hxxps://youtube[.]com

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	adwcleaner_8.3.1.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	adwcleaner_8.3.1.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	adwcleaner_8.3.1.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	adwcleaner_8.3.1.exe

Checks computer location settings 2 TTPs 14 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Control Panel\International\Geo\Nation	QtWebEngineProcess.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Control Panel\International\Geo\Nation	opera.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Control Panel\International\Geo\Nation	opera.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Control Panel\International\Geo\Nation	opera.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Control Panel\International\Geo\Nation	opera.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Control Panel\International\Geo\Nation	opera.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Control Panel\International\Geo\Nation	QtWebEngineProcess.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Control Panel\International\Geo\Nation	installer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Control Panel\International\Geo\Nation	QtWebEngineProcess.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Control Panel\International\Geo\Nation	opera.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Control Panel\International\Geo\Nation	winzip26-p003.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Control Panel\International\Geo\Nation	cmd.exe

Loads dropped DLL 64 IoCs

pid	Process
2248	DriverPack-17-Online_1012066879.1641671226__mg4zwr1bli7w3yb.exe
2248	DriverPack-17-Online_1012066879.1641671226__mg4zwr1bli7w3yb.exe
2248	DriverPack-17-Online_1012066879.1641671226__mg4zwr1bli7w3yb.exe
2376	cmd.exe
2388	cmd.exe
2376	cmd.exe
2388	cmd.exe
2292	cmd.exe
1388	cmd.exe
2284	cmd.exe
2376	conhost.exe
2684	cmd.exe
1616	cmd.exe
2572	chrome.exe
2408	driverpack-wget.exe
2312	cmd.exe
2396	cmd.exe
1912	driverpack-wget.exe
2060	cmd.exe
740	conhost.exe
2428	driverpack-wget.exe
1952	cmd.exe
2616	cmd.exe
2572	chrome.exe
2580	driverpack-wget.exe
2604	cmd.exe
2676	cmd.exe
740	conhost.exe
2436	chrome.exe
2408	driverpack-wget.exe
2740	cmd.exe
1792	conhost.exe
2872	cmd.exe
2604	cmd.exe
972	chrome.exe
2452	cmd.exe
1816	cmd.exe
2232	cmd.exe
1480	driverpack-wget.exe
1636	cmd.exe
2896	conhost.exe
2436	chrome.exe
2396	cmd.exe
2348	driverpack-wget.exe
1816	cmd.exe
2892	cmd.exe
2212	cmd.exe
924	opera.exe
1644	chrome.exe
1720	driverpack-wget.exe
960	cmd.exe
2572	chrome.exe
2284	cmd.exe
1980	WmiApSrv.exe
2108	cmd.exe
1388	chrome.exe
2596	cmd.exe
2212	cmd.exe
2292	cmd.exe
2284	cmd.exe
1792	conhost.exe
1540	cmd.exe
924	opera.exe
1816	cmd.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	mshta.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\Web Companion = "C:\\Program Files (x86)\\Lavasoft\\Web Companion\\Application\\WebCompanion.exe --minimize "	WebCompanion.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv = "grpconv -o"	RunDLL32.Exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\Web Companion = "C:\\Program Files (x86)\\Lavasoft\\Web Companion\\Application\\WebCompanion.exe --minimize "	WebCompanion.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WinZip UN = "\"C:\\Program Files\\WinZip\\WZUpdateNotifier.exe\" -show"	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\MediaGet2 = "C:\\Users\\Admin\\MediaGet2\\mediaget.exe --minimized"	mediaget.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SearcherBar = "\"C:\\Windows\\system32\\mshta.exe\" \"C:\\SearcherBar\\run.hta\""	conhost.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	mshta.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\DriverPack-Alice = "C:\\Users\\Admin\\AppData\\Roaming\\DRPSu\\Alice\\DriverPackAssistant.exe"	mshta.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WinZip FAH = "C:\\Program Files\\WinZip\\FAHConsole.exe"	msiexec.exe

Checks for any installed AV software in registry 1 TTPs 7 IoCs

Security Software Discovery

T1063

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\AVG\AV	mshta.exe
Key opened	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\AVAST Software\Avast	mediaget_installer_456.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\AVAST Software\Avast\Version	mediaget_installer_456.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVAST Software\Avast\Version	mediaget_installer_456.exe
Key opened	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Avira	mediaget_installer_456.exe
Key opened	\REGISTRY\MACHINE\Software\Wow6432Node\Avira	mediaget_installer_456.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\AVAST Software\Avast	mshta.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winzip64.exe

Drops desktop.ini file(s) 3 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Documents\desktop.ini	winzip64.exe
File opened for modification	C:\Users\Public\desktop.ini	winzip64.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	winzip64.exe

Enumerates connected drives 3 TTPs 54 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
File opened (read-only)	\??\I:	winzip26-p003.exe
File opened (read-only)	\??\K:	winzip26-p003.exe
File opened (read-only)	\??\N:	winzip26-p003.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\B:	winzip26-p003.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\T:	winzip26-p003.exe
File opened (read-only)	\??\U:	winzip26-p003.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\R:	winzip26-p003.exe
File opened (read-only)	\??\D:	installer.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\D:	opera_binst.exe
File opened (read-only)	\??\X:	winzip26-p003.exe
File opened (read-only)	\??\G:	winzip26-p003.exe
File opened (read-only)	\??\L:	winzip26-p003.exe
File opened (read-only)	\??\M:	winzip26-p003.exe
File opened (read-only)	\??\V:	winzip26-p003.exe
File opened (read-only)	\??\W:	winzip26-p003.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\D:	cmd.exe
File opened (read-only)	\??\S:	winzip26-p003.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\J:	winzip26-p003.exe
File opened (read-only)	\??\P:	winzip26-p003.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\F:	winzip26-p003.exe
File opened (read-only)	\??\A:	winzip26-p003.exe
File opened (read-only)	\??\H:	winzip26-p003.exe
File opened (read-only)	\??\Z:	winzip26-p003.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\E:	winzip26-p003.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Y:	winzip26-p003.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	winzip26-p003.exe
File opened (read-only)	\??\D:	OperaXP.exe
File opened (read-only)	\??\D:	OperaXP.exe
File opened (read-only)	\??\O:	winzip26-p003.exe
File opened (read-only)	\??\D:	installer.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
2951	api.ipify.org
6068	api.ipify.org

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System32\d3dx10.dll	xcopy.exe
File opened for modification	C:\Windows\SysWow64\x3daudio1_0.dll	xcopy.exe
File opened for modification	C:\Windows\System32\D3DCompiler_36.dll	xcopy.exe
File opened for modification	C:\Windows\System32\d3dcsx_42.dll	xcopy.exe
File created	C:\Windows\SysWow64\xactengine2_0.dll	xcopy.exe
File created	C:\Windows\SysWOW64\MSVCP70.DLL	cmd.exe
File opened for modification	C:\Windows\SysWOW64\comct232.ocx	compact.exe
File opened for modification	C:\Windows\SysWOW64\libssl-1_1.dll	compact.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA	MsiExec.exe
File opened for modification	C:\Windows\System32\d3dx10_37.dll	xcopy.exe
File created	C:\Windows\SysWOW64\libssl-1_1.dll	cmd.exe
File created	C:\Windows\System32\D3DX9_37.dll	xcopy.exe
File created	C:\Windows\System32\XAudio2_3.dll	xcopy.exe
File created	C:\Windows\SysWow64\D3DCompiler_39.dll	xcopy.exe
File opened for modification	C:\Windows\SysWow64\d3dx9_29.dll	xcopy.exe
File created	C:\Windows\System32\D3DCompiler_35.dll	xcopy.exe
File created	C:\Windows\System32\d3dx9_36.dll	xcopy.exe
File created	C:\Windows\System32\D3DCompiler_43.dll	xcopy.exe
File created	C:\Windows\SysWOW64\MFC71u.dll	cmd.exe
File opened for modification	C:\Windows\SysWow64\xactengine2_6.dll	xcopy.exe
File opened for modification	C:\Windows\SysWow64\xinput1_2.dll	xcopy.exe
File created	C:\Windows\SysWOW64\MFC71ITA.DLL	cmd.exe
File opened for modification	C:\Windows\SysWOW64\tabctl32.ocx	compact.exe
File created	C:\Windows\System32\xactengine2_2.dll	xcopy.exe
File created	C:\Windows\SysWow64\D3DCompiler_37.dll	xcopy.exe
File opened for modification	C:\Windows\SysWow64\D3DCompiler_41.dll	xcopy.exe
File created	C:\Windows\SysWow64\d3dx10_39.dll	xcopy.exe
File created	C:\Windows\System32\d3dx9_34.dll	xcopy.exe
File opened for modification	C:\Windows\SysWow64\D3DCompiler_34.dll	xcopy.exe
File opened for modification	C:\Windows\System32\D3DX9_40.dll	xcopy.exe
File opened for modification	C:\Windows\System32\XAudio2_3.dll	xcopy.exe
File created	C:\Windows\SysWow64\XAudio2_6.dll	xcopy.exe
File created	C:\Windows\SysWOW64\atl70.dll	cmd.exe
File opened for modification	C:\Windows\SysWOW64\MFC71ESP.DLL	cmd.exe
File opened for modification	C:\Windows\SysWOW64\mfc70fra.dll	compact.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E	net_updater32.exe
File created	C:\Windows\System32\d3dx9_30.dll	xcopy.exe
File created	C:\Windows\System32\x3daudio1_0.dll	xcopy.exe
File opened for modification	C:\Windows\System32\x3daudio1_1.dll	xcopy.exe
File created	C:\Windows\SysWow64\d3dx10_40.dll	xcopy.exe
File created	C:\Windows\SysWOW64\MFC71ESP.DLL	cmd.exe
File opened for modification	C:\Windows\SysWOW64\comct332.ocx	compact.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E	net_svc.exe
File created	C:\Windows\System32\d3dx9_26.dll	xcopy.exe
File opened for modification	C:\Windows\SysWow64\XAPOFX1_5.dll	xcopy.exe
File opened for modification	C:\Windows\SysWOW64\msvcr70.dll	compact.exe
File opened for modification	C:\Windows\System32\XAudio2_4.dll	xcopy.exe
File created	C:\Windows\SysWOW64\sysinfo.ocx	cmd.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_E6095CD2AECC9011BCD0D7B421356B17	net_updater32.exe
File created	C:\Windows\System32\XAudio2_0.dll	xcopy.exe
File opened for modification	C:\Windows\SysWOW64\msstdfmt.dll	cmd.exe
File opened for modification	C:\Windows\system32\libssl-1_1-x64.dll	cmd.exe
File created	C:\Windows\SysWOW64\MFC71KOR.DLL	cmd.exe
File created	C:\Windows\SysWOW64\mscomm32.ocx	cmd.exe
File created	C:\Windows\System32\xactengine3_1.dll	xcopy.exe
File opened for modification	C:\Windows\System32\XAPOFX1_4.dll	xcopy.exe
File created	C:\Windows\SysWow64\xactengine2_7.dll	xcopy.exe
File created	C:\Windows\SysWow64\xactengine3_0.dll	xcopy.exe
File created	C:\Windows\SysWOW64\MFC71CHT.DLL	cmd.exe
File created	C:\Windows\SysWOW64\msstdfmt.dll	cmd.exe
File opened for modification	C:\Windows\SysWOW64\msvcrt10.dll	cmd.exe
File opened for modification	C:\Windows\SysWOW64\Vb40032.dll	compact.exe
File opened for modification	C:\Windows\System32\d3dx10_38.dll	xcopy.exe
File opened for modification	C:\Windows\System32\d3dx9_30.dll	xcopy.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\DriverPack\img\charms\arrow.png	DriverPack-17-Online_1012066879.1641671226__mg4zwr1bli7w3yb.exe
File created	C:\Program Files (x86)\DriverPack\img\installation\icon-install.png	DriverPack-17-Online_1012066879.1641671226__mg4zwr1bli7w3yb.exe
File created	C:\Program Files (x86)\DriverPack\img\onboarding-new\reliability-2.png	DriverPack-17-Online_1012066879.1641671226__mg4zwr1bli7w3yb.exe
File created	C:\Program Files (x86)\DriverPack\languages\bg.js	DriverPack-17-Online_1012066879.1641671226__mg4zwr1bli7w3yb.exe
File opened for modification	C:\Program Files (x86)\DriverPack\audio\en\STORIES-why-free-3.mp3	explorer.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\Win32\bddcihttp.dll	WebCompanionInstaller.exe
File created	C:\Program Files\WinZip\Microsoft.Office.Interop.Excel.dll	msiexec.exe
File created	C:\Program Files\WinZip\en-US\WzAddonsManager64.exe.mui	msiexec.exe
File created	C:\Program Files\WinZip\ja-JP\WzS4DELManager64.dll.mui	msiexec.exe
File created	C:\Program Files\WinZip\WzWXFytb64.dll	msiexec.exe
File opened for modification	C:\Program Files\WinZip\{8DB87D64-EFF7-4983-8922-6CFF5E5f360F}.bgt	MsiExec.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\Interop.LavasoftTcpServiceLib.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\x64\api-ms-win-crt-heap-l1-1-0.dll	WebCompanionInstaller.exe
File created	C:\Program Files\WinZip\ja-JP\MediaFireService.resources.dll	msiexec.exe
File created	C:\Program Files (x86)\DriverPack\css\fonts\Roboto\roboto-thin-webfont.eot	DriverPack-17-Online_1012066879.1641671226__mg4zwr1bli7w3yb.exe
File created	C:\Program Files (x86)\DriverPack\img\screens\move-to-top_arrow.png	DriverPack-17-Online_1012066879.1641671226__mg4zwr1bli7w3yb.exe
File created	C:\Program Files (x86)\DriverPack\img\screens\startscreen-slider-oval-yellow-hover.png	DriverPack-17-Online_1012066879.1641671226__mg4zwr1bli7w3yb.exe
File created	C:\Program Files (x86)\DriverPack\audio\en\WAITING-2.mp3	driverpack-wget.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\Win32\api-ms-win-crt-heap-l1-1-0.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\Win32\bddci.sys	WebCompanionInstaller.exe
File created	C:\Program Files\WinZip\SQLite.Interop.dll	msiexec.exe
File created	C:\Program Files (x86)\DriverPack\img\device-class\tvtuner.png	DriverPack-17-Online_1012066879.1641671226__mg4zwr1bli7w3yb.exe
File created	C:\Program Files (x86)\DriverPack\audio\en\STORIES-false-positive-3.mp3	driverpack-wget.exe
File created	C:\Program Files (x86)\DriverPack\img\new-ui-assistant\screens\bad-review.png	DriverPack-17-Online_1012066879.1641671226__mg4zwr1bli7w3yb.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\Win32\bddci_install_boot.cmd	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\DriverPack\img\wifi-disabled.png	DriverPack-17-Online_1012066879.1641671226__mg4zwr1bli7w3yb.exe
File created	C:\Program Files\WinZip\en-US\UnInstall64.exe.mui	msiexec.exe
File opened for modification	C:\Program Files\WinZip\wztutor.gid	winzip64.exe
File created	C:\Program Files (x86)\DriverPack\img\installation\drivers\other.png	DriverPack-17-Online_1012066879.1641671226__mg4zwr1bli7w3yb.exe
File created	C:\Program Files (x86)\DriverPack\audio\en\STORIES-why-free-11.mp3	chrome.exe
File created	C:\Program Files\WinZip\ja-JP\CloudStoragePicker.resources.dll	msiexec.exe
File created	C:\Program Files (x86)\DriverPack\img\onboarding\cleaning.png	DriverPack-17-Online_1012066879.1641671226__mg4zwr1bli7w3yb.exe
File opened for modification	C:\Program Files (x86)\DriverPack\audio\en\EXPERT-DIAGNOSTICS-4.mp3	driverpack-wget.exe
File opened for modification	C:\Program Files (x86)\DriverPack\audio\en\STORIES-technologies-10.mp3	driverpack-wget.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.WCAssistant.WcfService.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\Win32\sav.dll	WebCompanionInstaller.exe
File created	C:\Program Files\WinZip\WzPreloader.exe.config	msiexec.exe
File created	C:\Program Files (x86)\DriverPack\img\onboarding\likes\down.png	DriverPack-17-Online_1012066879.1641671226__mg4zwr1bli7w3yb.exe
File created	C:\Program Files (x86)\DriverPack\img\onboarding-new\istart.png	DriverPack-17-Online_1012066879.1641671226__mg4zwr1bli7w3yb.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\Win32\bddci_install.cmd	WebCompanionInstaller.exe
File created	C:\Program Files\WinZip\en-US\WXFP2D.resources.dll	msiexec.exe
File created	C:\Program Files\WinZip\ja-JP\MYE-MAIL.WJF	msiexec.exe
File opened for modification	C:\Program Files\WinZip\winzip.gid	winzip64.exe
File created	C:\Program Files (x86)\DriverPack\img\device-class\new-ui\tvtuner.png	DriverPack-17-Online_1012066879.1641671226__mg4zwr1bli7w3yb.exe
File created	C:\Program Files (x86)\DriverPack\img\installation\drivers\restore_point.png	DriverPack-17-Online_1012066879.1641671226__mg4zwr1bli7w3yb.exe
File created	C:\Program Files (x86)\DriverPack\img\screens\checkbox.png	DriverPack-17-Online_1012066879.1641671226__mg4zwr1bli7w3yb.exe
File opened for modification	C:\Program Files (x86)\DriverPack\audio\en\EXPERT-CONFIGURATOR-2.mp3	conhost.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\x64\bridge_start.cmd	WebCompanionInstaller.exe
File created	C:\Program Files\WinZip\ja-JP\WinZip64.exe.mui	msiexec.exe
File created	C:\Program Files (x86)\DriverPack\css\fonts\ProximaNova\proxima_nova_light-webfont.svg	DriverPack-17-Online_1012066879.1641671226__mg4zwr1bli7w3yb.exe
File created	C:\Program Files (x86)\DriverPack\img\device-class\cardreader.png	DriverPack-17-Online_1012066879.1641671226__mg4zwr1bli7w3yb.exe
File created	C:\Program Files (x86)\DriverPack\img\onboarding-new\second-browser-opera.png	DriverPack-17-Online_1012066879.1641671226__mg4zwr1bli7w3yb.exe
File created	C:\Program Files (x86)\DriverPack\img\screens\configurator-loader.gif	DriverPack-17-Online_1012066879.1641671226__mg4zwr1bli7w3yb.exe
File created	C:\Program Files (x86)\DriverPack\languages\en.js	DriverPack-17-Online_1012066879.1641671226__mg4zwr1bli7w3yb.exe
File opened for modification	C:\Program Files (x86)\DriverPack\audio\en\ISTART_1.mp3	opera.exe
File created	C:\Program Files (x86)\DriverPack\audio\en\STORIES-why-free-9.mp3	driverpack-wget.exe
File opened for modification	C:\Program Files (x86)\DriverPack\audio\en\FINAL-2.mp3	compact.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\Win32\api-ms-win-core-memory-l1-1-0.dll	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\Win32\DCIService.exe	WebCompanionInstaller.exe
File created	C:\Program Files (x86)\Lavasoft\Web Companion\Service\x64\api-ms-win-crt-time-l1-1-0.dll	WebCompanionInstaller.exe
File created	C:\Program Files\WinZip\en-US\WXFWMRK.resources.dll	msiexec.exe
File created	C:\Program Files (x86)\DriverPack\img\charms\computer.png	DriverPack-17-Online_1012066879.1641671226__mg4zwr1bli7w3yb.exe
File created	C:\Program Files (x86)\DriverPack\img\device-class\new-ui\default.png	DriverPack-17-Online_1012066879.1641671226__mg4zwr1bli7w3yb.exe
File created	C:\Program Files (x86)\DriverPack\languages\ar.js	DriverPack-17-Online_1012066879.1641671226__mg4zwr1bli7w3yb.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly\GAC\Microsoft.DirectX\1.0.2902.0__31bf3856ad364e35	xcopy.exe
File opened for modification	C:\Windows\Installer\MSI78A2.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA4E6.tmp	msiexec.exe
File created	C:\Windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2904.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll	xcopy.exe
File opened for modification	C:\Windows\Microsoft.NET\DirectX for Managed Code\1.0.2902.0\Microsoft.DirectX.Direct3D.dll	xcopy.exe
File opened for modification	C:\Windows\Installer\MSI3D43.tmp	msiexec.exe
File created	C:\Windows\Microsoft.NET\DirectX for Managed Code\1.0.2902.0\Microsoft.DirectX.Direct3DX.xml	xcopy.exe
File created	C:\Windows\Microsoft.NET\DirectX for Managed Code\1.0.2904.0\Microsoft.DirectX.Direct3DX.dll	xcopy.exe
File opened for modification	C:\Windows\Microsoft.NET\DirectX for Managed Code\1.0.2905.0	xcopy.exe
File created	C:\Windows\Microsoft.NET\DirectX for Managed Code\1.0.2906.0\Microsoft.DirectX.Direct3DX.dll	xcopy.exe
File opened for modification	C:\Windows\Installer\MSIA36E.tmp	msiexec.exe
File created	C:\Windows\assembly\GAC\Microsoft.DirectX\1.0.2902.0__31bf3856ad364e35\__AssemblyInfo__.ini	xcopy.exe
File opened for modification	C:\Windows\assembly\GAC\Microsoft.DirectX.Direct3D\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.Direct3D.dll	xcopy.exe
File opened for modification	C:\Windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2902.0__31bf3856ad364e35	xcopy.exe
File opened for modification	C:\Windows\Installer\MSI2CF5.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7A60.tmp	msiexec.exe
File opened for modification	C:\Windows\assembly\GAC\Microsoft.DirectX.DirectInput\1.0.2902.0__31bf3856ad364e35	xcopy.exe
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File opened for modification	C:\Windows\Installer\MSI212D.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC4A7.tmp	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\DirectX for Managed Code\1.0.2902.0\Microsoft.DirectX.DirectDraw.dll	xcopy.exe
File created	C:\Windows\Microsoft.NET\DirectX for Managed Code\1.0.2902.0\Microsoft.DirectX.xml	xcopy.exe
File opened for modification	C:\Windows\Installer\MSI7AA4.tmp	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\DirectX for Managed Code\1.0.2909.0	xcopy.exe
File opened for modification	C:\Windows\Microsoft.NET\DirectX for Managed Code\1.0.2910.0\Microsoft.DirectX.Direct3DX.dll	xcopy.exe
File opened for modification	C:\Windows\WIN.INI	winzip64.exe
File created	C:\Windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2908.0__31bf3856ad364e35\__AssemblyInfo__.ini	xcopy.exe
File opened for modification	C:\Windows\Microsoft.NET\DirectX for Managed Code	xcopy.exe
File created	C:\Windows\Microsoft.NET\DirectX for Managed Code\1.0.2902.0\Microsoft.DirectX.DirectInput.dll	xcopy.exe
File created	C:\Windows\Microsoft.NET\DirectX for Managed Code\1.0.2902.0\Microsoft.DirectX.DirectSound.dll	xcopy.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config.cch.new	WebCompanion.exe
File opened for modification	C:\Windows\Installer\f86fc5b.ipi	msiexec.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config.cch.new	WebCompanionInstaller.exe
File created	C:\Windows\Installer\{CD95F661-A5C4-44F5-A6AA-ECDD91C2413B}\PdfUtilStub64_Shortcut_StartMenu.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\{CD95F661-A5C4-44F5-A6AA-ECDD91C2413B}\SbkupStub64_ShortCut_StartMenu.exe	msiexec.exe
File created	C:\Windows\Installer\f86fc5d.msi	msiexec.exe
File opened for modification	C:\Windows\assembly\GAC\Microsoft.DirectX.AudioVideoPlayback\1.0.2902.0__31bf3856ad364e35\__AssemblyInfo__.ini	xcopy.exe
File created	C:\Windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2905.0__31bf3856ad364e35\__AssemblyInfo__.ini	xcopy.exe
File created	C:\Windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2911.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll	xcopy.exe
File opened for modification	C:\Windows\Microsoft.NET\DirectX for Managed Code\1.0.2905.0\Microsoft.DirectX.Direct3DX.xml	xcopy.exe
File opened for modification	C:\Windows\Installer\MSI29CC.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\{CD95F661-A5C4-44F5-A6AA-ECDD91C2413B}\WinZip64_Shortcut_StartMenu.exe	msiexec.exe
File opened for modification	C:\Windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll	xcopy.exe
File opened for modification	C:\Windows\assembly\GAC\Microsoft.DirectX.DirectPlay\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectPlay.dll	xcopy.exe
File created	C:\Windows\Microsoft.NET\DirectX for Managed Code\1.0.2903.0\Microsoft.DirectX.Direct3DX.dll	xcopy.exe
File created	C:\Windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2910.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll	xcopy.exe
File opened for modification	C:\Windows\Installer\MSI7A72.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7A83.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\{CD95F661-A5C4-44F5-A6AA-ECDD91C2413B}\PdfUtil64_Shortcut_Desktop.exe	msiexec.exe
File created	C:\Windows\Installer\{CD95F661-A5C4-44F5-A6AA-ECDD91C2413B}\SbkupStub64_ShortCut_StartMenu.exe	msiexec.exe
File created	C:\Windows\assembly\GAC\Microsoft.DirectX.DirectInput\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectInput.dll	xcopy.exe
File created	C:\Windows\Microsoft.NET\DirectX for Managed Code\1.0.2911.0\Microsoft.DirectX.Direct3DX.xml	xcopy.exe
File opened for modification	C:\Windows\System32	xcopy.exe
File opened for modification	C:\Windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2906.0__31bf3856ad364e35	xcopy.exe
File opened for modification	C:\Windows\Microsoft.NET\DirectX for Managed Code\1.0.2902.0\Microsoft.DirectX.DirectSound.dll	xcopy.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\config\enterprisesec.config.cch.new	Lavasoft.WCAssistant.WinService.exe
File opened for modification	C:\Windows\Installer\MSI7593.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\{CD95F661-A5C4-44F5-A6AA-ECDD91C2413B}\ARPPRODUCTICON.exe	msiexec.exe
File opened for modification	C:\Windows\assembly\GAC\Microsoft.DirectX.DirectSound	xcopy.exe
File opened for modification	C:\Windows\assembly\GAC\Microsoft.DirectX.DirectSound\1.0.2902.0__31bf3856ad364e35\__AssemblyInfo__.ini	xcopy.exe
File opened for modification	C:\Windows\Installer\MSI2FC6.tmp	msiexec.exe
File opened for modification	C:\Windows\SysWow64	xcopy.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File opened for modification	C:\Windows\Installer\MSI2DA1.tmp	msiexec.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	runonce.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	runonce.exe

