        
        PID:16068
        
        C:\31327.exe
        
        C:\31327.exe
        7⤵
        
        PID:11668
      - C:\Users25695.exe
        
        C:\Users25695.exe
        6⤵
        
        PID:4396
        
        C:\46073.exe
        
        C:\46073.exe
        7⤵
        
        PID:5156
        
        C:\32153.exe
        
        C:\32153.exe
        8⤵
        
        PID:10724
        
        C:\45222.exe
        
        C:\45222.exe
        8⤵
        
        PID:2112
        
        C:\10220.exe
        
        C:\10220.exe
        8⤵
        
        PID:17220
        
        C:\15615.exe
        
        C:\15615.exe
        7⤵
        
        PID:8888
        
        C:\28579.exe
        
        C:\28579.exe
        7⤵
        
        PID:11924
        
        C:\25558.exe
        
        C:\25558.exe
        7⤵
        
        PID:14412
        
        C:\23324.exe
        
        C:\23324.exe
        7⤵
        
        PID:5532
      - C:\Users44266.exe
        
        C:\Users44266.exe
        6⤵
        
        PID:7128
        
        C:\7707.exe
        
        C:\7707.exe
        7⤵
        
        PID:7948
        
        C:\32706.exe
        
        C:\32706.exe
        7⤵
        
        PID:12668
        
        C:\1836.exe
        
        C:\1836.exe
        7⤵
        
        PID:16212
      - C:\Users30419.exe
        
        C:\Users30419.exe
        6⤵
        
        PID:8656
      - C:\Users41338.exe
        
        C:\Users41338.exe
        6⤵
        
        PID:12724
      - C:\Users48037.exe
        
        C:\Users48037.exe
        6⤵
        
        PID:16116
      - C:\Users38381.exe
        
        C:\Users38381.exe
        6⤵
        
        PID:18332
    - - C:\Users\Admin31379.exe
        
        C:\Users\Admin31379.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1924
      - C:\Users22396.exe
        
        C:\Users22396.exe
        6⤵
        
        PID:2352
        
        C:\31071.exe
        
        C:\31071.exe
        7⤵
        
        PID:6280
        
        C:\57380.exe
        
        C:\57380.exe
        8⤵
        
        PID:5848
        
        C:\18981.exe
        
        C:\18981.exe
        7⤵
        
        PID:9420
        
        C:\30723.exe
        
        C:\30723.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:13276
        
        C:\53389.exe
        
        C:\53389.exe
        7⤵
        
        PID:15552
        
        C:\8572.exe
        
        C:\8572.exe
        7⤵
        
        PID:18304
      - C:\Users31999.exe
        
        C:\Users31999.exe
        6⤵
        
        PID:7684
      - C:\Users25036.exe
        
        C:\Users25036.exe
        6⤵
        
        PID:10264
      - C:\Users58963.exe
        
        C:\Users58963.exe
        6⤵
        
        PID:14284
      - C:\Users22547.exe
        
        C:\Users22547.exe
        6⤵
        
        PID:16540
      - C:\Users43487.exe
        
        C:\Users43487.exe
        6⤵
        
        PID:4736
    - - C:\Users\Admin52778.exe
        
        C:\Users\Admin52778.exe
        5⤵
        
        PID:5312
      - C:\Users38876.exe
        
        C:\Users38876.exe
        6⤵
        
        PID:6636
      - C:\Users6018.exe
        
        C:\Users6018.exe
        6⤵
        
        PID:9656
      - C:\Users33385.exe
        
        C:\Users33385.exe
        6⤵
        
        PID:12752
      - C:\Users9554.exe
        
        C:\Users9554.exe
        6⤵
        
        PID:16224
    - - C:\Users\Admin64371.exe
        
        C:\Users\Admin64371.exe
        5⤵
        
        PID:7380
    - - C:\Users\Admin2553.exe
        
        C:\Users\Admin2553.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:10132
    - - C:\Users\Admin33762.exe
        
        C:\Users\Admin33762.exe
        5⤵
        
        PID:14236
    - - C:\Users\Admin23077.exe
        
        C:\Users\Admin23077.exe
        5⤵
        
        PID:16504
  - - C:\Users\Admin\AppData10298.exe
      C:\Users\Admin\AppData10298.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:1408
    - - C:\Users\Admin29424.exe
        
        C:\Users\Admin29424.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:408
      - C:\Users50527.exe
        
        C:\Users50527.exe
        6⤵
        
        PID:4040
        
        C:\5691.exe
        
        C:\5691.exe
        7⤵
        
        PID:5572
        
        C:\14363.exe
        
        C:\14363.exe
        8⤵
        
        PID:10320
        
        C:\39362.exe
        
        C:\39362.exe
        8⤵
        
        PID:14164
        
        C:\25347.exe
        
        C:\25347.exe
        8⤵
        
        PID:15764
        
        C:\130.exe
        
        C:\130.exe
        7⤵
        
        PID:8836
        
        C:\23203.exe
        
        C:\23203.exe
        7⤵
        
        PID:11388
        
        C:\32595.exe
        
        C:\32595.exe
        7⤵
        
        PID:14552
        
        C:\49405.exe
        
        C:\49405.exe
        7⤵
        
        PID:16348
        
        C:\35115.exe
        
        C:\35115.exe
        7⤵
        
        PID:8148
        
        C:\12578.exe
        
        C:\12578.exe
        7⤵
        
        PID:5476
      - C:\Users60966.exe
        
        C:\Users60966.exe
        6⤵
        
        PID:6388
        
        C:\13698.exe
        
        C:\13698.exe
        7⤵
        
        PID:8168
        
        C:\6857.exe
        
        C:\6857.exe
        7⤵
        
        PID:12984
        
        C:\59533.exe
        
        C:\59533.exe
        7⤵
        
        PID:16280
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6388 -s 672
        7⤵
        Program crash
        
        PID:18296
      - C:\Users35978.exe
        
        C:\Users35978.exe
        6⤵
        
        PID:9200
      - C:\Users22925.exe
        
        C:\Users22925.exe
        6⤵
        
        PID:12144
      - C:\Users61620.exe
        
        C:\Users61620.exe
        6⤵
        
        PID:14844
      - C:\Users6789.exe
        
        C:\Users6789.exe
        6⤵
        
        PID:5192
    - - C:\Users\Admin31071.exe
        
        C:\Users\Admin31071.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4580
      - C:\Users5499.exe
        
        C:\Users5499.exe
        6⤵
        
        PID:5972
        
        C:\38847.exe
        
        C:\38847.exe
        7⤵
        
        PID:9392
        
        C:\16988.exe
        
        C:\16988.exe
        7⤵
        
        PID:13284
        
        C:\47524.exe
        
        C:\47524.exe
        7⤵
        
        PID:15484
        
        C:\51776.exe
        
        C:\51776.exe
        7⤵
        
        PID:18240
        
        C:\44244.exe
        
        C:\44244.exe
        7⤵
        
        PID:6256
      - C:\Users130.exe
        
        C:\Users130.exe
        6⤵
        
        PID:8844
      - C:\Users55300.exe
        
        C:\Users55300.exe
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:10364
      - C:\Users18453.exe
        
        C:\Users18453.exe
        6⤵
        
        PID:15516
      - C:\Users10102.exe
        
        C:\Users10102.exe
        6⤵
        
        PID:17764
      - C:\Users23914.exe
        
        C:\Users23914.exe
        6⤵
        
        PID:17452
    - - C:\Users\Admin716.exe
        
        C:\Users\Admin716.exe
        5⤵
        
        PID:6520
      - C:\Users4379.exe
        
        C:\Users4379.exe
        6⤵
        
        PID:10652
      - C:\Users62243.exe
        
        C:\Users62243.exe
        6⤵
        
        PID:3468
      - C:\Users62628.exe
        
        C:\Users62628.exe
        6⤵
        
        PID:17184
      - C:\Users56566.exe
        
        C:\Users56566.exe
        6⤵
        
        PID:7472
      - C:\Users39106.exe
        
        C:\Users39106.exe
        6⤵
        
        PID:1128
    - - C:\Users\Admin45683.exe
        
        C:\Users\Admin45683.exe
        5⤵
        
        PID:8304
    - - C:\Users\Admin43074.exe
        
        C:\Users\Admin43074.exe
        5⤵
        
        PID:11876
    - - C:\Users\Admin1419.exe
        
        C:\Users\Admin1419.exe
        5⤵
        
        PID:16332
    - - C:\Users\Admin9637.exe
        
        C:\Users\Admin9637.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:18268
    - - C:\Users\Admin60915.exe
        
        C:\Users\Admin60915.exe
        5⤵
        
        PID:5464
  - - C:\Users\Admin\AppData17923.exe
      C:\Users\Admin\AppData17923.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:3456
    - - C:\Users\Admin14014.exe
        
        C:\Users\Admin14014.exe
        5⤵
        
        PID:3108
      - C:\Users34143.exe
        
        C:\Users34143.exe
        6⤵
        
        PID:7008
        
        C:\25308.exe
        
        C:\25308.exe
        7⤵
        
        PID:9432
        
        C:\12963.exe
        
        C:\12963.exe
        7⤵
        
        PID:12852
        
        C:\16085.exe
        
        C:\16085.exe
        7⤵
        
        PID:17228
      - C:\Users805.exe
        
        C:\Users805.exe
        6⤵
        
        PID:8408
      - C:\Users46442.exe
        
        C:\Users46442.exe
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:12784
      - C:\Users7701.exe
        
        C:\Users7701.exe
        6⤵
        
        PID:16192
      - C:\Users10518.exe
        
        C:\Users10518.exe
        6⤵
        
        PID:880
    - - C:\Users\Admin39679.exe
        
        C:\Users\Admin39679.exe
        5⤵
        
        PID:7108
    - - C:\Users\Admin13033.exe
        
        C:\Users\Admin13033.exe
        5⤵
        
        PID:10032
    - - C:\Users\Admin40429.exe
        
        C:\Users\Admin40429.exe
        5⤵
        
        PID:5308
    - - C:\Users\Admin49405.exe
        
        C:\Users\Admin49405.exe
        5⤵
        
        PID:15812
    - - C:\Users\Admin46047.exe
        
        C:\Users\Admin46047.exe
        5⤵
        
        PID:5684
    - - C:\Users\Admin62089.exe
        
        C:\Users\Admin62089.exe
        5⤵
        
        PID:16400
    - - C:\Users\Admin35115.exe
        
        C:\Users\Admin35115.exe
        5⤵
        
        PID:6216
  - - C:\Users\Admin\AppData46330.exe
      C:\Users\Admin\AppData46330.exe
      4⤵
      PID:2856
    - - C:\Users\Admin60220.exe
        
        C:\Users\Admin60220.exe
        5⤵
        
        PID:7928
    - - C:\Users\Admin43615.exe
        
        C:\Users\Admin43615.exe
        5⤵
        
        PID:9428
    - - C:\Users\Admin53098.exe
        
        C:\Users\Admin53098.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:14192
    - - C:\Users\Admin31213.exe
        
        C:\Users\Admin31213.exe
        5⤵
        
        PID:16440
    - - C:\Users\Admin40212.exe
        
        C:\Users\Admin40212.exe
        5⤵
        
        PID:5788
  - - C:\Users\Admin\AppData11589.exe
      C:\Users\Admin\AppData11589.exe
      4⤵
      PID:7432
  - - C:\Users\Admin\AppData42383.exe
      C:\Users\Admin\AppData42383.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:10452
  - - C:\Users\Admin\AppData53163.exe
      C:\Users\Admin\AppData53163.exe
      4⤵
      PID:13916
  - - C:\Users\Admin\AppData47514.exe
      C:\Users\Admin\AppData47514.exe
      4⤵
      PID:16764
  - - C:\Users\Admin\AppData52606.exe
      C:\Users\Admin\AppData52606.exe
      4⤵
      PID:7272
- - C:\Users\Admin\AppData\Local36211.exe
    C:\Users\Admin\AppData\Local36211.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2064
  - - C:\Users\Admin\AppData8044.exe
      C:\Users\Admin\AppData8044.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:3132
    - - C:\Users\Admin17005.exe
        
        C:\Users\Admin17005.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4740
      - C:\Users16653.exe
        
        C:\Users16653.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2936
        
        C:\39417.exe
        
        C:\39417.exe
        7⤵
        
        PID:4616
        
        C:\23801.exe
        
        C:\23801.exe
        8⤵
        
        PID:2252
        
        C:\39074.exe
        
        C:\39074.exe
        8⤵
        
        PID:9708
        
        C:\33385.exe
        
        C:\33385.exe
        8⤵
        
        PID:12816
        
        C:\9554.exe
        
        C:\9554.exe
        8⤵
        
        PID:4648
        
        C:\2341.exe
        
        C:\2341.exe
        8⤵
        
        PID:5728
        
        C:\42905.exe
        
        C:\42905.exe
        8⤵
        
        PID:5856
        
        C:\14210.exe
        
        C:\14210.exe
        7⤵
        
        PID:7544
        
        C:\26790.exe
        
        C:\26790.exe
        7⤵
        
        PID:9628
        
        C:\29581.exe
        
        C:\29581.exe
        7⤵
        
        PID:13920
        
        C:\22547.exe
        
        C:\22547.exe
        7⤵
        
        PID:16548
        
        C:\4374.exe
        
        C:\4374.exe
        7⤵
        
        PID:16428
      - C:\Users6562.exe
        
        C:\Users6562.exe
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:5456
        
        C:\23801.exe
        
        C:\23801.exe
        7⤵
        
        PID:6872
        
        C:\31734.exe
        
        C:\31734.exe
        8⤵
        
        PID:15872
        
        C:\61030.exe
        
        C:\61030.exe
        8⤵
        
        PID:17892
        
        C:\10385.exe
        
        C:\10385.exe
        8⤵
        
        PID:6292
        
        C:\54726.exe
        
        C:\54726.exe
        7⤵
        
        PID:9844
        
        C:\16940.exe
        
        C:\16940.exe
        7⤵
        
        PID:12908
        
        C:\9554.exe
        
        C:\9554.exe
        7⤵
        
        PID:376
        
        C:\10518.exe
        
        C:\10518.exe
        7⤵
        
        PID:6696
      - C:\Users58506.exe
        
        C:\Users58506.exe
        6⤵
        
        PID:7360
      - C:\Users11218.exe
        
        C:\Users11218.exe
        6⤵
        
        PID:9676
      - C:\Users20915.exe
        
        C:\Users20915.exe
        6⤵
        
        PID:13872
      - C:\Users6012.exe
        
        C:\Users6012.exe
        6⤵
        
        PID:3680
      - C:\Users22111.exe
        
        C:\Users22111.exe
        6⤵
        
        PID:9548
    - - C:\Users\Admin63092.exe
        
        C:\Users\Admin63092.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:548
      - C:\Users7870.exe
        
