Resubmissions
29-03-2024 11:57
240329-n4j88sgh75 128-03-2024 17:14
240328-vsb7tacd23 1027-03-2024 09:26
240327-legqpscd2x 726-03-2024 10:44
240326-msx6aabc2s 1025-03-2024 13:29
240325-qrh7hscb7s 10Analysis
-
max time kernel
281s -
max time network
1016s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
-
submitted
26-03-2024 10:44
General
-
Target
https://youtube.com
Score
10/10
Malware Config
Signatures
-
Detect Umbral payload 1 IoCs
-
Umbral
Umbral stealer is an opensource moduler stealer written in C#.
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
-
XMRig Miner payload 13 IoCs
-
Creates new service(s) 1 TTPs
-
Downloads MZ/PE file
-
Drops file in Drivers directory 2 IoCs
-
Stops running service(s) 3 TTPs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 64 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 10 IoCs
-
Loads dropped DLL 5 IoCs
-
Themida packer 5 IoCs
Detects Themida, an advanced Windows software protection system.
-
UPX packed file 18 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Drops file in System32 directory 4 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Launches sc.exe 26 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 5 IoCs
-
Checks SCSI registry key(s) 3 TTPs 9 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies data under HKEY_USERS 48 IoCs
-
Modifies registry class 64 IoCs
-
NTFS ADS 1 IoCs
-
Opens file in notepad (likely ransom note) 5 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 20 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 64 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Views/modifies file attributes 1 TTPs 2 IoCs
Processes
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://youtube.com1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff894369758,0x7ff894369768,0x7ff8943697782⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1808 --field-trial-handle=1904,i,18433195903620867252,10889094957556319984,131072 /prefetch:22⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2184 --field-trial-handle=1904,i,18433195903620867252,10889094957556319984,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2252 --field-trial-handle=1904,i,18433195903620867252,10889094957556319984,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3144 --field-trial-handle=1904,i,18433195903620867252,10889094957556319984,131072 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3176 --field-trial-handle=1904,i,18433195903620867252,10889094957556319984,131072 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4496 --field-trial-handle=1904,i,18433195903620867252,10889094957556319984,131072 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4712 --field-trial-handle=1904,i,18433195903620867252,10889094957556319984,131072 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5092 --field-trial-handle=1904,i,18433195903620867252,10889094957556319984,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4864 --field-trial-handle=1904,i,18433195903620867252,10889094957556319984,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5328 --field-trial-handle=1904,i,18433195903620867252,10889094957556319984,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=5324 --field-trial-handle=1904,i,18433195903620867252,10889094957556319984,131072 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=5540 --field-trial-handle=1904,i,18433195903620867252,10889094957556319984,131072 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=6288 --field-trial-handle=1904,i,18433195903620867252,10889094957556319984,131072 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=6472 --field-trial-handle=1904,i,18433195903620867252,10889094957556319984,131072 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=6660 --field-trial-handle=1904,i,18433195903620867252,10889094957556319984,131072 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=7064 --field-trial-handle=1904,i,18433195903620867252,10889094957556319984,131072 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=6932 --field-trial-handle=1904,i,18433195903620867252,10889094957556319984,131072 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7640 --field-trial-handle=1904,i,18433195903620867252,10889094957556319984,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5784 --field-trial-handle=1904,i,18433195903620867252,10889094957556319984,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5804 --field-trial-handle=1904,i,18433195903620867252,10889094957556319984,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --mojo-platform-channel-handle=5996 --field-trial-handle=1904,i,18433195903620867252,10889094957556319984,131072 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --mojo-platform-channel-handle=2744 --field-trial-handle=1904,i,18433195903620867252,10889094957556319984,131072 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6864 --field-trial-handle=1904,i,18433195903620867252,10889094957556319984,131072 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --mojo-platform-channel-handle=7132 --field-trial-handle=1904,i,18433195903620867252,10889094957556319984,131072 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --mojo-platform-channel-handle=5804 --field-trial-handle=1904,i,18433195903620867252,10889094957556319984,131072 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --mojo-platform-channel-handle=3424 --field-trial-handle=1904,i,18433195903620867252,10889094957556319984,131072 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --mojo-platform-channel-handle=7068 --field-trial-handle=1904,i,18433195903620867252,10889094957556319984,131072 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --mojo-platform-channel-handle=5976 --field-trial-handle=1904,i,18433195903620867252,10889094957556319984,131072 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --mojo-platform-channel-handle=5744 --field-trial-handle=1904,i,18433195903620867252,10889094957556319984,131072 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --mojo-platform-channel-handle=6324 --field-trial-handle=1904,i,18433195903620867252,10889094957556319984,131072 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4928 --field-trial-handle=1904,i,18433195903620867252,10889094957556319984,131072 /prefetch:82⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7880 --field-trial-handle=1904,i,18433195903620867252,10889094957556319984,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2744 --field-trial-handle=1904,i,18433195903620867252,10889094957556319984,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3176 --field-trial-handle=1904,i,18433195903620867252,10889094957556319984,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=8084 --field-trial-handle=1904,i,18433195903620867252,10889094957556319984,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=8148 --field-trial-handle=1904,i,18433195903620867252,10889094957556319984,131072 /prefetch:82⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=8176 --field-trial-handle=1904,i,18433195903620867252,10889094957556319984,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7160 --field-trial-handle=1904,i,18433195903620867252,10889094957556319984,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7964 --field-trial-handle=1904,i,18433195903620867252,10889094957556319984,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7808 --field-trial-handle=1904,i,18433195903620867252,10889094957556319984,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7876 --field-trial-handle=1904,i,18433195903620867252,10889094957556319984,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7980 --field-trial-handle=1904,i,18433195903620867252,10889094957556319984,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6192 --field-trial-handle=1904,i,18433195903620867252,10889094957556319984,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4300 --field-trial-handle=1904,i,18433195903620867252,10889094957556319984,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5948 --field-trial-handle=1904,i,18433195903620867252,10889094957556319984,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7940 --field-trial-handle=1904,i,18433195903620867252,10889094957556319984,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4296 --field-trial-handle=1904,i,18433195903620867252,10889094957556319984,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7964 --field-trial-handle=1904,i,18433195903620867252,10889094957556319984,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6192 --field-trial-handle=1904,i,18433195903620867252,10889094957556319984,131072 /prefetch:82⤵
- NTFS ADS
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7948 --field-trial-handle=1904,i,18433195903620867252,10889094957556319984,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=8100 --field-trial-handle=1904,i,18433195903620867252,10889094957556319984,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=8028 --field-trial-handle=1904,i,18433195903620867252,10889094957556319984,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7888 --field-trial-handle=1904,i,18433195903620867252,10889094957556319984,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=8180 --field-trial-handle=1904,i,18433195903620867252,10889094957556319984,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3420 --field-trial-handle=1904,i,18433195903620867252,10889094957556319984,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5852 --field-trial-handle=1904,i,18433195903620867252,10889094957556319984,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7060 --field-trial-handle=1904,i,18433195903620867252,10889094957556319984,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7884 --field-trial-handle=1904,i,18433195903620867252,10889094957556319984,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7972 --field-trial-handle=1904,i,18433195903620867252,10889094957556319984,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3712 --field-trial-handle=1904,i,18433195903620867252,10889094957556319984,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6092 --field-trial-handle=1904,i,18433195903620867252,10889094957556319984,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5804 --field-trial-handle=1904,i,18433195903620867252,10889094957556319984,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7928 --field-trial-handle=1904,i,18433195903620867252,10889094957556319984,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7904 --field-trial-handle=1904,i,18433195903620867252,10889094957556319984,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7880 --field-trial-handle=1904,i,18433195903620867252,10889094957556319984,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=8060 --field-trial-handle=1904,i,18433195903620867252,10889094957556319984,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7972 --field-trial-handle=1904,i,18433195903620867252,10889094957556319984,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=8116 --field-trial-handle=1904,i,18433195903620867252,10889094957556319984,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3420 --field-trial-handle=1904,i,18433195903620867252,10889094957556319984,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4724 --field-trial-handle=1904,i,18433195903620867252,10889094957556319984,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=8060 --field-trial-handle=1904,i,18433195903620867252,10889094957556319984,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6284 --field-trial-handle=1904,i,18433195903620867252,10889094957556319984,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6036 --field-trial-handle=1904,i,18433195903620867252,10889094957556319984,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6976 --field-trial-handle=1904,i,18433195903620867252,10889094957556319984,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6252 --field-trial-handle=1904,i,18433195903620867252,10889094957556319984,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7988 --field-trial-handle=1904,i,18433195903620867252,10889094957556319984,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7884 --field-trial-handle=1904,i,18433195903620867252,10889094957556319984,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7792 --field-trial-handle=1904,i,18433195903620867252,10889094957556319984,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5960 --field-trial-handle=1904,i,18433195903620867252,10889094957556319984,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6024 --field-trial-handle=1904,i,18433195903620867252,10889094957556319984,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6348 --field-trial-handle=1904,i,18433195903620867252,10889094957556319984,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5476 --field-trial-handle=1904,i,18433195903620867252,10889094957556319984,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4776 --field-trial-handle=1904,i,18433195903620867252,10889094957556319984,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6052 --field-trial-handle=1904,i,18433195903620867252,10889094957556319984,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4912 --field-trial-handle=1904,i,18433195903620867252,10889094957556319984,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7864 --field-trial-handle=1904,i,18433195903620867252,10889094957556319984,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6872 --field-trial-handle=1904,i,18433195903620867252,10889094957556319984,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=8132 --field-trial-handle=1904,i,18433195903620867252,10889094957556319984,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6152 --field-trial-handle=1904,i,18433195903620867252,10889094957556319984,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7060 --field-trial-handle=1904,i,18433195903620867252,10889094957556319984,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5124 --field-trial-handle=1904,i,18433195903620867252,10889094957556319984,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7972 --field-trial-handle=1904,i,18433195903620867252,10889094957556319984,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5972 --field-trial-handle=1904,i,18433195903620867252,10889094957556319984,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6408 --field-trial-handle=1904,i,18433195903620867252,10889094957556319984,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=8076 --field-trial-handle=1904,i,18433195903620867252,10889094957556319984,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=8024 --field-trial-handle=1904,i,18433195903620867252,10889094957556319984,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4620 --field-trial-handle=1904,i,18433195903620867252,10889094957556319984,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7916 --field-trial-handle=1904,i,18433195903620867252,10889094957556319984,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7840 --field-trial-handle=1904,i,18433195903620867252,10889094957556319984,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5932 --field-trial-handle=1904,i,18433195903620867252,10889094957556319984,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=8048 --field-trial-handle=1904,i,18433195903620867252,10889094957556319984,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5924 --field-trial-handle=1904,i,18433195903620867252,10889094957556319984,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6340 --field-trial-handle=1904,i,18433195903620867252,10889094957556319984,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6132 --field-trial-handle=1904,i,18433195903620867252,10889094957556319984,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7964 --field-trial-handle=1904,i,18433195903620867252,10889094957556319984,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5972 --field-trial-handle=1904,i,18433195903620867252,10889094957556319984,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5804 --field-trial-handle=1904,i,18433195903620867252,10889094957556319984,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7868 --field-trial-handle=1904,i,18433195903620867252,10889094957556319984,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=8008 --field-trial-handle=1904,i,18433195903620867252,10889094957556319984,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5892 --field-trial-handle=1904,i,18433195903620867252,10889094957556319984,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6984 --field-trial-handle=1904,i,18433195903620867252,10889094957556319984,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=113 --mojo-platform-channel-handle=828 --field-trial-handle=1904,i,18433195903620867252,10889094957556319984,131072 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=114 --mojo-platform-channel-handle=6216 --field-trial-handle=1904,i,18433195903620867252,10889094957556319984,131072 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=115 --mojo-platform-channel-handle=4748 --field-trial-handle=1904,i,18433195903620867252,10889094957556319984,131072 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=116 --mojo-platform-channel-handle=7204 --field-trial-handle=1904,i,18433195903620867252,10889094957556319984,131072 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4944 --field-trial-handle=1904,i,18433195903620867252,10889094957556319984,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7940 --field-trial-handle=1904,i,18433195903620867252,10889094957556319984,131072 /prefetch:82⤵
-
-