Creates scheduled task(s) 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

pid	Process
1056	schtasks.exe
1924	schtasks.exe
2992	schtasks.exe

Enumerates system info in registry 2 TTPs 14 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	opera.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	opera.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	opera.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	opera.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	opera.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{603C7E80-87C2-11D1-8BE3-0000F8754DA1}\AlternateCLSID = "{CEDFFAFD-3C2F-4552-9FD3-3DC4299057FD}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{979127D3-7D01-4FDE-AF65-A698091468AF}\AlternateCLSID = "{CCDB0DF2-FD1A-4856-80BC-32929D8359B7}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{0ECD9B64-23AA-11D0-B351-00A0C9055D8E}	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{97992019-74A6-46C7-9CA3-7F8C0D39940B}\Compatibility Flags = "1024"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	mediaget_installer_456.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{53749718-F78D-4A67-8703-8AE050075170}	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{58DA8D8A-9D6A-101B-AFC0-4210102A8DA7}\Compatibility Flags = "1024"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{E8F8E80F-02EB-44CC-ABB5-6E5132BA6B24}\Compatibility Flags = "1024"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{E8F8E80F-02EB-44CC-ABB5-6E5132BA6B24}\AlternateCLSID = "{962F28D6-107D-47A5-9515-2864454CFDD1}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{F9043C85-F6F2-101A-A3C9-08002B2F49FB}\AlternateCLSID = "{8F0F480A-4366-4737-8265-2AD6FDAC8C31}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{9181DC5F-E07D-418A-ACA6-8EEA1ECB8E9E}\AlternateCLSID = "{95F0B3BE-E8AC-4995-9DCA-419849E06410}"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\International\CpMRU	mshta.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{6D835690-900B-11D0-9484-00A0C91110ED}\AlternateCLSID = "{7E96FC67-468E-4E70-B246-D42078DD2361}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{0ECD9B64-23AA-11D0-B351-00A0C9055D8E}\AlternateCLSID = "{D8C1B55B-12DC-457F-97EC-4B84305FAA13}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{1EFB6596-857C-11D1-B16A-00C0F0283628}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{C932BA85-4374-101B-A56C-00AA003668DC}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{58DA8D8A-9D6A-101B-AFC0-4210102A8DA7}\AlternateCLSID = "{80B51087-CE4C-4FAE-8401-B6B3809DD234}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{026371C0-1B7C-11CF-9D53-00AA003C9CB6}\AlternateCLSID = "{2BEC8FA8-1193-4A15-B8AF-C6DF6E6930C7}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{612A8624-0FB3-11CE-8747-524153480004}\AlternateCLSID = "{29D5EC7E-6245-4DC9-9E53-A9A945AD4ABB}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{B09DE715-87C1-11D1-8BE3-0000F8754DA1}\AlternateCLSID = "{3D8152C1-0CFD-4968-9684-794046886E31}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{1906F94F-8256-480A-8CDF-60821592CB4B}\AlternateCLSID = "{3D8152C1-0CFD-4968-9684-794046886E31}"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{20DD1B9E-87C4-11D1-8BE3-0000F8754DA1}\Compatibility Flags = "1024"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{DD9DA666-8594-11D1-B16A-00C0F0283628}\AlternateCLSID = "{87DACC48-F1C5-4AF3-84BA-A2A72C2AB959}"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{979127D3-7D01-4FDE-AF65-A698091468AF}\Compatibility Flags = "1024"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{1E216240-1B7D-11CF-9D53-00AA003C9CB6}\AlternateCLSID = "{261399BF-4DBC-4731-B79F-EF8871D7CB36}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{3B7C8860-D78F-101B-B9B5-04021C009402}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{35053A22-8589-11D1-B16A-00C0F0283628}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{627C8B79-918A-4C5C-9E19-20F66BF30B86}	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Compatibility Flags = "1024"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{39977C62-C383-463D-AF61-C71220634656}	regsvr32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Cache = a403000003000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	MsiExec.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Cache = a403000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mshta.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{FAEEE760-117E-101B-8933-08002B2F4F5A}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{F9043C85-F6F2-101A-A3C9-08002B2F49FB}	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{FAEEE760-117E-101B-8933-08002B2F4F5A}\Compatibility Flags = "1024"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{603C7E80-87C2-11D1-8BE3-0000F8754DA1}	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{627C8B79-918A-4C5C-9E19-20F66BF30B86}\Compatibility Flags = "1024"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{CDE57A43-8B86-11D0-B3C6-00A0C90AEA82}	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{58DA8D8F-9D6A-101B-AFC0-4210102A8DA7}\Compatibility Flags = "1024"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{E8F8E80F-02EB-44CC-ABB5-6E5132BA6B24}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{0713E8A2-850A-101B-AFC0-4210102A8DA7}	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{B09DE715-87C1-11D1-8BE3-0000F8754DA1}\Compatibility Flags = "1024"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{2C247F23-8591-11D1-B16A-00C0F0283628}\AlternateCLSID = "{556C2772-F1AD-4DE1-8456-BD6E8F66113B}"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{1EFB6596-857C-11D1-B16A-00C0F0283628}\Compatibility Flags = "1024"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{9181DC5F-E07D-418A-ACA6-8EEA1ECB8E9E}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{1E216240-1B7D-11CF-9D53-00AA003C9CB6}	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{44E266A2-CD46-47A0-9ED5-EEEC5F0C2A6E}\Compatibility Flags = "1024"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{C1A8AF25-1257-101B-8FB0-0020AF039CA3}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{20DD1B9E-87C4-11D1-8BE3-0000F8754DA1}\AlternateCLSID = "{4D588145-A84B-4100-85D7-FD2EA1D19831}"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{39977C62-C383-463D-AF61-C71220634656}\Compatibility Flags = "1024"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION\winzip64.exe = "8000"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{9ED94440-E5E8-101B-B9B5-444553540000}\Compatibility Flags = "1024"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{20DD1B9E-87C4-11D1-8BE3-0000F8754DA1}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{24B224E0-9545-4A2F-ABD5-86AA8A849385}	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{F0D2F219-CCB0-11D0-A316-00AA00688B10}\Compatibility Flags = "1024"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{F0D2F21C-CCB0-11D0-A316-00AA00688B10}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{53749718-F78D-4A67-8703-8AE050075170}\AlternateCLSID = "{25A3C2C9-8F6E-4140-BEF3-535D4B9709D8}"	regsvr32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Size = "10"	mshta.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{373FF7F0-EB8B-11CD-8820-08002B2F4F5A}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{44E266A2-CD46-47A0-9ED5-EEEC5F0C2A6E}\AlternateCLSID = "{703EAF2B-FD9F-41BC-BB81-6C6757A46E5E}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{97992019-74A6-46C7-9CA3-7F8C0D39940B}	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{DD9DA666-8594-11D1-B16A-00C0F0283628}\Compatibility Flags = "1024"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{2C247F23-8591-11D1-B16A-00C0F0283628}	regsvr32.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Nico Mak Computing\Common	winzip64.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Nico Mak Computing\Common\Update Notifier\UpdtMgr000	winzip64.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	net_updater32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	net_updater32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	net_updater32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Nico Mak Computing	winzip64.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Nico Mak Computing\WinZip\fm\.IMG = "0"	winzip64.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	winzip64.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	net_updater32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Corel\PCU\7 = "E622AB708075"	winzip64.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\f2-4c-68-35-43-1f\WpadDecision = "0"	winzip64.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Nico Mak Computing\WinZip\WXF\WzAddropocts	WzCABCacheSyncHelper64.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\PowerPoint	adxregistrator.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Nico Mak Computing\WinZip\WXF\WzWXFnas	WzCABCacheSyncHelper64.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	net_updater32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	net_updater32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	net_updater32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Nico Mak Computing\WinZip\programs	winzip64.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Nico Mak Computing\WinZip\wzshlext\AddToFolder = "1"	winzip64.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	winzip64.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{994BB288-D7E9-48FC-AB3B-10D94CE0554E}\WpadDecisionTime = 30a55f17cb04d801	winzip64.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office	adxregistrator.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Nico Mak Computing\Common\Email	winzip64.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	net_svc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	net_svc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	net_updater32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	Lavasoft.WCAssistant.WinService.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	Lavasoft.WCAssistant.WinService.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\6CF876C7\LanguageList = 6a0061002d004a00500000006a006100000065006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Nico Mak Computing\WinZip\WXF\	winzip64.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Nico Mak Computing\WinZip\WXF\WzWXFcldme\Default\WritableRootFolder = "\\"	winzip64.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Nico Mak Computing\WinZip\winzip\DefaultTypeZipX = "0"	winzip64.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\PowerPoint\AddIns	adxregistrator.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	winzip64.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	net_updater32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	net_svc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	net_updater32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	Lavasoft.WCAssistant.WinService.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\6CF876C7\@%SystemRoot%\system32\eapqec.dll,-100 = "EAP 検疫強制クライアント"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\6CF876C7\@%SystemRoot%\system32\eapqec.dll,-102 = "1.0"	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\WinZip Computing	winzip64.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{994BB288-D7E9-48FC-AB3B-10D94CE0554E}\WpadNetworkName = "ネットワーク 2"	winzip64.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\Excel	adxregistrator.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	net_svc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	net_updater32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	Lavasoft.WCAssistant.WinService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Nico Mak Computing\WinZip\fm\.ISO = "0"	winzip64.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\PowerPoint\AddIns\WinZipExpressForOffice.AddinModule	adxregistrator.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Nico Mak Computing\WinZip\WXF\WzWXFgtalk	WzCABCacheSyncHelper64.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	net_svc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	net_updater32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Nico Mak Computing\WinZip\fm\.TZ = "1"	winzip64.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Nico Mak Computing\WinZip\wzshlext\CommentCheckOther = "1"	winzip64.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Nico Mak Computing\WinZip\wzshlext\ShellExtensionSubMenu = "1"	winzip64.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Nico Mak Computing\WinZip\Splitter\TreePane = "0,0,0,0"	winzip64.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\f2-4c-68-35-43-1f\WpadDecisionReason = "1"	winzip64.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	net_updater32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	net_updater32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	Lavasoft.WCAssistant.WinService.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1EFB6596-857C-11D1-B16A-00C0F0283628}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.ISO\shell\Print\ = "ファイルリストの印刷(&P)"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CB2B673F-D441-4CD4-AFBE-DC4037CA4220}\InprocServer32\3.5.14535.0\CodeBase = "file:///C:/Program Files/WinZip/WinZipExpressForOffice.DLL"	adxregistrator.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000_CLASSES\.shtml\OpenWithProgIDs\OperaStable = "0"	installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9181DC5F-E07D-418A-ACA6-8EEA1ECB8E9E}\ = "Microsoft TreeView Control 6.0 (SP6)"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{14E469E0-BF61-11CF-8385-8F69D8F1350B}\ = "AsyncProperty"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinZip.JobFile\shell\Edit	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{962F28D6-107D-47A5-9515-2864454CFDD1}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2334D2B1-713E-11CF-8AE5-00AA00C00905}\TypeLib\Version = "6.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{232E456A-87C3-11D1-8BE3-0000F8754DA1}\ = "Microsoft MonthView Control 6.0 (SP6)"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TabDlg.SSTab\CurVer\ = "TabDlg.SSTab.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2334D2B1-713E-11CF-8AE5-00AA00C00905}\TypeLib\ = "{BDC217C8-ED16-11CD-956C-0000C04E4C0A}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinZip.ZipX\AppUserModelID = "WinZipComputing.WinZip64"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000_CLASSES\http\shell\open\ddeexec\Application	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{58DA8D95-9D6A-101B-AFC0-4210102A8DA7}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D0E0AA20-3082-11CF-AEBE-00AA00A8F7F3}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{FE387538-44A3-11D1-B5B7-0000C09000C4}\TypeLib\ = "{86CF1D34-0C5F-11D2-A9FC-0000F8754DA1}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock\CLSID\ = "{248DD896-BB45-11CF-9ABC-0080C7E7B78D}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ACBB958-5C57-11CF-8993-00AA00688B10}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0713E451-850A-101B-AFC0-4210102A8DA7}\ = "IButtons10"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{74DD2713-BA98-4D10-A16E-270BBEB9B555}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{27395F85-0C0C-101B-A3C9-08002B2F49FB}\Version\ = "1.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.XXE	WzPreviewer64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.wzcloud\shell	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BF877890-E026-11CF-8E74-00A0C90F26F8}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{603C7E7F-87C2-11D1-8BE3-0000F8754DA1}\TypeLib\Version = "2.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A4C46780-499F-101B-BB78-00AA00383CBB}\TypeLib\Version = "5.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BDD1F04B-858B-11D1-B16A-00C0F0283628}\Control	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1EFB6597-857C-11D1-B16A-00C0F0283628}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSFlexGridLib.MSFlexGrid.1	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.TXZ\ = "WinZip"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0713E8D2-850A-101B-AFC0-4210102A8DA7}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{612A8626-0FB3-11CE-8747-524153480004}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{083039C2-13F4-11D1-8B7E-0000F8754DA1}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSComCtl2.Animation.2\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2C247F23-8591-11D1-B16A-00C0F0283628}\VersionIndependentProgID\ = "MSComctlLib.ImageListCtrl"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{99FF4676-FFC3-11D0-BD02-00C04FC2FB86}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.wjf\WinZip.JobFile	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5522DAF9-06D6-11D2-8D70-00A0C98B28E2}\ = "_Bands"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BF877894-E026-11CF-8E74-00A0C90F26F8}\TypeLib\Version = "1.4"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{831FDD16-0C5C-11D2-A9FC-0000F8754DA1}\2.1\HELPDIR	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{27395F85-0C0C-101B-A3C9-08002B2F49FB}\Implemented Categories\{0DE86A52-2BAA-11CF-A229-00AA003D7352}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{612A8626-0FB3-11CE-8747-524153480004}\TypeLib\ = "{6B7E6392-850A-101B-AFC0-4210102A8DA7}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{979127D3-7D01-4FDE-AF65-A698091468AF}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1CD1B0C0-1B7D-11CF-9D53-00AA003C9CB6}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{261399BF-4DBC-4731-B79F-EF8871D7CB36}\MiscStatus	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C27CCE34-8596-11D1-B16A-00C0F0283628}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1138472b-d187-44e9-81f2-ae1b0e7785f1}\InProcServer32\ThreadingModel = "Both"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{ED117630-4090-11CF-8981-00AA00688B10}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B09DE713-87C1-11D1-8BE3-0000F8754DA1}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{27395F87-0C0C-101B-A3C9-08002B2F49FB}\TypeLib\ = "{27395F88-0C0C-101B-A3C9-08002B2F49FB}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{979127D3-7D01-4FDE-AF65-A698091468AF}\Implemented Categories\{0DE86A57-2BAA-11CF-A229-00AA003D7352}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{27395F85-0C0C-101B-A3C9-08002B2F49FB}\Implemented Categories	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000_CLASSES\mediagettorrentfile\DefaultIcon\ = "\"C:\\Users\\Admin\\MediaGet2\\mediaget.exe\",0"	mediaget.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSComCtl2.FlatScrollBar\CLSID\ = "{CFA7636D-CAA1-4F18-868F-8720624C8B86}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{35053A22-8589-11D1-B16A-00C0F0283628}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{87DACC48-F1C5-4AF3-84BA-A2A72C2AB959}\Version	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{373FF7F4-EB8B-11CD-8820-08002B2F4F5A}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{996BF5E0-8044-4650-ADEB-0B013914E99C}\VersionIndependentProgID\ = "MSComctlLib.ListViewCtrl"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CCDB0DF2-FD1A-4856-80BC-32929D8359B7}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BDD1F050-858B-11D1-B16A-00C0F0283628}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DD9DA665-8594-11D1-B16A-00C0F0283628}\TypeLib\ = "{831FDD16-0C5C-11D2-A9FC-0000F8754DA1}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6FBA474B-43AC-11CE-9A0E-00AA0062BB4C}\MiscStatus\1\ = "148881"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7DA06D40-54A0-11CF-A521-0080C77A7786}\InprocServer32	regsvr32.exe

Modifies system certificate store 2 TTPs 9 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\6252DC40F71143A22FDE9EF7348E064251B18118	mshta.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\6252DC40F71143A22FDE9EF7348E064251B18118\Blob = 0400000001000000100000002c8f9f661d1890b147269d8e86828ca90f00000001000000140000001e427a3639cce4c27e94b1777964ca289a722cad09000000010000003e000000303c06082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030806082b060105050703091400000001000000140000006daa9b0987c4d0d422ed4007374d19f191ffded31d000000010000001000000096f98b6e79a74810ce7d398a82f977780b000000010000000e000000430065007200740075006d0000000300000001000000140000006252dc40f71143a22fde9ef7348e064251b181181900000001000000100000000b6cd9778e41ad67fd6be0a6903710442000000001000000100300003082030c308201f4a0030201020203010020300d06092a864886f70d0101050500303e310b300906035504061302504c311b3019060355040a1312556e697a65746f2053702e207a206f2e6f2e311230100603550403130943657274756d204341301e170d3032303631313130343633395a170d3237303631313130343633395a303e310b300906035504061302504c311b3019060355040a1312556e697a65746f2053702e207a206f2e6f2e311230100603550403130943657274756d20434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ceb1c12ed34f7ccd25ce183e4fc48c6f806a73c85b51f89bd2dcbb005cb1a0fc7503ee81f088ee2352e9e615338dac2d09c576f92b398089e4974b90a5a878f873437ba461b0d858cce16c667e9cf3095e556384d5a8eff3b12e3068b3c43cd8ac6e8d995a904e34dc369a8f818850b76d964209f3d795830d414bb06a6bf8fc0f7e629f67c4ed265f10260f084ff0a45728ce8fb8ed45f66eee255daa6e39bee4932fd947a072ebfaa65bafca533fe20ec69656116ef7e966a926d87f9553ed0a8588ba4f29a5428c5eb6fc852000aa680ba11a85019cc446638288b622b1eefeaa46597ecf352cd5b6da5df748331454b6ebd96fcecd88d6ab1bda963b1d590203010001a3133011300f0603551d130101ff040530030101ff300d06092a864886f70d01010505000382010100b88dceefe714bacfeeb044926cb4393ea2846eadb82177d2d4778287e6204181eee2f811b763d11737be1976241c041a4ceb3daa676f2dd4cdfe653170c51ba6020aba607b6d58c29a49fe63320b6be33ac0acab3bb0e8d309518c1083c634e0c52be01ab66014276c32778cbcb27298cfcdcc3fb9c8244214d657fce62643a91de58090ce0354283ef73fd3f84ded6a0a3a93139b3b142313639c3fd1872779e54c51e301ad855d1a3bb1d57310a4d3f2bc6e64f55a5690a8c70e4c740f2e713bf7c847f4696f15f2115e831e9c7c52aefd02da12a8596718dbbc70dd9bb169ed80ce8940486a0e35ca29661521942ce8602a9b854a40f36b8a24ec06162c73	mshta.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	net_updater32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	net_updater32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	net_updater32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	net_updater32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	net_updater32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5	winzip26-p003.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 040000000100000010000000cb17e431673ee209fe455793f30afa1c0f0000000100000014000000e91e1e972b8f467ab4e0598fa92285387dee94c909000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000002500000030233021060b6086480186f8450107170630123010060a2b0601040182373c0101030200c01400000001000000140000007fd365a7c2ddecbbf03009f34339fa02af3331330b000000010000001200000056006500720069005300690067006e0000001d0000000100000010000000c6cbcafa17955c4cfd41eca0c654c3610300000001000000140000004eb6d578499b1ccf5f581ead56be3d9b6744a5e5190000000100000010000000d8b5fb368468620275d142ffd2aade372000000001000000d7040000308204d3308203bba003020102021018dad19e267de8bb4a2158cdcc6b3b4a300d06092a864886f70d01010505003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3036313130383030303030305a170d3336303731363233353935395a3081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d20473530820122300d06092a864886f70d01010105000382010f003082010a0282010100af240808297a359e600caae74b3b4edc7cbc3c451cbb2be0fe2902f95708a364851527f5f1adc831895d22e82aaaa642b38ff8b955b7b1b74bb3fe8f7e0757ecef43db66621561cf600da4d8def8e0c362083d5413eb49ca59548526e52b8f1b9febf5a191c23349d843636a524bd28fe870514dd189697bc770f6b3dc1274db7b5d4b56d396bf1577a1b0f4a225f2af1c926718e5f40604ef90b9e400e4dd3ab519ff02baf43ceee08beb378becf4d7acf2f6f03dafdd759133191d1c40cb7424192193d914feac2a52c78fd50449e48d6347883c6983cbfe47bd2b7e4fc595ae0e9dd4d143c06773e314087ee53f9f73b8330acf5d3f3487968aee53e825150203010001a381b23081af300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106306d06082b0601050507010c0461305fa15da05b3059305730551609696d6167652f6769663021301f300706052b0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e30251623687474703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e676966301d0603551d0e041604147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d0101050500038201010093244a305f62cfd81a982f3deadc992dbd77f6a5792238ecc4a7a07812ad620e457064c5e797662d98097e5fafd6cc2865f201aa081a47def9f97c925a0869200dd93e6d6e3c0d6ed8e606914018b9f8c1eddfdb41aae09620c9cd64153881c994eea284290b136f8edb0cdd2502dba48b1944d2417a05694a584f60ca7e826a0b02aa251739b5db7fe784652a958abd86de5e8116832d10ccdefda8822a6d281f0d0bc4e5e71a2619e1f4116f10b595fce7420532dbce9d515e28b69e85d35befa57d4540728eb70e6b0e06fb33354871b89d278bc4655f0d86769c447af6955cf65d320833a454b6183f685cf2424a853854835fd1e82cf2ac11d6a8ed636a	winzip26-p003.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\MediaGet2\Luminati-m\lum_sdk_session_id:LUM:$DATA	net_updater32.exe

Runs .reg file with regedit 2 IoCs

pid	Process
3896	regedit.exe
4368	regedit.exe

Runs net.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
792	PING.EXE

Script User-Agent 4 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	3878	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	187	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	3873	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	3875	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: AddClipboardFormatListener 3 IoCs

pid	Process
4928	mediaget.exe
5336	adwcleaner_8.3.1.exe
2504	adwcleaner_8.3.1.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

pid	Process
892	net_updater32.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1088	chrome.exe
1740	chrome.exe
1740	chrome.exe
2440	chrome.exe
2848	chrome.exe
2892	chrome.exe
2488	chrome.exe
916	chrome.exe
2980	chrome.exe
1740	chrome.exe
1740	chrome.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2480	chrome.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 10 IoCs

pid	Process
1968	mshta.exe
2328	taskmgr.exe
4928	mediaget.exe
552	taskmgr.exe
4132	taskmgr.exe
2404	taskmgr.exe
1740	chrome.exe
1408	Explorer.EXE
5336	adwcleaner_8.3.1.exe
2504	adwcleaner_8.3.1.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
460	Process not Found

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: 33	1968	mshta.exe
Token: SeIncBasePriorityPrivilege	1968	mshta.exe
Token: SeDebugPrivilege	2328	taskmgr.exe
Token: SeDebugPrivilege	4492	net_updater32.exe
Token: SeDebugPrivilege	3016	luminati-m-controller.exe
Token: SeDebugPrivilege	5060	net_updater32.exe
Token: SeShutdownPrivilege	5060	net_updater32.exe
Token: SeShutdownPrivilege	5060	net_updater32.exe
Token: SeShutdownPrivilege	1112	net_svc.exe
Token: SeShutdownPrivilege	1112	net_svc.exe
Token: SeShutdownPrivilege	5060	net_updater32.exe
Token: SeShutdownPrivilege	5060	net_updater32.exe
Token: SeDebugPrivilege	552	taskmgr.exe
Token: SeDebugPrivilege	2784	net_updater32.exe
Token: SeShutdownPrivilege	2784	net_updater32.exe
Token: SeDebugPrivilege	4132	taskmgr.exe
Token: SeDebugPrivilege	1908	net_updater32.exe
Token: SeShutdownPrivilege	1908	net_updater32.exe
Token: SeDebugPrivilege	2404	taskmgr.exe
Token: SeDebugPrivilege	4024	net_updater32.exe
Token: SeShutdownPrivilege	4024	net_updater32.exe
Token: SeDebugPrivilege	2924	WebCompanionInstaller.exe
Token: SeRestorePrivilege	4108	RunDLL32.Exe
Token: SeRestorePrivilege	4108	RunDLL32.Exe
Token: SeRestorePrivilege	4108	RunDLL32.Exe
Token: SeRestorePrivilege	4108	RunDLL32.Exe
Token: SeRestorePrivilege	4108	RunDLL32.Exe
Token: SeRestorePrivilege	4108	RunDLL32.Exe
Token: SeRestorePrivilege	4108	RunDLL32.Exe
Token: SeDebugPrivilege	2760	WebCompanion.exe
Token: SeDebugPrivilege	4816	Lavasoft.WCAssistant.WinService.exe
Token: SeAssignPrimaryTokenPrivilege	4816	Lavasoft.WCAssistant.WinService.exe
Token: SeIncreaseQuotaPrivilege	4816	Lavasoft.WCAssistant.WinService.exe
Token: SeSecurityPrivilege	4816	Lavasoft.WCAssistant.WinService.exe
Token: SeTakeOwnershipPrivilege	4816	Lavasoft.WCAssistant.WinService.exe
Token: SeLoadDriverPrivilege	4816	Lavasoft.WCAssistant.WinService.exe
Token: SeSystemtimePrivilege	4816	Lavasoft.WCAssistant.WinService.exe
Token: SeBackupPrivilege	4816	Lavasoft.WCAssistant.WinService.exe
Token: SeRestorePrivilege	4816	Lavasoft.WCAssistant.WinService.exe
Token: SeShutdownPrivilege	4816	Lavasoft.WCAssistant.WinService.exe
Token: SeSystemEnvironmentPrivilege	4816	Lavasoft.WCAssistant.WinService.exe
Token: SeUndockPrivilege	4816	Lavasoft.WCAssistant.WinService.exe
Token: SeManageVolumePrivilege	4816	Lavasoft.WCAssistant.WinService.exe
Token: SeRestorePrivilege	3676	msiexec.exe
Token: SeTakeOwnershipPrivilege	3676	msiexec.exe
Token: SeSecurityPrivilege	3676	msiexec.exe
Token: SeCreateTokenPrivilege	2212	winzip26-p003.exe
Token: SeAssignPrimaryTokenPrivilege	2212	winzip26-p003.exe
Token: SeLockMemoryPrivilege	2212	winzip26-p003.exe
Token: SeIncreaseQuotaPrivilege	2212	winzip26-p003.exe
Token: SeMachineAccountPrivilege	2212	winzip26-p003.exe
Token: SeTcbPrivilege	2212	winzip26-p003.exe
Token: SeSecurityPrivilege	2212	winzip26-p003.exe
Token: SeTakeOwnershipPrivilege	2212	winzip26-p003.exe
Token: SeLoadDriverPrivilege	2212	winzip26-p003.exe
Token: SeSystemProfilePrivilege	2212	winzip26-p003.exe
Token: SeSystemtimePrivilege	2212	winzip26-p003.exe
Token: SeProfSingleProcessPrivilege	2212	winzip26-p003.exe
Token: SeIncBasePriorityPrivilege	2212	winzip26-p003.exe
Token: SeCreatePagefilePrivilege	2212	winzip26-p003.exe
Token: SeCreatePermanentPrivilege	2212	winzip26-p003.exe
Token: SeBackupPrivilege	2212	winzip26-p003.exe
Token: SeRestorePrivilege	2212	winzip26-p003.exe
Token: SeShutdownPrivilege	2212	winzip26-p003.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe

Suspicious use of SetWindowsHookAW 1 IoCs

pid	Process
4044	winzip64.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
4216	mediaget_installer_456.exe
4216	mediaget_installer_456.exe
4928	mediaget.exe
4928	mediaget.exe
4928	mediaget.exe
4928	mediaget.exe
4928	mediaget.exe
4928	mediaget.exe
4928	mediaget.exe
4928	mediaget.exe
4928	mediaget.exe
4928	mediaget.exe
4928	mediaget.exe
4928	mediaget.exe
4928	mediaget.exe
4928	mediaget.exe
4928	mediaget.exe
4928	mediaget.exe
4928	mediaget.exe
4928	mediaget.exe
4928	mediaget.exe
4928	mediaget.exe
4928	mediaget.exe
4928	mediaget.exe
4928	mediaget.exe
4928	mediaget.exe
4928	mediaget.exe
4928	mediaget.exe
4928	mediaget.exe
4928	mediaget.exe
4928	mediaget.exe
4928	mediaget.exe
4928	mediaget.exe
4928	mediaget.exe
4928	mediaget.exe
4928	mediaget.exe
4928	mediaget.exe
4928	mediaget.exe
4928	mediaget.exe
4928	mediaget.exe
4928	mediaget.exe
4928	mediaget.exe
4928	mediaget.exe
4928	mediaget.exe
4928	mediaget.exe
4928	mediaget.exe
4928	mediaget.exe
4928	mediaget.exe
4928	mediaget.exe
4928	mediaget.exe
4928	mediaget.exe
4928	mediaget.exe
4928	mediaget.exe
4928	mediaget.exe
4928	mediaget.exe
4928	mediaget.exe
4928	mediaget.exe
4928	mediaget.exe
4928	mediaget.exe
4928	mediaget.exe
4928	mediaget.exe
4928	mediaget.exe
4928	mediaget.exe
4928	mediaget.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1740 wrote to memory of 656	1740	chrome.exe	27
PID 1740 wrote to memory of 656	1740	chrome.exe	27
PID 1740 wrote to memory of 656	1740	chrome.exe	27
PID 1740 wrote to memory of 364	1740	chrome.exe	28
PID 1740 wrote to memory of 364	1740	chrome.exe	28
PID 1740 wrote to memory of 364	1740	chrome.exe	28
PID 1740 wrote to memory of 364	1740	chrome.exe	28
PID 1740 wrote to memory of 364	1740	chrome.exe	28
PID 1740 wrote to memory of 364	1740	chrome.exe	28
PID 1740 wrote to memory of 364	1740	chrome.exe	28
PID 1740 wrote to memory of 364	1740	chrome.exe	28
PID 1740 wrote to memory of 364	1740	chrome.exe	28
PID 1740 wrote to memory of 364	1740	chrome.exe	28
PID 1740 wrote to memory of 364	1740	chrome.exe	28
PID 1740 wrote to memory of 364	1740	chrome.exe	28
PID 1740 wrote to memory of 364	1740	chrome.exe	28
PID 1740 wrote to memory of 364	1740	chrome.exe	28
PID 1740 wrote to memory of 364	1740	chrome.exe	28
PID 1740 wrote to memory of 364	1740	chrome.exe	28
PID 1740 wrote to memory of 364	1740	chrome.exe	28
PID 1740 wrote to memory of 364	1740	chrome.exe	28
PID 1740 wrote to memory of 364	1740	chrome.exe	28
PID 1740 wrote to memory of 364	1740	chrome.exe	28
PID 1740 wrote to memory of 364	1740	chrome.exe	28
PID 1740 wrote to memory of 364	1740	chrome.exe	28
PID 1740 wrote to memory of 364	1740	chrome.exe	28
PID 1740 wrote to memory of 364	1740	chrome.exe	28
PID 1740 wrote to memory of 364	1740	chrome.exe	28
PID 1740 wrote to memory of 364	1740	chrome.exe	28
PID 1740 wrote to memory of 364	1740	chrome.exe	28
PID 1740 wrote to memory of 364	1740	chrome.exe	28
PID 1740 wrote to memory of 364	1740	chrome.exe	28
PID 1740 wrote to memory of 364	1740	chrome.exe	28
PID 1740 wrote to memory of 364	1740	chrome.exe	28
PID 1740 wrote to memory of 364	1740	chrome.exe	28
PID 1740 wrote to memory of 364	1740	chrome.exe	28
PID 1740 wrote to memory of 364	1740	chrome.exe	28
PID 1740 wrote to memory of 364	1740	chrome.exe	28
PID 1740 wrote to memory of 364	1740	chrome.exe	28
PID 1740 wrote to memory of 364	1740	chrome.exe	28
PID 1740 wrote to memory of 364	1740	chrome.exe	28
PID 1740 wrote to memory of 364	1740	chrome.exe	28
PID 1740 wrote to memory of 364	1740	chrome.exe	28
PID 1740 wrote to memory of 364	1740	chrome.exe	28
PID 1740 wrote to memory of 1088	1740	chrome.exe	29
PID 1740 wrote to memory of 1088	1740	chrome.exe	29
PID 1740 wrote to memory of 1088	1740	chrome.exe	29
PID 1740 wrote to memory of 1092	1740	chrome.exe	30
PID 1740 wrote to memory of 1092	1740	chrome.exe	30
PID 1740 wrote to memory of 1092	1740	chrome.exe	30
PID 1740 wrote to memory of 1092	1740	chrome.exe	30
PID 1740 wrote to memory of 1092	1740	chrome.exe	30
PID 1740 wrote to memory of 1092	1740	chrome.exe	30
PID 1740 wrote to memory of 1092	1740	chrome.exe	30
PID 1740 wrote to memory of 1092	1740	chrome.exe	30
PID 1740 wrote to memory of 1092	1740	chrome.exe	30
PID 1740 wrote to memory of 1092	1740	chrome.exe	30
PID 1740 wrote to memory of 1092	1740	chrome.exe	30
PID 1740 wrote to memory of 1092	1740	chrome.exe	30
PID 1740 wrote to memory of 1092	1740	chrome.exe	30
PID 1740 wrote to memory of 1092	1740	chrome.exe	30
PID 1740 wrote to memory of 1092	1740	chrome.exe	30
PID 1740 wrote to memory of 1092	1740	chrome.exe	30
PID 1740 wrote to memory of 1092	1740	chrome.exe	30