        C:\Users7870.exe
        6⤵
        
        PID:5252
        
        C:\33017.exe
        
        C:\33017.exe
        7⤵
        
        PID:6220
        
        C:\44480.exe
        
        C:\44480.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:5304
        
        C:\17105.exe
        
        C:\17105.exe
        8⤵
        
        PID:7620
        
        C:\46957.exe
        
        C:\46957.exe
        7⤵
        
        PID:10624
        
        C:\10162.exe
        
        C:\10162.exe
        7⤵
        
        PID:14116
        
        C:\8313.exe
        
        C:\8313.exe
        7⤵
        
        PID:16952
        
        C:\36911.exe
        
        C:\36911.exe
        7⤵
        
        PID:8104
        
        C:\3964.exe
        
        C:\3964.exe
        7⤵
        
        PID:8148
      - C:\Users64096.exe
        
        C:\Users64096.exe
        6⤵
        
        PID:7604
      - C:\Users61395.exe
        
        C:\Users61395.exe
        6⤵
        
        PID:11092
      - C:\Users62644.exe
        
        C:\Users62644.exe
        6⤵
        
        PID:14892
      - C:\Users29349.exe
        
        C:\Users29349.exe
        6⤵
        
        PID:2960
      - C:\Users23272.exe
        
        C:\Users23272.exe
        6⤵
        
        PID:7184
    - - C:\Users\Admin52970.exe
        
        C:\Users\Admin52970.exe
        5⤵
        
        PID:5492
      - C:\Users23801.exe
        
        C:\Users23801.exe
        6⤵
        
        PID:1504
      - C:\Users1513.exe
        
        C:\Users1513.exe
        6⤵
        
        PID:11156
      - C:\Users30230.exe
        
        C:\Users30230.exe
        6⤵
        
        PID:13404
      - C:\Users8313.exe
        
        C:\Users8313.exe
        6⤵
        
        PID:16972
      - C:\Users21093.exe
        
        C:\Users21093.exe
        6⤵
        
        PID:16900
      - C:\Users4732.exe
        
        C:\Users4732.exe
        6⤵
        
        PID:6444
    - - C:\Users\Admin44688.exe
        
        C:\Users\Admin44688.exe
        5⤵
        
        PID:7956
    - - C:\Users\Admin54551.exe
        
        C:\Users\Admin54551.exe
        5⤵
        
        PID:9648
    - - C:\Users\Admin33762.exe
        
        C:\Users\Admin33762.exe
        5⤵
        
        PID:14008
    - - C:\Users\Admin23077.exe
        
        C:\Users\Admin23077.exe
        5⤵
        
        PID:16608
    - - C:\Users\Admin64526.exe
        
        C:\Users\Admin64526.exe
        5⤵
        
        PID:16960
  - - C:\Users\Admin\AppData27507.exe
      C:\Users\Admin\AppData27507.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:64
    - - C:\Users\Admin51053.exe
        
        C:\Users\Admin51053.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4376
      - C:\Users16962.exe
        
        C:\Users16962.exe
        6⤵
        
        PID:412
        
        C:\4827.exe
        
        C:\4827.exe
        7⤵
        
        PID:8696
        
        C:\39260.exe
        
        C:\39260.exe
        7⤵
        
        PID:12412
        
        C:\65261.exe
        
        C:\65261.exe
        7⤵
        
        PID:15948
        
        C:\38669.exe
        
        C:\38669.exe
        7⤵
        
        PID:18068
        
        C:\45012.exe
        
        C:\45012.exe
        7⤵
        
        PID:17360
      - C:\Users28582.exe
        
        C:\Users28582.exe
        6⤵
        
        PID:8648
      - C:\Users11637.exe
        
        C:\Users11637.exe
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:11644
      - C:\Users16124.exe
        
        C:\Users16124.exe
        6⤵
        
        PID:15000
      - C:\Users54781.exe
        
        C:\Users54781.exe
        6⤵
        
        PID:4524
      - C:\Users3964.exe
        
        C:\Users3964.exe
        6⤵
        
        PID:7016
    - - C:\Users\Admin23391.exe
        
        C:\Users\Admin23391.exe
        5⤵
        
        PID:5388
      - C:\Users48668.exe
        
        C:\Users48668.exe
        6⤵
        
        PID:6420
        
        C:\43964.exe
        
        C:\43964.exe
        7⤵
        
        PID:16564
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6420 -s 632
        7⤵
        Program crash
        
        PID:17932
      - C:\Users18981.exe
        
        C:\Users18981.exe
        6⤵
        
        PID:9380
      - C:\Users30723.exe
        
        C:\Users30723.exe
        6⤵
        
        PID:13296
      - C:\Users53389.exe
        
        C:\Users53389.exe
        6⤵
        
        PID:15488
    - - C:\Users\Admin55450.exe
        
        C:\Users\Admin55450.exe
        5⤵
        
        PID:7552
    - - C:\Users\Admin29861.exe
        
        C:\Users\Admin29861.exe
        5⤵
        
        PID:11652
    - - C:\Users\Admin9669.exe
        
        C:\Users\Admin9669.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:14360
    - - C:\Users\Admin59601.exe
        
        C:\Users\Admin59601.exe
        5⤵
        
        PID:16736
  - - C:\Users\Admin\AppData45883.exe
      C:\Users\Admin\AppData45883.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:3032
    - - C:\Users\Admin5566.exe
        
        C:\Users\Admin5566.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:596
      - C:\Users48793.exe
        
        C:\Users48793.exe
        6⤵
        
        PID:7324
      - C:\Users57155.exe
        
        C:\Users57155.exe
        6⤵
        
        PID:9704
      - C:\Users23715.exe
        
        C:\Users23715.exe
        6⤵
        
        PID:13860
      - C:\Users31213.exe
        
        C:\Users31213.exe
        6⤵
        
        PID:16704
    - - C:\Users\Admin386.exe
        
        C:\Users\Admin386.exe
        5⤵
        
        PID:6784
    - - C:\Users\Admin51565.exe
        
        C:\Users\Admin51565.exe
        5⤵
        
        PID:10772
    - - C:\Users\Admin32726.exe
        
        C:\Users\Admin32726.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:14140
    - - C:\Users\Admin50612.exe
        
        C:\Users\Admin50612.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:17208
  - - C:\Users\Admin\AppData42992.exe
      C:\Users\Admin\AppData42992.exe
      4⤵
      PID:5420
    - - C:\Users\Admin1595.exe
        
        C:\Users\Admin1595.exe
        5⤵
        
        PID:7656
    - - C:\Users\Admin11301.exe
        
        C:\Users\Admin11301.exe
        5⤵
        
        PID:9912
    - - C:\Users\Admin53866.exe
        
        C:\Users\Admin53866.exe
        5⤵
        
        PID:13948
    - - C:\Users\Admin31213.exe
        
        C:\Users\Admin31213.exe
        5⤵
        
        PID:16556
    - - C:\Users\Admin38676.exe
        
        C:\Users\Admin38676.exe
        5⤵
        
        PID:5860
  - - C:\Users\Admin\AppData28124.exe
      C:\Users\Admin\AppData28124.exe
      4⤵
      PID:7416
  - - C:\Users\Admin\AppData25317.exe
      C:\Users\Admin\AppData25317.exe
      4⤵
      PID:10156
  - - C:\Users\Admin\AppData9157.exe
      C:\Users\Admin\AppData9157.exe
      4⤵
      PID:2192
  - - C:\Users\Admin\AppData52849.exe
      C:\Users\Admin\AppData52849.exe
      4⤵
      PID:17024
  - - C:\Users\Admin\AppData33980.exe
      C:\Users\Admin\AppData33980.exe
      4⤵
      PID:5776
- - C:\Users\Admin\AppData\Local35355.exe
    C:\Users\Admin\AppData\Local35355.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3908
  - - C:\Users\Admin\AppData16237.exe
      C:\Users\Admin\AppData16237.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:3008
    - - C:\Users\Admin33264.exe
        
        C:\Users\Admin33264.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4516
      - C:\Users14014.exe
        
        C:\Users14014.exe
        6⤵
        
        PID:1936
        
        C:\5310.exe
        
        C:\5310.exe
        7⤵
        
        PID:6716
        
        C:\36895.exe
        
        C:\36895.exe
        8⤵
        
        PID:2332
        
        C:\62278.exe
        
        C:\62278.exe
        8⤵
        
        PID:15404
        
        C:\13955.exe
        
        C:\13955.exe
        8⤵
        
        PID:17588
        
        C:\35062.exe
        
        C:\35062.exe
        8⤵
        
        PID:5840
        
        C:\10537.exe
        
        C:\10537.exe
        7⤵
        
        PID:10056
        
        C:\30131.exe
        
        C:\30131.exe
        7⤵
        
        PID:13328
        
        C:\34521.exe
        
        C:\34521.exe
        7⤵
        
        PID:15964
        
        C:\5183.exe
        
        C:\5183.exe
        7⤵
        
        PID:18136
      - C:\Users32549.exe
        
        C:\Users32549.exe
        6⤵
        
        PID:6920
      - C:\Users19945.exe
        
        C:\Users19945.exe
        6⤵
        
        PID:9800
      - C:\Users7346.exe
        
        C:\Users7346.exe
        6⤵
        
        PID:12700
      - C:\Users889.exe
        
        C:\Users889.exe
        6⤵
        
        PID:16084
      - C:\Users46047.exe
        
        C:\Users46047.exe
        6⤵
        
        PID:17432
      - C:\Users24808.exe
        
        C:\Users24808.exe
        6⤵
        
        PID:5724
    - - C:\Users\Admin1762.exe
        
        C:\Users\Admin1762.exe
        5⤵
        
        PID:5232
      - C:\Users33017.exe
        
        C:\Users33017.exe
        6⤵
        
        PID:6288
      - C:\Users38640.exe
        
        C:\Users38640.exe
        6⤵
        
        PID:6776
      - C:\Users51124.exe
        
        C:\Users51124.exe
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:14952
      - C:\Users21093.exe
        
        C:\Users21093.exe
        6⤵
        
        PID:1876
      - C:\Users13844.exe
        
        C:\Users13844.exe
        6⤵
        
        PID:5936
    - - C:\Users\Admin58506.exe
        
        C:\Users\Admin58506.exe
        5⤵
        
        PID:7444
      - C:\Users33127.exe
        
        C:\Users33127.exe
        6⤵
        
        PID:18396
    - - C:\Users\Admin11218.exe
        
        C:\Users\Admin11218.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:10208
    - - C:\Users\Admin50298.exe
        
        C:\Users\Admin50298.exe
        5⤵
        
        PID:14084
    - - C:\Users\Admin6012.exe
        
        C:\Users\Admin6012.exe
        5⤵
        
        PID:16640
  - - C:\Users\Admin\AppData64628.exe
      C:\Users\Admin\AppData64628.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:4056
    - - C:\Users\Admin55260.exe
        
        C:\Users\Admin55260.exe
        5⤵
        
        PID:1696
      - C:\Users16479.exe
        
        C:\Users16479.exe
        6⤵
        
        PID:7628
      - C:\Users13055.exe
        
        C:\Users13055.exe
        6⤵
        
        PID:9780
      - C:\Users23715.exe
        
        C:\Users23715.exe
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:13928
      - C:\Users31213.exe
        
        C:\Users31213.exe
        6⤵
        
        PID:16404
      - C:\Users62801.exe
        
        C:\Users62801.exe
        6⤵
        
        PID:6984
    - - C:\Users\Admin31714.exe
        
        C:\Users\Admin31714.exe
        5⤵
        
        PID:6416
    - - C:\Users\Admin9676.exe
        
        C:\Users\Admin9676.exe
        5⤵
        
        PID:11060
    - - C:\Users\Admin30230.exe
        
        C:\Users\Admin30230.exe
        5⤵
        
        PID:13964
    - - C:\Users\Admin8313.exe
        
        C:\Users\Admin8313.exe
        5⤵
        
        PID:16832
  - - C:\Users\Admin\AppData37127.exe
      C:\Users\Admin\AppData37127.exe
      4⤵
      PID:5332
    - - C:\Users\Admin29535.exe
        
        C:\Users\Admin29535.exe
        5⤵
        
        PID:6536
    - - C:\Users\Admin56262.exe
        
        C:\Users\Admin56262.exe
        5⤵
        
        PID:9616
    - - C:\Users\Admin29545.exe
        
        C:\Users\Admin29545.exe
        5⤵
        
        PID:12356
    - - C:\Users\Admin9554.exe
        
        C:\Users\Admin9554.exe
        5⤵
        
        PID:16016
    - - C:\Users\Admin41270.exe
        
        C:\Users\Admin41270.exe
        5⤵
        
        PID:7048
  - - C:\Users\Admin\AppData64371.exe
      C:\Users\Admin\AppData64371.exe
      4⤵
      PID:7420
    - - C:\Users\Admin32284.exe
        
        C:\Users\Admin32284.exe
        5⤵
        
        PID:6148
    - - C:\Users\Admin27132.exe
        
        C:\Users\Admin27132.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:11792
    - - C:\Users\Admin25068.exe
        
        C:\Users\Admin25068.exe
        5⤵
        
        PID:14416
    - - C:\Users\Admin23731.exe
        
        C:\Users\Admin23731.exe
        5⤵
        
        PID:1468
    - - C:\Users\Admin43213.exe
        
        C:\Users\Admin43213.exe
        5⤵
        
        PID:7892
  - - C:\Users\Admin\AppData56343.exe
      C:\Users\Admin\AppData56343.exe
      4⤵
      PID:8744
  - - C:\Users\Admin\AppData35964.exe
      C:\Users\Admin\AppData35964.exe
      4⤵
      PID:11372
  - - C:\Users\Admin\AppData28300.exe
      C:\Users\Admin\AppData28300.exe
      4⤵
      PID:15580
  - - C:\Users\Admin\AppData54638.exe
      C:\Users\Admin\AppData54638.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:17692
  - - C:\Users\Admin\AppData27269.exe
      C:\Users\Admin\AppData27269.exe
      4⤵
      PID:17480
- - C:\Users\Admin\AppData\Local16739.exe
    C:\Users\Admin\AppData\Local16739.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1512
  - - C:\Users\Admin\AppData14540.exe
      C:\Users\Admin\AppData14540.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:4696
    - - C:\Users\Admin4030.exe
        