C:\Program Files\7-Zip\7zFM.exe"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\Stalcraft script.7z"2⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=119 --mojo-platform-channel-handle=4668 --field-trial-handle=1904,i,18433195903620867252,10889094957556319984,131072 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=120 --mojo-platform-channel-handle=6256 --field-trial-handle=1904,i,18433195903620867252,10889094957556319984,131072 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4484 --field-trial-handle=1904,i,18433195903620867252,10889094957556319984,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=122 --mojo-platform-channel-handle=5796 --field-trial-handle=1904,i,18433195903620867252,10889094957556319984,131072 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=123 --mojo-platform-channel-handle=6020 --field-trial-handle=1904,i,18433195903620867252,10889094957556319984,131072 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6200 --field-trial-handle=1904,i,18433195903620867252,10889094957556319984,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=125 --mojo-platform-channel-handle=5572 --field-trial-handle=1904,i,18433195903620867252,10889094957556319984,131072 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=126 --mojo-platform-channel-handle=5436 --field-trial-handle=1904,i,18433195903620867252,10889094957556319984,131072 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=127 --mojo-platform-channel-handle=5528 --field-trial-handle=1904,i,18433195903620867252,10889094957556319984,131072 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=128 --mojo-platform-channel-handle=5412 --field-trial-handle=1904,i,18433195903620867252,10889094957556319984,131072 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=129 --mojo-platform-channel-handle=3736 --field-trial-handle=1904,i,18433195903620867252,10889094957556319984,131072 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=130 --mojo-platform-channel-handle=5436 --field-trial-handle=1904,i,18433195903620867252,10889094957556319984,131072 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=131 --mojo-platform-channel-handle=6624 --field-trial-handle=1904,i,18433195903620867252,10889094957556319984,131072 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=132 --mojo-platform-channel-handle=6584 --field-trial-handle=1904,i,18433195903620867252,10889094957556319984,131072 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=133 --mojo-platform-channel-handle=6208 --field-trial-handle=1904,i,18433195903620867252,10889094957556319984,131072 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=134 --mojo-platform-channel-handle=4680 --field-trial-handle=1904,i,18433195903620867252,10889094957556319984,131072 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=135 --mojo-platform-channel-handle=5592 --field-trial-handle=1904,i,18433195903620867252,10889094957556319984,131072 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5632 --field-trial-handle=1904,i,18433195903620867252,10889094957556319984,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4892 --field-trial-handle=1904,i,18433195903620867252,10889094957556319984,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5716 --field-trial-handle=1904,i,18433195903620867252,10889094957556319984,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6448 --field-trial-handle=1904,i,18433195903620867252,10889094957556319984,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6472 --field-trial-handle=1904,i,18433195903620867252,10889094957556319984,131072 /prefetch:82⤵
-
-
C:\Users\Admin\Downloads\Emperor.exe"C:\Users\Admin\Downloads\Emperor.exe"2⤵
-
C:\Users\Admin\AppData\Local\Temp\bolls.exe"C:\Users\Admin\AppData\Local\Temp\bolls.exe"3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\Saransk.exe"C:\Users\Admin\AppData\Local\Temp\Saransk.exe"3⤵
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid4⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\xray.exe"C:\Users\Admin\AppData\Local\Temp\xray.exe"3⤵
-
-
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"1⤵
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x508 0x3041⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4160 --field-trial-handle=3084,i,4016110471176367543,14287608422419064331,262144 --variations-seed-version /prefetch:81⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\key.txt1⤵
- Opens file in notepad (likely ransom note)
-
C:\Users\Admin\Desktop\Deuswin.exe"C:\Users\Admin\Desktop\Deuswin.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Local\Temp\bqhgswe3.bdw.exe"C:\Users\Admin\AppData\Local\Temp\bqhgswe3.bdw.exe"2⤵
- Executes dropped EXE
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Roaming\dsa.bat"3⤵
- Checks computer location settings
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
-
-
C:\Windows\SysWOW64\cacls.exe"C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"4⤵
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\getadmin.vbs"4⤵
- Checks computer location settings
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Roaming\dsa.bat5⤵
- Modifies registry class
-
C:\Windows\SysWOW64\cacls.exe"C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"6⤵
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\getadmin.vbs"6⤵
- Checks computer location settings
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Roaming\dsa.bat7⤵
-
C:\Windows\SysWOW64\cacls.exe"C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"8⤵
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\getadmin.vbs"8⤵
- Checks computer location settings
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Roaming\dsa.bat9⤵
- Modifies registry class
-
C:\Windows\SysWOW64\cacls.exe"C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"10⤵
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\getadmin.vbs"10⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Roaming\dsa.bat11⤵