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
PID:1408
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" https://youtube.com
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:1740
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef62d4f50,0x7fef62d4f60,0x7fef62d4f70
    3⤵
    PID:656
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1108,10833995548945514907,6315520201489338686,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1124 /prefetch:2
    3⤵
    PID:364
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1108,10833995548945514907,6315520201489338686,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1328 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1088
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1108,10833995548945514907,6315520201489338686,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1716 /prefetch:8
    3⤵
    PID:1092
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1108,10833995548945514907,6315520201489338686,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2012 /prefetch:1
    3⤵
    PID:992
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1108,10833995548945514907,6315520201489338686,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2004 /prefetch:1
    3⤵
    PID:1636
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1108,10833995548945514907,6315520201489338686,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=swiftshader-webgl --mojo-platform-channel-handle=2276 /prefetch:2
    3⤵
    PID:800
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1108,10833995548945514907,6315520201489338686,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2920 /prefetch:8
    3⤵
    PID:1784
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1108,10833995548945514907,6315520201489338686,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3132 /prefetch:1
    3⤵
    PID:1176
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1108,10833995548945514907,6315520201489338686,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1
    3⤵
    PID:2060
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1108,10833995548945514907,6315520201489338686,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:1
    3⤵
    PID:2068
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1108,10833995548945514907,6315520201489338686,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3408 /prefetch:8
    3⤵
    PID:2080
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1108,10833995548945514907,6315520201489338686,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4348 /prefetch:8
    3⤵
    PID:2244
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1108,10833995548945514907,6315520201489338686,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4156 /prefetch:8
    3⤵
    PID:2236
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1108,10833995548945514907,6315520201489338686,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4440 /prefetch:8
    3⤵
    PID:2256
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1108,10833995548945514907,6315520201489338686,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4708 /prefetch:8
    3⤵
    PID:2356
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1108,10833995548945514907,6315520201489338686,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4744 /prefetch:8
    3⤵
    PID:2396
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1108,10833995548945514907,6315520201489338686,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4612 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2440
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1108,10833995548945514907,6315520201489338686,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4632 /prefetch:8
    3⤵
    PID:2448
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1108,10833995548945514907,6315520201489338686,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4416 /prefetch:8
    3⤵
    PID:2456
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1108,10833995548945514907,6315520201489338686,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4724 /prefetch:8
    3⤵
    PID:2528
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1108,10833995548945514907,6315520201489338686,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4556 /prefetch:8
    3⤵
    PID:2520
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1108,10833995548945514907,6315520201489338686,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4488 /prefetch:8
    3⤵
    PID:2636
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1108,10833995548945514907,6315520201489338686,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4460 /prefetch:8
    3⤵
    PID:2628
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1108,10833995548945514907,6315520201489338686,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4444 /prefetch:1
    3⤵
    PID:2700
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1108,10833995548945514907,6315520201489338686,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4188 /prefetch:1
    3⤵
    PID:2760
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1108,10833995548945514907,6315520201489338686,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4608 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2848
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1108,10833995548945514907,6315520201489338686,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4496 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2892
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1108,10833995548945514907,6315520201489338686,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2096 /prefetch:8
    3⤵
    PID:2988
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1108,10833995548945514907,6315520201489338686,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2076 /prefetch:8
    3⤵
    PID:2996
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1108,10833995548945514907,6315520201489338686,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2040 /prefetch:8
    3⤵
    PID:2980
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1108,10833995548945514907,6315520201489338686,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2080 /prefetch:8
    3⤵
    PID:2164
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1108,10833995548945514907,6315520201489338686,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2408 /prefetch:8
    3⤵
    PID:2172
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1108,10833995548945514907,6315520201489338686,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3212 /prefetch:8
    3⤵
    PID:2244
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1108,10833995548945514907,6315520201489338686,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4564 /prefetch:8
    3⤵
    PID:2320
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1108,10833995548945514907,6315520201489338686,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1972 /prefetch:8
    3⤵
    PID:2364
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1108,10833995548945514907,6315520201489338686,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1964 /prefetch:1
    3⤵
    PID:2404
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1108,10833995548945514907,6315520201489338686,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3128 /prefetch:1
    3⤵
    PID:2480
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1108,10833995548945514907,6315520201489338686,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3104 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2488
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1108,10833995548945514907,6315520201489338686,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=764 /prefetch:1
    3⤵
    PID:2632
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1108,10833995548945514907,6315520201489338686,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3420 /prefetch:8
    3⤵
    PID:2540
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1108,10833995548945514907,6315520201489338686,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=964 /prefetch:1
    3⤵
    PID:2736
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1108,10833995548945514907,6315520201489338686,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4376 /prefetch:8
    3⤵
    PID:2784
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1108,10833995548945514907,6315520201489338686,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3980 /prefetch:8
    3⤵
    PID:2792
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1108,10833995548945514907,6315520201489338686,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=45 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3184 /prefetch:1
    3⤵
    PID:2876
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1108,10833995548945514907,6315520201489338686,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4556 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:916
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1108,10833995548945514907,6315520201489338686,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4024 /prefetch:8
    3⤵
    PID:2168
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1108,10833995548945514907,6315520201489338686,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4376 /prefetch:8
    3⤵
    PID:2084
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1108,10833995548945514907,6315520201489338686,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3688 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2980
- - C:\Users\Admin\Downloads\DriverPack-17-Online_1012066879.1641671226__mg4zwr1bli7w3yb.exe
    "C:\Users\Admin\Downloads\DriverPack-17-Online_1012066879.1641671226__mg4zwr1bli7w3yb.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    PID:2248
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Program Files (x86)\DriverPack\start.bat" "DriverPack-17-Online_1012066879.1641671226__mg4zwr1bli7w3yb.exe""
      4⤵
      PID:2116
    - - C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\SysWOW64\mshta.exe" "C:\Program Files (x86)\DriverPack\run.hta" --sfx "DriverPack-17-Online_1012066879.1641671226__mg4zwr1bli7w3yb.exe"
        5⤵
        Blocklisted process makes network request
        Adds Run key to start application
        Checks for any installed AV software in registry
        Modifies Internet Explorer settings
        Modifies system certificate store
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        
        PID:1968
      - C:\Windows\SysWOW64\rundll32.exe
        
        rundll32 kernel32,Sleep
        6⤵
        
        PID:2128
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c "netsh advfirewall firewall delete rule name="DriverPack aria2c.exe" || echo Done & call echo Done %^errorLevel% > "C:\Users\Admin\AppData\Roaming\DRPSu\temp\run_command_71517.txt""
        6⤵
        
        PID:964
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall delete rule name="DriverPack aria2c.exe"
        7⤵
        
        PID:1104
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c "netsh advfirewall firewall add rule name="DriverPack aria2c.exe" dir=in action=allow program="C:\Program Files (x86)\DriverPack\tools\aria2c.exe" || echo Done & call echo Done %^errorLevel% > "C:\Users\Admin\AppData\Roaming\DRPSu\temp\run_command_38174.txt""
        6⤵
        
        PID:3000
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="DriverPack aria2c.exe" dir=in action=allow program="C:\Program Files (x86)\DriverPack\tools\aria2c.exe"
        7⤵
        
        PID:3032
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ""tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/START-INITIAL-1.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_33095.log" & echo DONE > "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_finished_33095.txt""
        6⤵
        Loads dropped DLL
        
        PID:2388
        
        C:\Program Files (x86)\DriverPack\tools\driverpack-wget.exe
        
        "tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/START-INITIAL-1.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_33095.log"
        7⤵
        Executes dropped EXE
        
        PID:864
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ""tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/START-LOADED-1.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_78944.log" & echo DONE > "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_finished_78944.txt""
        6⤵
        Loads dropped DLL
        
        PID:1388
        
        C:\Program Files (x86)\DriverPack\tools\driverpack-wget.exe
        
        "tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/START-LOADED-1.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_78944.log"
        7⤵
        Executes dropped EXE
        
        PID:2252
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ""tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/START-SETUP-1.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_96395.log" & echo DONE > "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_finished_96395.txt""
        6⤵
        Loads dropped DLL
        
        PID:2292
        
        C:\Program Files (x86)\DriverPack\tools\driverpack-wget.exe
        
        "tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/START-SETUP-1.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_96395.log"
        7⤵
        Executes dropped EXE
        
        PID:2008
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ""tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/intro.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_96403.log" & echo DONE > "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_finished_96403.txt""
        6⤵
        Loads dropped DLL
        
        PID:2376
        
        C:\Program Files (x86)\DriverPack\tools\driverpack-wget.exe
        
        "tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/intro.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_96403.log"
        7⤵
        Executes dropped EXE
        
        PID:1480
      - C:\Windows\SysWOW64\net.exe
        
        "C:\Windows\System32\net.exe" start wscsvc
        6⤵
        
        PID:2452
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 start wscsvc
        7⤵
        
        PID:2684
      - C:\Windows\SysWOW64\net.exe
        
        "C:\Windows\System32\net.exe" start wscsvc
        6⤵
        
        PID:2448
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 start wscsvc
        7⤵
        
        PID:740
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ""tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/EXPERT-DRIVERS-1.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_82723.log" & echo DONE > "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_finished_82723.txt""
        6⤵
        
        PID:2284
        
        C:\Program Files (x86)\DriverPack\tools\driverpack-wget.exe
        
        "tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/EXPERT-DRIVERS-1.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_82723.log"
        7⤵
        
        PID:1332
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ""tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/EXPERT-DRIVERS-2.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_14675.log" & echo DONE > "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_finished_14675.txt""
        6⤵
        
        PID:2376
        
        C:\Program Files (x86)\DriverPack\tools\driverpack-wget.exe
        
        "tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/EXPERT-DRIVERS-2.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_14675.log"
        7⤵
        Executes dropped EXE
        
        PID:2880
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ""tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/EXPERT-DRIVERS-3.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_22175.log" & echo DONE > "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_finished_22175.txt""
        6⤵
        Loads dropped DLL
        
        PID:2684
        
        C:\Program Files (x86)\DriverPack\tools\driverpack-wget.exe
        
        "tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/EXPERT-DRIVERS-3.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_22175.log"
        7⤵
        Executes dropped EXE
        
        PID:2412
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ""tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/TEAM-PROOF-1.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_27607.log" & echo DONE > "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_finished_27607.txt""
        6⤵
        Loads dropped DLL
        
        PID:1616
        
        C:\Program Files (x86)\DriverPack\tools\driverpack-wget.exe
        
        "tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/TEAM-PROOF-1.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_27607.log"
        7⤵
        Executes dropped EXE
        
        PID:2276
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ""tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/TEAM-PROOF-2.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_86443.log" & echo DONE > "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_finished_86443.txt""
        6⤵
        
        PID:2572
        
        C:\Program Files (x86)\DriverPack\tools\driverpack-wget.exe
        
        "tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/TEAM-PROOF-2.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_86443.log"
        7⤵
        
        PID:2568
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ""tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/CONTINUOUS-2.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_48083.log" & echo DONE > "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_finished_48083.txt""
        6⤵
        
        PID:2396
        
        C:\Program Files (x86)\DriverPack\tools\driverpack-wget.exe
        
        "tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/CONTINUOUS-2.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_48083.log"
        7⤵
        
        PID:2692
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ""tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/TEAM-PROOF-3.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_57282.log" & echo DONE > "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_finished_57282.txt""
        6⤵
        Loads dropped DLL
        
        PID:2312
        
        C:\Program Files (x86)\DriverPack\tools\driverpack-wget.exe
        
        "tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/TEAM-PROOF-3.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_57282.log"
        7⤵
        
        PID:2672
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ""tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/CONTINUOUS-1.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_57059.log" & echo DONE > "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_finished_57059.txt""
        6⤵
        
        PID:2408
        
        C:\Program Files (x86)\DriverPack\tools\driverpack-wget.exe
        
        "tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/CONTINUOUS-1.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_57059.log"
        7⤵
        
        PID:2668
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ""tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/ANTIVIRUS-3.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_54064.log" & echo DONE > "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_finished_54064.txt""
        6⤵
        
        PID:1912
        
        C:\Program Files (x86)\DriverPack\tools\driverpack-wget.exe
        
        "tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/ANTIVIRUS-3.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_54064.log"
        7⤵
        
        PID:2328
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ""tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/ANTIVIRUS-2.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_73643.log" & echo DONE > "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_finished_73643.txt""
        6⤵
        
        PID:2428
        
        C:\Program Files (x86)\DriverPack\tools\driverpack-wget.exe
        
        "tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/ANTIVIRUS-2.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_73643.log"
        7⤵
        Executes dropped EXE
        
        PID:2696
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ""tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/ANTIVIRUS-1.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_52481.log" & echo DONE > "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_finished_52481.txt""
        6⤵
        Loads dropped DLL
        
        PID:2060
        
        C:\Program Files (x86)\DriverPack\tools\driverpack-wget.exe
        
        "tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/ANTIVIRUS-1.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_52481.log"
        7⤵
        Executes dropped EXE
        
        PID:2688
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ""tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/CONTINUOUS-3.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_44118.log" & echo DONE > "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_finished_44118.txt""
        6⤵
        
        PID:740
        
        C:\Program Files (x86)\DriverPack\tools\driverpack-wget.exe
        
        "tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/CONTINUOUS-3.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_44118.log"
        7⤵
        
        PID:1480
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ""tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/EXPERT-DRIVERS-1.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_40110.log" & echo DONE > "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_finished_40110.txt""
        6⤵
        Loads dropped DLL
        
        PID:1952
        
        C:\Program Files (x86)\DriverPack\tools\driverpack-wget.exe
        
        "tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/EXPERT-DRIVERS-1.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_40110.log"
        7⤵
        Executes dropped EXE
        
        PID:2612
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ""tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/EXPERT-DRIVERS-3.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_56565.log" & echo DONE > "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_finished_56565.txt""
        6⤵
        Loads dropped DLL
        
        PID:2616
        
        C:\Program Files (x86)\DriverPack\tools\driverpack-wget.exe
        
        "tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/EXPERT-DRIVERS-3.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_56565.log"
        7⤵
        
        PID:1540
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ""tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/EXPERT-DRIVERS-2.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_46326.log" & echo DONE > "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_finished_46326.txt""
        6⤵
        
        PID:2572
        
        C:\Program Files (x86)\DriverPack\tools\driverpack-wget.exe
        
        "tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/EXPERT-DRIVERS-2.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_46326.log"
        7⤵
        Executes dropped EXE
        
        PID:2948
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ""tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/EXPERT-PROGRAMS_CHECKBOX_USED-2.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_63453.log" & echo DONE > "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_finished_63453.txt""
        6⤵
        
        PID:2580
        
        C:\Program Files (x86)\DriverPack\tools\driverpack-wget.exe
        
        "tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/EXPERT-PROGRAMS_CHECKBOX_USED-2.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_63453.log"
        7⤵
        
        PID:636
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ""tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/EXPERT-PROGRAMS_CHECKBOX_USED-1.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_21236.log" & echo DONE > "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_finished_21236.txt""
        6⤵
        
        PID:2604
        
        C:\Program Files (x86)\DriverPack\tools\driverpack-wget.exe
        
        "tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/EXPERT-PROGRAMS_CHECKBOX_USED-1.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_21236.log"
        7⤵
        Executes dropped EXE
        
        PID:2540
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ""tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/EXPERT-PROTECT-1.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_90989.log" & echo DONE > "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_finished_90989.txt""
        6⤵
        
        PID:740
        
        C:\Program Files (x86)\DriverPack\tools\driverpack-wget.exe
        
        "tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/EXPERT-PROTECT-1.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_90989.log"
        7⤵
        
        PID:1644
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ""tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/EXPERT-PROTECT-3.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_33360.log" & echo DONE > "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_finished_33360.txt""
        6⤵
        Loads dropped DLL
        
        PID:2676
        
        C:\Program Files (x86)\DriverPack\tools\driverpack-wget.exe
        
        "tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/EXPERT-PROTECT-3.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_33360.log"
        7⤵
        
        PID:3028
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ""tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/EXPERT-PROTECT-2.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_87734.log" & echo DONE > "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_finished_87734.txt""
        6⤵
        
        PID:2436
        
        C:\Program Files (x86)\DriverPack\tools\driverpack-wget.exe
        
        "tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/EXPERT-PROTECT-2.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_87734.log"
        7⤵
        
        PID:2004
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ""tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/EXPERT-DIAGNOSTICS-1.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_67012.log" & echo DONE > "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_finished_67012.txt""
        6⤵
        
        PID:2408
        
        C:\Program Files (x86)\DriverPack\tools\driverpack-wget.exe
        
        "tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/EXPERT-DIAGNOSTICS-1.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_67012.log"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2580
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ""tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/EXPERT-DIAGNOSTICS-2.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_84494.log" & echo DONE > "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_finished_84494.txt""
        6⤵
        
        PID:1792
        
        C:\Program Files (x86)\DriverPack\tools\driverpack-wget.exe
        
        "tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/EXPERT-DIAGNOSTICS-2.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_84494.log"
        7⤵
        Executes dropped EXE
        
        PID:2264
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ""tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/EXPERT-DIAGNOSTICS-3.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_83356.log" & echo DONE > "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_finished_83356.txt""
        6⤵
        Loads dropped DLL
        
        PID:2740
        
        C:\Program Files (x86)\DriverPack\tools\driverpack-wget.exe
        
        "tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/EXPERT-DIAGNOSTICS-3.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_83356.log"
        7⤵
        Executes dropped EXE
        
        PID:2824
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ""tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/EXPERT-DIAGNOSTICS-5.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_92375.log" & echo DONE > "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_finished_92375.txt""
        6⤵
        Loads dropped DLL
        
        PID:2604
        
        C:\Program Files (x86)\DriverPack\tools\driverpack-wget.exe
        
        "tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/EXPERT-DIAGNOSTICS-5.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_92375.log"
        7⤵
        
        PID:924
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ""tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/EXPERT-DIAGNOSTICS-4.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_46873.log" & echo DONE > "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_finished_46873.txt""
        6⤵
        Loads dropped DLL
        
        PID:2872
        
        C:\Program Files (x86)\DriverPack\tools\driverpack-wget.exe
        
        "tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/EXPERT-DIAGNOSTICS-4.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_46873.log"
        7⤵
        
        PID:2348
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ""tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/EXPERT-DIAGNOSTICS-6.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_50439.log" & echo DONE > "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_finished_50439.txt""
        6⤵
        
        PID:972
        
        C:\Program Files (x86)\DriverPack\tools\driverpack-wget.exe
        
        "tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/EXPERT-DIAGNOSTICS-6.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_50439.log"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1912
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ""tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/EXPERT-CONFIGURATOR-1.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_64658.log" & echo DONE > "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_finished_64658.txt""
        6⤵
        Loads dropped DLL
        
        PID:2452
        
        C:\Program Files (x86)\DriverPack\tools\driverpack-wget.exe
        
        "tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/EXPERT-CONFIGURATOR-1.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_64658.log"
        7⤵
        
        PID:1564
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ""tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/EXPERT-CONFIGURATOR-2.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_36097.log" & echo DONE > "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_finished_36097.txt""
        6⤵
        Loads dropped DLL
        
        PID:2232
        
        C:\Program Files (x86)\DriverPack\tools\driverpack-wget.exe
        
        "tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/EXPERT-CONFIGURATOR-2.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_36097.log"
        7⤵
        
        PID:2704
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ""tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/EXPERT-CONFIGURATOR-3.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_16591.log" & echo DONE > "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_finished_16591.txt""
        6⤵
        
        PID:1816
        
        C:\Program Files (x86)\DriverPack\tools\driverpack-wget.exe
        
        "tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/EXPERT-CONFIGURATOR-3.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_16591.log"
        7⤵
        
        PID:2652
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ""tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/EXPERT-SETTINGS-1.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_38768.log" & echo DONE > "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_finished_38768.txt""
        6⤵
        
        PID:1480
        
        C:\Program Files (x86)\DriverPack\tools\driverpack-wget.exe
        
        "tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/EXPERT-SETTINGS-1.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_38768.log"
        7⤵
        Executes dropped EXE
        
        PID:2692
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ""tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/TEAM-PROOF-1.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_76066.log" & echo DONE > "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_finished_76066.txt""
        6⤵
        Loads dropped DLL
        
        PID:1636
        
        C:\Program Files (x86)\DriverPack\tools\driverpack-wget.exe
        
        "tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/TEAM-PROOF-1.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_76066.log"
        7⤵
        Executes dropped EXE
        
        PID:2668
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ""tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/TEAM-PROOF-2.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_24846.log" & echo DONE > "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_finished_24846.txt""
        6⤵
        
        PID:2896
        
        C:\Program Files (x86)\DriverPack\tools\driverpack-wget.exe
        
        "tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/TEAM-PROOF-2.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_24846.log"
        7⤵
        Executes dropped EXE
        
        PID:692
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ""tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/TEAM-PROOF-3.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_97756.log" & echo DONE > "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_finished_97756.txt""
        6⤵
        
        PID:2436
        
        C:\Program Files (x86)\DriverPack\tools\driverpack-wget.exe
        
        "tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/TEAM-PROOF-3.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_97756.log"
        7⤵
        
        PID:2680
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ""tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/CONTINUOUS-1.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_12292.log" & echo DONE > "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_finished_12292.txt""
        6⤵
        Loads dropped DLL
        
        PID:2396
        
        C:\Program Files (x86)\DriverPack\tools\driverpack-wget.exe
        
        "tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/CONTINUOUS-1.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_12292.log"
        7⤵
        
        PID:2652
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ""tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/CONTINUOUS-2.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_11682.log" & echo DONE > "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_finished_11682.txt""
        6⤵
        
        PID:2348
        
        C:\Program Files (x86)\DriverPack\tools\driverpack-wget.exe
        
        "tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/CONTINUOUS-2.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_11682.log"
        7⤵
        
        PID:1792
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ""tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/CONTINUOUS-3.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_98286.log" & echo DONE > "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_finished_98286.txt""
        6⤵
        
        PID:1816
        
        C:\Program Files (x86)\DriverPack\tools\driverpack-wget.exe
        
        "tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/CONTINUOUS-3.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_98286.log"
        7⤵
        
        PID:2372
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ""tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/ANTIVIRUS-2.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_13151.log" & echo DONE > "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_finished_13151.txt""
        6⤵
        Loads dropped DLL
        
        PID:2892
        
        C:\Program Files (x86)\DriverPack\tools\driverpack-wget.exe
        
        "tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/ANTIVIRUS-2.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_13151.log"
        7⤵
        
        PID:1848
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ""tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/ANTIVIRUS-3.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_48913.log" & echo DONE > "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_finished_48913.txt""
        6⤵
        
        PID:924
        
        C:\Program Files (x86)\DriverPack\tools\driverpack-wget.exe
        
        "tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/ANTIVIRUS-3.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_48913.log"
        7⤵
        Executes dropped EXE
        
        PID:2240
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ""tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/ANTIVIRUS-1.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_25489.log" & echo DONE > "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_finished_25489.txt""
        6⤵
        
        PID:2212
        
        C:\Program Files (x86)\DriverPack\tools\driverpack-wget.exe
        
        "tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/ANTIVIRUS-1.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_25489.log"
        7⤵
        
        PID:972
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ""tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/COMPILATION-1.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_79096.log" & echo DONE > "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_finished_79096.txt""
        6⤵
        
        PID:1720
        
        C:\Program Files (x86)\DriverPack\tools\driverpack-wget.exe
        
        "tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/COMPILATION-1.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_79096.log"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2428
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ""tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/COMPILATION-2.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_74802.log" & echo DONE > "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_finished_74802.txt""
        6⤵
        
        PID:1644
        
        C:\Program Files (x86)\DriverPack\tools\driverpack-wget.exe
        
        "tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/COMPILATION-2.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_74802.log"
        7⤵
        
        PID:972
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ""tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/COMPILATION-3.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_94572.log" & echo DONE > "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_finished_94572.txt""
        6⤵
        
        PID:960
        
        C:\Program Files (x86)\DriverPack\tools\driverpack-wget.exe
        
        "tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/COMPILATION-3.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_94572.log"
        7⤵
        Executes dropped EXE
        
        PID:2168
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ""tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/SERVICE_MODE-2.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_45379.log" & echo DONE > "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_finished_45379.txt""
        6⤵
        
        PID:2284
        
        C:\Program Files (x86)\DriverPack\tools\driverpack-wget.exe
        
        "tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/SERVICE_MODE-2.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_45379.log"
        7⤵
        
        PID:2652
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ""tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/SERVICE_MODE-1.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_17611.log" & echo DONE > "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_finished_17611.txt""
        6⤵
        
        PID:2572
        
        C:\Program Files (x86)\DriverPack\tools\driverpack-wget.exe
        
        "tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/SERVICE_MODE-1.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_17611.log"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        
        PID:2348
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ""tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/ISTART_1.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_62009.log" & echo DONE > "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_finished_62009.txt""
        6⤵
        
        PID:1980
        
        C:\Program Files (x86)\DriverPack\tools\driverpack-wget.exe
        
        "tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/ISTART_1.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_62009.log"
        7⤵
        
        PID:924
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ""tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/ISTART_2.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_81626.log" & echo DONE > "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_finished_81626.txt""
        6⤵
        Loads dropped DLL
        
        PID:2108
        
        C:\Program Files (x86)\DriverPack\tools\driverpack-wget.exe
        
        "tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/ISTART_2.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_81626.log"
        7⤵
        
        PID:2896
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ""tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/ISTART_3.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_22170.log" & echo DONE > "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_finished_22170.txt""
        6⤵
        
        PID:1388
        
        C:\Program Files (x86)\DriverPack\tools\driverpack-wget.exe
        
        "tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/ISTART_3.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_22170.log"
        7⤵
        
        PID:1984
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ""tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/ISTART_4.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_4043.log" & echo DONE > "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_finished_4043.txt""
        6⤵
        Loads dropped DLL
        
        PID:2596
        
        C:\Program Files (x86)\DriverPack\tools\driverpack-wget.exe
        
        "tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/ISTART_4.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_4043.log"
        7⤵
        
        PID:2844
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ""tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/WAITING-1.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_19002.log" & echo DONE > "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_finished_19002.txt""
        6⤵
        Loads dropped DLL
        
        PID:2212
        
        C:\Program Files (x86)\DriverPack\tools\driverpack-wget.exe
        
        "tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/WAITING-1.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_19002.log"
        7⤵
        
        PID:2352
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ""tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/WAITING-2.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_96562.log" & echo DONE > "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_finished_96562.txt""
        6⤵
        
        PID:2292
        
        C:\Program Files (x86)\DriverPack\tools\driverpack-wget.exe
        
        "tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/WAITING-2.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_96562.log"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        
        PID:2408
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ""tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/DRIVERS-1.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_87281.log" & echo DONE > "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_finished_87281.txt""
        6⤵
        Loads dropped DLL
        
        PID:2284
        
        C:\Program Files (x86)\DriverPack\tools\driverpack-wget.exe
        
        "tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/DRIVERS-1.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_87281.log"
        7⤵
        Executes dropped EXE
        
        PID:2744
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ""tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/DRIVERS-2.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_86544.log" & echo DONE > "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_finished_86544.txt""
        6⤵
        
        PID:1792
        
        C:\Program Files (x86)\DriverPack\tools\driverpack-wget.exe
        
        "tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/DRIVERS-2.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_86544.log"
        7⤵
        
        PID:2552
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ""tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/FIREFOX_1.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_67966.log" & echo DONE > "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_finished_67966.txt""
        6⤵
        Blocklisted process makes network request
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1540
        
        C:\Program Files (x86)\DriverPack\tools\driverpack-wget.exe
        
        "tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/FIREFOX_1.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_67966.log"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1720
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ""tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/FIREFOX_2.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_35210.log" & echo DONE > "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_finished_35210.txt""
        6⤵
        Loads dropped DLL
        
        PID:1816
        
        C:\Program Files (x86)\DriverPack\tools\driverpack-wget.exe
        
        "tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/FIREFOX_2.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_35210.log"
        7⤵
        Executes dropped EXE
        
        PID:744
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ""tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/FIREFOX_3.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_90299.log" & echo DONE > "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_finished_90299.txt""
        6⤵
        
        PID:924
        
        C:\Program Files (x86)\DriverPack\tools\driverpack-wget.exe
        
        "tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/FIREFOX_3.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_90299.log"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1480
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ""tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/FIREFOX_4.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_73830.log" & echo DONE > "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_finished_73830.txt""
        6⤵
        