        C:\Users\Admin4030.exe
        5⤵
        
        PID:5168
      - C:\Users39452.exe
        
        C:\Users39452.exe
        6⤵
        
        PID:6740
      - C:\Users39074.exe
        
        C:\Users39074.exe
        6⤵
        
        PID:9760
      - C:\Users33385.exe
        
        C:\Users33385.exe
        6⤵
        
        PID:12720
      - C:\Users9554.exe
        
        C:\Users9554.exe
        6⤵
        
        PID:15588
      - C:\Users19449.exe
        
        C:\Users19449.exe
        6⤵
        
        PID:6344
    - - C:\Users\Admin43426.exe
        
        C:\Users\Admin43426.exe
        5⤵
        
        PID:8140
    - - C:\Users\Admin22579.exe
        
        C:\Users\Admin22579.exe
        5⤵
        
        PID:10660
    - - C:\Users\Admin51124.exe
        
        C:\Users\Admin51124.exe
        5⤵
        
        PID:14988
    - - C:\Users\Admin21093.exe
        
        C:\Users\Admin21093.exe
        5⤵
        
        PID:17068
  - - C:\Users\Admin\AppData36738.exe
      C:\Users\Admin\AppData36738.exe
      4⤵
      PID:5560
    - - C:\Users\Admin56774.exe
        
        C:\Users\Admin56774.exe
        5⤵
        
        PID:6628
    - - C:\Users\Admin52743.exe
        
        C:\Users\Admin52743.exe
        5⤵
        
        PID:10680
    - - C:\Users\Admin31766.exe
        
        C:\Users\Admin31766.exe
        5⤵
        
        PID:13372
    - - C:\Users\Admin7420.exe
        
        C:\Users\Admin7420.exe
        5⤵
        
        PID:16824
  - - C:\Users\Admin\AppData13062.exe
      C:\Users\Admin\AppData13062.exe
      4⤵
      PID:7792
  - - C:\Users\Admin\AppData48499.exe
      C:\Users\Admin\AppData48499.exe
      4⤵
      PID:9224
  - - C:\Users\Admin\AppData50298.exe
      C:\Users\Admin\AppData50298.exe
      4⤵
      PID:14100
  - - C:\Users\Admin\AppData6012.exe
      C:\Users\Admin\AppData6012.exe
      4⤵
      PID:16616
  - - C:\Users\Admin\AppData28623.exe
      C:\Users\Admin\AppData28623.exe
      4⤵
      PID:6252
- - C:\Users\Admin\AppData\Local42123.exe
    C:\Users\Admin\AppData\Local42123.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4140
  - - C:\Users\Admin\AppData55068.exe
      C:\Users\Admin\AppData55068.exe
      4⤵
      PID:3156
    - - C:\Users\Admin3224.exe
        
        C:\Users\Admin3224.exe
        5⤵
        
        PID:6952
      - C:\Users26431.exe
        
        C:\Users26431.exe
        6⤵
        
        PID:5040
      - C:\Users29214.exe
        
        C:\Users29214.exe
        6⤵
        
        PID:17940
    - - C:\Users\Admin37727.exe
        
        C:\Users\Admin37727.exe
        5⤵
        
        PID:9000
    - - C:\Users\Admin15523.exe
        
        C:\Users\Admin15523.exe
        5⤵
        
        PID:12688
    - - C:\Users\Admin7701.exe
        
        C:\Users\Admin7701.exe
        5⤵
        
        PID:16108
    - - C:\Users\Admin8214.exe
        
        C:\Users\Admin8214.exe
        5⤵
        
        PID:17608
  - - C:\Users\Admin\AppData37375.exe
      C:\Users\Admin\AppData37375.exe
      4⤵
      PID:6900
  - - C:\Users\Admin\AppData19945.exe
      C:\Users\Admin\AppData19945.exe
      4⤵
      PID:9804
  - - C:\Users\Admin\AppData7346.exe
      C:\Users\Admin\AppData7346.exe
      4⤵
      PID:12856
  - - C:\Users\Admin\AppData889.exe
      C:\Users\Admin\AppData889.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:15676
  - - C:\Users\Admin\AppData31164.exe
      C:\Users\Admin\AppData31164.exe
      4⤵
      PID:5840
- - C:\Users\Admin\AppData\Local31138.exe
    C:\Users\Admin\AppData\Local31138.exe
    3⤵
    PID:5576
  - - C:\Users\Admin\AppData39452.exe
      C:\Users\Admin\AppData39452.exe
      4⤵
      PID:6760
    - - C:\Users\Admin32921.exe
        
        C:\Users\Admin32921.exe
        5⤵
        
        PID:9832
    - - C:\Users\Admin39362.exe
        
        C:\Users\Admin39362.exe
        5⤵
        
        PID:14120
    - - C:\Users\Admin25347.exe
        
        C:\Users\Admin25347.exe
        5⤵
        
        PID:16628
  - - C:\Users\Admin\AppData39074.exe
      C:\Users\Admin\AppData39074.exe
      4⤵
      PID:9740
  - - C:\Users\Admin\AppData33385.exe
      C:\Users\Admin\AppData33385.exe
      4⤵
      PID:12612
  - - C:\Users\Admin\AppData9554.exe
      C:\Users\Admin\AppData9554.exe
      4⤵
      PID:1824
  - - C:\Users\Admin\AppData42588.exe
      C:\Users\Admin\AppData42588.exe
      4⤵
      PID:7200
- - C:\Users\Admin\AppData\Local10024.exe
    C:\Users\Admin\AppData\Local10024.exe
    3⤵
    PID:7596
- - C:\Users\Admin\AppData\Local2990.exe
    C:\Users\Admin\AppData\Local2990.exe
    3⤵
    PID:9796
- - C:\Users\Admin\AppData\Local60116.exe
    C:\Users\Admin\AppData\Local60116.exe
    3⤵
    PID:13888
- - C:\Users\Admin\AppData\Local412.exe
    C:\Users\Admin\AppData\Local412.exe
    3⤵
    PID:16668
- - C:\Users\Admin\AppData\Local63685.exe
    C:\Users\Admin\AppData\Local63685.exe
    3⤵
    PID:6460
- C:\Users\Admin\AppData\Local\Temp29555.exe
  C:\Users\Admin\AppData\Local\Temp29555.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2432
- - C:\Users\Admin\AppData\Local64717.exe
    C:\Users\Admin\AppData\Local64717.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4896
  - - C:\Users\Admin\AppData51952.exe
      C:\Users\Admin\AppData51952.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1308
    - - C:\Users\Admin14124.exe
        
        C:\Users\Admin14124.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4552
      - C:\Users21453.exe
        
        C:\Users21453.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1280
        
        C:\17180.exe
        
        C:\17180.exe
        7⤵
        Executes dropped EXE
        
        PID:2180
        
        C:\14715.exe
        
        C:\14715.exe
        8⤵
        
        PID:5916
        
        C:\31071.exe
        
        C:\31071.exe
        9⤵
        
        PID:6276
        
        C:\64150.exe
        
        C:\64150.exe
        10⤵
        
        PID:16716
        
        C:\21626.exe
        
        C:\21626.exe
        10⤵
        
        PID:8028
        
        C:\46957.exe
        
        C:\46957.exe
        9⤵
        
        PID:10616
        
        C:\11698.exe
        
        C:\11698.exe
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:13992
        
        C:\2044.exe
        
        C:\2044.exe
        9⤵
        
        PID:16728
        
        C:\42885.exe
        
        C:\42885.exe
        9⤵
        
        PID:6544
        
        C:\30245.exe
        
        C:\30245.exe
        8⤵
        
        PID:7752
        
        C:\42634.exe
        
        C:\42634.exe
        8⤵
        
        PID:9284
        
        C:\58963.exe
        
        C:\58963.exe
        8⤵
        
        PID:14044
        
        C:\22547.exe
        
        C:\22547.exe
        8⤵
        
        PID:16648
        
        C:\34140.exe
        
        C:\34140.exe
        8⤵
        
        PID:18060
        
        C:\32130.exe
        
        C:\32130.exe
        7⤵
        
        PID:6080
        
        C:\578.exe
        
        C:\578.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:7092
        
        C:\21414.exe
        
        C:\21414.exe
        8⤵
        
        PID:10792
        
        C:\32726.exe
        
        C:\32726.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:13856
        
        C:\50612.exe
        
        C:\50612.exe
        8⤵
        
        PID:17196
        
        C:\29350.exe
        
        C:\29350.exe
        8⤵
        
        PID:7972
        
        C:\59033.exe
        
        C:\59033.exe
        8⤵
        
        PID:6136
        
        C:\58506.exe
        
        C:\58506.exe
        7⤵
        
        PID:7392
        
        C:\62955.exe
        
        C:\62955.exe
        8⤵
        
        PID:7912
        
        C:\11218.exe
        
        C:\11218.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:10096
        
        C:\50298.exe
        
        C:\50298.exe
        7⤵
        
        PID:14032
        
        C:\6012.exe
        
        C:\6012.exe
        7⤵
        
        PID:16568
        
        C:\28623.exe
        
        C:\28623.exe
        7⤵
        
        PID:6352
        
        C:\12142.exe
        
        C:\12142.exe
        7⤵
        
        PID:4584
      - C:\Users30370.exe
        
        C:\Users30370.exe
        6⤵
        
        PID:5016
        
        C:\14715.exe
        
        C:\14715.exe
        7⤵
        
        PID:5908
        
        C:\36505.exe
        
        C:\36505.exe
        8⤵
        
        PID:6556
        
        C:\61478.exe
        
        C:\61478.exe
        8⤵
        
        PID:11120
        
        C:\52813.exe
        
        C:\52813.exe
        8⤵
        
        PID:14092
        
        C:\16978.exe
        
        C:\16978.exe
        8⤵
        
        PID:16872
        
        C:\23510.exe
        
        C:\23510.exe
        8⤵
        
        PID:880
        
        C:\5372.exe
        
        C:\5372.exe
        8⤵
        
        PID:6528
        
        C:\34260.exe
        
        C:\34260.exe
        8⤵
        
        PID:6164
        
        C:\6751.exe
        
        C:\6751.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:6200
        
        C:\7017.exe
        
        C:\7017.exe
        7⤵
        
        PID:11272
        
        C:\65165.exe
        
        C:\65165.exe
        7⤵
        
        PID:15136
        
        C:\37628.exe
        
        C:\37628.exe
        7⤵
        
        PID:17052
        
        C:\5500.exe
        
        C:\5500.exe
        7⤵
        
        PID:5844
      - C:\Users11657.exe
        
        C:\Users11657.exe
        6⤵
        
        PID:5488
        
        C:\56255.exe
        
        C:\56255.exe
        7⤵
        
        PID:5624
        
        C:\34466.exe
        
        C:\34466.exe
        7⤵
        
        PID:10200
        
        C:\56170.exe
        
        C:\56170.exe
        7⤵
        
        PID:13488
        
        C:\43405.exe
        
        C:\43405.exe
        7⤵
        
        PID:15864
      - C:\Users22483.exe
        
        C:\Users22483.exe
        6⤵
        
        PID:7580
      - C:\Users50426.exe
        
        C:\Users50426.exe
        6⤵
        
        PID:10420
      - C:\Users14972.exe
        
        C:\Users14972.exe
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:14692
      - C:\Users5413.exe
        
        C:\Users5413.exe
        6⤵
        
        PID:17328
      - C:\Users1742.exe
        
        C:\Users1742.exe
        6⤵
        
        PID:7204
    - - C:\Users\Admin19376.exe
        
        C:\Users\Admin19376.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1664
      - C:\Users50044.exe
        
        C:\Users50044.exe
        6⤵
        
        PID:5116
        
        C:\190.exe
        
        C:\190.exe
        7⤵
        
        PID:4812
        
        C:\26047.exe
        
        C:\26047.exe
        8⤵
        
        PID:9048
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4812 -s 664
        8⤵
        Program crash
        
        PID:11456
        
        C:\50374.exe
        
        C:\50374.exe
        7⤵
        
        PID:8248
        
        C:\38564.exe
        
        C:\38564.exe
        7⤵
        
        PID:11832
        
        C:\30934.exe
        
        C:\30934.exe
        7⤵
        
        PID:14440
        
        C:\15065.exe
        
        C:\15065.exe
        7⤵
        
        PID:4076
        
        C:\58743.exe
        
        C:\58743.exe
        7⤵
        
        PID:5704
      - C:\Users13765.exe
        
        C:\Users13765.exe
        6⤵
        
        PID:5568
        
        C:\18425.exe
        
        C:\18425.exe
        7⤵
        
        PID:7572
        
        C:\13055.exe
        
        C:\13055.exe
        7⤵
        
        PID:9732
        
        C:\23715.exe
        
        C:\23715.exe
        7⤵
        
        PID:13828
        
        C:\31213.exe
        
        C:\31213.exe
        7⤵
        
        PID:16392
        
        C:\60023.exe
        
        C:\60023.exe
        7⤵
        
        PID:18164
      - C:\Users65133.exe
        
        C:\Users65133.exe
        6⤵
        
        PID:7336
      - C:\Users48214.exe
        
        C:\Users48214.exe
        6⤵
        
        PID:11184
      - C:\Users21564.exe
        
        C:\Users21564.exe
        6⤵
        
        PID:5048
      - C:\Users57315.exe
        
        C:\Users57315.exe
        6⤵
        
        PID:16804
      - C:\Users9733.exe
        
        C:\Users9733.exe
        6⤵
        
        PID:17940
      - C:\Users35702.exe
        
        C:\Users35702.exe
        6⤵
        
        PID:8156
    - - C:\Users\Admin61703.exe
        
        C:\Users\Admin61703.exe
        5⤵
        
        PID:732
      - C:\Users18556.exe
        
        C:\Users18556.exe
        6⤵
        
        PID:5512
        
        C:\36505.exe
        
        C:\36505.exe
        7⤵
        
        PID:6236
        
        C:\8963.exe
        
        C:\8963.exe
        7⤵
        
        PID:10160
        
        C:\65165.exe
        
        C:\65165.exe
        7⤵
        
        PID:15084
        
        C:\37628.exe
        
        C:\37628.exe
        7⤵
        
        PID:17040
        
        C:\35375.exe
        
        C:\35375.exe
        7⤵
        
        PID:16764
      - C:\Users6751.exe
        
        C:\Users6751.exe
        6⤵
        
        PID:5360
      - C:\Users7017.exe
        
        C:\Users7017.exe
        6⤵
        
        PID:9872
      - C:\Users65165.exe
        
        C:\Users65165.exe
        6⤵
        
        PID:15092
      - C:\Users37628.exe
        
        C:\Users37628.exe
        6⤵
        
        PID:1108
      - C:\Users45785.exe
        
        C:\Users45785.exe
        6⤵
        
        PID:18048
    - - C:\Users\Admin25328.exe
        
        C:\Users\Admin25328.exe
        5⤵
        
        PID:5452
      - C:\Users33820.exe
        
        C:\Users33820.exe
        6⤵
        
        PID:6632
      - C:\Users65373.exe
        
        C:\Users65373.exe
        6⤵
        
        PID:11364
      - C:\Users6892.exe
        
        C:\Users6892.exe
        6⤵
        
        PID:15148
      - C:\Users46294.exe
        
        C:\Users46294.exe
        6⤵
        
        PID:17028
      - C:\Users48004.exe
        
        C:\Users48004.exe
        6⤵
        
        PID:16400
    - - C:\Users\Admin29404.exe
        
        C:\Users\Admin29404.exe
        5⤵
        
        PID:8296
    - - C:\Users\Admin261.exe
        
        C:\Users\Admin261.exe
        5⤵
        
        PID:11932
    - - C:\Users\Admin22798.exe
        
        C:\Users\Admin22798.exe
        5⤵
        
        PID:14400
    - - C:\Users\Admin59601.exe
        
        C:\Users\Admin59601.exe
        5⤵
        
        PID:2720
  - - C:\Users\Admin\AppData8976.exe
      C:\Users\Admin\AppData8976.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2232
    - - C:\Users\Admin5775.exe
        