        PID:1644
        
        C:\Program Files (x86)\DriverPack\tools\driverpack-wget.exe
        
        "tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/FIREFOX_4.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_73830.log"
        7⤵
        
        PID:1564
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ""tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/UTILS-1.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_22429.log" & echo DONE > "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_finished_22429.txt""
        6⤵
        
        PID:1744
        
        C:\Program Files (x86)\DriverPack\tools\driverpack-wget.exe
        
        "tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/UTILS-1.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_22429.log"
        7⤵
        Executes dropped EXE
        
        PID:2384
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ""tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/UTILS-2.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_34935.log" & echo DONE > "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_finished_34935.txt""
        6⤵
        
        PID:956
        
        C:\Program Files (x86)\DriverPack\tools\driverpack-wget.exe
        
        "tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/UTILS-2.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_34935.log"
        7⤵
        Executes dropped EXE
        
        PID:2732
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ""tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/RELIABILITY-1.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_63599.log" & echo DONE > "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_finished_63599.txt""
        6⤵
        
        PID:2364
        
        C:\Program Files (x86)\DriverPack\tools\driverpack-wget.exe
        
        "tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/RELIABILITY-1.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_63599.log"
        7⤵
        Executes dropped EXE
        
        PID:2844
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ""tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/RELIABILITY-2.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_50401.log" & echo DONE > "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_finished_50401.txt""
        6⤵
        Loads dropped DLL
        
        PID:2292
        
        C:\Program Files (x86)\DriverPack\tools\driverpack-wget.exe
        
        "tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/RELIABILITY-2.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_50401.log"
        7⤵
        
        PID:2928
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ""tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/RELIABILITY-3.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_62530.log" & echo DONE > "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_finished_62530.txt""
        6⤵
        
        PID:1924
        
        C:\Program Files (x86)\DriverPack\tools\driverpack-wget.exe
        
        "tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/RELIABILITY-3.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_62530.log"
        7⤵
        
        PID:2572
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ""tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/CHECKING-1.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_31735.log" & echo DONE > "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_finished_31735.txt""
        6⤵
        
        PID:3020
        
        C:\Program Files (x86)\DriverPack\tools\driverpack-wget.exe
        
        "tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/CHECKING-1.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_31735.log"
        7⤵
        
        PID:2636
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ""tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/CHECKING-2.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_98840.log" & echo DONE > "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_finished_98840.txt""
        6⤵
        
        PID:3036
        
        C:\Program Files (x86)\DriverPack\tools\driverpack-wget.exe
        
        "tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/CHECKING-2.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_98840.log"
        7⤵
        
        PID:972
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ""tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/REVIEWS-1.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_33564.log" & echo DONE > "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_finished_33564.txt""
        6⤵
        Blocklisted process makes network request
        Executes dropped EXE
        
        PID:636
        
        C:\Program Files (x86)\DriverPack\tools\driverpack-wget.exe
        
        "tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/REVIEWS-1.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_33564.log"
        7⤵
        
        PID:2936
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ""tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/REVIEWS-2.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_32479.log" & echo DONE > "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_finished_32479.txt""
        6⤵
        
        PID:960
        
        C:\Program Files (x86)\DriverPack\tools\driverpack-wget.exe
        
        "tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/REVIEWS-2.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_32479.log"
        7⤵
        
        PID:2904
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ""tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/STORIES-all-1.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_64373.log" & echo DONE > "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_finished_64373.txt""
        6⤵
        
        PID:1792
        
        C:\Program Files (x86)\DriverPack\tools\driverpack-wget.exe
        
        "tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/STORIES-all-1.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_64373.log"
        7⤵
        Executes dropped EXE
        
        PID:2004
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ""tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/STORIES-adout-1.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_61704.log" & echo DONE > "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_finished_61704.txt""
        6⤵
        
        PID:2208
        
        C:\Program Files (x86)\DriverPack\tools\driverpack-wget.exe
        
        "tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/STORIES-adout-1.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_61704.log"
        7⤵
        
        PID:1068
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ""tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/STORIES-adout-3.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_23316.log" & echo DONE > "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_finished_23316.txt""
        6⤵
        
        PID:2572
        
        C:\Program Files (x86)\DriverPack\tools\driverpack-wget.exe
        
        "tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/STORIES-adout-3.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_23316.log"
        7⤵
        
        PID:3108
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ""tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/STORIES-adout-4.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_86415.log" & echo DONE > "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_finished_86415.txt""
        6⤵
        
        PID:2552
        
        C:\Program Files (x86)\DriverPack\tools\driverpack-wget.exe
        
        "tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/STORIES-adout-4.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_86415.log"
        7⤵
        
        PID:3156
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ""tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/STORIES-adout-6.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_30471.log" & echo DONE > "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_finished_30471.txt""
        6⤵
        
        PID:3092
        
        C:\Program Files (x86)\DriverPack\tools\driverpack-wget.exe
        
        "tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/STORIES-adout-6.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_30471.log"
        7⤵
        
        PID:3168
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ""tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/STORIES-adout-5.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_46764.log" & echo DONE > "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_finished_46764.txt""
        6⤵
        
        PID:3080
        
        C:\Program Files (x86)\DriverPack\tools\driverpack-wget.exe
        
        "tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/STORIES-adout-5.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_46764.log"
        7⤵
        
        PID:3192
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ""tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/STORIES-adout-10.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_70692.log" & echo DONE > "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_finished_70692.txt""
        6⤵
        
        PID:3276
        
        C:\Program Files (x86)\DriverPack\tools\driverpack-wget.exe
        
        "tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/STORIES-adout-10.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_70692.log"
        7⤵
        
        PID:3340
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ""tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/STORIES-adout-9.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_65197.log" & echo DONE > "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_finished_65197.txt""
        6⤵
        
        PID:3296
        
        C:\Program Files (x86)\DriverPack\tools\driverpack-wget.exe
        
        "tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/STORIES-adout-9.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_65197.log"
        7⤵
        
        PID:3404
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ""tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/STORIES-adout-8.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_96378.log" & echo DONE > "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_finished_96378.txt""
        6⤵
        
        PID:3328
        
        C:\Program Files (x86)\DriverPack\tools\driverpack-wget.exe
        
        "tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/STORIES-adout-8.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_96378.log"
        7⤵
        
        PID:3444
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ""tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/STORIES-adout-7.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_4695.log" & echo DONE > "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_finished_4695.txt""
        6⤵
        
        PID:3368
        
        C:\Program Files (x86)\DriverPack\tools\driverpack-wget.exe
        
        "tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/STORIES-adout-7.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_4695.log"
        7⤵
        
        PID:3424
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ""tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/STORIES-technologies-1.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_68015.log" & echo DONE > "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_finished_68015.txt""
        6⤵
        
        PID:3508
        
        C:\Program Files (x86)\DriverPack\tools\driverpack-wget.exe
        
        "tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/STORIES-technologies-1.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_68015.log"
        7⤵
        
        PID:3572
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ""tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/STORIES-technologies-2.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_21163.log" & echo DONE > "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_finished_21163.txt""
        6⤵
        
        PID:3520
        
        C:\Program Files (x86)\DriverPack\tools\driverpack-wget.exe
        
        "tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/STORIES-technologies-2.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_21163.log"
        7⤵
        
        PID:3596
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ""tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/STORIES-technologies-3.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_76026.log" & echo DONE > "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_finished_76026.txt""
        6⤵
        
        PID:3560
        
        C:\Program Files (x86)\DriverPack\tools\driverpack-wget.exe
        
        "tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/STORIES-technologies-3.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_76026.log"
        7⤵
        
        PID:3684
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ""tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/STORIES-technologies-4.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_91283.log" & echo DONE > "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_finished_91283.txt""
        6⤵
        
        PID:3608
        
        C:\Program Files (x86)\DriverPack\tools\driverpack-wget.exe
        
        "tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/STORIES-technologies-4.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_91283.log"
        7⤵
        
        PID:3696
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ""tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/STORIES-technologies-5.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_23146.log" & echo DONE > "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_finished_23146.txt""
        6⤵
        
        PID:3632
        
        C:\Program Files (x86)\DriverPack\tools\driverpack-wget.exe
        
        "tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/STORIES-technologies-5.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_23146.log"
        7⤵
        
        PID:3704
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ""tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/STORIES-technologies-18.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_20462.log" & echo DONE > "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_finished_20462.txt""
        6⤵
        
        PID:3780
        
        C:\Program Files (x86)\DriverPack\tools\driverpack-wget.exe
        
        "tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/STORIES-technologies-18.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_20462.log"
        7⤵
        
        PID:3908
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ""tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/STORIES-technologies-17.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_79171.log" & echo DONE > "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_finished_79171.txt""
        6⤵
        
        PID:3808
        
        C:\Program Files (x86)\DriverPack\tools\driverpack-wget.exe
        
        "tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/STORIES-technologies-17.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_79171.log"
        7⤵
        
        PID:3900
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ""tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/STORIES-technologies-16.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_64446.log" & echo DONE > "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_finished_64446.txt""
        6⤵
        
        PID:3832
        
        C:\Program Files (x86)\DriverPack\tools\driverpack-wget.exe
        
        "tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/STORIES-technologies-16.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_64446.log"
        7⤵
        
        PID:3956
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ""tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/STORIES-technologies-15.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_91676.log" & echo DONE > "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_finished_91676.txt""
        6⤵
        
        PID:3868
        
        C:\Program Files (x86)\DriverPack\tools\driverpack-wget.exe
        
        "tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/STORIES-technologies-15.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_91676.log"
        7⤵
        
        PID:3964
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ""tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/STORIES-technologies-14.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_43303.log" & echo DONE > "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_finished_43303.txt""
        6⤵
        
        PID:3888
        
        C:\Program Files (x86)\DriverPack\tools\driverpack-wget.exe
        
        "tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/STORIES-technologies-14.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_43303.log"
        7⤵
        
        PID:3972
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ""tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/STORIES-technologies-13.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_64757.log" & echo DONE > "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_finished_64757.txt""
        6⤵
        
        PID:4064
        
        C:\Program Files (x86)\DriverPack\tools\driverpack-wget.exe
        
        "tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/STORIES-technologies-13.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_64757.log"
        7⤵
        
        PID:3136
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ""tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/STORIES-technologies-12.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_13264.log" & echo DONE > "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_finished_13264.txt""
        6⤵
        
        PID:4088
        
        C:\Program Files (x86)\DriverPack\tools\driverpack-wget.exe
        
        "tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/STORIES-technologies-12.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_13264.log"
        7⤵
        
        PID:2988
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ""tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/STORIES-technologies-11.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_5913.log" & echo DONE > "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_finished_5913.txt""
        6⤵
        
        PID:3124
        
        C:\Program Files (x86)\DriverPack\tools\driverpack-wget.exe
        
        "tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/STORIES-technologies-11.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_5913.log"
        7⤵
        
        PID:3224
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ""tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/STORIES-technologies-10.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_71311.log" & echo DONE > "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_finished_71311.txt""
        6⤵
        
        PID:3076
        
        C:\Program Files (x86)\DriverPack\tools\driverpack-wget.exe
        
        "tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/STORIES-technologies-10.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_71311.log"
        7⤵
        Drops file in Program Files directory
        
        PID:1924
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ""tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/STORIES-technologies-9.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_26581.log" & echo DONE > "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_finished_26581.txt""
        6⤵
        
        PID:1068
        
        C:\Program Files (x86)\DriverPack\tools\driverpack-wget.exe
        
        "tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/STORIES-technologies-9.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_26581.log"
        7⤵
        
        PID:3172
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ""tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/STORIES-technologies-8.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_36023.log" & echo DONE > "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_finished_36023.txt""
        6⤵
        
        PID:3380
        
        C:\Program Files (x86)\DriverPack\tools\driverpack-wget.exe
        
        "tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/STORIES-technologies-8.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_36023.log"
        7⤵
        
        PID:1984
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ""tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/STORIES-technologies-7.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_57625.log" & echo DONE > "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_finished_57625.txt""
        6⤵
        
        PID:3448
        
        C:\Program Files (x86)\DriverPack\tools\driverpack-wget.exe
        
        "tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/STORIES-technologies-7.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_57625.log"
        7⤵
        
        PID:1632
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ""tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/STORIES-technologies-6.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_98145.log" & echo DONE > "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_finished_98145.txt""
        6⤵
        
        PID:3404
        
        C:\Program Files (x86)\DriverPack\tools\driverpack-wget.exe
        
        "tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/STORIES-technologies-6.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_98145.log"
        7⤵
        
        PID:972
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ""tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/STORIES-why-free-1.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_64348.log" & echo DONE > "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_finished_64348.txt""
        6⤵
        
        PID:3616
        
        C:\Program Files (x86)\DriverPack\tools\driverpack-wget.exe
        
        "tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/STORIES-why-free-1.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_64348.log"
        7⤵
        
        PID:3632
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ""tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/STORIES-why-free-3.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_62643.log" & echo DONE > "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_finished_62643.txt""
        6⤵
        
        PID:3512
        
        C:\Program Files (x86)\DriverPack\tools\driverpack-wget.exe
        
        "tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/STORIES-why-free-3.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_62643.log"
        7⤵
        
        PID:3680
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ""tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/STORIES-why-free-2.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_14021.log" & echo DONE > "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_finished_14021.txt""
        6⤵
        
        PID:3692
        
        C:\Program Files (x86)\DriverPack\tools\driverpack-wget.exe
        
        "tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/STORIES-why-free-2.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_14021.log"
        7⤵
        
        PID:3724
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ""tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/STORIES-why-free-4.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_24643.log" & echo DONE > "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_finished_24643.txt""
        6⤵
        
        PID:3740
        
        C:\Program Files (x86)\DriverPack\tools\driverpack-wget.exe
        
        "tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/STORIES-why-free-4.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_24643.log"
        7⤵
        
        PID:3608
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ""tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/STORIES-why-free-5.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_8797.log" & echo DONE > "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_finished_8797.txt""
        6⤵
        
        PID:3556
        
        C:\Program Files (x86)\DriverPack\tools\driverpack-wget.exe
        
        "tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/STORIES-why-free-5.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_8797.log"
        7⤵
        
        PID:2760
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ""tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/STORIES-why-free-15.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_99203.log" & echo DONE > "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_finished_99203.txt""
        6⤵
        
        PID:2904
        
        C:\Program Files (x86)\DriverPack\tools\driverpack-wget.exe
        
        "tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/STORIES-why-free-15.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_99203.log"
        7⤵
        
        PID:2916
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ""tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/STORIES-why-free-14.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_59783.log" & echo DONE > "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_finished_59783.txt""
        6⤵
        Loads dropped DLL
        
        PID:960
        
        C:\Program Files (x86)\DriverPack\tools\driverpack-wget.exe
        
        "tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/STORIES-why-free-14.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_59783.log"
        7⤵
        
        PID:3804
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ""tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/STORIES-why-free-10.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_41683.log" & echo DONE > "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_finished_41683.txt""
        6⤵
        Executes dropped EXE
        
        PID:2372
        
        C:\Program Files (x86)\DriverPack\tools\driverpack-wget.exe
        
        "tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/STORIES-why-free-10.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_41683.log"
        7⤵
        
        PID:3792
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ""tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/STORIES-why-free-11.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_2969.log" & echo DONE > "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_finished_2969.txt""
        6⤵
        Checks computer location settings
        
        PID:2148
        
        C:\Program Files (x86)\DriverPack\tools\driverpack-wget.exe
        
        "tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/STORIES-why-free-11.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_2969.log"
        7⤵
        
        PID:3928
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ""tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/STORIES-why-free-9.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_79744.log" & echo DONE > "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_finished_79744.txt""
        6⤵
        
        PID:3828
        
        C:\Program Files (x86)\DriverPack\tools\driverpack-wget.exe
        
        "tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/STORIES-why-free-9.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_79744.log"
        7⤵
        Drops file in Program Files directory
        
        PID:3992
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ""tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/STORIES-why-free-8.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_73969.log" & echo DONE > "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_finished_73969.txt""
        6⤵
        
        PID:3856
        
        C:\Program Files (x86)\DriverPack\tools\driverpack-wget.exe
        
        "tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/STORIES-why-free-8.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_73969.log"
        7⤵
        
        PID:3868
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ""tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/STORIES-why-free-7.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_75589.log" & echo DONE > "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_finished_75589.txt""
        6⤵
        
        PID:3784
        
        C:\Program Files (x86)\DriverPack\tools\driverpack-wget.exe
        
        "tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/STORIES-why-free-7.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_75589.log"
        7⤵
        
        PID:3836
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ""tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/STORIES-why-free-6.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_42886.log" & echo DONE > "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_finished_42886.txt""
        6⤵
        
        PID:3924
        
        C:\Program Files (x86)\DriverPack\tools\driverpack-wget.exe
        
        "tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/STORIES-why-free-6.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_42886.log"
        7⤵
        
        PID:4048
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ""tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/STORIES-false-positive-1.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_45646.log" & echo DONE > "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_finished_45646.txt""
        6⤵
        
        PID:2084
        
        C:\Program Files (x86)\DriverPack\tools\driverpack-wget.exe
        
        "tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/STORIES-false-positive-1.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_45646.log"
        7⤵
        
        PID:3120
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ""tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/STORIES-false-positive-2.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_4006.log" & echo DONE > "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_finished_4006.txt""
        6⤵
        Blocklisted process makes network request
        Executes dropped EXE
        
        PID:1564
        
        C:\Program Files (x86)\DriverPack\tools\driverpack-wget.exe
        
        "tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/STORIES-false-positive-2.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_4006.log"
        7⤵
        
        PID:1620
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ""tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/STORIES-false-positive-3.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_14388.log" & echo DONE > "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_finished_14388.txt""
        6⤵
        
        PID:4064
        
        C:\Program Files (x86)\DriverPack\tools\driverpack-wget.exe
        
        "tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/STORIES-false-positive-3.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_14388.log"
        7⤵
        Drops file in Program Files directory
        
        PID:3176
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ""tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/STORIES-false-positive-4.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_91555.log" & echo DONE > "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_finished_91555.txt""
        6⤵
        
        PID:2552
        
        C:\Program Files (x86)\DriverPack\tools\driverpack-wget.exe
        
        "tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/STORIES-false-positive-4.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_91555.log"
        7⤵
        
        PID:2208
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ""tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/STORIES-false-positive-5.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_62437.log" & echo DONE > "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_finished_62437.txt""
        6⤵
        
        PID:4088
        
        C:\Program Files (x86)\DriverPack\tools\driverpack-wget.exe
        
        "tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/STORIES-false-positive-5.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_62437.log"
        7⤵
        
        PID:3300
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ""tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/STORIES-false-positive-13.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_79155.log" & echo DONE > "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_finished_79155.txt""
        6⤵
        
        PID:2960
        
        C:\Program Files (x86)\DriverPack\tools\driverpack-wget.exe
        
        "tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/STORIES-false-positive-13.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_79155.log"
        7⤵
        
        PID:3544
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ""tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/STORIES-false-positive-10.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_45958.log" & echo DONE > "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_finished_45958.txt""
        6⤵
        
        PID:3400
        
        C:\Program Files (x86)\DriverPack\tools\driverpack-wget.exe
        
        "tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/STORIES-false-positive-10.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_45958.log"
        7⤵
        
        PID:3052
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ""tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/STORIES-false-positive-9.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_75192.log" & echo DONE > "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_finished_75192.txt""
        6⤵
        
        PID:3428
        
        C:\Program Files (x86)\DriverPack\tools\driverpack-wget.exe
        
        "tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/STORIES-false-positive-9.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_75192.log"
        7⤵
        
        PID:3620
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ""tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/STORIES-false-positive-12.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_2805.log" & echo DONE > "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_finished_2805.txt""
        6⤵
        
        PID:3412
        
        C:\Program Files (x86)\DriverPack\tools\driverpack-wget.exe
        
        "tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/STORIES-false-positive-12.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_2805.log"
        7⤵
        
        PID:968
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ""tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/STORIES-false-positive-8.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_65455.log" & echo DONE > "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_finished_65455.txt""
        6⤵
        
        PID:3644
        
        C:\Program Files (x86)\DriverPack\tools\driverpack-wget.exe
        
        "tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/STORIES-false-positive-8.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_65455.log"
        7⤵
        
        PID:3676
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ""tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/STORIES-false-positive-7.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_19636.log" & echo DONE > "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_finished_19636.txt""
        6⤵
        
        PID:3572
        
        C:\Program Files (x86)\DriverPack\tools\driverpack-wget.exe
        
        "tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/STORIES-false-positive-7.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_19636.log"
        7⤵
        
        PID:3744
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ""tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/STORIES-false-positive-6.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_27559.log" & echo DONE > "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_finished_27559.txt""
        6⤵
        
        PID:3508
        
        C:\Program Files (x86)\DriverPack\tools\driverpack-wget.exe
        
        "tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/STORIES-false-positive-6.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_27559.log"
        7⤵
        
        PID:2172
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ""tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/STORIES-drivers-1.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_7435.log" & echo DONE > "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_finished_7435.txt""
        6⤵
        
        PID:2104
        
        C:\Program Files (x86)\DriverPack\tools\driverpack-wget.exe
        
        "tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/STORIES-drivers-1.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_7435.log"
        7⤵
        
        PID:820
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ""tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/STORIES-drivers-2.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_92719.log" & echo DONE > "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_finished_92719.txt""
        6⤵
        
        PID:1048
        
        C:\Program Files (x86)\DriverPack\tools\driverpack-wget.exe
        
        "tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/STORIES-drivers-2.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_92719.log"
        7⤵
        
        PID:2584
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ""tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/STORIES-drivers-3.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_76949.log" & echo DONE > "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_finished_76949.txt""
        6⤵
        
        PID:2916
        
        C:\Program Files (x86)\DriverPack\tools\driverpack-wget.exe
        
        "tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/STORIES-drivers-3.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_76949.log"
        7⤵
        
        PID:3976
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ""tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/STORIES-drivers-5.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_38886.log" & echo DONE > "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_finished_38886.txt""
        6⤵
        
        PID:3808
        
        C:\Program Files (x86)\DriverPack\tools\driverpack-wget.exe
        
        "tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/STORIES-drivers-5.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_38886.log"
        7⤵
        
        PID:3772
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ""tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/STORIES-drivers-6.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_89836.log" & echo DONE > "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_finished_89836.txt""
        6⤵
        
        PID:3928
        
        C:\Program Files (x86)\DriverPack\tools\driverpack-wget.exe
        
        "tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/STORIES-drivers-6.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_89836.log"
        7⤵
        
        PID:3952
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ""tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/STORIES-drivers-7.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_16136.log" & echo DONE > "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_finished_16136.txt""
        6⤵
        
        PID:3896
        
        C:\Program Files (x86)\DriverPack\tools\driverpack-wget.exe
        
        "tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/STORIES-drivers-7.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_16136.log"
        7⤵
        
        PID:3968
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ""tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/STORIES-vpn-1.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_36562.log" & echo DONE > "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_finished_36562.txt""
        6⤵
        
        PID:3140
        
        C:\Program Files (x86)\DriverPack\tools\driverpack-wget.exe
        
        "tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/STORIES-vpn-1.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_36562.log"
        7⤵
        
        PID:3168
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ""tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/STORIES-vpn-2.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_51849.log" & echo DONE > "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_finished_51849.txt""
        6⤵
        
        PID:3036
        
        C:\Program Files (x86)\DriverPack\tools\driverpack-wget.exe
        
        "tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/STORIES-vpn-2.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_51849.log"
        7⤵
        
        PID:3200
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ""tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/STORIES-vpn-3.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_52202.log" & echo DONE > "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_finished_52202.txt""
        6⤵
        
        PID:2532
        
        C:\Program Files (x86)\DriverPack\tools\driverpack-wget.exe
        
        "tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/STORIES-vpn-3.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_52202.log"
        7⤵
        
        PID:3532
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ""tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/STORIES-vpn-4.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_22680.log" & echo DONE > "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_finished_22680.txt""
        6⤵
        
        PID:276
        
        C:\Program Files (x86)\DriverPack\tools\driverpack-wget.exe
        
        "tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/STORIES-vpn-4.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_22680.log"
        7⤵
        
        PID:3328
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ""tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/STORIES-vpn-5.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_79625.log" & echo DONE > "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_finished_79625.txt""
        6⤵
        
        PID:3124
        
        C:\Program Files (x86)\DriverPack\tools\driverpack-wget.exe
        
        "tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/STORIES-vpn-5.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_79625.log"
        7⤵
        
        PID:3460
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ""tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/STORIES-vpn-6.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_13446.log" & echo DONE > "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_finished_13446.txt""
        6⤵
        
        PID:3676
        
        C:\Program Files (x86)\DriverPack\tools\driverpack-wget.exe
        
        "tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/STORIES-vpn-6.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_13446.log"
        7⤵
        
        PID:3492
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ""tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/REBOOT-1.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_38871.log" & echo DONE > "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_finished_38871.txt""
        6⤵
        
        PID:3612
        
        C:\Program Files (x86)\DriverPack\tools\driverpack-wget.exe
        
        "tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/REBOOT-1.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_38871.log"
        7⤵
        
        PID:3708
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ""tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/FINAL-1.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_41758.log" & echo DONE > "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_finished_41758.txt""
        6⤵
        
        PID:1908
        
        C:\Program Files (x86)\DriverPack\tools\driverpack-wget.exe
        
        "tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/FINAL-1.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_41758.log"
        7⤵
        
        PID:3952
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ""tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/FINAL-2.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_32073.log" & echo DONE > "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_finished_32073.txt""
        6⤵
        
        PID:3772
        
        C:\Program Files (x86)\DriverPack\tools\driverpack-wget.exe
        
        "tools\driverpack-wget.exe" --tries=3 --timeout 5 --retry-connrefused --wait=5 --timestamping --directory-prefix="C:\Program Files (x86)\DriverPack\audio\en" "http://dl.driverpack.io/assistant/beetle/audio/en/FINAL-2.mp3" -o "C:\Users\Admin\AppData\Roaming\DRPSu\temp\wget_log_32073.log"
        7⤵
        
        PID:3928
      - C:\Windows\SysWOW64\rundll32.exe
        
        rundll32 kernel32,Sleep
        6⤵
        
        PID:4500
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ""tools\aria2c.exe" "http://dl.driverpack.io/soft/OperaXP.exe.torrent" --dir="C:\Users\Admin\AppData\Roaming\DRPSu\PROGRAMS" --quiet --continue --min-split-size=1M --follow-torrent=true --check-integrity --seed-time=0 --bt-stop-timeout=120 || echo Done & call echo Done %^errorLevel% > "C:\Users\Admin\AppData\Roaming\DRPSu\temp\run_command_72966.txt""
        6⤵
        
        PID:4732
        
        C:\Program Files (x86)\DriverPack\tools\aria2c.exe
        
        "tools\aria2c.exe" "http://dl.driverpack.io/soft/OperaXP.exe.torrent" --dir="C:\Users\Admin\AppData\Roaming\DRPSu\PROGRAMS" --quiet --continue --min-split-size=1M --follow-torrent=true --check-integrity --seed-time=0 --bt-stop-timeout=120
        7⤵
        
        PID:4996
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ""tools\aria2c.exe" "http://dl.driverpack.io/soft/Chrone.exe.torrent" --dir="C:\Users\Admin\AppData\Roaming\DRPSu\PROGRAMS" --quiet --continue --min-split-size=1M --follow-torrent=true --check-integrity --seed-time=0 --bt-stop-timeout=120 || echo Done & call echo Done %^errorLevel% > "C:\Users\Admin\AppData\Roaming\DRPSu\temp\run_command_50271.txt""
        6⤵
        
        PID:3952
        
        C:\Program Files (x86)\DriverPack\tools\aria2c.exe
        
        "tools\aria2c.exe" "http://dl.driverpack.io/soft/Chrone.exe.torrent" --dir="C:\Users\Admin\AppData\Roaming\DRPSu\PROGRAMS" --quiet --continue --min-split-size=1M --follow-torrent=true --check-integrity --seed-time=0 --bt-stop-timeout=120
        7⤵
        
        PID:4176
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ""tools\aria2c.exe" "http://dl.driverpack.io/tools/DriverPack-Alice.exe.torrent" --dir="C:\Users\Admin\AppData\Roaming\DRPSu\PROGRAMS" --quiet --continue --min-split-size=1M --follow-torrent=true --check-integrity --seed-time=0 --bt-stop-timeout=120 || echo Done & call echo Done %^errorLevel% > "C:\Users\Admin\AppData\Roaming\DRPSu\temp\run_command_42202.txt""
        6⤵
        Checks computer location settings
        
        PID:3340
        
        C:\Program Files (x86)\DriverPack\tools\aria2c.exe
        
        "tools\aria2c.exe" "http://dl.driverpack.io/tools/DriverPack-Alice.exe.torrent" --dir="C:\Users\Admin\AppData\Roaming\DRPSu\PROGRAMS" --quiet --continue --min-split-size=1M --follow-torrent=true --check-integrity --seed-time=0 --bt-stop-timeout=120
        7⤵
        
        PID:3776
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ""tools\aria2c.exe" "http://dl.driverpack.io/soft/DirectX.exe.torrent" --dir="C:\Users\Admin\AppData\Roaming\DRPSu\PROGRAMS" --quiet --continue --min-split-size=1M --follow-torrent=true --check-integrity --seed-time=0 --bt-stop-timeout=120 || echo Done & call echo Done %^errorLevel% > "C:\Users\Admin\AppData\Roaming\DRPSu\temp\run_command_99096.txt""
        6⤵
        
        PID:2508
        
        C:\Program Files (x86)\DriverPack\tools\aria2c.exe
        
        "tools\aria2c.exe" "http://dl.driverpack.io/soft/DirectX.exe.torrent" --dir="C:\Users\Admin\AppData\Roaming\DRPSu\PROGRAMS" --quiet --continue --min-split-size=1M --follow-torrent=true --check-integrity --seed-time=0 --bt-stop-timeout=120
        7⤵
        
        PID:3184
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ""tools\aria2c.exe" "http://dl.driverpack.io/soft/SearcherBar.exe.torrent" --dir="C:\Users\Admin\AppData\Roaming\DRPSu\PROGRAMS" --quiet --continue --min-split-size=1M --follow-torrent=true --check-integrity --seed-time=0 --bt-stop-timeout=120 || echo Done & call echo Done %^errorLevel% > "C:\Users\Admin\AppData\Roaming\DRPSu\temp\run_command_28557.txt""
        6⤵
        
        PID:3300
        
        C:\Program Files (x86)\DriverPack\tools\aria2c.exe
        
        "tools\aria2c.exe" "http://dl.driverpack.io/soft/SearcherBar.exe.torrent" --dir="C:\Users\Admin\AppData\Roaming\DRPSu\PROGRAMS" --quiet --continue --min-split-size=1M --follow-torrent=true --check-integrity --seed-time=0 --bt-stop-timeout=120
        7⤵
        
        PID:3408
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ""tools\aria2c.exe" "http://dl.driverpack.io/soft/RuntimePack.exe.torrent" --dir="C:\Users\Admin\AppData\Roaming\DRPSu\PROGRAMS" --quiet --continue --min-split-size=1M --follow-torrent=true --check-integrity --seed-time=0 --bt-stop-timeout=120 || echo Done & call echo Done %^errorLevel% > "C:\Users\Admin\AppData\Roaming\DRPSu\temp\run_command_6481.txt""
        6⤵
        
        PID:2800
        
        C:\Program Files (x86)\DriverPack\tools\aria2c.exe
        
        "tools\aria2c.exe" "http://dl.driverpack.io/soft/RuntimePack.exe.torrent" --dir="C:\Users\Admin\AppData\Roaming\DRPSu\PROGRAMS" --quiet --continue --min-split-size=1M --follow-torrent=true --check-integrity --seed-time=0 --bt-stop-timeout=120
        7⤵
        
        PID:2828
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ""C:\Users\Admin\AppData\Roaming\DRPSu\PROGRAMS\DriverPack-Alice.exe" || echo Done & call echo Done %^errorLevel% > "C:\Users\Admin\AppData\Roaming\DRPSu\temp\installing_92039.txt""
        6⤵
        
        PID:4436
        
        C:\Users\Admin\AppData\Roaming\DRPSu\PROGRAMS\DriverPack-Alice.exe
        
        "C:\Users\Admin\AppData\Roaming\DRPSu\PROGRAMS\DriverPack-Alice.exe"
        7⤵
        
        PID:2372
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ""tools\aria2c.exe" "http://dl.driverpack.io/soft/DotNetXP.exe.torrent" --dir="C:\Users\Admin\AppData\Roaming\DRPSu\PROGRAMS" --quiet --continue --min-split-size=1M --follow-torrent=true --check-integrity --seed-time=0 --bt-stop-timeout=120 || echo Done & call echo Done %^errorLevel% > "C:\Users\Admin\AppData\Roaming\DRPSu\temp\run_command_76507.txt""
        6⤵
        
        PID:2052
        
        C:\Program Files (x86)\DriverPack\tools\aria2c.exe
        
        "tools\aria2c.exe" "http://dl.driverpack.io/soft/DotNetXP.exe.torrent" --dir="C:\Users\Admin\AppData\Roaming\DRPSu\PROGRAMS" --quiet --continue --min-split-size=1M --follow-torrent=true --check-integrity --seed-time=0 --bt-stop-timeout=120
        7⤵
        
        PID:5068
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ""C:\Users\Admin\AppData\Roaming\DRPSu\PROGRAMS\Chrone.exe" /S || echo Done & call echo Done %^errorLevel% > "C:\Users\Admin\AppData\Roaming\DRPSu\temp\installing_55036.txt""
        6⤵
        
        PID:744
        
        C:\Users\Admin\AppData\Roaming\DRPSu\PROGRAMS\Chrone.exe
        
        "C:\Users\Admin\AppData\Roaming\DRPSu\PROGRAMS\Chrone.exe" /S
        7⤵
        
        PID:3708
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ""C:\Users\Admin\AppData\Roaming\DRPSu\PROGRAMS\SearcherBar.exe" /S || echo Done & call echo Done %^errorLevel% > "C:\Users\Admin\AppData\Roaming\DRPSu\temp\installing_93732.txt""
        6⤵
        Enumerates connected drives
        
        PID:3568
        
        C:\Users\Admin\AppData\Roaming\DRPSu\PROGRAMS\SearcherBar.exe
        
        "C:\Users\Admin\AppData\Roaming\DRPSu\PROGRAMS\SearcherBar.exe" /S
        7⤵
        
        PID:3652
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ""C:\Users\Admin\AppData\Roaming\DRPSu\PROGRAMS\DirectX.exe" || echo Done & call echo Done %^errorLevel% > "C:\Users\Admin\AppData\Roaming\DRPSu\temp\installing_93824.txt""
        6⤵
        
        PID:4684
        
        C:\Users\Admin\AppData\Roaming\DRPSu\PROGRAMS\DirectX.exe
        
        "C:\Users\Admin\AppData\Roaming\DRPSu\PROGRAMS\DirectX.exe"
        7⤵
        
        PID:4056
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\set_x64.cmd" "
        8⤵
        
        PID:1728
        
        C:\Windows\system32\xcopy.exe
        
        xcopy x64\GAC C:\Windows\assembly\GAC /s /e /i /y
        9⤵
        Drops file in Windows directory
        
        PID:3000
        
        C:\Windows\system32\xcopy.exe
        
        xcopy x64\Microsoft.NET C:\Windows\Microsoft.NET /s /e /i /y
        9⤵
        Drops file in Windows directory
        
        PID:2260
        
        C:\Windows\system32\xcopy.exe
        
        xcopy x64\System32 C:\Windows\System32 /s /e /i /y
        9⤵
        Drops file in System32 directory
        Drops file in Windows directory
        
        PID:2212
        
        C:\Windows\system32\xcopy.exe
        
        xcopy x64\SysWow64 C:\Windows\SysWow64 /s /e /i /y
        9⤵
        Drops file in System32 directory
        Drops file in Windows directory
        
        PID:1548
        
        C:\Windows\regedit.exe
        
        regedit /s x64\64bit.reg
        9⤵
        Modifies registry class
        Runs .reg file with regedit
        
        PID:3896
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ""C:\Users\Admin\AppData\Roaming\DRPSu\PROGRAMS\OperaXP.exe" -install -silent -launchopera=1 -setdefaultbrowser=1 || echo Done & call echo Done %^errorLevel% > "C:\Users\Admin\AppData\Roaming\DRPSu\temp\installing_791.txt""
        6⤵
        
        PID:1052
        
        C:\Users\Admin\AppData\Roaming\DRPSu\PROGRAMS\OperaXP.exe
        
        "C:\Users\Admin\AppData\Roaming\DRPSu\PROGRAMS\OperaXP.exe" -install -silent -launchopera=1 -setdefaultbrowser=1
        7⤵
        Enumerates connected drives
        
        PID:4412
        
        C:\Users\Admin\AppData\Roaming\DRPSu\PROGRAMS\OperaXP.exe
        
        "C:\Users\Admin\AppData\Roaming\DRPSu\PROGRAMS\OperaXP.exe" -install -silent -launchopera=1 -setdefaultbrowser=1 --crash-reporter-parent-id=4412
        8⤵
        
        PID:956
        
        C:\Users\Admin\AppData\Roaming\DRPSu\PROGRAMS\OperaXP.exe
        
        "C:\Users\Admin\AppData\Roaming\DRPSu\PROGRAMS\OperaXP.exe" --backend --silent --install --import-browser-data=1 --enable-stats=1 --enable-installer-stats=1 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=ja --singleprofile=0 --copyonly=0 --allusers=1 --setdefaultbrowser=1 --startmenushortcut=1 --desktopshortcut=1 --quicklaunchshortcut=0 --pintotaskbar=1 --server-tracking-data=server_tracking_data --initial-pid=4412 --crash-reporter-pid=956 --wait-for-package="C:\Users\Admin\AppData\Local\Temp\Opera Installer\opera_installer_20220108195631" --initial-proc-handle=90010000
        8⤵
        Enumerates connected drives
        
        PID:4992
        
        C:\Users\Admin\AppData\Local\Temp\Opera Installer\opera_installer_20220108195631\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Opera Installer\opera_installer_20220108195631\installer.exe" --backend --silent --initial-pid=4412 --install --import-browser-data=1 --enable-stats=1 --enable-installer-stats=1 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=ja --singleprofile=0 --copyonly=0 --allusers=1 --setdefaultbrowser=1 --startmenushortcut=1 --desktopshortcut=1 --quicklaunchshortcut=0 --pintotaskbar=1 --server-tracking-data=server_tracking_data --crash-reporter-pid=956
        9⤵
        Checks computer location settings
        Enumerates connected drives
        
        PID:3712
        
        C:\Users\Admin\AppData\Local\Programs\Opera\launcher.exe
        
        "C:\Users\Admin\AppData\Local\Programs\Opera\launcher.exe" --start-maximized
        10⤵
        
        PID:3268
        
        C:\Users\Admin\AppData\Local\Programs\Opera\36.0.2130.80\opera.exe
        
        "C:\Users\Admin\AppData\Local\Programs\Opera\36.0.2130.80\opera.exe" --start-maximized --ran-launcher
        11⤵
        
        PID:3368
        
        C:\Users\Admin\AppData\Local\Programs\Opera\36.0.2130.80\opera_crashreporter.exe
        
        "C:\Users\Admin\AppData\Local\Programs\Opera\36.0.2130.80\opera_crashreporter.exe" --start-maximized --ran-launcher --crash-reporter-parent-id=3368
        12⤵
        
        PID:1788
        
        C:\Users\Admin\AppData\Local\Temp\Opera Installer\OperaXP.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Opera Installer\OperaXP.exe" --version
        8⤵
        
        PID:2576
      - C:\Windows\SysWOW64\netsh.exe
        
        "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="DriverPack-Alice" dir=in action=allow program="C:\Users\Admin\AppData\Roaming\DRPSu\Alice\cloud.exe"
        6⤵
        
        PID:4656
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ""C:\Users\Admin\AppData\Roaming\DRPSu\PROGRAMS\DotNetXP.exe" || echo Done & call echo Done %^errorLevel% > "C:\Users\Admin\AppData\Roaming\DRPSu\temp\installing_96599.txt""
        6⤵
        
        PID:3012
        
        C:\Users\Admin\AppData\Roaming\DRPSu\PROGRAMS\DotNetXP.exe
        
        "C:\Users\Admin\AppData\Roaming\DRPSu\PROGRAMS\DotNetXP.exe"
        7⤵
        
        PID:1460
        
        C:\Windows\TEMP\NET\WinPKG.exe
        
        C:\Windows\TEMP\NET\WinPKG.exe
        8⤵
        
        PID:3940
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ""C:\Users\Admin\AppData\Roaming\DRPSu\PROGRAMS\RuntimePack.exe" -s || echo Done & call echo Done %^errorLevel% > "C:\Users\Admin\AppData\Roaming\DRPSu\temp\installing_15400.txt""
        6⤵
        Checks computer location settings
        
        PID:3400
        
        C:\Users\Admin\AppData\Roaming\DRPSu\PROGRAMS\RuntimePack.exe
        
        "C:\Users\Admin\AppData\Roaming\DRPSu\PROGRAMS\RuntimePack.exe" -s
        7⤵
        
        PID:2088
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\install.cmd" -s "
        8⤵
        Drops file in System32 directory
        
        PID:5080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ver
        9⤵
        
        PID:1928
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /S "C:\Windows\System32\comct232.ocx"
        9⤵
        Modifies Internet Explorer settings
        Modifies registry class
        
        PID:2292
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /S "C:\Windows\System32\comct332.ocx"
        9⤵
        Modifies registry class
        
        PID:4028
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /S "C:\Windows\System32\comctl32.ocx"
        9⤵
        Modifies Internet Explorer settings
        Modifies registry class
        
        PID:1184
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /S "C:\Windows\System32\comdlg32.ocx"
        9⤵
        Modifies Internet Explorer settings
        Modifies registry class
        
        PID:4600
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /S "C:\Windows\System32\dblist32.ocx"
        9⤵
        Modifies Internet Explorer settings
        Modifies registry class
        
        PID:1660
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /S "C:\Windows\System32\mci32.ocx"
        9⤵
        Modifies Internet Explorer settings
        
        PID:2580
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /S "C:\Windows\System32\mscomct2.ocx"
        9⤵
        Modifies Internet Explorer settings
        Modifies registry class
        
        PID:2900
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /S "C:\Windows\System32\mscomctl.ocx"
        9⤵
        Modifies Internet Explorer settings
        Modifies registry class
        
        PID:2760
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /S "C:\Windows\System32\mscomm32.ocx"
        9⤵
        
        PID:4272
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /S "C:\Windows\System32\msdatgrd.ocx"
        9⤵
        Modifies Internet Explorer settings
        
        PID:4652
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /S "C:\Windows\System32\msdatlst.ocx"
        9⤵
        Modifies Internet Explorer settings
        
        PID:3888
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /S "C:\Windows\System32\msflxgrd.ocx"
        9⤵
        Modifies registry class
        
        PID:2932
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /S "C:\Windows\System32\mshflxgd.ocx"
        9⤵
        Modifies Internet Explorer settings
        Modifies registry class
        
        PID:4712
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /S "C:\Windows\System32\msinet.ocx"
        9⤵
        
        PID:2916
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /S "C:\Windows\System32\msmask32.ocx"
        9⤵
        Modifies Internet Explorer settings
        
        PID:3560
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /S "C:\Windows\System32\msstdfmt.dll"
        9⤵
        Modifies Internet Explorer settings
        Modifies registry class
        
        PID:3152
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /S "C:\Windows\System32\msstkprp.dll"
        9⤵
        
        PID:3028
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /S "C:\Windows\System32\mswinsck.ocx"
        9⤵
        Modifies Internet Explorer settings
        Modifies registry class
        
        PID:2568
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /S "C:\Windows\System32\picclp32.ocx"
        9⤵
        Modifies registry class
        
        PID:3708
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /S "C:\Windows\System32\richtx32.ocx"
        9⤵
        Modifies Internet Explorer settings
        Modifies registry class
        
        PID:4312
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /S "C:\Windows\System32\sysinfo.ocx"
        9⤵
        Modifies registry class
        
        PID:2108
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /S "C:\Windows\System32\tabctl32.ocx"
        9⤵
        Modifies registry class
        
        PID:4892
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /S "C:\Windows\System32\msvbvm50.dll"
        9⤵
        Modifies registry class
        
        PID:3956
        
        C:\Windows\SysWOW64\regedit.exe
        
        regedit.exe /s VBA60_OCX_License.reg
        9⤵
        Runs .reg file with regedit
        
        PID:4368
        
        C:\Windows\SysWOW64\compact.exe
        
        compact.exe /i /c /a /f "C:\Windows\Sysnative\libcrypto-1_1-x64.dll"
        9⤵
        
        PID:3780
        
        C:\Windows\SysWOW64\compact.exe
        
        compact.exe /i /c /a /f "C:\Windows\Sysnative\libssl-1_1-x64.dll"
        9⤵
        
        PID:2376
        
        C:\Windows\SysWOW64\compact.exe
        
        compact.exe /i /c /a /f "C:\Windows\Sysnative\OpenAL32.dll"
        9⤵
        
        PID:2736
        
        C:\Windows\SysWOW64\compact.exe
        
        compact.exe /i /c /a /f "C:\Windows\Sysnative\wrap_oal.dll"
        9⤵
        
        PID:2644
        
        C:\Windows\SysWOW64\compact.exe
        
        compact.exe /i /c /a /f "C:\Windows\System32\atl70.dll"
        9⤵
        
        PID:2512
        
        C:\Windows\SysWOW64\compact.exe
        
        compact.exe /i /c /a /f "C:\Windows\System32\atl71.dll"
        9⤵
        
        PID:796
        
        C:\Windows\SysWOW64\compact.exe
        
        compact.exe /i /c /a /f "C:\Windows\System32\comct232.ocx"
        9⤵
        Drops file in System32 directory
        
        PID:1644
        
        C:\Windows\SysWOW64\compact.exe
        
        compact.exe /i /c /a /f "C:\Windows\System32\comct332.ocx"
        9⤵
        Drops file in System32 directory
        
        PID:3836
        
        C:\Windows\SysWOW64\compact.exe
        
        compact.exe /i /c /a /f "C:\Windows\System32\comctl32.ocx"
        9⤵
        
        PID:3880
        
        C:\Windows\SysWOW64\compact.exe
        
        compact.exe /i /c /a /f "C:\Windows\System32\comdlg32.ocx"
        9⤵
        
        PID:3444
        
        C:\Windows\SysWOW64\compact.exe
        
        compact.exe /i /c /a /f "C:\Windows\System32\dblist32.ocx"
        9⤵
        
        PID:1664
        
        C:\Windows\SysWOW64\compact.exe
        
        compact.exe /i /c /a /f "C:\Windows\System32\libcrypto-1_1.dll"
        9⤵
        
        PID:3092
        
        C:\Windows\SysWOW64\compact.exe
        
        compact.exe /i /c /a /f "C:\Windows\System32\libeay32.dll"
        9⤵
        
        PID:2024
        
        C:\Windows\SysWOW64\compact.exe
        
        compact.exe /i /c /a /f "C:\Windows\System32\libssl-1_1.dll"
        9⤵
        Drops file in System32 directory
        
        PID:4208
        
        C:\Windows\SysWOW64\compact.exe
        
        compact.exe /i /c /a /f "C:\Windows\System32\mci32.ocx"
        9⤵
        
        PID:2324
        
        C:\Windows\SysWOW64\compact.exe
        
        compact.exe /i /c /a /f "C:\Windows\System32\mfc70.dll"
        9⤵
        
        PID:4288
        
        C:\Windows\SysWOW64\compact.exe
        
        compact.exe /i /c /a /f "C:\Windows\System32\mfc70chs.dll"
        9⤵
        
        PID:4664
        
        C:\Windows\SysWOW64\compact.exe
        
        compact.exe /i /c /a /f "C:\Windows\System32\mfc70cht.dll"
        9⤵
        
        PID:832
        
        C:\Windows\SysWOW64\compact.exe
        
        compact.exe /i /c /a /f "C:\Windows\System32\mfc70deu.dll"
        9⤵
        
        PID:5024
        
        C:\Windows\SysWOW64\compact.exe
        
        compact.exe /i /c /a /f "C:\Windows\System32\mfc70enu.dll"
        9⤵
        
        PID:4360
        
        C:\Windows\SysWOW64\compact.exe
        
        compact.exe /i /c /a /f "C:\Windows\System32\mfc70esp.dll"
        9⤵
        
        PID:3872
        
        C:\Windows\SysWOW64\compact.exe
        
        compact.exe /i /c /a /f "C:\Windows\System32\mfc70fra.dll"
        9⤵
        Drops file in System32 directory
        
        PID:3680
        
        C:\Windows\SysWOW64\compact.exe
        
        compact.exe /i /c /a /f "C:\Windows\System32\mfc70ita.dll"
        9⤵
        
        PID:2264
        
        C:\Windows\SysWOW64\compact.exe
        
        compact.exe /i /c /a /f "C:\Windows\System32\mfc70jpn.dll"
        9⤵
        
        PID:2744
        
        C:\Windows\SysWOW64\compact.exe
        
        compact.exe /i /c /a /f "C:\Windows\System32\mfc70kor.dll"
        9⤵
        
        PID:3844
        
        C:\Windows\SysWOW64\compact.exe
        
        compact.exe /i /c /a /f "C:\Windows\System32\mfc70u.dll"
        9⤵
        
        PID:2256
        
        C:\Windows\SysWOW64\compact.exe
        
        compact.exe /i /c /a /f "C:\Windows\System32\MFC71.dll"
        9⤵
        
        PID:4092
        
        C:\Windows\SysWOW64\compact.exe
        
        compact.exe /i /c /a /f "C:\Windows\System32\MFC71CHS.DLL"
        9⤵
        
        PID:2288
        
        C:\Windows\SysWOW64\compact.exe
        
        compact.exe /i /c /a /f "C:\Windows\System32\MFC71CHT.DLL"
        9⤵
        
        PID:4400
        
        C:\Windows\SysWOW64\compact.exe
        
        compact.exe /i /c /a /f "C:\Windows\System32\MFC71DEU.DLL"
        9⤵
        
        PID:4052
        
        C:\Windows\SysWOW64\compact.exe
        
        compact.exe /i /c /a /f "C:\Windows\System32\MFC71ENU.DLL"
        9⤵
        
        PID:3112
        
        C:\Windows\SysWOW64\compact.exe
        
        compact.exe /i /c /a /f "C:\Windows\System32\MFC71ESP.DLL"
        9⤵
        
        PID:3804
        
        C:\Windows\SysWOW64\compact.exe
        
        compact.exe /i /c /a /f "C:\Windows\System32\MFC71FRA.DLL"
        9⤵
        
        PID:4964
        
        C:\Windows\SysWOW64\compact.exe
        
        compact.exe /i /c /a /f "C:\Windows\System32\MFC71ITA.DLL"
        9⤵
        
        PID:1160
        
        C:\Windows\SysWOW64\compact.exe
        
        compact.exe /i /c /a /f "C:\Windows\System32\MFC71JPN.DLL"
        9⤵
        
        PID:3892
        
        C:\Windows\SysWOW64\compact.exe
        
        compact.exe /i /c /a /f "C:\Windows\System32\MFC71KOR.DLL"
        9⤵
        
        PID:3108
        
        C:\Windows\SysWOW64\compact.exe
        
        compact.exe /i /c /a /f "C:\Windows\System32\MFC71u.dll"
        9⤵
        
        PID:4916
        
        C:\Windows\SysWOW64\compact.exe
        
        compact.exe /i /c /a /f "C:\Windows\System32\mscomct2.ocx"
        9⤵
        
        PID:2444
        
        C:\Windows\SysWOW64\compact.exe
        
        compact.exe /i /c /a /f "C:\Windows\System32\mscomctl.ocx"
        9⤵
        
        PID:2160
        
        C:\Windows\SysWOW64\compact.exe
        
        compact.exe /i /c /a /f "C:\Windows\System32\mscomm32.ocx"
        9⤵
        
        PID:4192
        
        C:\Windows\SysWOW64\compact.exe
        
        compact.exe /i /c /a /f "C:\Windows\System32\msdatgrd.ocx"
        9⤵
        
        PID:3768
        
        C:\Windows\SysWOW64\compact.exe
        
        compact.exe /i /c /a /f "C:\Windows\System32\msdatlst.ocx"
        9⤵
        
        PID:3744
        
        C:\Windows\SysWOW64\compact.exe
        
        compact.exe /i /c /a /f "C:\Windows\System32\msflxgrd.ocx"
        9⤵
        
        PID:4864
        
        C:\Windows\SysWOW64\compact.exe
        
        compact.exe /i /c /a /f "C:\Windows\System32\MShflxgd.ocx"
        9⤵
        
        PID:4676
        
        C:\Windows\SysWOW64\compact.exe
        
        compact.exe /i /c /a /f "C:\Windows\System32\msinet.ocx"
        9⤵
        
        PID:4648
        
        C:\Windows\SysWOW64\compact.exe
        
        compact.exe /i /c /a /f "C:\Windows\System32\msmask32.ocx"
        9⤵
        
        PID:4156
        
        C:\Windows\SysWOW64\compact.exe
        
        compact.exe /i /c /a /f "C:\Windows\System32\msstdfmt.dll"
        9⤵
        
        PID:3328
        
        C:\Windows\SysWOW64\compact.exe
        
        compact.exe /i /c /a /f "C:\Windows\System32\MSSTKPRP.DLL"
        9⤵
        Drops file in Program Files directory
        
        PID:3928
        
        C:\Windows\SysWOW64\compact.exe
        
        compact.exe /i /c /a /f "C:\Windows\System32\msvbvm50.dll"
        9⤵
        
        PID:2792
        
        C:\Windows\SysWOW64\compact.exe
        
        compact.exe /i /c /a /f "C:\Windows\System32\msvci70.dll"
        9⤵
        
        PID:2688
        
        C:\Windows\SysWOW64\compact.exe
        
        compact.exe /i /c /a /f "C:\Windows\System32\MSVCP70.DLL"
        9⤵
        
        PID:4888
        
        C:\Windows\SysWOW64\compact.exe
        
        compact.exe /i /c /a /f "C:\Windows\System32\msvcp71.dll"
        9⤵
        
        PID:3252
        
        C:\Windows\SysWOW64\compact.exe
        
        compact.exe /i /c /a /f "C:\Windows\System32\msvcr70.dll"
        9⤵
        Drops file in System32 directory
        
        PID:1632
        
        C:\Windows\SysWOW64\compact.exe
        
        compact.exe /i /c /a /f "C:\Windows\System32\msvcr71.dll"
        9⤵
        
        PID:1744
        
        C:\Windows\SysWOW64\compact.exe
        
        compact.exe /i /c /a /f "C:\Windows\System32\msvcrt10.dll"
        9⤵
        
        PID:4728
        
        C:\Windows\SysWOW64\compact.exe
        
        compact.exe /i /c /a /f "C:\Windows\System32\mswinsck.ocx"
        9⤵
        
        PID:4204
        
        C:\Windows\SysWOW64\compact.exe
        
        compact.exe /i /c /a /f "C:\Windows\System32\OpenAL32.dll"
        9⤵
        
        PID:2992
        
        C:\Windows\SysWOW64\compact.exe
        
        compact.exe /i /c /a /f "C:\Windows\System32\picclp32.ocx"
        9⤵
        
        PID:3788
        
        C:\Windows\SysWOW64\compact.exe
        
        compact.exe /i /c /a /f "C:\Windows\System32\richtx32.ocx"
        9⤵
        
        PID:740
        
        C:\Windows\SysWOW64\compact.exe
        
        compact.exe /i /c /a /f "C:\Windows\System32\ssleay32.dll"
        9⤵
        
        PID:2740
        
        C:\Windows\SysWOW64\compact.exe
        
        compact.exe /i /c /a /f "C:\Windows\System32\sysinfo.ocx"
        9⤵
        
        PID:2500
        
        C:\Windows\SysWOW64\compact.exe
        
        compact.exe /i /c /a /f "C:\Windows\System32\tabctl32.ocx"
        9⤵
        Drops file in System32 directory
        
        PID:112
        
        C:\Windows\SysWOW64\compact.exe
        
        compact.exe /i /c /a /f "C:\Windows\System32\Vb40032.dll"
        9⤵
        Drops file in System32 directory
        