        C:\Users\Admin5775.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4024
      - C:\Users56671.exe
        
        C:\Users56671.exe
        6⤵
        
        PID:2632
        
        C:\24415.exe
        
        C:\24415.exe
        7⤵
        
        PID:5640
        
        C:\47551.exe
        
        C:\47551.exe
        8⤵
        
        PID:7624
        
        C:\2021.exe
        
        C:\2021.exe
        8⤵
        
        PID:11620
        
        C:\588.exe
        
        C:\588.exe
        8⤵
        
        PID:12376
        
        C:\5589.exe
        
        C:\5589.exe
        8⤵
        
        PID:15888
        
        C:\10268.exe
        
        C:\10268.exe
        8⤵
        
        PID:18084
        
        C:\58841.exe
        
        C:\58841.exe
        8⤵
        
        PID:18312
        
        C:\50374.exe
        
        C:\50374.exe
        7⤵
        
        PID:8240
        
        C:\38564.exe
        
        C:\38564.exe
        7⤵
        
        PID:11824
        
        C:\30934.exe
        
        C:\30934.exe
        7⤵
        
        PID:14512
        
        C:\15065.exe
        
        C:\15065.exe
        7⤵
        
        PID:16940
      - C:\Users6853.exe
        
        C:\Users6853.exe
        6⤵
        
        PID:5992
        
        C:\42393.exe
        
        C:\42393.exe
        7⤵
        
        PID:8600
        
        C:\18684.exe
        
        C:\18684.exe
        7⤵
        
        PID:12220
        
        C:\48525.exe
        
        C:\48525.exe
        7⤵
        
        PID:14884
        
        C:\14444.exe
        
        C:\14444.exe
        7⤵
        
        PID:3004
        
        C:\56116.exe
        
        C:\56116.exe
        7⤵
        
        PID:5244
      - C:\Users63341.exe
        
        C:\Users63341.exe
        6⤵
        
        PID:8420
      - C:\Users35213.exe
        
        C:\Users35213.exe
        6⤵
        
        PID:12124
      - C:\Users47261.exe
        
        C:\Users47261.exe
        6⤵
        
        PID:14660
      - C:\Users64067.exe
        
        C:\Users64067.exe
        6⤵
        
        PID:2980
      - C:\Users52889.exe
        
        C:\Users52889.exe
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:6532
    - - C:\Users\Admin21922.exe
        
        C:\Users\Admin21922.exe
        5⤵
        
        PID:2376
      - C:\Users20217.exe
        
        C:\Users20217.exe
        6⤵
        
        PID:5356
        
        C:\32284.exe
        
        C:\32284.exe
        7⤵
        
        PID:3684
        
        C:\37765.exe
        
        C:\37765.exe
        7⤵
        
        PID:11852
        
        C:\25068.exe
        
        C:\25068.exe
        7⤵
        
        PID:14628
        
        C:\23731.exe
        
        C:\23731.exe
        7⤵
        
        PID:1616
        
        C:\24682.exe
        
        C:\24682.exe
        7⤵
        
        PID:17568
      - C:\Users53856.exe
        
        C:\Users53856.exe
        6⤵
        
        PID:8540
      - C:\Users32419.exe
        
        C:\Users32419.exe
        6⤵
        
        PID:12228
      - C:\Users6834.exe
        
        C:\Users6834.exe
        6⤵
        
        PID:14852
      - C:\Users5779.exe
        
        C:\Users5779.exe
        6⤵
        
        PID:16956
    - - C:\Users\Admin9164.exe
        
        C:\Users\Admin9164.exe
        5⤵
        
        PID:6404
      - C:\Users20121.exe
        
        C:\Users20121.exe
        6⤵
        
        PID:8820
      - C:\Users28866.exe
        
        C:\Users28866.exe
        6⤵
        
        PID:12484
      - C:\Users65261.exe
        
        C:\Users65261.exe
        6⤵
        
        PID:15968
      - C:\Users38669.exe
        
        C:\Users38669.exe
        6⤵
        
        PID:18048
    - - C:\Users\Admin41843.exe
        
        C:\Users\Admin41843.exe
        5⤵
        
        PID:7532
    - - C:\Users\Admin14259.exe
        
        C:\Users\Admin14259.exe
        5⤵
        
        PID:10676
    - - C:\Users\Admin45084.exe
        
        C:\Users\Admin45084.exe
        5⤵
        
        PID:13356
    - - C:\Users\Admin26761.exe
        
        C:\Users\Admin26761.exe
        5⤵
        
        PID:17468
  - - C:\Users\Admin\AppData17434.exe
      C:\Users\Admin\AppData17434.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2328
    - - C:\Users\Admin26521.exe
        
        C:\Users\Admin26521.exe
        5⤵
        
        PID:4596
      - C:\Users45852.exe
        
        C:\Users45852.exe
        6⤵
        
        PID:5716
        
        C:\32284.exe
        
        C:\32284.exe
        7⤵
        
        PID:8188
        
        C:\6821.exe
        
        C:\6821.exe
        7⤵
        
        PID:11736
        
        C:\25068.exe
        
        C:\25068.exe
        7⤵
        
        PID:14640
        
        C:\23731.exe
        
        C:\23731.exe
        7⤵
        
        PID:2756
        
        C:\63307.exe
        
        C:\63307.exe
        7⤵
        
        PID:18000
      - C:\Users18469.exe
        
        C:\Users18469.exe
        6⤵
        
        PID:8280
      - C:\Users62980.exe
        
        C:\Users62980.exe
        6⤵
        
        PID:11972
      - C:\Users30934.exe
        
        C:\Users30934.exe
        6⤵
        
        PID:14428
      - C:\Users15065.exe
        
        C:\Users15065.exe
        6⤵
        
        PID:2824
    - - C:\Users\Admin6853.exe
        
        C:\Users\Admin6853.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5984
      - C:\Users33244.exe
        
        C:\Users33244.exe
        6⤵
        
        PID:6616
      - C:\Users58819.exe
        
        C:\Users58819.exe
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:9636
      - C:\Users59300.exe
        
        C:\Users59300.exe
        6⤵
        
        PID:15068
      - C:\Users46294.exe
        
        C:\Users46294.exe
        6⤵
        
        PID:432
      - C:\Users39636.exe
        
        C:\Users39636.exe
        6⤵
        
        PID:17900
    - - C:\Users\Admin48458.exe
        
        C:\Users\Admin48458.exe
        5⤵
        
        PID:8428
    - - C:\Users\Admin35213.exe
        
        C:\Users\Admin35213.exe
        5⤵
        
        PID:12132
    - - C:\Users\Admin15164.exe
        
        C:\Users\Admin15164.exe
        5⤵
        
        PID:14648
    - - C:\Users\Admin64067.exe
        
        C:\Users\Admin64067.exe
        5⤵
        
        PID:1968
  - - C:\Users\Admin\AppData56048.exe
      C:\Users\Admin\AppData56048.exe
      4⤵
      PID:4416
    - - C:\Users\Admin40476.exe
        
        C:\Users\Admin40476.exe
        5⤵
        
        PID:5708
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5708 -s 632
        6⤵
        Program crash
        
        PID:17508
    - - C:\Users\Admin47302.exe
        
        C:\Users\Admin47302.exe
        5⤵
        
        PID:8780
    - - C:\Users\Admin23203.exe
        
        C:\Users\Admin23203.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:11464
    - - C:\Users\Admin44115.exe
        
        C:\Users\Admin44115.exe
        5⤵
        
        PID:404
    - - C:\Users\Admin5779.exe
        
        C:\Users\Admin5779.exe
        5⤵
        
        PID:4624
  - - C:\Users\Admin\AppData6364.exe
      C:\Users\Admin\AppData6364.exe
      4⤵
      PID:6396
    - - C:\Users\Admin32188.exe
        
        C:\Users\Admin32188.exe
        5⤵
        
        PID:11784
    - - C:\Users\Admin49030.exe
        
        C:\Users\Admin49030.exe
        5⤵
        
        PID:15920
    - - C:\Users\Admin32803.exe
        
        C:\Users\Admin32803.exe
        5⤵
        
        PID:18104
    - - C:\Users\Admin57355.exe
        
        C:\Users\Admin57355.exe
        5⤵
        
        PID:7848
  - - C:\Users\Admin\AppData16642.exe
      C:\Users\Admin\AppData16642.exe
      4⤵
      PID:9180
  - - C:\Users\Admin\AppData14789.exe
      C:\Users\Admin\AppData14789.exe
      4⤵
      PID:11524
  - - C:\Users\Admin\AppData40619.exe
      C:\Users\Admin\AppData40619.exe
      4⤵
      PID:14108
  - - C:\Users\Admin\AppData65432.exe
      C:\Users\Admin\AppData65432.exe
      4⤵
      PID:17488
- - C:\Users\Admin\AppData\Local50068.exe
    C:\Users\Admin\AppData\Local50068.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:5084
  - - C:\Users\Admin\AppData11820.exe
      C:\Users\Admin\AppData11820.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:456
    - - C:\Users\Admin16077.exe
        
        C:\Users\Admin16077.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:468
      - C:\Users28057.exe
        
        C:\Users28057.exe
        6⤵
        
        PID:2044
        
        C:\55580.exe
        
        C:\55580.exe
        7⤵
        
        PID:6700
        
        C:\34332.exe
        
        C:\34332.exe
        8⤵
        
        PID:8288
        
        C:\54819.exe
        
        C:\54819.exe
        8⤵
        
        PID:12956
        
        C:\53668.exe
        
        C:\53668.exe
        8⤵
        
        PID:16296
        
        C:\58193.exe
        
        C:\58193.exe
        8⤵
        
        PID:9504
        
        C:\32709.exe
        
        C:\32709.exe
        7⤵
        
        PID:8716
        
        C:\52996.exe
        
        C:\52996.exe
        7⤵
        
        PID:12428
        
        C:\5589.exe
        
        C:\5589.exe
        7⤵
        
        PID:15940
        
        C:\10268.exe
        
        C:\10268.exe
        7⤵
        
        PID:18092
        
        C:\41052.exe
        
        C:\41052.exe
        7⤵
        
        PID:17984
      - C:\Users32549.exe
        
        C:\Users32549.exe
        6⤵
        
        PID:6924
      - C:\Users7378.exe
        
        C:\Users7378.exe
        6⤵
        
        PID:11164
      - C:\Users21564.exe
        
        C:\Users21564.exe
        6⤵
        
        PID:14344
      - C:\Users57315.exe
        
        C:\Users57315.exe
        6⤵
        
        PID:3852
      - C:\Users20174.exe
        
        C:\Users20174.exe
        6⤵
        
        PID:16860
      - C:\Users13844.exe
        
        C:\Users13844.exe
        6⤵
        
        PID:6312
    - - C:\Users\Admin33375.exe
        
        C:\Users\Admin33375.exe
        5⤵
        
        PID:2252
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2252 -s 488
        6⤵
        Program crash
        
        PID:4664
    - - C:\Users\Admin3913.exe
        
        C:\Users\Admin3913.exe
        5⤵
        
        PID:5712
      - C:\Users17084.exe
        
        C:\Users17084.exe
        6⤵
        
        PID:14584
      - C:\Users4130.exe
        
        C:\Users4130.exe
        6⤵
        
        PID:4436
      - C:\Users48347.exe
        
        C:\Users48347.exe
        6⤵
        
        PID:18084
    - - C:\Users\Admin18898.exe
        
        C:\Users\Admin18898.exe
        5⤵
        
        PID:10024
    - - C:\Users\Admin31763.exe
        
        C:\Users\Admin31763.exe
        5⤵
        
        PID:13272
    - - C:\Users\Admin17986.exe
        
        C:\Users\Admin17986.exe
        5⤵
        
        PID:16020
  - - C:\Users\Admin\AppData26579.exe
      C:\Users\Admin\AppData26579.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:116
    - - C:\Users\Admin2011.exe
        
        C:\Users\Admin2011.exe
        5⤵
        
        PID:2768
      - C:\Users38364.exe
        
        C:\Users38364.exe
        6⤵
        
        PID:5604
        
        C:\9464.exe
        
        C:\9464.exe
        7⤵
        
        PID:9256
        
        C:\32997.exe
        
        C:\32997.exe
        7⤵
        
        PID:11080
        
        C:\47524.exe
        
        C:\47524.exe
        7⤵
        
        PID:15452
        
        C:\30422.exe
        
        C:\30422.exe
        7⤵
        
        PID:5864
        
        C:\11143.exe
        
        C:\11143.exe
        7⤵
        
        PID:11660
      - C:\Users28201.exe
        
        C:\Users28201.exe
        6⤵
        
        PID:9188
      - C:\Users8882.exe
        
        C:\Users8882.exe
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:13000
      - C:\Users50868.exe
        
        C:\Users50868.exe
        6⤵
        
        PID:16304
      - C:\Users35717.exe
        
        C:\Users35717.exe
        6⤵
        
        PID:18316
    - - C:\Users\Admin45699.exe
        
        C:\Users\Admin45699.exe
        5⤵
        
        PID:6428
      - C:\Users7707.exe
        
        C:\Users7707.exe
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:8456
      - C:\Users32348.exe
        
        C:\Users32348.exe
        6⤵
        
        PID:12712
      - C:\Users1836.exe
        
        C:\Users1836.exe
        6⤵
        
        PID:16144
      - C:\Users10995.exe
        
        C:\Users10995.exe
        6⤵
        
        PID:18104
    - - C:\Users\Admin3305.exe
        
        C:\Users\Admin3305.exe
        5⤵
        
        PID:6660
    - - C:\Users\Admin22925.exe
        
        C:\Users\Admin22925.exe
        5⤵
        
        PID:724
    - - C:\Users\Admin61620.exe
        
        C:\Users\Admin61620.exe
        5⤵
        
        PID:4880
    - - C:\Users\Admin6789.exe
        
        C:\Users\Admin6789.exe
        5⤵
        
        PID:1996
    - - C:\Users\Admin4840.exe
        
        C:\Users\Admin4840.exe
        5⤵
        
        PID:6448
  - - C:\Users\Admin\AppData48647.exe
      C:\Users\Admin\AppData48647.exe
      4⤵
      PID:4420
    - - C:\Users\Admin20575.exe
        
        C:\Users\Admin20575.exe
        5⤵
        
        PID:5548
      - C:\Users64543.exe
        
        C:\Users64543.exe
        6⤵
        
        PID:11528
      - C:\Users33826.exe
        
        C:\Users33826.exe
        6⤵
        
        PID:15332
      - C:\Users48644.exe
        
        C:\Users48644.exe
        6⤵
        
        PID:3520
      - C:\Users32877.exe
        
        C:\Users32877.exe
        6⤵
        
        PID:7504
    - - C:\Users\Admin32418.exe
        
        C:\Users\Admin32418.exe
        5⤵
        
        PID:8796
    - - C:\Users\Admin23203.exe
        
        C:\Users\Admin23203.exe
        5⤵
        
        PID:11476
    - - C:\Users\Admin52278.exe
        
        C:\Users\Admin52278.exe
        5⤵
        
        PID:15604
    - - C:\Users\Admin27891.exe
        
        C:\Users\Admin27891.exe
        5⤵
        
        PID:17724
  - - C:\Users\Admin\AppData57619.exe
      C:\Users\Admin\AppData57619.exe
      4⤵
      PID:6560
    - - C:\Users\Admin43836.exe
        
        C:\Users\Admin43836.exe
        5⤵
        
        PID:9068
    - - C:\Users\Admin58342.exe
        
        C:\Users\Admin58342.exe
        5⤵
        
        PID:12204
    - - C:\Users\Admin61130.exe
        
        C:\Users\Admin61130.exe
        5⤵
        
        PID:15052
    - - C:\Users\Admin61590.exe
        
        C:\Users\Admin61590.exe
        5⤵
        
        PID:5268
    - - C:\Users\Admin36380.exe
        
        C:\Users\Admin36380.exe
        5⤵
        
        PID:18172
  - - C:\Users\Admin\AppData43645.exe
      C:\Users\Admin\AppData43645.exe
      4⤵
      PID:8664
  - - C:\Users\Admin\AppData56131.exe
      C:\Users\Admin\AppData56131.exe
      4⤵
      PID:12464
  - - C:\Users\Admin\AppData62991.exe
      C:\Users\Admin\AppData62991.exe
      4⤵
      PID:15932
  - - C:\Users\Admin\AppData9003.exe
      C:\Users\Admin\AppData9003.exe
      4⤵
      PID:18128
- - C:\Users\Admin\AppData\Local38363.exe
    C:\Users\Admin\AppData\Local38363.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4700
  - - C:\Users\Admin\AppData52781.exe
      C:\Users\Admin\AppData52781.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:704
    - - C:\Users\Admin48700.exe
        
        C:\Users\Admin48700.exe
        5⤵
        
        PID:3792
      - C:\Users21753.exe
        
        C:\Users21753.exe
        6⤵
        
        PID:5228
        
        C:\9464.exe
        
        C:\9464.exe
        7⤵
        
        PID:9248
        
        C:\32997.exe
        
        C:\32997.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:13200
        
        C:\47524.exe
        
        C:\47524.exe
        7⤵
        
        PID:14608
      - C:\Users14847.exe
        
        C:\Users14847.exe
        6⤵
        
        PID:8636
      - C:\Users5772.exe
        
        C:\Users5772.exe
        6⤵
        
        PID:11584
      - C:\Users27094.exe
        
        C:\Users27094.exe
        6⤵
        
        PID:1168
      - C:\Users5779.exe
        
        C:\Users5779.exe
        6⤵
        
        PID:2916
      - C:\Users39580.exe
        
        C:\Users39580.exe
        6⤵
        
        PID:18408
    - - C:\Users\Admin44838.exe
        
        C:\Users\Admin44838.exe
        5⤵
        
        PID:7032
    - - C:\Users\Admin32329.exe
        
        C:\Users\Admin32329.exe
        5⤵
        
        PID:8100
    - - C:\Users\Admin52307.exe
        
        C:\Users\Admin52307.exe
        5⤵
        
        PID:12808
    - - C:\Users\Admin64573.exe
        
        C:\Users\Admin64573.exe
        5⤵
        
        PID:16100
    - - C:\Users\Admin21055.exe
        
        C:\Users\Admin21055.exe
        5⤵
        
        PID:18280
    - - C:\Users\Admin31327.exe
        
        C:\Users\Admin31327.exe
        5⤵
        
        PID:7212
  - - C:\Users\Admin\AppData28642.exe
      C:\Users\Admin\AppData28642.exe
      4⤵
      PID:4920
    - - C:\Users\Admin10875.exe
        
        C:\Users\Admin10875.exe
        5⤵
        
        PID:5364
      - C:\Users6715.exe
        
        C:\Users6715.exe
        6⤵
        
        PID:8128
      - C:\Users2978.exe
        
        C:\Users2978.exe
        6⤵
        
        PID:9728
      - C:\Users53924.exe
        
        C:\Users53924.exe
        6⤵
        
        PID:14964
      - C:\Users46294.exe
        
        C:\Users46294.exe
        6⤵
        
        PID:16968
      - C:\Users51750.exe
        
        C:\Users51750.exe
        6⤵
        
        PID:6456
    - - C:\Users\Admin18469.exe
        
        C:\Users\Admin18469.exe
        5⤵
        
        PID:8308
    - - C:\Users\Admin62980.exe
        
        C:\Users\Admin62980.exe
        5⤵
        
        PID:11984
    - - C:\Users\Admin30934.exe
        
        C:\Users\Admin30934.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:14388
    - - C:\Users\Admin15065.exe
        
        C:\Users\Admin15065.exe
        5⤵
        
        PID:4988
  - - C:\Users\Admin\AppData2441.exe
      C:\Users\Admin\AppData2441.exe
      4⤵
      PID:5524
    - - C:\Users\Admin36505.exe
        
        C:\Users\Admin36505.exe
        5⤵
        
        PID:2028
    - - C:\Users\Admin61478.exe
        
        C:\Users\Admin61478.exe
        5⤵
        
        PID:11056
    - - C:\Users\Admin24364.exe
        
        C:\Users\Admin24364.exe
        5⤵
        
        PID:14172
    - - C:\Users\Admin16978.exe
        
        C:\Users\Admin16978.exe
        5⤵
        
        PID:17000
    - - C:\Users\Admin15237.exe
        
        C:\Users\Admin15237.exe
        5⤵
        
        PID:18424
  - - C:\Users\Admin\AppData33747.exe
      C:\Users\Admin\AppData33747.exe
      4⤵
      PID:7952
  - - C:\Users\Admin\AppData22172.exe
      C:\Users\Admin\AppData22172.exe
      4⤵
      PID:11468
  - - C:\Users\Admin\AppData28226.exe
      C:\Users\Admin\AppData28226.exe
      4⤵
      PID:15320
  - - C:\Users\Admin\AppData46374.exe
      C:\Users\Admin\AppData46374.exe
      4⤵
      PID:740
- - C:\Users\Admin\AppData\Local4768.exe
    C:\Users\Admin\AppData\Local4768.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4480
  - - C:\Users\Admin\AppData16412.exe
      C:\Users\Admin\AppData16412.exe
      4⤵
      PID:2336
    - - C:\Users\Admin30969.exe
        
        C:\Users\Admin30969.exe
        5⤵
        
        PID:5888
      - C:\Users36505.exe
        
        C:\Users36505.exe
        6⤵
        
        PID:5960
      - C:\Users61478.exe
        
        C:\Users61478.exe
        6⤵
        
        PID:11104
      - C:\Users24364.exe
        
        C:\Users24364.exe
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:13688
      - C:\Users16978.exe
        
        C:\Users16978.exe
        6⤵
        
        PID:16856
    - - C:\Users\Admin6751.exe
        
        C:\Users\Admin6751.exe
        5⤵
        
        PID:6888
    - - C:\Users\Admin22668.exe
        
        C:\Users\Admin22668.exe
        5⤵
        
        PID:11308
    - - C:\Users\Admin65165.exe
        
        C:\Users\Admin65165.exe
        5⤵
        
        PID:15104
    - - C:\Users\Admin37628.exe
        
        C:\Users\Admin37628.exe
        5⤵
        
        PID:924
    - - C:\Users\Admin56646.exe
        
        C:\Users\Admin56646.exe
        5⤵
        
        PID:5852
  - - C:\Users\Admin\AppData8799.exe
      C:\Users\Admin\AppData8799.exe
      4⤵
      PID:5964
    - - C:\Users\Admin1595.exe
        
        C:\Users\Admin1595.exe
        5⤵
        
        PID:7648
    - - C:\Users\Admin11301.exe
        
        C:\Users\Admin11301.exe
        5⤵
        
        PID:9880
    - - C:\Users\Admin53866.exe
        
        C:\Users\Admin53866.exe
        5⤵
        
        PID:13816
    - - C:\Users\Admin31213.exe
        
        C:\Users\Admin31213.exe
        5⤵
        
        PID:16448
  - - C:\Users\Admin\AppData46410.exe
      C:\Users\Admin\AppData46410.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:6152
  - - C:\Users\Admin\AppData15541.exe
      C:\Users\Admin\AppData15541.exe
      4⤵
      PID:11132
  - - C:\Users\Admin\AppData21564.exe
      C:\Users\Admin\AppData21564.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:14244
  - - C:\Users\Admin\AppData57315.exe
      C:\Users\Admin\AppData57315.exe
      4⤵
      PID:16880
  - - C:\Users\Admin\AppData5396.exe
      C:\Users\Admin\AppData5396.exe
      4⤵
      PID:17296
- - C:\Users\Admin\AppData\Local14300.exe
    C:\Users\Admin\AppData\Local14300.exe
    3⤵
    PID:3780
  - - C:\Users\Admin\AppData27897.exe
      C:\Users\Admin\AppData27897.exe
      4⤵
      PID:5664
    - - C:\Users\Admin26207.exe
        
        C:\Users\Admin26207.exe
        5⤵
        
        PID:3952
    - - C:\Users\Admin60355.exe
        
        C:\Users\Admin60355.exe
        5⤵
        
        PID:10748
    - - C:\Users\Admin59300.exe
        
        C:\Users\Admin59300.exe
        5⤵
        
        PID:15116
    - - C:\Users\Admin46294.exe
        
        C:\Users\Admin46294.exe
        5⤵
        
        PID:1124
  - - C:\Users\Admin\AppData18469.exe
      C:\Users\Admin\AppData18469.exe
      4⤵
      PID:8316
  - - C:\Users\Admin\AppData19596.exe
      C:\Users\Admin\AppData19596.exe
      4⤵
      PID:11960
  - - C:\Users\Admin\AppData30934.exe
      C:\Users\Admin\AppData30934.exe
      4⤵
      PID:14376
  - - C:\Users\Admin\AppData15065.exe
      C:\Users\Admin\AppData15065.exe
      4⤵
      PID:4332
- - C:\Users\Admin\AppData\Local64486.exe
    C:\Users\Admin\AppData\Local64486.exe
    3⤵
    PID:5616
  - - C:\Users\Admin\AppData46876.exe
      C:\Users\Admin\AppData46876.exe
      4⤵
      PID:7636
  - - C:\Users\Admin\AppData39490.exe
      C:\Users\Admin\AppData39490.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:10396
  - - C:\Users\Admin\AppData48013.exe
      C:\Users\Admin\AppData48013.exe
      4⤵
      PID:14740
  - - C:\Users\Admin\AppData45235.exe
      C:\Users\Admin\AppData45235.exe
      4⤵
      PID:16472
  - - C:\Users\Admin\AppData39764.exe
      C:\Users\Admin\AppData39764.exe
      4⤵
      PID:7176
- - C:\Users\Admin\AppData\Local60012.exe
    C:\Users\Admin\AppData\Local60012.exe
    3⤵
    PID:7944
- - C:\Users\Admin\AppData\Local2900.exe
    C:\Users\Admin\AppData\Local2900.exe
    3⤵
    PID:11376
- - C:\Users\Admin\AppData\Local43293.exe
    C:\Users\Admin\AppData\Local43293.exe
    3⤵
    PID:15188
- - C:\Users\Admin\AppData\Local15493.exe
    C:\Users\Admin\AppData\Local15493.exe
    3⤵
    PID:16536
- - C:\Users\Admin\AppData\Local37147.exe
    C:\Users\Admin\AppData\Local37147.exe
    3⤵
    PID:7224
- C:\Users\Admin\AppData\Local\Temp49947.exe
  C:\Users\Admin\AppData\Local\Temp49947.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:472
- - C:\Users\Admin\AppData\Local41485.exe
    C:\Users\Admin\AppData\Local41485.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:912
  - - C:\Users\Admin\AppData17197.exe
      C:\Users\Admin\AppData17197.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2580
    - - C:\Users\Admin18381.exe
        
        C:\Users\Admin18381.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2368
      - C:\Users4030.exe
        
        C:\Users4030.exe
        6⤵
        
        PID:5140
        
        C:\38876.exe
        
        C:\38876.exe
        7⤵
        
        PID:6644
        
        C:\6018.exe
        
        C:\6018.exe
        7⤵
        
        PID:9668
        
        C:\33385.exe
        
        C:\33385.exe
        7⤵
        
        PID:12644
        
        C:\9554.exe
        
        C:\9554.exe
        7⤵
        
        PID:15708
      - C:\Users14402.exe
        
        C:\Users14402.exe
        6⤵
        
        PID:7716
      - C:\Users22732.exe
        
        C:\Users22732.exe
        6⤵
        
        PID:9452
      - C:\Users58963.exe
        
        C:\Users58963.exe
        6⤵
        
        PID:14180
      - C:\Users22547.exe
        
        C:\Users22547.exe
        6⤵
        
        PID:16492
      - C:\Users36662.exe
        
        C:\Users36662.exe
        6⤵
        
        PID:17384
    - - C:\Users\Admin36738.exe
        
        C:\Users\Admin36738.exe
        5⤵
        
        PID:5552
      - C:\Users33017.exe
        
        C:\Users33017.exe
        6⤵
        
        PID:6328
      - C:\Users46957.exe
        
        C:\Users46957.exe
        6⤵
        
        PID:10600
      - C:\Users16306.exe
        
        C:\Users16306.exe
        6⤵
        
        PID:13212
      - C:\Users40093.exe
        
        C:\Users40093.exe
        6⤵
        
        PID:16836
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 16836 -s 464
        7⤵
        Program crash
        
        PID:18396
      - C:\Users62583.exe
        
        C:\Users62583.exe
        6⤵
        
        PID:18288
    - - C:\Users\Admin32086.exe
        
        C:\Users\Admin32086.exe
        5⤵
        
        PID:7044
    - - C:\Users\Admin16217.exe
        
        C:\Users\Admin16217.exe
        5⤵
        
        PID:10472
    - - C:\Users\Admin27141.exe
        
        C:\Users\Admin27141.exe
        5⤵
        
        PID:14760
    - - C:\Users\Admin64806.exe
        
        C:\Users\Admin64806.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3436
    - - C:\Users\Admin9355.exe
        