        PID:4140
        
        C:\Windows\SysWOW64\compact.exe
        
        compact.exe /i /c /a /f "C:\Windows\System32\wrap_oal.dll"
        9⤵
        
        PID:3276
        
        C:\Windows\SysWOW64\compact.exe
        
        compact.exe /i /c /a /f "C:\Windows\System32\Vb40016.dll"
        9⤵
        
        PID:2884
        
        C:\Windows\SysWOW64\compact.exe
        
        compact.exe /i /c /a /f "C:\Windows\System32\vbrun100.dll"
        9⤵
        
        PID:4396
        
        C:\Windows\SysWOW64\compact.exe
        
        compact.exe /i /c /a /f "C:\Windows\System32\vbrun200.dll"
        9⤵
        
        PID:3224
        
        C:\Windows\SysWOW64\compact.exe
        
        compact.exe /i /c /a /f "C:\Windows\System32\Vbrun300.dll"
        9⤵
        
        PID:4524
      - C:\Windows\SysWOW64\PING.EXE
        
        "C:\Windows\System32\PING.EXE" -n 3 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:792
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1108,10833995548945514907,6315520201489338686,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4788 /prefetch:8
    3⤵
    PID:2244
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1108,10833995548945514907,6315520201489338686,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2172 /prefetch:8
    3⤵
    PID:2784
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1108,10833995548945514907,6315520201489338686,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=52 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2452 /prefetch:1
    3⤵
    PID:2160
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1108,10833995548945514907,6315520201489338686,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=53 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2476 /prefetch:1
    3⤵
    PID:3008
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1108,10833995548945514907,6315520201489338686,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4708 /prefetch:8
    3⤵
    PID:1636
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1108,10833995548945514907,6315520201489338686,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2460 /prefetch:8
    3⤵
    PID:2568
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1108,10833995548945514907,6315520201489338686,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4860 /prefetch:8
    3⤵
    PID:2396
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1108,10833995548945514907,6315520201489338686,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=57 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4976 /prefetch:1
    3⤵
    PID:2316
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1108,10833995548945514907,6315520201489338686,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3432 /prefetch:8
    3⤵
    PID:2640
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1108,10833995548945514907,6315520201489338686,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2928 /prefetch:8
    3⤵
    PID:1388
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1108,10833995548945514907,6315520201489338686,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2068 /prefetch:8
    3⤵
    PID:2636
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1108,10833995548945514907,6315520201489338686,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4768 /prefetch:8
    3⤵
    PID:3056
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1108,10833995548945514907,6315520201489338686,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3064 /prefetch:8
    3⤵
    - Executes dropped EXE
    PID:2680
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1108,10833995548945514907,6315520201489338686,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2436 /prefetch:8
    3⤵
    - Loads dropped DLL
    PID:2436
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1108,10833995548945514907,6315520201489338686,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=64 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=904 /prefetch:1
    3⤵
    - Executes dropped EXE
    PID:2352
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1108,10833995548945514907,6315520201489338686,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=65 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2116 /prefetch:1
    3⤵
    PID:2944
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1108,10833995548945514907,6315520201489338686,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=66 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3964 /prefetch:1
    3⤵
    PID:956
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1108,10833995548945514907,6315520201489338686,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=67 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3836 /prefetch:1
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1644
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1108,10833995548945514907,6315520201489338686,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4564 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2480
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1108,10833995548945514907,6315520201489338686,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=69 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2788 /prefetch:1
    3⤵
    PID:2148
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1108,10833995548945514907,6315520201489338686,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=70 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2400 /prefetch:1
    3⤵
    PID:3248
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1108,10833995548945514907,6315520201489338686,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=71 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=544 /prefetch:1
    3⤵
    PID:3116
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1108,10833995548945514907,6315520201489338686,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=72 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2464 /prefetch:1
    3⤵
    PID:3576
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1108,10833995548945514907,6315520201489338686,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=73 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3104 /prefetch:1
    3⤵
    PID:2984
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1108,10833995548945514907,6315520201489338686,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=74 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4868 /prefetch:1
    3⤵
    PID:3948
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1108,10833995548945514907,6315520201489338686,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=75 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4788 /prefetch:1
    3⤵
    PID:4080
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1108,10833995548945514907,6315520201489338686,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=77 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4892 /prefetch:1
    3⤵
    PID:1744
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1108,10833995548945514907,6315520201489338686,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=76 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=960 /prefetch:1
    3⤵
    PID:2960
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1108,10833995548945514907,6315520201489338686,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=78 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4960 /prefetch:1
    3⤵
    PID:3496
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1108,10833995548945514907,6315520201489338686,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=79 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:1
    3⤵
    - Loads dropped DLL
    PID:1388
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1108,10833995548945514907,6315520201489338686,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3460 /prefetch:8
    3⤵
    PID:2888
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1108,10833995548945514907,6315520201489338686,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=81 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=536 /prefetch:1
    3⤵
    PID:3508
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1108,10833995548945514907,6315520201489338686,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=82 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3920 /prefetch:1
    3⤵
    PID:672
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1108,10833995548945514907,6315520201489338686,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=83 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4608 /prefetch:1
    3⤵
    PID:2840
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1108,10833995548945514907,6315520201489338686,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=84 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3696 /prefetch:1
    3⤵
    PID:3040
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1108,10833995548945514907,6315520201489338686,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=85 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4644 /prefetch:1
    3⤵
    PID:1476
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1108,10833995548945514907,6315520201489338686,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=86 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3844 /prefetch:1
    3⤵
    PID:2184
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1108,10833995548945514907,6315520201489338686,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=87 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5236 /prefetch:1
    3⤵
    PID:2464
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1108,10833995548945514907,6315520201489338686,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=88 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5244 /prefetch:1
    3⤵
    PID:3712
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1108,10833995548945514907,6315520201489338686,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=89 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5324 /prefetch:1
    3⤵
    - Loads dropped DLL
    PID:2572
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1108,10833995548945514907,6315520201489338686,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=90 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5572 /prefetch:1
    3⤵
    PID:3036
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1108,10833995548945514907,6315520201489338686,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=92 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5544 /prefetch:1
    3⤵
    PID:1632
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1108,10833995548945514907,6315520201489338686,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=96 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5484 /prefetch:1
    3⤵
    PID:276
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1108,10833995548945514907,6315520201489338686,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=95 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5424 /prefetch:1
    3⤵
    PID:3372
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1108,10833995548945514907,6315520201489338686,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=94 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5500 /prefetch:1
    3⤵
    PID:3532
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1108,10833995548945514907,6315520201489338686,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=93 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5504 /prefetch:1
    3⤵
    PID:3560
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1108,10833995548945514907,6315520201489338686,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=91 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5600 /prefetch:1
    3⤵
    PID:3352
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1108,10833995548945514907,6315520201489338686,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=97 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5828 /prefetch:1
    3⤵
    PID:3680
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1108,10833995548945514907,6315520201489338686,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=99 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6388 /prefetch:1
    3⤵
    PID:2920
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1108,10833995548945514907,6315520201489338686,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=105 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7080 /prefetch:1
    3⤵
    PID:3320
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1108,10833995548945514907,6315520201489338686,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=104 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6968 /prefetch:1
    3⤵
    PID:3652
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1108,10833995548945514907,6315520201489338686,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=103 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6856 /prefetch:1
    3⤵
    PID:3400
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1108,10833995548945514907,6315520201489338686,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=102 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6744 /prefetch:1
    3⤵
    PID:3636
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1108,10833995548945514907,6315520201489338686,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=101 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6632 /prefetch:1
    3⤵
    PID:3340
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1108,10833995548945514907,6315520201489338686,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=100 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6504 /prefetch:1
    3⤵
    PID:3412
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1108,10833995548945514907,6315520201489338686,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=98 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6240 /prefetch:1
    3⤵
    PID:3052
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1108,10833995548945514907,6315520201489338686,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7248 /prefetch:8
    3⤵
    PID:1208
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1108,10833995548945514907,6315520201489338686,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7516 /prefetch:8
    3⤵
    PID:2484
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1108,10833995548945514907,6315520201489338686,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3140 /prefetch:8
    3⤵
    PID:4108
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1108,10833995548945514907,6315520201489338686,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7052 /prefetch:8
    3⤵
    PID:4188
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1108,10833995548945514907,6315520201489338686,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7024 /prefetch:8
    3⤵
    PID:4180
- - C:\Users\Admin\Downloads\mediaget_installer_456.exe
    "C:\Users\Admin\Downloads\mediaget_installer_456.exe"
    3⤵
    - Checks for any installed AV software in registry
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:4216
  - - C:\Users\Admin\AppData\Local\Temp\luminati\lum_inst.exe
      "C:\Users\Admin\AppData\Local\Temp\luminati\lum_inst.exe" /verysilent
      4⤵
      PID:4444
    - - C:\Users\Admin\AppData\Local\Temp\is-PQTIM.tmp\lum_inst.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-PQTIM.tmp\lum_inst.tmp" /SL5="$1D01AA,2212477,121344,C:\Users\Admin\AppData\Local\Temp\luminati\lum_inst.exe" /verysilent
        5⤵
        
        PID:4464
      - C:\Users\Admin\MediaGet2\Luminati-m\net_updater32.exe
        
        "C:\Users\Admin\MediaGet2\Luminati-m\net_updater32.exe" --install-ui win_mediaget.com --dlg-app-name MediaGet --dlg-tos-link "https://mediaget.com/license" --dlg-benefit-txt "MediaGet (Ad free)" --dlg-logo-link "https://mediaget.com/installer/binaries/mg-icon-400.png" --dlg-not-peer-txt ads --dlg-peer-txt remove_ads
        6⤵
        Modifies system certificate store
        NTFS ADS
        Suspicious use of AdjustPrivilegeToken
        
        PID:4492
        
        C:\Users\Admin\MediaGet2\Luminati-m\test_wpf.exe
        
        C:\Users\Admin\MediaGet2\Luminati-m\test_wpf.exe
        7⤵
        
        PID:4576
        
        C:\Users\Admin\MediaGet2\Luminati-m\net_updater32.exe
        
        "C:\Users\Admin\MediaGet2\Luminati-m\net_updater32.exe" --install win_mediaget.com --no-cleanup
        7⤵
        
        PID:4844
  - - C:\Users\Admin\MediaGet2\mediaget.exe
      "C:\Users\Admin\MediaGet2\mediaget.exe" --installer
      4⤵
      Adds Run key to start application
      Modifies registry class
      Suspicious behavior: AddClipboardFormatListener
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      PID:4928
    - - C:\Users\Admin\MediaGet2\mediaget_crashpad_handler.exe
        
        C:\Users\Admin\MediaGet2\mediaget_crashpad_handler.exe --no-rate-limit "--database=C:\Users\Admin\AppData\Local\Media Get LLC\MediaGet2\crashdumps" "--metrics-dir=C:\Users\Admin\AppData\Local\Media Get LLC\MediaGet2\crashdumps" "--attachment=C:/Users/Admin/AppData/Local/Media Get LLC/MediaGet2/crashdumps/logs/log" "--attachment=C:\Users\Admin\AppData\Local\Media Get LLC\MediaGet2\crashdumps\eafeffd0-2479-4c68-bcc2-5f5e9533cb4c.run\__sentry-event" "--attachment=C:\Users\Admin\AppData\Local\Media Get LLC\MediaGet2\crashdumps\eafeffd0-2479-4c68-bcc2-5f5e9533cb4c.run\__sentry-breadcrumb1" "--attachment=C:\Users\Admin\AppData\Local\Media Get LLC\MediaGet2\crashdumps\eafeffd0-2479-4c68-bcc2-5f5e9533cb4c.run\__sentry-breadcrumb2" --initial-client-data=0x3b4,0x3b8,0x3bc,0x388,0x3c0,0x70157b7c,0x70157b90,0x70157ba0
        5⤵
        
        PID:5032
    - - C:\Users\Admin\MediaGet2\QtWebEngineProcess.exe
        
        "C:\Users\Admin\MediaGet2\QtWebEngineProcess.exe" --type=utility --enable-features=AllowContentInitiatedDataUrlNavigations,TracingServiceInProcess --disable-features=BackgroundFetch,ConsolidatedMovementXY,DnsOverHttpsUpgrade,FormControlsRefresh,MojoVideoCapture,PictureInPicture,SmsReceiver,UseSkiaRenderer,WebPayments,WebUSB --lang=ja --service-sandbox-type=network --application-name=MediaGet2 --webengine-schemes=qrc:sLV --mojo-platform-channel-handle=1696 /prefetch:8
        5⤵
        
        PID:2208
    - - C:\Users\Admin\MediaGet2\QtWebEngineProcess.exe
        
        "C:\Users\Admin\MediaGet2\QtWebEngineProcess.exe" --type=renderer --disable-speech-api --enable-threaded-compositing --enable-features=AllowContentInitiatedDataUrlNavigations,TracingServiceInProcess --disable-features=BackgroundFetch,ConsolidatedMovementXY,DnsOverHttpsUpgrade,FormControlsRefresh,MojoVideoCapture,PictureInPicture,SmsReceiver,UseSkiaRenderer,WebPayments,WebUSB --disable-gpu-compositing --lang=ja --webengine-schemes=qrc:sLV --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=3 --mojo-platform-channel-handle=2356 /prefetch:1
        5⤵
        Checks computer location settings
        
        PID:4232
    - - C:\Users\Admin\MediaGet2\QtWebEngineProcess.exe
        
        "C:\Users\Admin\MediaGet2\QtWebEngineProcess.exe" --type=renderer --disable-speech-api --enable-threaded-compositing --enable-features=AllowContentInitiatedDataUrlNavigations,TracingServiceInProcess --disable-features=BackgroundFetch,ConsolidatedMovementXY,DnsOverHttpsUpgrade,FormControlsRefresh,MojoVideoCapture,PictureInPicture,SmsReceiver,UseSkiaRenderer,WebPayments,WebUSB --disable-gpu-compositing --lang=ja --webengine-schemes=qrc:sLV --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=4 --mojo-platform-channel-handle=2424 /prefetch:1
        5⤵
        Checks computer location settings
        
        PID:2656
    - - C:\Users\Admin\MediaGet2\QtWebEngineProcess.exe
        
        "C:\Users\Admin\MediaGet2\QtWebEngineProcess.exe" --type=renderer --disable-speech-api --enable-threaded-compositing --enable-features=AllowContentInitiatedDataUrlNavigations,TracingServiceInProcess --disable-features=BackgroundFetch,ConsolidatedMovementXY,DnsOverHttpsUpgrade,FormControlsRefresh,MojoVideoCapture,PictureInPicture,SmsReceiver,UseSkiaRenderer,WebPayments,WebUSB --disable-gpu-compositing --lang=ja --webengine-schemes=qrc:sLV --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --mojo-platform-channel-handle=3028 /prefetch:1
        5⤵
        Checks computer location settings
        
        PID:4788
    - - C:\Users\Admin\MediaGet2\Luminati-m\luminati-m-controller.exe
        
        C:\Users\Admin\MediaGet2\Luminati-m\luminati-m-controller.exe is_switch_on
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3016
      - C:\Users\Admin\MediaGet2\Luminati-m\test_wpf.exe
        
        C:\Users\Admin\MediaGet2\Luminati-m\test_wpf.exe
        6⤵
        
        PID:4668
  - - C:\Users\Admin\AppData\Local\Temp\opera\opera_binst.exe
      "C:\Users\Admin\AppData\Local\Temp\opera\opera_binst.exe" --silent --allusers=0
      4⤵
      Enumerates connected drives
      PID:2780
    - - C:\Users\Admin\AppData\Local\Temp\opera\opera_binst.exe
        
        C:\Users\Admin\AppData\Local\Temp\opera\opera_binst.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=82.0.4227.43 --initial-client-data=0x190,0x194,0x198,0x164,0x19c,0x65daa558,0x65daa568,0x65daa574
        5⤵
        
        PID:3404
    - - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_binst.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_binst.exe" --version
        5⤵
        
        PID:3332
    - - C:\Users\Admin\AppData\Local\Temp\opera\opera_binst.exe
        
        "C:\Users\Admin\AppData\Local\Temp\opera\opera_binst.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=ja --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=1 --pin-additional-shortcuts=1 --server-tracking-data=server_tracking_data --initial-pid=2780 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20220108195033" --session-guid=0d368632-f78f-4721-9b4f-ac03830a6b5c --server-tracking-blob="ZWZlNWZlNTk5NWE0NWI3YzIzNzdiODZmNmJlZjE0N2JhMjI5M2UxNGQ3ZDQwMmNjZTg1NzNjMTRiMTExYzhkZTp7ImNvdW50cnkiOiJVUyIsImluc3RhbGxlcl9uYW1lIjoiT3BlcmFTZXR1cC5leGUiLCJwcm9kdWN0Ijoib3BlcmEiLCJxdWVyeSI6Ii9vcGVyYS9zdGFibGUvd2luZG93cz91dG1fc291cmNlPW1ndCZ1dG1fbWVkaXVtPWFwYiZ1dG1fY2FtcGFpZ249bWd0IiwidGltZXN0YW1wIjoiMTY0MTY3MTQ0My4xNTcwIiwidXNlcmFnZW50IjoibV9pbnN0YWxsZXIiLCJ1dG0iOnsiY2FtcGFpZ24iOiJtZ3QiLCJtZWRpdW0iOiJhcGIiLCJzb3VyY2UiOiJtZ3QifSwidXVpZCI6ImE1MTdhZWVmLTliYmQtNDU4ZC04ZGY4LTIyMWU1MzFiNzY2MCJ9 " --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=F402000000000000
        5⤵
        
        PID:3568
      - C:\Users\Admin\AppData\Local\Temp\opera\opera_binst.exe
        
        C:\Users\Admin\AppData\Local\Temp\opera\opera_binst.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=82.0.4227.43 --initial-client-data=0x19c,0x1a0,0x1a4,0x164,0x1a8,0x6542a558,0x6542a568,0x6542a574
        6⤵
        
        PID:4164
      - C:\Users\Admin\AppData\Local\Programs\Opera\82.0.4227.43\installer.exe
        
        "C:\Users\Admin\AppData\Local\Programs\Opera\82.0.4227.43\installer.exe" --backend --initial-pid=2780 --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=ja --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=1 --pin-additional-shortcuts=1 --server-tracking-data=server_tracking_data --package-dir="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202201081950331" --session-guid=0d368632-f78f-4721-9b4f-ac03830a6b5c --server-tracking-blob="ZWZlNWZlNTk5NWE0NWI3YzIzNzdiODZmNmJlZjE0N2JhMjI5M2UxNGQ3ZDQwMmNjZTg1NzNjMTRiMTExYzhkZTp7ImNvdW50cnkiOiJVUyIsImluc3RhbGxlcl9uYW1lIjoiT3BlcmFTZXR1cC5leGUiLCJwcm9kdWN0Ijoib3BlcmEiLCJxdWVyeSI6Ii9vcGVyYS9zdGFibGUvd2luZG93cz91dG1fc291cmNlPW1ndCZ1dG1fbWVkaXVtPWFwYiZ1dG1fY2FtcGFpZ249bWd0IiwidGltZXN0YW1wIjoiMTY0MTY3MTQ0My4xNTcwIiwidXNlcmFnZW50IjoibV9pbnN0YWxsZXIiLCJ1dG0iOnsiY2FtcGFpZ24iOiJtZ3QiLCJtZWRpdW0iOiJhcGIiLCJzb3VyY2UiOiJtZ3QifSwidXVpZCI6ImE1MTdhZWVmLTliYmQtNDU4ZC04ZGY4LTIyMWU1MzFiNzY2MCJ9 " --silent --desktopshortcut=1 --install-subfolder=82.0.4227.43
        6⤵
        Enumerates connected drives
        Modifies registry class
        
        PID:4376
        
        C:\Users\Admin\AppData\Local\Programs\Opera\82.0.4227.43\installer.exe
        
        C:\Users\Admin\AppData\Local\Programs\Opera\82.0.4227.43\installer.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win64 --annotation=prod=OperaDesktop --annotation=ver=82.0.4227.43 --initial-client-data=0x17c,0x180,0x184,0x150,0x188,0x7fef3b6cb48,0x7fef3b6cb58,0x7fef3b6cb68
        7⤵
        
        PID:4972
        
        C:\Users\Admin\AppData\Local\Programs\Opera\launcher.exe
        
        "C:\Users\Admin\AppData\Local\Programs\Opera\launcher.exe" --start-maximized
        7⤵
        
        PID:4440
        
        C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe
        
        "C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe" --start-maximized --ran-launcher
        8⤵
        
        PID:3968
        
        C:\Users\Admin\AppData\Local\Programs\Opera\82.0.4227.43\opera_crashreporter.exe
        
        C:\Users\Admin\AppData\Local\Programs\Opera\82.0.4227.43\opera_crashreporter.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win64 --annotation=prod=OperaDesktop --annotation=ver=82.0.4227.43 --initial-client-data=0x14c,0x150,0x154,0x120,0x158,0xb0a34d0,0xb0a34e0,0xb0a34f0
        9⤵
        
        PID:3268
        
        C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe
        
        "C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe" --type=gpu-process --field-trial-handle=928,6686042035897036877,5291368082051793144,131072 --start-stack-profiler --with-feature:adblock-snippets=on --with-feature:aliexpress-modal=off --with-feature:bookmarks-trash-cleaner=on --with-feature:continue-on-booking=on --with-feature:continue-shopping=on --with-feature:continue-shopping-2=on --with-feature:continue-shopping-5=on --with-feature:enhanced-address-bar=on --with-feature:feature-remote-disable-updates-testing-flag=off --with-feature:feature-remote-updates-testing-flag=on --with-feature:partner-inline-autocompletion=on --with-feature:pinboard-local=on --with-feature:premium-valve-in=on --with-feature:reader-mode=on --with-feature:rollout-dna=on --with-feature:sd-suggestions-external=on --with-feature:startpage-sync-banner-ref=on --with-feature:yandex-zen-leads-for-nonsdusers=off --with-feature:yandex-zen-lift-up=off --with-feature:yandex-zen-news-next=on --with-feature:yat-emoji-addresses=on --with-feature:installer-experiment-test=off --with-feature:installer-use-minimal-package=off --with-feature:installer-opera-exe-in-root=on --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAANAAAAEAAAAAAAAAABAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=932 /prefetch:2
        9⤵
        
        PID:2880
        
        C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe
        
        "C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=928,6686042035897036877,5291368082051793144,131072 --lang=ja --service-sandbox-type=none --enable-quic --start-stack-profiler --with-feature:adblock-snippets=on --with-feature:aliexpress-modal=off --with-feature:bookmarks-trash-cleaner=on --with-feature:continue-on-booking=on --with-feature:continue-shopping=on --with-feature:continue-shopping-2=on --with-feature:continue-shopping-5=on --with-feature:enhanced-address-bar=on --with-feature:feature-remote-disable-updates-testing-flag=off --with-feature:feature-remote-updates-testing-flag=on --with-feature:partner-inline-autocompletion=on --with-feature:pinboard-local=on --with-feature:premium-valve-in=on --with-feature:reader-mode=on --with-feature:rollout-dna=on --with-feature:sd-suggestions-external=on --with-feature:startpage-sync-banner-ref=on --with-feature:yandex-zen-leads-for-nonsdusers=off --with-feature:yandex-zen-lift-up=off --with-feature:yandex-zen-news-next=on --with-feature:yat-emoji-addresses=on --with-feature:installer-experiment-test=off --with-feature:installer-use-minimal-package=off --with-feature:installer-opera-exe-in-root=on --mojo-platform-channel-handle=1240 /prefetch:8
        9⤵
        
        PID:2152
    - - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202201081950331\assistant\_sfx.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202201081950331\assistant\_sfx.exe"
        5⤵
        
        PID:2084
    - - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202201081950331\assistant\assistant_installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202201081950331\assistant\assistant_installer.exe" --version
        5⤵
        
        PID:4864
      - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202201081950331\assistant\assistant_installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202201081950331\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=80.0.4170.40 --initial-client-data=0x12c,0x130,0x134,0x100,0x138,0x1477c90,0x1477ca0,0x1477cac
        6⤵
        
        PID:2144
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1108,10833995548945514907,6315520201489338686,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=111 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5428 /prefetch:1
    3⤵
    PID:4280
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1108,10833995548945514907,6315520201489338686,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=112 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5504 /prefetch:1
    3⤵
    PID:4420
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1108,10833995548945514907,6315520201489338686,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=113 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5644 /prefetch:1
    3⤵
    PID:4396
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1108,10833995548945514907,6315520201489338686,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=114 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5876 /prefetch:1
    3⤵
    PID:4444
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1108,10833995548945514907,6315520201489338686,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=115 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7316 /prefetch:1
    3⤵
    PID:4640
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1108,10833995548945514907,6315520201489338686,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=116 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7196 /prefetch:1
    3⤵
    PID:2636
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1108,10833995548945514907,6315520201489338686,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1576 /prefetch:8
    3⤵
    PID:4592
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1108,10833995548945514907,6315520201489338686,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5444 /prefetch:8
    3⤵
    PID:3656
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1108,10833995548945514907,6315520201489338686,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5724 /prefetch:8
    3⤵
    PID:4972
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1108,10833995548945514907,6315520201489338686,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3796 /prefetch:8
    3⤵
    PID:4668
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1108,10833995548945514907,6315520201489338686,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=121 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3472 /prefetch:1
    3⤵
    PID:4340
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1108,10833995548945514907,6315520201489338686,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7220 /prefetch:8
    3⤵
    PID:4120
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1108,10833995548945514907,6315520201489338686,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5964 /prefetch:8
    3⤵
    PID:4400
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1108,10833995548945514907,6315520201489338686,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=124 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1544 /prefetch:1
    3⤵
    PID:980
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1108,10833995548945514907,6315520201489338686,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6064 /prefetch:8
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:972
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1108,10833995548945514907,6315520201489338686,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=126 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5816 /prefetch:1
    3⤵
    - Drops file in Program Files directory
    PID:3928
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1108,10833995548945514907,6315520201489338686,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=127 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6204 /prefetch:1
    3⤵
    PID:3064
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1108,10833995548945514907,6315520201489338686,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=128 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5816 /prefetch:1
    3⤵
    PID:4276
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1108,10833995548945514907,6315520201489338686,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5300 /prefetch:8
    3⤵
    PID:4352
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1108,10833995548945514907,6315520201489338686,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1760 /prefetch:8
    3⤵
    PID:4024
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1108,10833995548945514907,6315520201489338686,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2960 /prefetch:8
    3⤵
    PID:4416
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1108,10833995548945514907,6315520201489338686,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7220 /prefetch:8
    3⤵
    PID:4120
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1108,10833995548945514907,6315520201489338686,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1732 /prefetch:8
    3⤵
    PID:4288
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1108,10833995548945514907,6315520201489338686,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=624 /prefetch:8
    3⤵
    PID:3332
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1108,10833995548945514907,6315520201489338686,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2972 /prefetch:8
    3⤵
    PID:4368
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1108,10833995548945514907,6315520201489338686,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=912 /prefetch:8
    3⤵
    PID:4160
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1108,10833995548945514907,6315520201489338686,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5264 /prefetch:8
    3⤵
    PID:3040
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1108,10833995548945514907,6315520201489338686,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5448 /prefetch:8
    3⤵
    PID:4704
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1108,10833995548945514907,6315520201489338686,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2436 /prefetch:8
    3⤵
    PID:3492
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1108,10833995548945514907,6315520201489338686,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2620 /prefetch:8
    3⤵
    PID:4652
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1108,10833995548945514907,6315520201489338686,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2768 /prefetch:8
    3⤵
    PID:3152
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1108,10833995548945514907,6315520201489338686,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3432 /prefetch:8
    3⤵
    PID:3708
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1108,10833995548945514907,6315520201489338686,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=143 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4896 /prefetch:1
    3⤵
    PID:3548
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1108,10833995548945514907,6315520201489338686,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=144 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
    3⤵
    PID:3956
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1108,10833995548945514907,6315520201489338686,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=145 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2072 /prefetch:1
    3⤵
    PID:1644
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1108,10833995548945514907,6315520201489338686,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=146 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6004 /prefetch:1
    3⤵
    PID:3092
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1108,10833995548945514907,6315520201489338686,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3624 /prefetch:8
    3⤵
    PID:188
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1108,10833995548945514907,6315520201489338686,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2972 /prefetch:8
    3⤵
    PID:832
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1108,10833995548945514907,6315520201489338686,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6208 /prefetch:8
    3⤵
    PID:2744
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1108,10833995548945514907,6315520201489338686,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3460 /prefetch:8
    3⤵
    PID:3944
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1108,10833995548945514907,6315520201489338686,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=1544 /prefetch:8
    3⤵
    PID:3804
- - C:\Users\Admin\Downloads\WcInstaller.exe
    "C:\Users\Admin\Downloads\WcInstaller.exe"
    3⤵
    PID:4964
  - - C:\Users\Admin\AppData\Local\Temp\7zS46340B82\WebCompanionInstaller.exe
      .\WebCompanionInstaller.exe --webprotection --partner=newwebsite --version=8.0.0.214
      4⤵
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      PID:2924
    - - C:\Windows\SysWOW64\sc.exe
        
        "sc.exe" Create "WCAssistantService" binPath= "C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.WCAssistant.WinService.exe" DisplayName= "WC Assistant" start= auto
        5⤵
        
        PID:2896
    - - C:\Windows\SysWOW64\sc.exe
        
        "sc.exe" failure WCAssistantService reset= 30 actions= restart/60000
        5⤵
        
        PID:4152
    - - C:\Windows\SysWOW64\sc.exe
        
        "sc.exe" description "WCAssistantService" "Ad-Aware Web Companion Internet security service"
        5⤵
        
        PID:1624
    - - C:\Windows\system32\RunDLL32.Exe
        
        "C:\Windows\sysnative\RunDLL32.Exe" syssetup,SetupInfObjectInstallAction BootInstall 128 C:\Program Files (x86)\Lavasoft\Web Companion\Service\x64\bddci.inf
        5⤵
        Drops file in Drivers directory
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:4108
      - C:\Windows\system32\runonce.exe
        
        "C:\Windows\system32\runonce.exe" -r
        6⤵
        Checks processor information in registry
        
        PID:4392
        
        C:\Windows\System32\grpconv.exe
        
        "C:\Windows\System32\grpconv.exe" -o
        7⤵
        
        PID:3588
    - - C:\Windows\system32\net.exe
        
        "C:\Windows\sysnative\net.exe" start bddci
        5⤵
        
        PID:2716
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 start bddci
        6⤵
        
        PID:4620
    - - C:\Windows\SysWOW64\sc.exe
        
        "sc.exe" Create "DCIService" binPath= "C:\Program Files (x86)\Lavasoft\Web Companion\Service\x64\DCIService.exe" DisplayName= "DCIService" start= auto
        5⤵
        
        PID:3208
    - - C:\Windows\SysWOW64\sc.exe
        
        "sc.exe" description "DCIService" "Webprotection Bridge service"
        5⤵
        
        PID:4176
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Program Files (x86)\Lavasoft\Web Companion\Service\x64\bridge_start.cmd"
        5⤵
        
        PID:3800
      - C:\Windows\SysWOW64\sc.exe
        
        sc start DCIService
        6⤵
        
        PID:4612
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C netsh http add urlacl url=http://+:9007/ user=Everyone
        5⤵
        
        PID:2940
      - C:\Windows\SysWOW64\netsh.exe
        
        netsh http add urlacl url=http://+:9007/ user=Everyone
        6⤵
        
        PID:3556
    - - C:\Program Files (x86)\Lavasoft\Web Companion\Application\WebCompanion.exe
        
        "C:\Program Files (x86)\Lavasoft\Web Companion\Application\WebCompanion.exe" --install --geo=
        5⤵
        Adds Run key to start application
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2760
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ygh6s4gu.cmdline"
        6⤵
        
        PID:4368
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA94B.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCA94A.tmp"
        7⤵
        
        PID:2108
    - - C:\Program Files (x86)\Lavasoft\Web Companion\Application\WebCompanion.exe
        
        "C:\Program Files (x86)\Lavasoft\Web Companion\Application\WebCompanion.exe" --afterinstall
        5⤵
        Adds Run key to start application
        
        PID:3116
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\pkg4eiuc.cmdline"
        6⤵
        