        C:\Users\Admin9355.exe
        5⤵
        
        PID:7236
  - - C:\Users\Admin\AppData32147.exe
      C:\Users\Admin\AppData32147.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:1156
    - - C:\Users\Admin31269.exe
        
        C:\Users\Admin31269.exe
        5⤵
        
        PID:5328
      - C:\Users32028.exe
        
        C:\Users32028.exe
        6⤵
        
        PID:8764
      - C:\Users9349.exe
        
        C:\Users9349.exe
        6⤵
        
        PID:13060
      - C:\Users25676.exe
        
        C:\Users25676.exe
        6⤵
        
        PID:16340
      - C:\Users40212.exe
        
        C:\Users40212.exe
        6⤵
        
        PID:7492
    - - C:\Users\Admin26278.exe
        
        C:\Users\Admin26278.exe
        5⤵
        
        PID:8688
    - - C:\Users\Admin61165.exe
        
        C:\Users\Admin61165.exe
        5⤵
        
        PID:11412
    - - C:\Users\Admin54708.exe
        
        C:\Users\Admin54708.exe
        5⤵
        
        PID:15680
    - - C:\Users\Admin11356.exe
        
        C:\Users\Admin11356.exe
        5⤵
        
        PID:17736
  - - C:\Users\Admin\AppData50474.exe
      C:\Users\Admin\AppData50474.exe
      4⤵
      PID:5516
    - - C:\Users\Admin18425.exe
        
        C:\Users\Admin18425.exe
        5⤵
        
        PID:7588
    - - C:\Users\Admin13055.exe
        
        C:\Users\Admin13055.exe
        5⤵
        
        PID:9820
    - - C:\Users\Admin53866.exe
        
        C:\Users\Admin53866.exe
        5⤵
        
        PID:13956
    - - C:\Users\Admin31213.exe
        
        C:\Users\Admin31213.exe
        5⤵
        
        PID:16676
  - - C:\Users\Admin\AppData51315.exe
      C:\Users\Admin\AppData51315.exe
      4⤵
      PID:7280
  - - C:\Users\Admin\AppData6876.exe
      C:\Users\Admin\AppData6876.exe
      4⤵
      PID:11072
  - - C:\Users\Admin\AppData53021.exe
      C:\Users\Admin\AppData53021.exe
      4⤵
      PID:14176
  - - C:\Users\Admin\AppData8843.exe
      C:\Users\Admin\AppData8843.exe
      4⤵
      PID:17192
  - - C:\Users\Admin\AppData51754.exe
      C:\Users\Admin\AppData51754.exe
      4⤵
      PID:8068
- - C:\Users\Admin\AppData\Local62676.exe
    C:\Users\Admin\AppData\Local62676.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4028
  - - C:\Users\Admin\AppData19149.exe
      C:\Users\Admin\AppData19149.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:4572
    - - C:\Users\Admin6552.exe
        
        C:\Users\Admin6552.exe
        5⤵
        
        PID:5208
      - C:\Users48668.exe
        
        C:\Users48668.exe
        6⤵
        
        PID:6264
        
        C:\31807.exe
        
        C:\31807.exe
        7⤵
        
        PID:14736
        
        C:\7585.exe
        
        C:\7585.exe
        7⤵
        
        PID:3432
      - C:\Users64554.exe
        
        C:\Users64554.exe
        6⤵
        
        PID:10640
      - C:\Users16306.exe
        
        C:\Users16306.exe
        6⤵
        
        PID:13360
      - C:\Users59828.exe
        
        C:\Users59828.exe
        6⤵
        
        PID:16960
    - - C:\Users\Admin30245.exe
        
        C:\Users\Admin30245.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:7736
    - - C:\Users\Admin42634.exe
        
        C:\Users\Admin42634.exe
        5⤵
        
        PID:9220
    - - C:\Users\Admin58963.exe
        
        C:\Users\Admin58963.exe
        5⤵
        
        PID:13984
    - - C:\Users\Admin22547.exe
        
        C:\Users\Admin22547.exe
        5⤵
        
        PID:16688
    - - C:\Users\Admin34140.exe
        
        C:\Users\Admin34140.exe
        5⤵
        
        PID:16316
  - - C:\Users\Admin\AppData29058.exe
      C:\Users\Admin\AppData29058.exe
      4⤵
      PID:5760
    - - C:\Users\Admin57916.exe
        
        C:\Users\Admin57916.exe
        5⤵
        
        PID:8004
    - - C:\Users\Admin60035.exe
        
        C:\Users\Admin60035.exe
        5⤵
        
        PID:10328
    - - C:\Users\Admin53098.exe
        
        C:\Users\Admin53098.exe
        5⤵
        
        PID:14148
    - - C:\Users\Admin31213.exe
        
        C:\Users\Admin31213.exe
        5⤵
        
        PID:16656
  - - C:\Users\Admin\AppData45450.exe
      C:\Users\Admin\AppData45450.exe
      4⤵
      PID:6624
  - - C:\Users\Admin\AppData6163.exe
      C:\Users\Admin\AppData6163.exe
      4⤵
      PID:11084
  - - C:\Users\Admin\AppData39964.exe
      C:\Users\Admin\AppData39964.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:15056
  - - C:\Users\Admin\AppData38159.exe
      C:\Users\Admin\AppData38159.exe
      4⤵
      PID:17392
- - C:\Users\Admin\AppData\Local10714.exe
    C:\Users\Admin\AppData\Local10714.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1004
  - - C:\Users\Admin\AppData4030.exe
      C:\Users\Admin\AppData4030.exe
      4⤵
      PID:5160
    - - C:\Users\Admin48668.exe
        
        C:\Users\Admin48668.exe
        5⤵
        
        PID:5224
    - - C:\Users\Admin18981.exe
        
        C:\Users\Admin18981.exe
        5⤵
        
        PID:9332
    - - C:\Users\Admin30723.exe
        
        C:\Users\Admin30723.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3820
    - - C:\Users\Admin53389.exe
        
        C:\Users\Admin53389.exe
        5⤵
        
        PID:15480
  - - C:\Users\Admin\AppData64864.exe
      C:\Users\Admin\AppData64864.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:7768
  - - C:\Users\Admin\AppData42634.exe
      C:\Users\Admin\AppData42634.exe
      4⤵
      PID:9388
  - - C:\Users\Admin\AppData58963.exe
      C:\Users\Admin\AppData58963.exe
      4⤵
      PID:13996
  - - C:\Users\Admin\AppData22547.exe
      C:\Users\Admin\AppData22547.exe
      4⤵
      PID:16696
  - - C:\Users\Admin\AppData8214.exe
      C:\Users\Admin\AppData8214.exe
      4⤵
      PID:7144
- - C:\Users\Admin\AppData\Local56339.exe
    C:\Users\Admin\AppData\Local56339.exe
    3⤵
    PID:5584
  - - C:\Users\Admin\AppData31071.exe
      C:\Users\Admin\AppData31071.exe
      4⤵
      PID:6336
  - - C:\Users\Admin\AppData18981.exe
      C:\Users\Admin\AppData18981.exe
      4⤵
      PID:9368
  - - C:\Users\Admin\AppData30723.exe
      C:\Users\Admin\AppData30723.exe
      4⤵
      PID:13244
  - - C:\Users\Admin\AppData53389.exe
      C:\Users\Admin\AppData53389.exe
      4⤵
      PID:15536
  - - C:\Users\Admin\AppData2838.exe
      C:\Users\Admin\AppData2838.exe
      4⤵
      PID:4060
- - C:\Users\Admin\AppData\Local16121.exe
    C:\Users\Admin\AppData\Local16121.exe
    3⤵
    PID:8036
- - C:\Users\Admin\AppData\Local54435.exe
    C:\Users\Admin\AppData\Local54435.exe
    3⤵
    PID:10348
- - C:\Users\Admin\AppData\Local50828.exe
    C:\Users\Admin\AppData\Local50828.exe
    3⤵
    PID:14020
- - C:\Users\Admin\AppData\Local1547.exe
    C:\Users\Admin\AppData\Local1547.exe
    3⤵
    PID:16428
- C:\Users\Admin\AppData\Local\Temp58433.exe
  C:\Users\Admin\AppData\Local\Temp58433.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3800
- - C:\Users\Admin\AppData\Local49101.exe
    C:\Users\Admin\AppData\Local49101.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1128
  - - C:\Users\Admin\AppData1935.exe
      C:\Users\Admin\AppData1935.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:3588
    - - C:\Users\Admin39417.exe
        
        C:\Users\Admin39417.exe
        5⤵
        
        PID:4496
      - C:\Users34143.exe
        
        C:\Users34143.exe
        6⤵
        
        PID:7000
        
        C:\22425.exe
        
        C:\22425.exe
        7⤵
        
        PID:2396
        
        C:\28866.exe
        
        C:\28866.exe
        7⤵
        
        PID:12492
        
        C:\65261.exe
        
        C:\65261.exe
        7⤵
        
        PID:15900
        
        C:\38669.exe
        
        C:\38669.exe
        7⤵
        
        PID:18060
      - C:\Users38794.exe
        
        C:\Users38794.exe
        6⤵
        
        PID:9468
      - C:\Users58605.exe
        
        C:\Users58605.exe
        6⤵
        
        PID:13680
      - C:\Users63764.exe
        
        C:\Users63764.exe
        6⤵
        
        PID:15896
      - C:\Users36063.exe
        
        C:\Users36063.exe
        6⤵
        
        PID:17920
      - C:\Users60497.exe
        
        C:\Users60497.exe
        6⤵
        
        PID:6260
    - - C:\Users\Admin34853.exe
        
        C:\Users\Admin34853.exe
        5⤵
        
        PID:6724
      - C:\Users4757.exe
        
        C:\Users4757.exe
        6⤵
        
        PID:11304
      - C:\Users18978.exe
        
        C:\Users18978.exe
        6⤵
        
        PID:16208
    - - C:\Users\Admin52810.exe
        
        C:\Users\Admin52810.exe
        5⤵
        
        PID:9716
    - - C:\Users\Admin39251.exe
        
        C:\Users\Admin39251.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:12620
    - - C:\Users\Admin889.exe
        
        C:\Users\Admin889.exe
        5⤵
        
        PID:15624
    - - C:\Users\Admin3237.exe
        
        C:\Users\Admin3237.exe
        5⤵
        
        PID:18340
  - - C:\Users\Admin\AppData23391.exe
      C:\Users\Admin\AppData23391.exe
      4⤵
      PID:5404
    - - C:\Users\Admin23801.exe
        
        C:\Users\Admin23801.exe
        5⤵
        
        PID:6848
    - - C:\Users\Admin54726.exe
        
        C:\Users\Admin54726.exe
        5⤵
        
        PID:9856
    - - C:\Users\Admin16940.exe
        
        C:\Users\Admin16940.exe
        5⤵
        
        PID:12896
    - - C:\Users\Admin9554.exe
        
        C:\Users\Admin9554.exe
        5⤵
        
        PID:15652
    - - C:\Users\Admin18681.exe
        
        C:\Users\Admin18681.exe
        5⤵
        
        PID:6420
  - - C:\Users\Admin\AppData45735.exe
      C:\Users\Admin\AppData45735.exe
      4⤵
      PID:7676
  - - C:\Users\Admin\AppData30902.exe
      C:\Users\Admin\AppData30902.exe
      4⤵
      PID:9920
  - - C:\Users\Admin\AppData20915.exe
      C:\Users\Admin\AppData20915.exe
      4⤵
      PID:13936
  - - C:\Users\Admin\AppData6012.exe
      C:\Users\Admin\AppData6012.exe
      4⤵
      PID:16584
- - C:\Users\Admin\AppData\Local14000.exe
    C:\Users\Admin\AppData\Local14000.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1900
  - - C:\Users\Admin\AppData5566.exe
      C:\Users\Admin\AppData5566.exe
      4⤵
      PID:4532
    - - C:\Users\Admin60256.exe
        
        C:\Users\Admin60256.exe
        5⤵
        
        PID:8116
    - - C:\Users\Admin33417.exe
        
        C:\Users\Admin33417.exe
        5⤵
        
        PID:10704
    - - C:\Users\Admin64822.exe
        
        C:\Users\Admin64822.exe
        5⤵
        
        PID:12916
    - - C:\Users\Admin29349.exe
        
        C:\Users\Admin29349.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1192
    - - C:\Users\Admin47284.exe
        
        C:\Users\Admin47284.exe
        5⤵
        
        PID:6464
  - - C:\Users\Admin\AppData44771.exe
      C:\Users\Admin\AppData44771.exe
      4⤵
      PID:7408
  - - C:\Users\Admin\AppData5353.exe
      C:\Users\Admin\AppData5353.exe
      4⤵
      PID:10016
  - - C:\Users\Admin\AppData27827.exe
      C:\Users\Admin\AppData27827.exe
      4⤵
      PID:13844
  - - C:\Users\Admin\AppData22547.exe
      C:\Users\Admin\AppData22547.exe
      4⤵
      PID:16460
  - - C:\Users\Admin\AppData38748.exe
      C:\Users\Admin\AppData38748.exe
      4⤵
      PID:7188
- - C:\Users\Admin\AppData\Local37127.exe
    C:\Users\Admin\AppData\Local37127.exe
    3⤵
    PID:5412
  - - C:\Users\Admin\AppData23801.exe
      C:\Users\Admin\AppData23801.exe
      4⤵
      PID:6828
  - - C:\Users\Admin\AppData54726.exe
      C:\Users\Admin\AppData54726.exe
      4⤵
      PID:9836
  - - C:\Users\Admin\AppData1481.exe
      C:\Users\Admin\AppData1481.exe
      4⤵
      PID:12828
  - - C:\Users\Admin\AppData9554.exe
      C:\Users\Admin\AppData9554.exe
      4⤵
      PID:15716
  - - C:\Users\Admin\AppData3304.exe
      C:\Users\Admin\AppData3304.exe
      4⤵
      PID:18232
- - C:\Users\Admin\AppData\Local7765.exe
    C:\Users\Admin\AppData\Local7765.exe
    3⤵
    PID:8080
- - C:\Users\Admin\AppData\Local30041.exe
    C:\Users\Admin\AppData\Local30041.exe
    3⤵
    PID:10736
- - C:\Users\Admin\AppData\Local59933.exe
    C:\Users\Admin\AppData\Local59933.exe
    3⤵
    PID:13672
- - C:\Users\Admin\AppData\Local56300.exe
    C:\Users\Admin\AppData\Local56300.exe
    3⤵
    PID:16848
- C:\Users\Admin\AppData\Local\Temp8266.exe
  C:\Users\Admin\AppData\Local\Temp8266.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:952
- - C:\Users\Admin\AppData\Local33866.exe
    C:\Users\Admin\AppData\Local33866.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4804
  - - C:\Users\Admin\AppData6552.exe
      C:\Users\Admin\AppData6552.exe
      4⤵
      PID:5216
    - - C:\Users\Admin31071.exe
        