        PID:868
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1FB2.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC1FB1.tmp"
        7⤵
        
        PID:2056
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1108,10833995548945514907,6315520201489338686,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=152 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2460 /prefetch:1
    3⤵
    PID:4580
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1108,10833995548945514907,6315520201489338686,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=153 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5948 /prefetch:1
    3⤵
    PID:4392
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1108,10833995548945514907,6315520201489338686,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6584 /prefetch:8
    3⤵
    PID:4836
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1108,10833995548945514907,6315520201489338686,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2160 /prefetch:8
    3⤵
    PID:4828
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1108,10833995548945514907,6315520201489338686,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4320 /prefetch:8
    3⤵
    PID:3328
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1108,10833995548945514907,6315520201489338686,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=157 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4284 /prefetch:1
    3⤵
    PID:4160
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1108,10833995548945514907,6315520201489338686,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=158 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2144 /prefetch:1
    3⤵
    PID:1084
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1108,10833995548945514907,6315520201489338686,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=159 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2040 /prefetch:1
    3⤵
    PID:1660
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1108,10833995548945514907,6315520201489338686,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=160 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5080 /prefetch:1
    3⤵
    PID:3012
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1108,10833995548945514907,6315520201489338686,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2148 /prefetch:8
    3⤵
    PID:3256
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1108,10833995548945514907,6315520201489338686,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3712 /prefetch:8
    3⤵
    PID:2260
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1108,10833995548945514907,6315520201489338686,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2168 /prefetch:8
    3⤵
    PID:3028
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1108,10833995548945514907,6315520201489338686,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=164 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3388 /prefetch:1
    3⤵
    PID:2272
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1108,10833995548945514907,6315520201489338686,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=165 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5012 /prefetch:1
    3⤵
    PID:2732
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1108,10833995548945514907,6315520201489338686,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=166 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5352 /prefetch:1
    3⤵
    PID:2908
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1108,10833995548945514907,6315520201489338686,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=167 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4632 /prefetch:1
    3⤵
    PID:3816
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1108,10833995548945514907,6315520201489338686,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=168 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2660 /prefetch:1
    3⤵
    PID:2096
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1108,10833995548945514907,6315520201489338686,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=169 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3852 /prefetch:1
    3⤵
    PID:4044
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1108,10833995548945514907,6315520201489338686,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=170 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3652 /prefetch:1
    3⤵
    PID:4892
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1108,10833995548945514907,6315520201489338686,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=171 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1500 /prefetch:1
    3⤵
    PID:860
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1108,10833995548945514907,6315520201489338686,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=172 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2856 /prefetch:1
    3⤵
    PID:3788
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1108,10833995548945514907,6315520201489338686,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=173 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2168 /prefetch:1
    3⤵
    PID:3540
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1108,10833995548945514907,6315520201489338686,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=174 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5100 /prefetch:1
    3⤵
    PID:3220
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1108,10833995548945514907,6315520201489338686,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=175 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3544 /prefetch:1
    3⤵
    PID:2640
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1108,10833995548945514907,6315520201489338686,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=176 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5040 /prefetch:1
    3⤵
    PID:4832
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1108,10833995548945514907,6315520201489338686,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=177 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3976 /prefetch:1
    3⤵
    PID:3300
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1108,10833995548945514907,6315520201489338686,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=178 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4856 /prefetch:1
    3⤵
    PID:840
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1108,10833995548945514907,6315520201489338686,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3392 /prefetch:8
    3⤵
    PID:3328
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1108,10833995548945514907,6315520201489338686,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=180 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4500 /prefetch:1
    3⤵
    PID:4340
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1108,10833995548945514907,6315520201489338686,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=181 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5592 /prefetch:1
    3⤵
    PID:3728
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1108,10833995548945514907,6315520201489338686,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3936 /prefetch:8
    3⤵
    PID:4600
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1108,10833995548945514907,6315520201489338686,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=183 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3456 /prefetch:1
    3⤵
    PID:2024
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1108,10833995548945514907,6315520201489338686,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=184 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3796 /prefetch:1
    3⤵
    PID:3412
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1108,10833995548945514907,6315520201489338686,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=185 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1948 /prefetch:1
    3⤵
    PID:4420
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1108,10833995548945514907,6315520201489338686,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=186 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1
    3⤵
    PID:3980
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1108,10833995548945514907,6315520201489338686,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=187 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:1
    3⤵
    PID:4312
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1108,10833995548945514907,6315520201489338686,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=188 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2192 /prefetch:1
    3⤵
    PID:4072
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1108,10833995548945514907,6315520201489338686,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3792 /prefetch:8
    3⤵
    PID:3548
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1108,10833995548945514907,6315520201489338686,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=190 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6652 /prefetch:1
    3⤵
    PID:112
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1108,10833995548945514907,6315520201489338686,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=191 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:1
    3⤵
    PID:3896
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1108,10833995548945514907,6315520201489338686,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=192 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4960 /prefetch:1
    3⤵
    PID:1764
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1108,10833995548945514907,6315520201489338686,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=194 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7188 /prefetch:1
    3⤵
    PID:2652
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1108,10833995548945514907,6315520201489338686,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=198 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6304 /prefetch:1
    3⤵
    PID:2908
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1108,10833995548945514907,6315520201489338686,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=200 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6028 /prefetch:1
    3⤵
    PID:3768
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1108,10833995548945514907,6315520201489338686,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=199 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6280 /prefetch:1
    3⤵
    PID:2904
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1108,10833995548945514907,6315520201489338686,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=197 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4476 /prefetch:1
    3⤵
    PID:2636
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1108,10833995548945514907,6315520201489338686,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=196 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5548 /prefetch:1
    3⤵
    PID:1924
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1108,10833995548945514907,6315520201489338686,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=195 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2448 /prefetch:1
    3⤵
    PID:3392
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1108,10833995548945514907,6315520201489338686,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=193 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5176 /prefetch:1
    3⤵
    PID:3856
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1108,10833995548945514907,6315520201489338686,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=201 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6372 /prefetch:1
    3⤵
    PID:1624
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1108,10833995548945514907,6315520201489338686,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=202 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7420 /prefetch:1
    3⤵
    PID:1776
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1108,10833995548945514907,6315520201489338686,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=203 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7088 /prefetch:1
    3⤵
    PID:2840
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1108,10833995548945514907,6315520201489338686,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=207 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5480 /prefetch:1
    3⤵
    PID:3300
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1108,10833995548945514907,6315520201489338686,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=206 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6348 /prefetch:1
    3⤵
    PID:4964
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1108,10833995548945514907,6315520201489338686,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=205 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6244 /prefetch:1
    3⤵
    PID:1052
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1108,10833995548945514907,6315520201489338686,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=204 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6812 /prefetch:1
    3⤵
    PID:2624
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1108,10833995548945514907,6315520201489338686,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7360 /prefetch:8
    3⤵
    PID:5004
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1108,10833995548945514907,6315520201489338686,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6112 /prefetch:8
    3⤵
    PID:5116
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1108,10833995548945514907,6315520201489338686,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6740 /prefetch:8
    3⤵
    PID:4712
- - C:\Users\Admin\Downloads\winzip26-p003.exe
    "C:\Users\Admin\Downloads\winzip26-p003.exe"
    3⤵
    PID:4368
  - - C:\Users\Admin\AppData\Local\Temp\f86313e\winzip26-p003.exe
      run=1 shortcut="C:\Users\Admin\Downloads\winzip26-p003.exe"
      4⤵
      Checks computer location settings
      Enumerates connected drives
      Modifies system certificate store
      Suspicious use of AdjustPrivilegeToken
      PID:2212
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1108,10833995548945514907,6315520201489338686,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7068 /prefetch:8
    3⤵
    PID:4908
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1108,10833995548945514907,6315520201489338686,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3824 /prefetch:8
    3⤵
    PID:4720
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1108,10833995548945514907,6315520201489338686,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=213 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2452 /prefetch:1
    3⤵
    PID:4444
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1108,10833995548945514907,6315520201489338686,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=217 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3972 /prefetch:1
    3⤵
    PID:1664
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1108,10833995548945514907,6315520201489338686,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=216 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6296 /prefetch:1
    3⤵
    PID:3484
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1108,10833995548945514907,6315520201489338686,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=215 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5600 /prefetch:1
    3⤵
    PID:5024
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1108,10833995548945514907,6315520201489338686,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=214 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5584 /prefetch:1
    3⤵
    PID:2636
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1108,10833995548945514907,6315520201489338686,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=218 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4608 /prefetch:1
    3⤵
    PID:2896
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1108,10833995548945514907,6315520201489338686,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=219 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5872 /prefetch:1
    3⤵
    PID:4908
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1108,10833995548945514907,6315520201489338686,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=220 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7436 /prefetch:1
    3⤵
    PID:4580
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1108,10833995548945514907,6315520201489338686,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=221 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7596 /prefetch:1
    3⤵
    PID:3952
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1108,10833995548945514907,6315520201489338686,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=222 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7164 /prefetch:1
    3⤵
    PID:4796
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1108,10833995548945514907,6315520201489338686,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=223 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7460 /prefetch:1
    3⤵
    PID:4920
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1108,10833995548945514907,6315520201489338686,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=224 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6768 /prefetch:1
    3⤵
    PID:2292
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1108,10833995548945514907,6315520201489338686,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=225 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5248 /prefetch:1
    3⤵
    PID:2268
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1108,10833995548945514907,6315520201489338686,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=226 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5276 /prefetch:1
    3⤵
    PID:1696
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1108,10833995548945514907,6315520201489338686,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=227 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7200 /prefetch:1
    3⤵
    PID:3340
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1108,10833995548945514907,6315520201489338686,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=228 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5616 /prefetch:1
    3⤵
    PID:3996
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1108,10833995548945514907,6315520201489338686,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=229 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7760 /prefetch:1
    3⤵
    PID:4148
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1108,10833995548945514907,6315520201489338686,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=231 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7960 /prefetch:1
    3⤵
    PID:2112
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1108,10833995548945514907,6315520201489338686,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=230 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7876 /prefetch:1
    3⤵
    PID:2260
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1108,10833995548945514907,6315520201489338686,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=232 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8548 /prefetch:1
    3⤵
    PID:1376
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1108,10833995548945514907,6315520201489338686,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=233 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5620 /prefetch:1
    3⤵
    PID:1992
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1108,10833995548945514907,6315520201489338686,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=234 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7032 /prefetch:1
    3⤵
    PID:5432
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1108,10833995548945514907,6315520201489338686,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=236 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7192 /prefetch:1
    3⤵
    PID:5520
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1108,10833995548945514907,6315520201489338686,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=237 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5556 /prefetch:1
    3⤵
    PID:5528
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1108,10833995548945514907,6315520201489338686,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=235 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5848 /prefetch:1
    3⤵
    PID:5512
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1108,10833995548945514907,6315520201489338686,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=238 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8040 /prefetch:1
    3⤵
    PID:5808
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1108,10833995548945514907,6315520201489338686,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=239 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5156 /prefetch:1
    3⤵
    PID:5940
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1108,10833995548945514907,6315520201489338686,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=240 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8128 /prefetch:1
    3⤵
    PID:5132
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1108,10833995548945514907,6315520201489338686,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=241 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6964 /prefetch:1
    3⤵
    PID:5188
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1108,10833995548945514907,6315520201489338686,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=242 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3832 /prefetch:1
    3⤵
    PID:4892
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1108,10833995548945514907,6315520201489338686,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=244 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8056 /prefetch:1
    3⤵
    PID:672
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1108,10833995548945514907,6315520201489338686,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=246 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4552 /prefetch:1
    3⤵
    PID:2340
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1108,10833995548945514907,6315520201489338686,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=245 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6160 /prefetch:1
    3⤵
    PID:4456
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1108,10833995548945514907,6315520201489338686,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=243 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8132 /prefetch:1
    3⤵
    PID:4264
- C:\Windows\system32\taskmgr.exe
  "C:\Windows\system32\taskmgr.exe" /4
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SendNotifyMessage
  PID:2328
- C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe
  "C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe" --start-maximized --ran-launcher --flag-switches-begin --flag-switches-end --enable-quic --lowered-browser
  2⤵
  - Checks computer location settings
  - Enumerates system info in registry
  PID:3828
- - C:\Users\Admin\AppData\Local\Programs\Opera\82.0.4227.43\opera_crashreporter.exe
    C:\Users\Admin\AppData\Local\Programs\Opera\82.0.4227.43\opera_crashreporter.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win64 --annotation=prod=OperaDesktop --annotation=ver=82.0.4227.43 --initial-client-data=0x14c,0x150,0x154,0x120,0x158,0x7feda8034d0,0x7feda8034e0,0x7feda8034f0
    3⤵
    PID:3700
- - C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe
    "C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe" --type=gpu-process --field-trial-handle=1052,3996884293776956437,14333588718277614381,131072 --start-stack-profiler --with-feature:adblock-snippets=on --with-feature:aliexpress-modal=off --with-feature:bookmarks-trash-cleaner=on --with-feature:continue-on-booking=on --with-feature:continue-shopping=on --with-feature:continue-shopping-2=on --with-feature:continue-shopping-5=on --with-feature:enhanced-address-bar=on --with-feature:feature-remote-disable-updates-testing-flag=off --with-feature:feature-remote-updates-testing-flag=on --with-feature:partner-inline-autocompletion=on --with-feature:pinboard-local=on --with-feature:premium-valve-in=on --with-feature:reader-mode=on --with-feature:rollout-dna=on --with-feature:sd-suggestions-external=on --with-feature:startpage-sync-banner-ref=on --with-feature:yandex-zen-leads-for-nonsdusers=off --with-feature:yandex-zen-lift-up=off --with-feature:yandex-zen-news-next=on --with-feature:yat-emoji-addresses=on --with-feature:installer-experiment-test=off --with-feature:installer-use-minimal-package=off --with-feature:installer-opera-exe-in-root=on --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAANAAAAEAAAAAAAAAABAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1060 /prefetch:2
    3⤵
    PID:5068
- - C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe
    "C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1052,3996884293776956437,14333588718277614381,131072 --lang=ja --service-sandbox-type=none --enable-quic --start-stack-profiler --with-feature:adblock-snippets=on --with-feature:aliexpress-modal=off --with-feature:bookmarks-trash-cleaner=on --with-feature:continue-on-booking=on --with-feature:continue-shopping=on --with-feature:continue-shopping-2=on --with-feature:continue-shopping-5=on --with-feature:enhanced-address-bar=on --with-feature:feature-remote-disable-updates-testing-flag=off --with-feature:feature-remote-updates-testing-flag=on --with-feature:partner-inline-autocompletion=on --with-feature:pinboard-local=on --with-feature:premium-valve-in=on --with-feature:reader-mode=on --with-feature:rollout-dna=on --with-feature:sd-suggestions-external=on --with-feature:startpage-sync-banner-ref=on --with-feature:yandex-zen-leads-for-nonsdusers=off --with-feature:yandex-zen-lift-up=off --with-feature:yandex-zen-news-next=on --with-feature:yat-emoji-addresses=on --with-feature:installer-experiment-test=off --with-feature:installer-use-minimal-package=off --with-feature:installer-opera-exe-in-root=on --mojo-platform-channel-handle=1256 /prefetch:8
    3⤵
    PID:2832
- - C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe
    "C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1052,3996884293776956437,14333588718277614381,131072 --lang=ja --service-sandbox-type=utility --enable-quic --with-feature:adblock-snippets=on --with-feature:aliexpress-modal=off --with-feature:bookmarks-trash-cleaner=on --with-feature:continue-on-booking=on --with-feature:continue-shopping=on --with-feature:continue-shopping-2=on --with-feature:continue-shopping-5=on --with-feature:enhanced-address-bar=on --with-feature:feature-remote-disable-updates-testing-flag=off --with-feature:feature-remote-updates-testing-flag=on --with-feature:partner-inline-autocompletion=on --with-feature:pinboard-local=on --with-feature:premium-valve-in=on --with-feature:reader-mode=on --with-feature:rollout-dna=on --with-feature:sd-suggestions-external=on --with-feature:startpage-sync-banner-ref=on --with-feature:yandex-zen-leads-for-nonsdusers=off --with-feature:yandex-zen-lift-up=off --with-feature:yandex-zen-news-next=on --with-feature:yat-emoji-addresses=on --with-feature:installer-experiment-test=off --with-feature:installer-use-minimal-package=off --with-feature:installer-opera-exe-in-root=on --mojo-platform-channel-handle=1564 /prefetch:8
    3⤵
    PID:4852
- - C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe
    "C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe" --type=renderer --display-capture-permissions-policy-allowed --with-feature:adblock-snippets=on --with-feature:aliexpress-modal=off --with-feature:bookmarks-trash-cleaner=on --with-feature:continue-on-booking=on --with-feature:continue-shopping=on --with-feature:continue-shopping-2=on --with-feature:continue-shopping-5=on --with-feature:enhanced-address-bar=on --with-feature:feature-remote-disable-updates-testing-flag=off --with-feature:feature-remote-updates-testing-flag=on --with-feature:partner-inline-autocompletion=on --with-feature:pinboard-local=on --with-feature:premium-valve-in=on --with-feature:reader-mode=on --with-feature:rollout-dna=on --with-feature:sd-suggestions-external=on --with-feature:startpage-sync-banner-ref=on --with-feature:yandex-zen-leads-for-nonsdusers=off --with-feature:yandex-zen-lift-up=off --with-feature:yandex-zen-news-next=on --with-feature:yat-emoji-addresses=on --with-feature:installer-experiment-test=off --with-feature:installer-use-minimal-package=off --with-feature:installer-opera-exe-in-root=on --field-trial-handle=1052,3996884293776956437,14333588718277614381,131072 --lang=ja --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --mojo-platform-channel-handle=1980 /prefetch:1
    3⤵
    - Checks computer location settings
    PID:3640
- - C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe
    "C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe" --type=renderer --display-capture-permissions-policy-allowed --with-feature:adblock-snippets=on --with-feature:aliexpress-modal=off --with-feature:bookmarks-trash-cleaner=on --with-feature:continue-on-booking=on --with-feature:continue-shopping=on --with-feature:continue-shopping-2=on --with-feature:continue-shopping-5=on --with-feature:enhanced-address-bar=on --with-feature:feature-remote-disable-updates-testing-flag=off --with-feature:feature-remote-updates-testing-flag=on --with-feature:partner-inline-autocompletion=on --with-feature:pinboard-local=on --with-feature:premium-valve-in=on --with-feature:reader-mode=on --with-feature:rollout-dna=on --with-feature:sd-suggestions-external=on --with-feature:startpage-sync-banner-ref=on --with-feature:yandex-zen-leads-for-nonsdusers=off --with-feature:yandex-zen-lift-up=off --with-feature:yandex-zen-news-next=on --with-feature:yat-emoji-addresses=on --with-feature:installer-experiment-test=off --with-feature:installer-use-minimal-package=off --with-feature:installer-opera-exe-in-root=on --field-trial-handle=1052,3996884293776956437,14333588718277614381,131072 --lang=ja --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --mojo-platform-channel-handle=1988 /prefetch:1
    3⤵
    - Checks computer location settings
    PID:4256
- - C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe
    "C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --with-feature:adblock-snippets=on --with-feature:aliexpress-modal=off --with-feature:bookmarks-trash-cleaner=on --with-feature:continue-on-booking=on --with-feature:continue-shopping=on --with-feature:continue-shopping-2=on --with-feature:continue-shopping-5=on --with-feature:enhanced-address-bar=on --with-feature:feature-remote-disable-updates-testing-flag=off --with-feature:feature-remote-updates-testing-flag=on --with-feature:partner-inline-autocompletion=on --with-feature:pinboard-local=on --with-feature:premium-valve-in=on --with-feature:reader-mode=on --with-feature:rollout-dna=on --with-feature:sd-suggestions-external=on --with-feature:startpage-sync-banner-ref=on --with-feature:yandex-zen-leads-for-nonsdusers=off --with-feature:yandex-zen-lift-up=off --with-feature:yandex-zen-news-next=on --with-feature:yat-emoji-addresses=on --with-feature:installer-experiment-test=off --with-feature:installer-use-minimal-package=off --with-feature:installer-opera-exe-in-root=on --field-trial-handle=1052,3996884293776956437,14333588718277614381,131072 --lang=ja --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --mojo-platform-channel-handle=2216 /prefetch:1
    3⤵
    - Checks computer location settings
    PID:3404
- - C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe
    "C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1052,3996884293776956437,14333588718277614381,131072 --lang=ja --service-sandbox-type=service --enable-quic --with-feature:adblock-snippets=on --with-feature:aliexpress-modal=off --with-feature:bookmarks-trash-cleaner=on --with-feature:continue-on-booking=on --with-feature:continue-shopping=on --with-feature:continue-shopping-2=on --with-feature:continue-shopping-5=on --with-feature:enhanced-address-bar=on --with-feature:feature-remote-disable-updates-testing-flag=off --with-feature:feature-remote-updates-testing-flag=on --with-feature:partner-inline-autocompletion=on --with-feature:pinboard-local=on --with-feature:premium-valve-in=on --with-feature:reader-mode=on --with-feature:rollout-dna=on --with-feature:sd-suggestions-external=on --with-feature:startpage-sync-banner-ref=on --with-feature:yandex-zen-leads-for-nonsdusers=off --with-feature:yandex-zen-lift-up=off --with-feature:yandex-zen-news-next=on --with-feature:yat-emoji-addresses=on --with-feature:installer-experiment-test=off --with-feature:installer-use-minimal-package=off --with-feature:installer-opera-exe-in-root=on --mojo-platform-channel-handle=2248 /prefetch:8
    3⤵
    PID:3604
- - C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe
    "C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1052,3996884293776956437,14333588718277614381,131072 --lang=ja --service-sandbox-type=service --enable-quic --with-feature:adblock-snippets=on --with-feature:aliexpress-modal=off --with-feature:bookmarks-trash-cleaner=on --with-feature:continue-on-booking=on --with-feature:continue-shopping=on --with-feature:continue-shopping-2=on --with-feature:continue-shopping-5=on --with-feature:enhanced-address-bar=on --with-feature:feature-remote-disable-updates-testing-flag=off --with-feature:feature-remote-updates-testing-flag=on --with-feature:partner-inline-autocompletion=on --with-feature:pinboard-local=on --with-feature:premium-valve-in=on --with-feature:reader-mode=on --with-feature:rollout-dna=on --with-feature:sd-suggestions-external=on --with-feature:startpage-sync-banner-ref=on --with-feature:yandex-zen-leads-for-nonsdusers=off --with-feature:yandex-zen-lift-up=off --with-feature:yandex-zen-news-next=on --with-feature:yat-emoji-addresses=on --with-feature:installer-experiment-test=off --with-feature:installer-use-minimal-package=off --with-feature:installer-opera-exe-in-root=on --mojo-platform-channel-handle=2260 /prefetch:8
    3⤵
    PID:4564
- - C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe
    "C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1052,3996884293776956437,14333588718277614381,131072 --lang=ja --service-sandbox-type=service --enable-quic --with-feature:adblock-snippets=on --with-feature:aliexpress-modal=off --with-feature:bookmarks-trash-cleaner=on --with-feature:continue-on-booking=on --with-feature:continue-shopping=on --with-feature:continue-shopping-2=on --with-feature:continue-shopping-5=on --with-feature:enhanced-address-bar=on --with-feature:feature-remote-disable-updates-testing-flag=off --with-feature:feature-remote-updates-testing-flag=on --with-feature:partner-inline-autocompletion=on --with-feature:pinboard-local=on --with-feature:premium-valve-in=on --with-feature:reader-mode=on --with-feature:rollout-dna=on --with-feature:sd-suggestions-external=on --with-feature:startpage-sync-banner-ref=on --with-feature:yandex-zen-leads-for-nonsdusers=off --with-feature:yandex-zen-lift-up=off --with-feature:yandex-zen-news-next=on --with-feature:yat-emoji-addresses=on --with-feature:installer-experiment-test=off --with-feature:installer-use-minimal-package=off --with-feature:installer-opera-exe-in-root=on --mojo-platform-channel-handle=2272 /prefetch:8
    3⤵
    PID:4972
- - C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe
    "C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1052,3996884293776956437,14333588718277614381,131072 --lang=ja --service-sandbox-type=service --enable-quic --with-feature:adblock-snippets=on --with-feature:aliexpress-modal=off --with-feature:bookmarks-trash-cleaner=on --with-feature:continue-on-booking=on --with-feature:continue-shopping=on --with-feature:continue-shopping-2=on --with-feature:continue-shopping-5=on --with-feature:enhanced-address-bar=on --with-feature:feature-remote-disable-updates-testing-flag=off --with-feature:feature-remote-updates-testing-flag=on --with-feature:partner-inline-autocompletion=on --with-feature:pinboard-local=on --with-feature:premium-valve-in=on --with-feature:reader-mode=on --with-feature:rollout-dna=on --with-feature:sd-suggestions-external=on --with-feature:startpage-sync-banner-ref=on --with-feature:yandex-zen-leads-for-nonsdusers=off --with-feature:yandex-zen-lift-up=off --with-feature:yandex-zen-news-next=on --with-feature:yat-emoji-addresses=on --with-feature:installer-experiment-test=off --with-feature:installer-use-minimal-package=off --with-feature:installer-opera-exe-in-root=on --mojo-platform-channel-handle=2284 /prefetch:8
    3⤵
    PID:2256
- - C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe
    "C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1052,3996884293776956437,14333588718277614381,131072 --lang=ja --service-sandbox-type=service --enable-quic --with-feature:adblock-snippets=on --with-feature:aliexpress-modal=off --with-feature:bookmarks-trash-cleaner=on --with-feature:continue-on-booking=on --with-feature:continue-shopping=on --with-feature:continue-shopping-2=on --with-feature:continue-shopping-5=on --with-feature:enhanced-address-bar=on --with-feature:feature-remote-disable-updates-testing-flag=off --with-feature:feature-remote-updates-testing-flag=on --with-feature:partner-inline-autocompletion=on --with-feature:pinboard-local=on --with-feature:premium-valve-in=on --with-feature:reader-mode=on --with-feature:rollout-dna=on --with-feature:sd-suggestions-external=on --with-feature:startpage-sync-banner-ref=on --with-feature:yandex-zen-leads-for-nonsdusers=off --with-feature:yandex-zen-lift-up=off --with-feature:yandex-zen-news-next=on --with-feature:yat-emoji-addresses=on --with-feature:installer-experiment-test=off --with-feature:installer-use-minimal-package=off --with-feature:installer-opera-exe-in-root=on --mojo-platform-channel-handle=2296 /prefetch:8
    3⤵
    - Enumerates system info in registry
    PID:3968
- - C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe
    "C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe" --type=renderer --display-capture-permissions-policy-allowed --with-feature:adblock-snippets=on --with-feature:aliexpress-modal=off --with-feature:bookmarks-trash-cleaner=on --with-feature:continue-on-booking=on --with-feature:continue-shopping=on --with-feature:continue-shopping-2=on --with-feature:continue-shopping-5=on --with-feature:enhanced-address-bar=on --with-feature:feature-remote-disable-updates-testing-flag=off --with-feature:feature-remote-updates-testing-flag=on --with-feature:partner-inline-autocompletion=on --with-feature:pinboard-local=on --with-feature:premium-valve-in=on --with-feature:reader-mode=on --with-feature:rollout-dna=on --with-feature:sd-suggestions-external=on --with-feature:startpage-sync-banner-ref=on --with-feature:yandex-zen-leads-for-nonsdusers=off --with-feature:yandex-zen-lift-up=off --with-feature:yandex-zen-news-next=on --with-feature:yat-emoji-addresses=on --with-feature:installer-experiment-test=off --with-feature:installer-use-minimal-package=off --with-feature:installer-opera-exe-in-root=on --field-trial-handle=1052,3996884293776956437,14333588718277614381,131072 --lang=ja --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --mojo-platform-channel-handle=2384 /prefetch:1
    3⤵
    - Checks computer location settings
    PID:4632
- - C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe
    "C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe" --type=renderer --display-capture-permissions-policy-allowed --with-feature:adblock-snippets=on --with-feature:aliexpress-modal=off --with-feature:bookmarks-trash-cleaner=on --with-feature:continue-on-booking=on --with-feature:continue-shopping=on --with-feature:continue-shopping-2=on --with-feature:continue-shopping-5=on --with-feature:enhanced-address-bar=on --with-feature:feature-remote-disable-updates-testing-flag=off --with-feature:feature-remote-updates-testing-flag=on --with-feature:partner-inline-autocompletion=on --with-feature:pinboard-local=on --with-feature:premium-valve-in=on --with-feature:reader-mode=on --with-feature:rollout-dna=on --with-feature:sd-suggestions-external=on --with-feature:startpage-sync-banner-ref=on --with-feature:yandex-zen-leads-for-nonsdusers=off --with-feature:yandex-zen-lift-up=off --with-feature:yandex-zen-news-next=on --with-feature:yat-emoji-addresses=on --with-feature:installer-experiment-test=off --with-feature:installer-use-minimal-package=off --with-feature:installer-opera-exe-in-root=on --field-trial-handle=1052,3996884293776956437,14333588718277614381,131072 --lang=ja --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --mojo-platform-channel-handle=2432 /prefetch:1
    3⤵
    - Checks computer location settings
    PID:3660
- - C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe
    "C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe" --type=renderer --display-capture-permissions-policy-allowed --with-feature:adblock-snippets=on --with-feature:aliexpress-modal=off --with-feature:bookmarks-trash-cleaner=on --with-feature:continue-on-booking=on --with-feature:continue-shopping=on --with-feature:continue-shopping-2=on --with-feature:continue-shopping-5=on --with-feature:enhanced-address-bar=on --with-feature:feature-remote-disable-updates-testing-flag=off --with-feature:feature-remote-updates-testing-flag=on --with-feature:partner-inline-autocompletion=on --with-feature:pinboard-local=on --with-feature:premium-valve-in=on --with-feature:reader-mode=on --with-feature:rollout-dna=on --with-feature:sd-suggestions-external=on --with-feature:startpage-sync-banner-ref=on --with-feature:yandex-zen-leads-for-nonsdusers=off --with-feature:yandex-zen-lift-up=off --with-feature:yandex-zen-news-next=on --with-feature:yat-emoji-addresses=on --with-feature:installer-experiment-test=off --with-feature:installer-use-minimal-package=off --with-feature:installer-opera-exe-in-root=on --field-trial-handle=1052,3996884293776956437,14333588718277614381,131072 --lang=ja --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --mojo-platform-channel-handle=2440 /prefetch:1
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    PID:924
- - C:\Users\Admin\AppData\Local\Programs\Opera\82.0.4227.43\opera_autoupdate.exe
    "C:\Users\Admin\AppData\Local\Programs\Opera\82.0.4227.43\opera_autoupdate.exe" --host=https://autoupdate.geo.opera.com/ --pipeid --version=82.0.4227.43 --edition --lang=ja --producttype --requesttype=start --operadir="C:\Users\Admin\AppData\Local\Programs\Opera\82.0.4227.43" --installdir="C:\Users\Admin\AppData\Local\Programs\Opera" --user-data-dir="C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable" --installationdatadir="C:\Users\Admin\AppData\Local\Programs\Opera" --firstrunver=82.0.4227.43 --consent-info=eyJzdGF0aXN0aWNzX2NvbGxlY3Rpb25fZW5hYmxlZCI6dHJ1ZSwidXNlcl9leHBlcmllbmNlX21ldHJpY3NfcmVwb3J0aW5nX2VuYWJsZWQiOnRydWV9 --firstrunts=1641671468
    3⤵
    PID:3452
  - - C:\Users\Admin\AppData\Local\Programs\Opera\82.0.4227.43\opera_autoupdate.exe
      C:\Users\Admin\AppData\Local\Programs\Opera\82.0.4227.43\opera_autoupdate.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win64 --annotation=prod=OperaDesktop --annotation=ver=82.0.4227.43 --initial-client-data=0x140,0x144,0x148,0x114,0x14c,0x13fad3430,0x13fad3440,0x13fad3450
      4⤵
      PID:2556
- - C:\Users\Admin\AppData\Local\Programs\Opera\82.0.4227.43\opera_autoupdate.exe
    "C:\Users\Admin\AppData\Local\Programs\Opera\82.0.4227.43\opera_autoupdate.exe" --host=https://autoupdate.geo.opera.com/ --pipeid --version=82.0.4227.43 --edition --lang=ja --producttype --requesttype=shutdown --operadir="C:\Users\Admin\AppData\Local\Programs\Opera\82.0.4227.43" --installdir="C:\Users\Admin\AppData\Local\Programs\Opera" --user-data-dir="C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable" --installationdatadir="C:\Users\Admin\AppData\Local\Programs\Opera" --firstrunver=82.0.4227.43 --consent-info=eyJzdGF0aXN0aWNzX2NvbGxlY3Rpb25fZW5hYmxlZCI6dHJ1ZSwidXNlcl9leHBlcmllbmNlX21ldHJpY3NfcmVwb3J0aW5nX2VuYWJsZWQiOnRydWV9 --firstrunts=1641671468
    3⤵
    PID:4024
  - - C:\Users\Admin\AppData\Local\Programs\Opera\82.0.4227.43\opera_autoupdate.exe
      C:\Users\Admin\AppData\Local\Programs\Opera\82.0.4227.43\opera_autoupdate.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win64 --annotation=prod=OperaDesktop --annotation=ver=82.0.4227.43 --initial-client-data=0x140,0x144,0x148,0x114,0x14c,0x1401d3430,0x1401d3440,0x1401d3450
      4⤵
      PID:3300
- C:\Windows\system32\taskmgr.exe
  "C:\Windows\system32\taskmgr.exe" /4
  2⤵
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  PID:552
- C:\Windows\system32\taskmgr.exe
  "C:\Windows\system32\taskmgr.exe" /4
  2⤵
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  PID:4132
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  - Drops file in Program Files directory
  PID:3680
- C:\Windows\system32\taskmgr.exe
  "C:\Windows\system32\taskmgr.exe" /4
  2⤵
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  PID:2404
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  PID:3588
- C:\Users\Admin\AppData\Local\Programs\Opera\launcher.exe
  "C:\Users\Admin\AppData\Local\Programs\Opera\launcher.exe"
  2⤵
  PID:1748
- - C:\Users\Admin\AppData\Local\Programs\Opera\36.0.2130.80\opera.exe
    "C:\Users\Admin\AppData\Local\Programs\Opera\36.0.2130.80\opera.exe" --ran-launcher
    3⤵
    PID:964
  - - C:\Users\Admin\AppData\Local\Programs\Opera\36.0.2130.80\opera_crashreporter.exe
      "C:\Users\Admin\AppData\Local\Programs\Opera\36.0.2130.80\opera_crashreporter.exe" --ran-launcher --crash-reporter-parent-id=964
      4⤵
      PID:3556
- C:\Users\Admin\AppData\Local\Programs\Opera\launcher.exe
  "C:\Users\Admin\AppData\Local\Programs\Opera\launcher.exe"
  2⤵
  PID:3912
- - C:\Users\Admin\AppData\Local\Programs\Opera\36.0.2130.80\opera.exe
    "C:\Users\Admin\AppData\Local\Programs\Opera\36.0.2130.80\opera.exe" --ran-launcher
    3⤵
    PID:2968
  - - C:\Users\Admin\AppData\Local\Programs\Opera\36.0.2130.80\opera_crashreporter.exe
      "C:\Users\Admin\AppData\Local\Programs\Opera\36.0.2130.80\opera_crashreporter.exe" --ran-launcher --crash-reporter-parent-id=2968
      4⤵
      PID:2852
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe"
  2⤵
  PID:1856
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef62d4f50,0x7fef62d4f60,0x7fef62d4f70
    3⤵
    PID:5124
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1168,5372560086909185689,3489084445888145101,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1260 /prefetch:8
    3⤵
    PID:3552
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1168,5372560086909185689,3489084445888145101,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1180 /prefetch:2
    3⤵
    PID:2604
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe"
  2⤵
  - Enumerates system info in registry
  PID:4264
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef62d4f50,0x7fef62d4f60,0x7fef62d4f70
    3⤵
    PID:2540
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1088,17570471167181631698,719353898859767911,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1108 /prefetch:2
    3⤵
    PID:3480
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1088,17570471167181631698,719353898859767911,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1712 /prefetch:8
    3⤵
    PID:156
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1088,17570471167181631698,719353898859767911,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1680 /prefetch:8
    3⤵
    PID:4400
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1088,17570471167181631698,719353898859767911,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2024 /prefetch:1
    3⤵
    PID:5132
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1088,17570471167181631698,719353898859767911,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2032 /prefetch:1
    3⤵
    PID:4356
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1088,17570471167181631698,719353898859767911,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2204 /prefetch:1
    3⤵
    PID:4752
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1088,17570471167181631698,719353898859767911,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=swiftshader-webgl --mojo-platform-channel-handle=2500 /prefetch:2
    3⤵
    PID:5608
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1088,17570471167181631698,719353898859767911,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2364 /prefetch:8
    3⤵
    PID:3652
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1088,17570471167181631698,719353898859767911,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3372 /prefetch:8
    3⤵
    PID:4388
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1088,17570471167181631698,719353898859767911,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3496 /prefetch:8
    3⤵
    PID:1948
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1088,17570471167181631698,719353898859767911,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3460 /prefetch:8
    3⤵
    PID:1680
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1088,17570471167181631698,719353898859767911,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3780 /prefetch:1
    3⤵
    PID:3952
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1088,17570471167181631698,719353898859767911,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3772 /prefetch:8
    3⤵
    PID:1052
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1088,17570471167181631698,719353898859767911,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2448 /prefetch:1
    3⤵
    PID:4896
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1088,17570471167181631698,719353898859767911,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2888 /prefetch:1
    3⤵
    PID:1908
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1088,17570471167181631698,719353898859767911,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2248 /prefetch:1
    3⤵
    PID:5732
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1088,17570471167181631698,719353898859767911,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
    3⤵
    PID:5928
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1088,17570471167181631698,719353898859767911,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2104 /prefetch:1
    3⤵
    PID:4676
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1088,17570471167181631698,719353898859767911,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4128 /prefetch:8
    3⤵
    PID:2056
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1088,17570471167181631698,719353898859767911,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4268 /prefetch:8
    3⤵
    PID:3700
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1088,17570471167181631698,719353898859767911,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4276 /prefetch:8
    3⤵
    PID:5196
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1088,17570471167181631698,719353898859767911,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4356 /prefetch:8
    3⤵
    PID:3352
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1088,17570471167181631698,719353898859767911,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4212 /prefetch:8
    3⤵
    PID:5780
- - C:\Users\Admin\Downloads\adwcleaner_8.3.1.exe
    "C:\Users\Admin\Downloads\adwcleaner_8.3.1.exe"
    3⤵
    - Checks BIOS information in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: GetForegroundWindowSpam
    PID:5336
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1088,17570471167181631698,719353898859767911,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=896 /prefetch:8
    3⤵
    PID:5960
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1088,17570471167181631698,719353898859767911,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2616 /prefetch:8
    3⤵
    PID:1704
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  PID:6052
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe"
  2⤵
  - Enumerates system info in registry
  PID:2436
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef62d4f50,0x7fef62d4f60,0x7fef62d4f70
    3⤵
    PID:3768
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1092,3937248257294826890,12452965390053419158,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1112 /prefetch:2
    3⤵
    PID:3108
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1092,3937248257294826890,12452965390053419158,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1284 /prefetch:8
    3⤵
    PID:3260
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1092,3937248257294826890,12452965390053419158,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1688 /prefetch:8
    3⤵
    PID:2592
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1092,3937248257294826890,12452965390053419158,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2060 /prefetch:1
    3⤵
    PID:3948
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1092,3937248257294826890,12452965390053419158,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2044 /prefetch:1
    3⤵
    PID:4380
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1092,3937248257294826890,12452965390053419158,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2360 /prefetch:1
    3⤵
    PID:2776
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1092,3937248257294826890,12452965390053419158,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=swiftshader-webgl --mojo-platform-channel-handle=2820 /prefetch:2
    3⤵
    PID:4364
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1092,3937248257294826890,12452965390053419158,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3188 /prefetch:1
    3⤵
    PID:5624
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1092,3937248257294826890,12452965390053419158,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2992 /prefetch:8
    3⤵
    PID:3872
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1092,3937248257294826890,12452965390053419158,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3508 /prefetch:8
    3⤵
    PID:1972
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1092,3937248257294826890,12452965390053419158,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3616 /prefetch:8
    3⤵
    PID:480
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1092,3937248257294826890,12452965390053419158,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2152 /prefetch:8
    3⤵
    PID:5064
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1092,3937248257294826890,12452965390053419158,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1924 /prefetch:1
    3⤵
    PID:4088
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1092,3937248257294826890,12452965390053419158,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2680 /prefetch:8
    3⤵
    PID:3864
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1092,3937248257294826890,12452965390053419158,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2668 /prefetch:8
    3⤵
    PID:4000
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1092,3937248257294826890,12452965390053419158,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=960 /prefetch:8
    3⤵
    PID:3752
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1092,3937248257294826890,12452965390053419158,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2648 /prefetch:8
    3⤵
    PID:3388
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1092,3937248257294826890,12452965390053419158,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2092 /prefetch:8
    3⤵
    PID:1576
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1092,3937248257294826890,12452965390053419158,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2644 /prefetch:8
    3⤵
    PID:4040
- - C:\Users\Admin\AppData\Local\Google\Chrome\User Data\SwReporter\94.273.200\software_reporter_tool.exe
    "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\SwReporter\94.273.200\software_reporter_tool.exe" --engine=2 --scan-locations=1,2,3,4,5,6,7,8,10 --disabled-locations=9,11 --session-id=aOLGSQ1sNCK8CrBv3GJ4ppXVT2jtsFkOUOJ3t53c --registry-suffix=ESET --enable-crash-reporting --srt-field-trial-group-name=NewCleanerUIExperiment
    3⤵
    PID:3628
  - - \??\c:\users\admin\appdata\local\google\chrome\user data\swreporter\94.273.200\software_reporter_tool.exe
      "c:\users\admin\appdata\local\google\chrome\user data\swreporter\94.273.200\software_reporter_tool.exe" --crash-handler "--database=c:\users\admin\appdata\local\Google\Software Reporter Tool" --url=https://clients2.google.com/cr/report --annotation=plat=Win32 --annotation=prod=ChromeFoil --annotation=ver=94.273.200 --initial-client-data=0x160,0x164,0x168,0x134,0x16c,0x13fa2c4b8,0x13fa2c4c8,0x13fa2c4d8
      4⤵
      PID:3420
  - - \??\c:\users\admin\appdata\local\google\chrome\user data\swreporter\94.273.200\software_reporter_tool.exe
      "c:\users\admin\appdata\local\google\chrome\user data\swreporter\94.273.200\software_reporter_tool.exe" --enable-crash-reporting --use-crash-handler-with-id="\\.\pipe\crashpad_3628_YEOHJTDUMGJXWFSH" --sandboxed-process-id=2 --init-done-notifier=484 --sandbox-mojo-pipe-token=7311157310615253260 --mojo-platform-channel-handle=460 --engine=2
      4⤵
      PID:2308
  - - \??\c:\users\admin\appdata\local\google\chrome\user data\swreporter\94.273.200\software_reporter_tool.exe
      "c:\users\admin\appdata\local\google\chrome\user data\swreporter\94.273.200\software_reporter_tool.exe" --enable-crash-reporting --use-crash-handler-with-id="\\.\pipe\crashpad_3628_YEOHJTDUMGJXWFSH" --sandboxed-process-id=3 --init-done-notifier=644 --sandbox-mojo-pipe-token=7643663144426179602 --mojo-platform-channel-handle=640
      4⤵
      PID:2452
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1092,3937248257294826890,12452965390053419158,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=824 /prefetch:8
    3⤵
    PID:3548
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1092,3937248257294826890,12452965390053419158,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2616 /prefetch:8
    3⤵
    PID:2956
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1092,3937248257294826890,12452965390053419158,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=840 /prefetch:8
    3⤵
    PID:2116
- C:\Users\Admin\Downloads\adwcleaner_8.3.1.exe
  "C:\Users\Admin\Downloads\adwcleaner_8.3.1.exe"
  2⤵
  - Checks BIOS information in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: GetForegroundWindowSpam
  PID:2504
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" stop WCAssistantService /y
    3⤵
    PID:2636
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop WCAssistantService /y
      4⤵
      PID:5184
- - C:\Windows\System32\netsh.exe
    "C:\Windows\System32\netsh.exe" winsock reset
    3⤵
    PID:3844
- - C:\Windows\SysWOW64\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\AdwCleaner\Logs\AdwCleaner[C01].txt
    3⤵
    PID:5648
- - C:\Windows\SysWOW64\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\AdwCleaner\Logs\AdwCleaner[C01].txt
    3⤵
    PID:6112