        C:\Users\Admin31071.exe
        5⤵
        
        PID:6380
    - - C:\Users\Admin18981.exe
        
        C:\Users\Admin18981.exe
        5⤵
        
        PID:9340
    - - C:\Users\Admin30723.exe
        
        C:\Users\Admin30723.exe
        5⤵
        
        PID:13236
    - - C:\Users\Admin53389.exe
        
        C:\Users\Admin53389.exe
        5⤵
        
        PID:15388
  - - C:\Users\Admin\AppData64864.exe
      C:\Users\Admin\AppData64864.exe
      4⤵
      PID:7780
  - - C:\Users\Admin\AppData42634.exe
      C:\Users\Admin\AppData42634.exe
      4⤵
      PID:9312
  - - C:\Users\Admin\AppData58963.exe
      C:\Users\Admin\AppData58963.exe
      4⤵
      PID:14064
  - - C:\Users\Admin\AppData22547.exe
      C:\Users\Admin\AppData22547.exe
      4⤵
      PID:16600
  - - C:\Users\Admin\AppData57497.exe
      C:\Users\Admin\AppData57497.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:7612
- - C:\Users\Admin\AppData\Local36738.exe
    C:\Users\Admin\AppData\Local36738.exe
    3⤵
    PID:5608
  - - C:\Users\Admin\AppData29535.exe
      C:\Users\Admin\AppData29535.exe
      4⤵
      PID:6568
    - - C:\Users\Admin10523.exe
        
        C:\Users\Admin10523.exe
        5⤵
        
        PID:9328
    - - C:\Users\Admin39004.exe
        
        C:\Users\Admin39004.exe
        5⤵
        
        PID:13696
    - - C:\Users\Admin1027.exe
        
        C:\Users\Admin1027.exe
        5⤵
        
        PID:15600
    - - C:\Users\Admin45421.exe
        
        C:\Users\Admin45421.exe
        5⤵
        
        PID:17904
  - - C:\Users\Admin\AppData56262.exe
      C:\Users\Admin\AppData56262.exe
      4⤵
      PID:9608
  - - C:\Users\Admin\AppData31491.exe
      C:\Users\Admin\AppData31491.exe
      4⤵
      PID:12292
  - - C:\Users\Admin\AppData9554.exe
      C:\Users\Admin\AppData9554.exe
      4⤵
      PID:224
  - - C:\Users\Admin\AppData58841.exe
      C:\Users\Admin\AppData58841.exe
      4⤵
      PID:8076
- - C:\Users\Admin\AppData\Local36519.exe
    C:\Users\Admin\AppData\Local36519.exe
    3⤵
    PID:8020
- - C:\Users\Admin\AppData\Local63984.exe
    C:\Users\Admin\AppData\Local63984.exe
    3⤵
    PID:10372
- - C:\Users\Admin\AppData\Local50298.exe
    C:\Users\Admin\AppData\Local50298.exe
    3⤵
    PID:14132
- - C:\Users\Admin\AppData\Local6012.exe
    C:\Users\Admin\AppData\Local6012.exe
    3⤵
    PID:16592
- C:\Users\Admin\AppData\Local\Temp56916.exe
  C:\Users\Admin\AppData\Local\Temp56916.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:5000
- - C:\Users\Admin\AppData\Local45919.exe
    C:\Users\Admin\AppData\Local45919.exe
    3⤵
    PID:2004
  - - C:\Users\Admin\AppData29820.exe
      C:\Users\Admin\AppData29820.exe
      4⤵
      PID:6224
    - - C:\Users\Admin34524.exe
        
        C:\Users\Admin34524.exe
        5⤵
        
        PID:9212
    - - C:\Users\Admin8581.exe
        
        C:\Users\Admin8581.exe
        5⤵
        
        PID:13020
    - - C:\Users\Admin53668.exe
        
        C:\Users\Admin53668.exe
        5⤵
        
        PID:16200
    - - C:\Users\Admin25137.exe
        
        C:\Users\Admin25137.exe
        5⤵
        
        PID:3260
  - - C:\Users\Admin\AppData55683.exe
      C:\Users\Admin\AppData55683.exe
      4⤵
      PID:8972
  - - C:\Users\Admin\AppData6540.exe
      C:\Users\Admin\AppData6540.exe
      4⤵
      PID:12252
  - - C:\Users\Admin\AppData25558.exe
      C:\Users\Admin\AppData25558.exe
      4⤵
      PID:220
  - - C:\Users\Admin\AppData23324.exe
      C:\Users\Admin\AppData23324.exe
      4⤵
      PID:16636
  - - C:\Users\Admin\AppData20447.exe
      C:\Users\Admin\AppData20447.exe
      4⤵
      PID:5696
- - C:\Users\Admin\AppData\Local8610.exe
    C:\Users\Admin\AppData\Local8610.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:6820
  - - C:\Users\Admin\AppData34457.exe
      C:\Users\Admin\AppData34457.exe
      4⤵
      PID:10100
  - - C:\Users\Admin\AppData45149.exe
      C:\Users\Admin\AppData45149.exe
      4⤵
      PID:13344
  - - C:\Users\Admin\AppData37322.exe
      C:\Users\Admin\AppData37322.exe
      4⤵
      PID:16260
  - - C:\Users\Admin\AppData52343.exe
      C:\Users\Admin\AppData52343.exe
      4⤵
      PID:6096
  - - C:\Users\Admin\AppData54903.exe
      C:\Users\Admin\AppData54903.exe
      4⤵
      PID:17688
- - C:\Users\Admin\AppData\Local61930.exe
    C:\Users\Admin\AppData\Local61930.exe
    3⤵
    PID:8832
- - C:\Users\Admin\AppData\Local48467.exe
    C:\Users\Admin\AppData\Local48467.exe
    3⤵
    PID:12512
- - C:\Users\Admin\AppData\Local53370.exe
    C:\Users\Admin\AppData\Local53370.exe
    3⤵
    PID:13480
- - C:\Users\Admin\AppData\Local18204.exe
    C:\Users\Admin\AppData\Local18204.exe
    3⤵
    PID:16188
- - C:\Users\Admin\AppData\Local39917.exe
    C:\Users\Admin\AppData\Local39917.exe
    3⤵
    PID:7220
- C:\Users\Admin\AppData\Local\Temp34857.exe
  C:\Users\Admin\AppData\Local\Temp34857.exe
  2⤵
  PID:5368
- - C:\Users\Admin\AppData\Local53183.exe
    C:\Users\Admin\AppData\Local53183.exe
    3⤵
    PID:7028
- - C:\Users\Admin\AppData\Local64067.exe
    C:\Users\Admin\AppData\Local64067.exe
    3⤵
    PID:9968
- - C:\Users\Admin\AppData\Local14828.exe
    C:\Users\Admin\AppData\Local14828.exe
    3⤵
    PID:13292
- - C:\Users\Admin\AppData\Local58070.exe
    C:\Users\Admin\AppData\Local58070.exe
    3⤵
    PID:4744
- - C:\Users\Admin\AppData\Local57245.exe
    C:\Users\Admin\AppData\Local57245.exe
    3⤵
    PID:17860
- - C:\Users\Admin\AppData\Local26927.exe
    C:\Users\Admin\AppData\Local26927.exe
    3⤵
    PID:6576
- C:\Users\Admin\AppData\Local\Temp3569.exe
  C:\Users\Admin\AppData\Local\Temp3569.exe
  2⤵
  PID:7304
- - C:\Users\Admin\AppData\Local6782.exe
    C:\Users\Admin\AppData\Local6782.exe
    3⤵
    PID:2268
- C:\Users\Admin\AppData\Local\Temp40794.exe
  C:\Users\Admin\AppData\Local\Temp40794.exe
  2⤵
  PID:9352
- C:\Users\Admin\AppData\Local\Temp27804.exe
  C:\Users\Admin\AppData\Local\Temp27804.exe
  2⤵
  PID:13628
- C:\Users\Admin\AppData\Local\Temp13892.exe
  C:\Users\Admin\AppData\Local\Temp13892.exe
  2⤵
  PID:16268
- C:\Users\Admin\AppData\Local\Temp50064.exe
  C:\Users\Admin\AppData\Local\Temp50064.exe
  2⤵
  PID:6132

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2252 -ip 2252
1⤵
PID:6068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4812 -ip 4812
1⤵
PID:11388

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 16836 -ip 16836
1⤵
PID:18232

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:7732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\12851.exe

Filesize
184KB

MD5
24012e9c1ff68aa34e8a4c3a360720ea

SHA1
45f927b12694bb4967249591553d6294eb36dcb8

SHA256
45ba6cd851001d21c3675254b40ddfdd3233992f9e1ae6c44e837fcbf42834a2

SHA512
09d6325cd809234a721c2e215e66546bf1b58b18972d4f0052197d458c3d6236db30132a9b6a604bafd2053ddf62661d80217610d1704a35494d01f9873a2367

Download Submit
C:\24415.exe

Filesize
184KB

MD5
bd89f045d963d8911952b6c312654ad1

SHA1
4b94150acb626413dcb40be08d998f29ff284d7d

SHA256
44f9c81f501fde825fa6d9c4ecfe90487a3145db49408767d99dbe9184c7be62

SHA512
0daf7fceda0ad364fda51f12ddc37ffcb92c090758b8f1348594454e5c1279e8345b10a4d5cc1b5d4c2aad7af14caf611fce723d156b7922c3763b1c1290fb28

Download Submit
C:\34466.exe

Filesize
184KB

MD5
edb0d7d8d1bcf3e475d8864f5a3e5bf2

SHA1
9c8ee8281b59d35a0673201618141bf744a943a2

SHA256
d4c90fbd6cc92c40b0fd8c2a537b10045a43cc8b60504893b9a605e627785e0c

SHA512
ad2cc64aab3f37cb14e941dd76547490d8e1c3d38690c427ff97f6a473f6f0a7ced44e9c70fd36663f9d9378ef112b83be0ffb41fb1ca0d0c462f8a62ed25140

Download Submit
C:\39362.exe

Filesize
184KB

MD5
428f6a9445f0f8abdf5ca7617b77f6ea

SHA1
5a5a28b1ad4bc9e693f40e16f02f0f84a185c6fb

SHA256
068841d91e78414f5f359b79124527ffa47faf8e2749d43b17cbf1057c3a138f

SHA512
9194314f82a1406881d3452cbbfd85ca018344167bc456208ae3901688534903eba1e92ede496b027fa78a1a3014a3503210ff451d1874402646b4afdb711cbb

Download Submit
C:\Users12588.exe

Filesize
184KB

MD5
4b8a1ca9d9ffbf4b7094a9377b43da09

SHA1
7ee80f93b2949d6518411465ae21bf990c2b8ba6

SHA256
69f9653d1e92876245418423e51f1d6e28f66509f540243cfebe26c3fe2e6155

SHA512
29f6bf9dad25c420496b58169bcef3489eed53dc6eca85eb08f22ee852722e46683db775f1d58de65d151de4e3f0fa5e89236bf1dad60d334375eac5813b9f7f

Download Submit
C:\Users21453.exe

Filesize
184KB

MD5
b979bae6f55b9fbccdca59c418f39333

SHA1
d360ee8ae7be970817bb5f1f0a54b8d3cbe98268

SHA256
97d90f7cb9c5689b274af08bc6be910e55391a8f6cef14b8d62e6da6c227efa5

SHA512
eb995d0f81d326aa26eba86f8433c3fb88a7290bad0dacf5191d0a24b6492337862373a094aaf2f76fb0c26af87f6a395496e85c94bd2e0449c8ee0d84036878

Download Submit
C:\Users48668.exe

Filesize
184KB

MD5
0ebbc14521bb2331c08cef158d8ffc34

SHA1
93d43b0b3afabe9985e175e774da943f3c69cb13

SHA256
86159be6e40c1ea003e7106cb13cacef421b31ae42e2d6477481f74dbe603a54

SHA512
522ff726ed9e88040321248d9a4a6f71ae7712bb68b3c36f718eb6b99d27b7536cdc51b41694ecde3ca8056a3b7bff8cdeac4fe078cfb7da7a1feebe8754ccc7

Download Submit
C:\Users48793.exe

Filesize
184KB

MD5
4394c1c8c8ceb0fb20d18e16bea677f6

SHA1
6bbbb8a279c2c6122fd7f3f6506d49ba6264f81f

SHA256
fa361f6f39a81b6c2ea869b088486f2d4ad39ca63fdd63569a8d69fd8ff74abe

SHA512
06e74c7fd6e59fe48345ab3c95ab750275f0a865bff2950f9079919ca36b6cd47e6408278ef911a090c42f44a325ff3898a9c37d9e683659be86fd3d7e060eca

Download Submit
C:\Users\Admin13584.exe

Filesize
184KB

MD5
66c093b22f4ec7556ceff7ab154ce1e9

SHA1
eb532d5b084f45f7b497845fd41d2648664b29b3

SHA256
7dcc3b616ca12e27c38839156975e0ce062cbf19582f34f0bdb12c2595b1a3e3

SHA512
52d2fdd24de89788d23a3e755bb1ba359cdda911d869f04e15c3f55a575f48d8e94975d85983be7a937e8938c5fc015c3735876708481493c21c2514daa50419

Download Submit
C:\Users\Admin14124.exe

Filesize
184KB

MD5
c7991be2591c4da5ccf88fb041ff6f40

SHA1
a7b09f3614fb4d4d3485929683eac7568cecb33e

SHA256
eb520b8b2c12cf947597bbc311f93efded4061d2ad81b227a0996e3cb6b2eaf0

SHA512
1fa775b9a9102ca5120df483f990ba4cde2d8ac48831120afd030c702b46dc652317153cd1fb5e5b41fb138fcfb3deb95c857ea2d1b997facb750a58866b17ce

Download Submit
C:\Users\Admin17005.exe

Filesize
184KB

MD5
7137427506d2ba3daea2e0e099f076fc

SHA1
033760a4a4282a16dffe033fd09eeea0b176294c

SHA256
42011e6b6b239ee68beacbc0ed8081171035b5739f3469c16dfcf4fb27c74974

SHA512
00ef24ee7768b0d60866b2027d718f5949d34e80062ecf1fff67e9195b0fa46b5a54079d12efff851f3fbef2a4d2b1c0b72719682a330b4837a7eeb765046150

Download Submit
C:\Users\Admin25258.exe

Filesize
184KB

MD5
53ef34452242d199ae79ac5ecfe7aabd

SHA1
dc54839d1cf673d3ecf8db649ed8e5256ceb94de

SHA256
9b5eab457132e3bf95524e11e1e0821113ccfdc8858706d1fb879b694e54ac20

SHA512
e0f05758e7f4e5e93018cf96d0a831c75c40209859ceb06a6ed3f3afbdcf919fa9727491010c813dda96af0cb93c24d8f3454a211ba6a86c2647e9ef5de421b5

Download Submit
C:\Users\Admin33450.exe

Filesize
184KB

MD5
877ae2ae61cf4a11e5446a4f617cc8cf

SHA1
10b442371783cbd91aa9fc4c627624acd72be421

SHA256
e5d1f6b63b102ab2316affcbff3f43798a03966e32c623fd747639370062c340

SHA512
bba98d7619dbfba0f1d1b9520f610f4fe23c42ab7160c3123c71a54003d22f0f338ca833318119f2825ec801ceebbeb91728f4ed6bf82aacbcc168f0c1d0690b

Download Submit
C:\Users\Admin\AppData10298.exe

Filesize
184KB

MD5
5916a996c1e6fc81fec608f588fbb8eb

SHA1
c15e94792284b28c0814752dd975bcfdea1f3d7c

SHA256
2022de1150763aaf6a8795c34ecde0cd2edf4bf9f125a9fe15ec5ca82e03ce31

SHA512
e7d83e40c476799f2cfa4ff997067e7a2b62840f0be2dec41a63b4f9d19a6292c5f539a230261cb31cae8dc71798004433c4ad8c85a04c3e68c093f353e5a5f9

Download Submit
C:\Users\Admin\AppData11820.exe

Filesize
184KB

MD5
da2c1508faa061de5fbef999888e5936

SHA1
8afa163e8473e228f178263acbc7650d788d1782

SHA256
0a8184d0d944a7d3efbdc17e8723f06c555adcfe987fd1c63259247a61a1ec31

SHA512
fdea615254e1cbdbf10f59f56c3cdee28f0f1331586142af88c9098aac4f0d53b90b9038a342db5feba26449651156eb41f7a75f302775aa4cea26afd9a39b55

Download Submit
C:\Users\Admin\AppData16237.exe

Filesize
184KB

MD5
5627f955c21082e795b4f412b53d3328

SHA1
f4afe2a4c8a541190ba1545f8dd5ad1231a047a6

SHA256
54de7fb381c832ddb3e936041f36f50473e274579517f8105cb8d42cfffcf97c

SHA512
5023745a93f1ae9dc162f0a39891ade2226bf484c6bfd0c2e04f6ea53dfe3515e97f063a25b2c3a01c22f606ec9cba319cf470ff73d26e2d7040c7aed9a3bfd8

Download Submit
C:\Users\Admin\AppData17197.exe

Filesize
184KB

MD5
3d73f3477fd76486def6b8e40b498a18

SHA1
af833939cd495adc8dd93d1e5f6f59932e558280

SHA256
3487fa4732a16d12937fe6bff6e6fd3148ebf4684487acabf14eed6e51c7c1f2

SHA512
9140bb81aa26a7d7a99cec81875d9dc733c884d690b55d1d3c008a892e25d22b82d4c5ac7042ee9d492dcbeb477af154b16eb8f484e03f8591e7cf17088bd680

Download Submit
C:\Users\Admin\AppData27507.exe

Filesize
184KB

MD5
82a727ed22c75f504b548688104482a0

SHA1
784e77aee0eac256361312b7c8f1990a875614a4

SHA256
afe91ac38a134bed294cf2fde8e467e831dface3d5d154da947db6b8345464d5

SHA512
eb63b0a0b8b9ba237861a839c5282de01ff2ecf474419724b73d8443f4f88db1b18324287e4d85e5c54aec9fa3b2216c15459967e62b1a0d8517c16a8d8e60fa

Download Submit
C:\Users\Admin\AppData51952.exe

Filesize
184KB

MD5
f3359abeab8370f36ffb47c6811e61c7

SHA1
0e5138e56b90a372378e699ed0af96344a289b07

SHA256
f86285fedfebdf8acfc402021c9ea888e197ffdd55b60bae7928d046e0feab44

SHA512
7808acf96b3e6a3be60098b8b6ccfc9f84fdf942fa478e90301847c19c5c0ac8d4eaf3ab03ae68baff93e6c4f79280358bc0a32edce33d4dbe68c880a450c707

Download Submit
C:\Users\Admin\AppData53908.exe

Filesize
184KB

MD5
f454e2c29f0df56b0d4d756ff58a2a5d

SHA1
27252120b265abd8553a090356d6146f9789e8b7

SHA256
8d45da11e1a1ea6f20c82e4bf5768c508cc71007d6107288a759680693a95e9c

SHA512
991556e4d3811ad02b90a267ac22389515fc62b6c3a2cfed3e03a732bad8a77b128e043fb9378f8b60ea420c771edb962e4fe33bf3461f8f4d3daaecc9b39d70

Download Submit
C:\Users\Admin\AppData64717.exe

Filesize
184KB

MD5
c99810cda28e6f7c70e15b868223f9a8

SHA1
fceedd4614c8ce2e574dfad1a9d185ecd5e81a3e

SHA256
c70354dc68252927e7fed917cb6d9b1fdac3e4d8567561bf8ec33866829f7f2d

SHA512
48d7a7e82ce57a3949d49a70d2f15241865d9697edeee04ea91806936bab5e36f093db34a611d71bf7ccf081a32d91b62316dd6ce5005fd1fd66dc1e1af0dece

Download Submit
C:\Users\Admin\AppData8044.exe

Filesize
184KB

MD5
00f5b6264f3e0d5c9b4a3a18b01b2f8c

SHA1
843b87de720623235afa098e177fd4eb0e8a3ff7

SHA256
632d313f2ed7dd601fb7010db83a75da1411d785b7bbc8194b94801373c149ef

SHA512
9373c0af180b522d312fb9356e3f8e5b7a23ee65ee333cce540cb746b434d599a6146b51ed4f294aa304b5c004b25a4491759139244c8d1ea976301629e8046f

Download Submit
C:\Users\Admin\AppData8976.exe

Filesize
184KB

MD5
1bffbf5994e2191f9f86b7babfc3b216

SHA1
134a5d532cae8013cf33a57239de06b854cd419e

SHA256
15a9991b722396ba3ea61446804a3e0c8af4f4fb0cfb0418976c68ef133740fb

SHA512
3a5462200ce6d382f3f7c4e2ffed7edbe6c79813ab628ff7f4c5b28aa03db57fc7ccfff7d7d310fbe88cf0e31f8cb92b4667fbd31cb253d51a9747638b8c640b

Download Submit
C:\Users\Admin\AppData\Local16739.exe

Filesize
184KB

MD5
d38891822671c8725611edb1db5992ac

SHA1
36b114fca429224eb1efee4f4170ddf562f56fe7

SHA256
385cd3e5c329ed80d12ae6323a302bb5be50402b0904c600e57154bc5a888a29

SHA512
9016bca00064ec6363cf8d2afe0362951209494647756f28ab1c4056a889cf78cc5ca937210f2b51feaa2d313182686c1e13b426ef2293b068ff17148681fda8

Download Submit
C:\Users\Admin\AppData\Local35355.exe

Filesize
184KB

MD5
b96862dfd85ea162700defe921181050

SHA1
240ce9f6964eeaacb47f54319b8fa4d2d7621a9b

SHA256
1bd752e1c6243dce1cdb21f7aa0fa4aaea29744c37a4d681dd65df5fc5e2f48f

SHA512
d0c575c643df4b874e7e5b048af9ee91cdf3d7dca7cfcaae6d8cbe527b48815662a5d299753a15105a6c3f54120c3654aa8f03100283844408741cc8fba562d5

Download Submit
C:\Users\Admin\AppData\Local36211.exe

Filesize
184KB

MD5
32a92a09a0e59dbb5f3600efbb68591d

SHA1
f6984afd7e8f2f48d41e78b36a67e0ba67ca2d8a

SHA256
570539708e333623e90d008e2ef2b5ad32b58738653091e744e0bea11d080184

SHA512
b50e1f355d124dc2b458bddec2af84d557404eaef72bc5eba693a137d7e6a12e774bae3b9ed726702ebb498e12066d6c50f6c7f16e8ca75a4267be80914e3873

Download Submit
C:\Users\Admin\AppData\Local38363.exe

Filesize
184KB

MD5
0e6894cde0daad27648b35f878041be8

SHA1
43f176838d81714c5fa143fe31220d789a90250f

SHA256
65a825f288a541a48434d0756e294523cf5519aeb4fe0d643b3503ae4e19e0a6

SHA512
6ac7ca602884364fd8ac4182f17ab3fd91138839b3fae5fba00ef10ab269b1271032324833d15351651338b37d5b0ac2eb500da254efcd1ce388659f98556cd5

Download Submit
C:\Users\Admin\AppData\Local41485.exe

Filesize
184KB

MD5
8f030edcdfcca529327c9900dfcc06e7

SHA1
549433ab25fd09dba8f7d64238e8e3e90e7caf50

SHA256
04d3f3895c376c155c80a2a621d421f9dc720903d53240cc44f53396a088b84e

SHA512
0be150b40043e9ab754edb327d9bae24fa20d88d351a1f1c8ea12fecbcb89ec011b89bd53cb5fe036dce3ad0e7e7bdfb3b796ec5679861ee46f9d07f45a92b21

Download Submit
C:\Users\Admin\AppData\Local49101.exe

Filesize
184KB

MD5
49979e53bdceeb69d81372684f5b2fdd

SHA1
910dc362e558cb90a201744c14356190dfb0af53

SHA256
0afe572e76ab0dc1d15a3fd1c92543ecfd44dacd1bf18da9ad3f009c26bf026c

SHA512
2cc27c04a0d9e5910a73deed119e6f2f6d5f613756f35395378a22ca94953ea501f7f1b506c5ee56a62bea4a65adab9acb339543a9095bc1e23ce29e5b730467

Download Submit
C:\Users\Admin\AppData\Local50068.exe

Filesize
184KB

MD5
04226ee5aff8313e858080d11706fb8c

SHA1
f42425fdbb24a967e9d84870503a62f66bb102ea

SHA256
ae71e82bf0958151148cf35b659e27862d5e57d9bf94c2e243de6b233712bdcf

SHA512
c457f33bd3a172b6b48064517d581dc61614a80ad99b73e6e21d27fa1e76766c6cfb0d201d4a7593ae191a1217fe544fbe593d5cac7532b05e74f6eca7e5b9e2

Download Submit
C:\Users\Admin\AppData\Local51917.exe

Filesize
184KB

MD5
1cb076e6031fc809216df455e6c39afb

SHA1
de9bbb601f29c528a9683836c4626a2f3cbb3974

SHA256
a667ecf510839c42997740d5360bcc0b998fbd51b68ced5bebe8b0d333592331

SHA512
e870488acc0c50cfa62f46e866d574e343a41e7163ceefdc0ff1ca8de2244ff779f6fc46fc2fc5587f92c55e8eef99ed636ab26c5dee71325168c06e0bd83882

Download Submit
C:\Users\Admin\AppData\Local62676.exe

Filesize
184KB

MD5
e1c6288e5e1d7f1e58a5f790f7d9f8de

SHA1
281973f36d1fbfeaedb67d2a24697e374cd739b3

SHA256
d62877af799e6fed8f16c726f64cb69220020a9819308a4e7db56879ddb16d57

SHA512
76c7f7a9c22643078588df967d20e49b0e458f6df0a52206a9f9a76c9ff96358617c3ec7cea997fcd3398685153c5664397853a99dbb83ab777d3ff88f7978d4

Download Submit
C:\Users\Admin\AppData\Local64717.exe

Filesize
184KB

MD5
9365a9f38e827a9be97ab81d3bbca178

SHA1
d28e50a7da4012a5d34a75ea378bc92c25d62280

SHA256
a582f5e2868ae6b0c8df77b9e7c5b7d3d159dd60ab8c98d3ee2782bedc55d74e

SHA512
6fbf9c46f5d1715314956e259a47632ef4f72bdd323f18c1bc52f35adb0d7514e3980c448b68eb32548be916b232cb883afe6819e7e8d41a7428170d481b1094

Download Submit
C:\Users\Admin\AppData\Local\Temp29555.exe

Filesize
184KB

MD5
523b9ab28f64ccff40bc3b4d923e68f4

SHA1
c1cdc4a876cb3a71484643682371f2b0e74c7d28

SHA256
c603e3559db80b1c9be33d08adc7ef7426443eed8a2b81bf3547daf8985d9c85

SHA512
f453aebf34c975974ef7b90877be36e11951db8f92190626f096c0155b0dc1f6633f0821199adecb314c03687efde61ade29368a083a7a0af4e96e1384d2f07c

Download Submit
C:\Users\Admin\AppData\Local\Temp4044.exe

Filesize
184KB

MD5
1dd841d9edac6f8f95d18f9b00dd5030

SHA1
10f1a5ea3aabca2a53a172c7e92d8bfd3efdc65f

SHA256
277587e85bb40c0fd570bde343432bfb0725d7e81abd14233e6eba087f728cac

SHA512
d5d203095fd78b7bca91253050f478a0acbf556f8aee568cd30543ffcf3628b1037b73abbc9d3a663c4178be4f1791fb6fb0aa4e81ed0bd7b4f1dc5925d91cbf

Download Submit
C:\Users\Admin\AppData\Local\Temp49947.exe

Filesize
184KB

MD5
2eda26b2485eb3f07a775b19978278f9

SHA1
9a60d32abebe2303b3d172caeb363804013d947e

SHA256
97816f90f52855080a1e9ba1bb8628f712965ea1d692c6266c6828a96ee71229

SHA512
5d66e271f673d91794523c649e8224953e94c91325041b23c2dbdc430c1a05d38830826688caa6eab602f789f1079d694ea6a9b99bed3498f2d73ca3da7665f1

Download Submit
C:\Users\Admin\AppData\Local\Temp58433.exe

Filesize
184KB

MD5
40935ca13d5422deb50d0b8865394ab1

SHA1
182a51e6869403da2e582de618a5064f2fff521e

SHA256
8a8567dfc11c7898d19334d0afb6216a695435d6bbcf7f19745448ad05dd6f4f

SHA512
77a5254050e16010d6d9d245fa107495a8f1cd3a2c21afa3e978452c0c9a46b33928dd7c28f0be62bf6bfa6bc1b7c790c68626897157a60a1673ebce7b019c34

Download Submit
C:\Users\Admin\AppData\Local\Temp8266.exe

Filesize
184KB

MD5
f1980e4f741b85d5899775e768befbfc

SHA1
3cb863a38ffcdf98ea6eabcfa305bd12dc67bc1e

SHA256
327d178784b8ca635d8d7b47650a46913948ebdcb1fa62cb2735b2cf1695c662

SHA512
3a8101b68f555d8fcea868ed0815b84a12cfa9a281c697461282069c90f43dd1e4def37478b8c54c65d960bfe8c075a57e307b785794874f3a50afe3c982187e

Download Submit
memory/6976-3193-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download