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "771914026-637271254-2045000253486083137-1532297167-67496764750131884610919058"
1⤵
PID:2448

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-481995398966547646-335612791476840640-1552155165453140391042798039-201371384"
1⤵
- Executes dropped EXE
PID:1332

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "4893512549165144217515229601202790457-16524963681926401388-20000680151084934905"
1⤵
- Executes dropped EXE
PID:2672

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-18319808381093119381-7982247721349969634-6582016431034975382-16903088001446023157"
1⤵
- Executes dropped EXE
PID:2568

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1651721573173324317353439773010487004752060328536-875811222-816832302-1634761248"
1⤵
- Executes dropped EXE
PID:3028

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1526241591297803127-664135980-15724682441357136862-870590251439666479-321523922"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:2704

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-783733037-1941710449-1260375311201688600075113958310632749901577600029-177392157"
1⤵
- Loads dropped DLL
PID:740

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2049934702-394443699-7168616282288982531663277346892297383-1043664307838614198"
1⤵
- Executes dropped EXE
PID:2652

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1986126673118837831611834094061196995876-6571344771118027777-1032780898-1670068655"
1⤵
- Executes dropped EXE
PID:1848

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-16240910811421244203-1604740505132255112882690175417848320681463669234-1323108202"
1⤵
- Loads dropped DLL
PID:2376

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-237851654-80083993-358825733-1512902447206753366-183532677817668277751888524614"
1⤵
PID:2936

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "11527334451873014372-692136118144926834-228055684-1510297320-267235034633414290"
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1792

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2049186964-1242814210-2107605864-74885427917130080481834339352346273383-1139633463"
1⤵
PID:2928

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "13310440986362894731700446369-1193615212919876773-1286278892237855782130533412"
1⤵
- Executes dropped EXE
PID:1984

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-8229331011384453039-80452775-290295475-1817184157-4257105701041761299245228007"
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2896

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "125611358383534818410954512741338443690-1524534338-524264012820216935-1216529765"
1⤵
PID:3832

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1258314065-1193961320-105675392414594311571616549819145882476-1076205908-1635538069"
1⤵
PID:3964

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1408173126861718325-1087487236-391841615-78334231-1875391513475612369-79179209"
1⤵
PID:3808

C:\Users\Admin\MediaGet2\Luminati-m\net_updater32.exe
"C:/Users/Admin/MediaGet2/Luminati-m/net_updater32.exe" --updater win_mediaget.com
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
PID:5060
- C:\Users\Admin\MediaGet2\Luminati-m\test_wpf.exe
  C:\Users\Admin\MediaGet2\Luminati-m\test_wpf.exe
  2⤵
  PID:4360
- C:\Users\Admin\MediaGet2\Luminati-m\luminati\idle_report.exe
  C:\Users\Admin\MediaGet2\Luminati-m\luminati\idle_report.exe 77139
  2⤵
  PID:5116
- C:\Users\Admin\MediaGet2\Luminati-m\luminati\net_svc.exe
  "C:\Users\Admin\MediaGet2\Luminati-m\luminati\net_svc.exe" --info
  2⤵
  PID:1488
- C:\Users\Admin\MediaGet2\Luminati-m\luminati\net_svc.exe
  "C:\Users\Admin\MediaGet2\Luminati-m\luminati\net_svc.exe" --workdir C:/Users/Admin/MediaGet2/Luminati-m/luminati --no-root --parent-die-stdin --sdk --sdk-version 1.240.55 --appid win_mediaget.com --uuid sdk-win-4f08cd8215704e5a8d886554244fe407
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:1112
- - C:\Users\Admin\MediaGet2\Luminati-m\luminati\net_svc.exe
    "C:\Users\Admin\MediaGet2\Luminati-m\luminati\net_svc.exe" --report-idle
    3⤵
    PID:2908
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c ""C:/Users/Admin/MediaGet2/Luminati-m/luminati/temp/net_updater32.exe" "--install" "win_mediaget.com" "--remote""
    3⤵
    PID:4452
  - - C:\Users\Admin\MediaGet2\Luminati-m\luminati\temp\net_updater32.exe
      "C:/Users/Admin/MediaGet2/Luminati-m/luminati/temp/net_updater32.exe" "--install" "win_mediaget.com" "--remote"
      4⤵
      Modifies data under HKEY_USERS
      Suspicious behavior: CmdExeWriteProcessMemorySpam
      PID:892

C:\Windows\system32\taskeng.exe
taskeng.exe {B2E9444A-AE39-4662-9BF9-CF5F566A3C1A} S-1-5-21-3846991908-3261386348-1409841751-1000:VQVVOAJK\Admin:Interactive:[1]
1⤵
PID:3380
- C:\Users\Admin\AppData\Local\Programs\Opera\launcher.exe
  C:\Users\Admin\AppData\Local\Programs\Opera\launcher.exe --scheduledautoupdate --autoupdaterequesttype=start --autoupdateoperaversion=82.0.4227.43
  2⤵
  PID:3804
- - C:\Users\Admin\AppData\Local\Temp\.opera\72A8C838D015\installer.exe
    "C:\Users\Admin\AppData\Local\Temp\.opera\72A8C838D015\installer.exe" --version
    3⤵
    PID:2908
- - C:\Users\Admin\AppData\Local\Programs\Opera\82.0.4227.43\opera_autoupdate.exe
    "C:\Users\Admin\AppData\Local\Programs\Opera\82.0.4227.43\opera_autoupdate.exe" --pipeid=oauc_task_pipedcbb8f53eff625f232ff45d764476217 --version=82.0.4227.43 --lang=ja --producttype --requesttype=start --downloaddir="C:\Users\Admin\AppData\Local\Temp\.opera\72A8C838D015" --installationdatadir="C:\Users\Admin\AppData\Local\Programs\Opera" --operadir="C:\Users\Admin\AppData\Local\Programs\Opera\82.0.4227.43" --installdir="C:\Users\Admin\AppData\Local\Programs\Opera" --user-data-dir="C:\Users\Admin\AppData\Local\Temp\.opera\72A8C838D015" --nometrics --scheduledtask
    3⤵
    PID:2268
  - - C:\Users\Admin\AppData\Local\Programs\Opera\82.0.4227.43\opera_autoupdate.exe
      C:\Users\Admin\AppData\Local\Programs\Opera\82.0.4227.43\opera_autoupdate.exe --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\.opera\72A8C838D015 /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Temp\.opera\72A8C838D015\Crash Reports" --crash-count-file=C:\Users\Admin\AppData\Local\Temp\.opera\72A8C838D015\crash_count.txt --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win64 --annotation=prod=OperaDesktop --annotation=ver=82.0.4227.43 --initial-client-data=0x140,0x144,0x148,0x114,0x14c,0x13fad3430,0x13fad3440,0x13fad3450
      4⤵
      PID:2360

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Loads dropped DLL
PID:1980

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
- Executes dropped EXE
PID:2552

C:\Users\Admin\MediaGet2\Luminati-m\net_updater32.exe
"C:/Users/Admin/MediaGet2/Luminati-m/net_updater32.exe" --updater win_mediaget.com
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2784
- C:\Users\Admin\MediaGet2\Luminati-m\test_wpf.exe
  C:\Users\Admin\MediaGet2\Luminati-m\test_wpf.exe
  2⤵
  PID:4064

C:\Users\Admin\MediaGet2\Luminati-m\net_updater32.exe
"C:/Users/Admin/MediaGet2/Luminati-m/net_updater32.exe" --updater win_mediaget.com
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1908
- C:\Users\Admin\MediaGet2\Luminati-m\test_wpf.exe
  C:\Users\Admin\MediaGet2\Luminati-m\test_wpf.exe
  2⤵
  PID:3316

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-813414563-1806540184-1241454525167088331259657104216069075871657683298-18983266"
1⤵
PID:3556

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1430427491-695192596-68985074114683922381550000193-57777064211512954691953418449"
1⤵
PID:3620

C:\Windows\system32\taskeng.exe
taskeng.exe {5CD418E4-E84C-4E7F-A0FA-774E00EF0B9A} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
PID:3644

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-181857348236382885625801462581018923710225187391154298762-1155074651-368485421"
1⤵
PID:4352

C:\Users\Admin\MediaGet2\Luminati-m\net_updater32.exe
"C:/Users/Admin/MediaGet2/Luminati-m/net_updater32.exe" --updater win_mediaget.com
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4024
- C:\Users\Admin\MediaGet2\Luminati-m\test_wpf.exe
  C:\Users\Admin\MediaGet2\Luminati-m\test_wpf.exe
  2⤵
  PID:1516

C:\Windows\system32\taskeng.exe
taskeng.exe {BCCFF9B8-88CA-4365-BBF1-B1ED011C42D7} S-1-5-21-3846991908-3261386348-1409841751-1000:VQVVOAJK\Admin:Interactive:[1]
1⤵
PID:2468
- C:\Program Files\Mozilla Firefox\default-browser-agent.exe
  "C:\Program Files\Mozilla Firefox\default-browser-agent.exe" do-task
  2⤵
  PID:3988

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-415322135515453654597069401-2238618399577594242929842851879919639-1448692723"
1⤵
- Adds Run key to start application
PID:3652

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:4176

C:\Program Files (x86)\Lavasoft\Web Companion\Service\x64\DCIService.exe
"C:\Program Files (x86)\Lavasoft\Web Companion\Service\x64\DCIService.exe"
1⤵
PID:2872

C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.WCAssistant.WinService.exe
"C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.WCAssistant.WinService.exe"
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4816
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C netsh http add urlacl url=http://+:9007/ user=Everyone
  2⤵
  PID:3892
- - C:\Windows\system32\netsh.exe
    netsh http add urlacl url=http://+:9007/ user=Everyone
    3⤵
    - Modifies data under HKEY_USERS
    PID:2744

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:3676
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding C7C4DC5EB65A5CA881A217B0342EDB71
  2⤵
  PID:5356
- C:\Windows\system32\MsiExec.exe
  C:\Windows\system32\MsiExec.exe -Embedding A3DBBBB25371472793A7ACAB03227D42
  2⤵
  PID:5416
- - C:\Users\Admin\AppData\Local\Temp\CloseFAH.exe
    "C:\Users\Admin\AppData\Local\Temp\CloseFAH.exe"
    3⤵
    PID:5912
- - C:\Program Files\WinZip\adxregistrator.exe
    "C:\Program Files\WinZip\adxregistrator.exe" /install="C:\Program Files\WinZip\WinZipExpressForOffice.dll" /privileges=user /GenerateLogFile=false
    3⤵
    PID:5508
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks /Create /SC DAILY /TN "WinZip Update Notifier 1" /TR "\"C:\Program Files\WinZip\WZUpdateNotifier.exe\" -checkType=\"scheduled_9AM\" -show" /ST 09:40 /F
    3⤵
    - Creates scheduled task(s)
    PID:2992
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks /Create /SC DAILY /TN "WinZip Update Notifier 2" /TR "\"C:\Program Files\WinZip\WZUpdateNotifier.exe\" -checkType=\"scheduled_12PM\" -show" /ST 12:40 /F
    3⤵
    - Creates scheduled task(s)
    PID:1056
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks /Create /SC DAILY /TN "WinZip Update Notifier 3" /TR "\"C:\Program Files\WinZip\WZUpdateNotifier.exe\" -checkType=\"scheduled_3PM\" -show" /ST 15:40 /F
    3⤵
    - Creates scheduled task(s)
    PID:1924
- C:\Windows\system32\MsiExec.exe
  C:\Windows\system32\MsiExec.exe -Embedding 15F35ECABB4E5141760EF8D024059986 M Global\MSI0000
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Modifies Internet Explorer settings
  - Modifies data under HKEY_USERS
  PID:2756
- - C:\Program Files\WinZip\FAHConsole.exe
    "C:\Program Files\WinZip\FAHConsole.exe"
    3⤵
    PID:4432
  - - C:\Program Files\WinZip\FAHWindow64.exe
      "C:\Program Files\WinZip\FAHWindow64.exe" register
      4⤵
      PID:5464
- - C:\Program Files\WinZip\adxregistrator.exe
    "C:\Program Files\WinZip\adxregistrator.exe" /install="C:\Program Files\WinZip\WinZipExpressForOffice.dll" /privileges=admin /GenerateLogFile=false
    3⤵
    - Modifies data under HKEY_USERS
    - Modifies registry class
    PID:2900
- C:\Program Files\WinZip\WzPreviewer64.exe
  "C:\Program Files\WinZip\WzPreviewer64.exe" -regserver winzip64
  2⤵
  - Modifies registry class
  PID:2268
- C:\Program Files\WinZip\WzPreloader.exe
  "C:\Program Files\WinZip\WzPreloader.exe"
  2⤵
  PID:1632
- C:\Program Files\WinZip\winzip64.exe
  "C:\Program Files\WinZip\winzip64.exe" /noqp /nodesktop /nostartmenu /nomenugroup /autoinstall /lang 1041
  2⤵
  - Modifies system executable filetype association
  - Checks whether UAC is enabled
  - Drops desktop.ini file(s)
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookAW
  PID:4044
- - C:\Program Files\WinZip\WzCABCacheSyncHelper64.exe
    "C:\Program Files\WinZip\WzCABCacheSyncHelper64.exe"
    3⤵
    - Modifies data under HKEY_USERS
    PID:5868
- C:\Program Files\WinZip\WzBGTComServer64.exe
  "C:\Program Files\WinZip\WzBGTComServer64.exe" /REGSERVER
  2⤵
  PID:3348
- C:\Program Files\WinZip\WzBGTools64.exe
  "C:\Program Files\WinZip\WzBGTools64.exe" /s
  2⤵
  PID:3108
- C:\Program Files\WinZip\WZUpdateNotifier.exe
  "C:\Program Files\WinZip\WZUpdateNotifier.exe"
  2⤵
  PID:592

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:3944

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot14" "" "" "60919e20f" "0000000000000000" "00000000000005D4" "00000000000005D8"
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:5180

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:5580

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:4468

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Persistence

Change Default File Association

T1042

Modify Existing Service

T1031

New Service

T1050

Registry Run Keys / Startup Folder

T1060

Scheduled Task

Privilege Escalation

New Service

T1050

Scheduled Task

Defense Evasion

Install Root Certificate

T1130

Modify Registry

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

Remote System Discovery

T1018

Security Software Discovery

T1063

System Information Discovery