-
C:\Windows\SysWOW64\cacls.exe"C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"12⤵
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\getadmin.vbs"12⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Roaming\dsa.bat13⤵
- Checks computer location settings
-
C:\Windows\SysWOW64\cacls.exe"C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"14⤵
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\getadmin.vbs"14⤵
- Checks computer location settings
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Roaming\dsa.bat15⤵
- Modifies registry class
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV116⤵
-
-
C:\Windows\SysWOW64\cacls.exe"C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"16⤵
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\getadmin.vbs"16⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Roaming\dsa.bat17⤵
- Modifies registry class
-
C:\Windows\SysWOW64\cacls.exe"C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"18⤵
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\getadmin.vbs"18⤵
- Checks computer location settings
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Roaming\dsa.bat19⤵
- Modifies registry class
-
C:\Windows\SysWOW64\cacls.exe"C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"20⤵
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\getadmin.vbs"20⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Roaming\dsa.bat21⤵
-
C:\Windows\SysWOW64\cacls.exe"C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"22⤵
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\getadmin.vbs"22⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Roaming\dsa.bat23⤵
-
C:\Windows\SysWOW64\cacls.exe"C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"24⤵
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\getadmin.vbs"24⤵
- Checks computer location settings
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Roaming\dsa.bat25⤵
- Checks computer location settings
- Modifies registry class
-
C:\Windows\SysWOW64\cacls.exe"C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"26⤵
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\getadmin.vbs"26⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Roaming\dsa.bat27⤵
- Checks computer location settings
- Modifies registry class
-
C:\Windows\SysWOW64\cacls.exe"C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"28⤵
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\getadmin.vbs"28⤵
- Checks computer location settings
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Roaming\dsa.bat29⤵
-
C:\Windows\SysWOW64\cacls.exe"C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"30⤵
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\getadmin.vbs"30⤵
- Checks computer location settings
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Roaming\dsa.bat31⤵
- Modifies registry class
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV132⤵
-
-
C:\Windows\SysWOW64\cacls.exe"C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"32⤵
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\getadmin.vbs"32⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Roaming\dsa.bat33⤵
- Checks computer location settings
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV134⤵
-
-
C:\Windows\SysWOW64\cacls.exe"C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"34⤵
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\getadmin.vbs"34⤵
- Checks computer location settings
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Roaming\dsa.bat35⤵
- Checks computer location settings
- Modifies registry class
-
C:\Windows\SysWOW64\cacls.exe"C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"36⤵
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\getadmin.vbs"36⤵
- Checks computer location settings
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Roaming\dsa.bat37⤵
-
C:\Windows\SysWOW64\cacls.exe"C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"38⤵
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\getadmin.vbs"38⤵
- Checks computer location settings
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Roaming\dsa.bat39⤵
- Modifies registry class
-
C:\Windows\SysWOW64\cacls.exe"C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"40⤵
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\getadmin.vbs"40⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Roaming\dsa.bat41⤵
- Checks computer location settings
- Modifies registry class
-
C:\Windows\SysWOW64\cacls.exe"C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"42⤵
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\getadmin.vbs"42⤵
- Checks computer location settings
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Roaming\dsa.bat43⤵
- Checks computer location settings
- Modifies registry class
-
C:\Windows\SysWOW64\cacls.exe"C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"44⤵
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\getadmin.vbs"44⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Roaming\dsa.bat45⤵
- Checks computer location settings
- Modifies registry class
-
C:\Windows\SysWOW64\cacls.exe"C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"46⤵
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\getadmin.vbs"46⤵
- Checks computer location settings
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Roaming\dsa.bat47⤵
-
C:\Windows\SysWOW64\cacls.exe"C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"48⤵
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\getadmin.vbs"48⤵
- Checks computer location settings
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Roaming\dsa.bat49⤵
- Checks computer location settings
- Modifies registry class
-
C:\Windows\SysWOW64\cacls.exe"C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"50⤵
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\getadmin.vbs"50⤵
- Checks computer location settings
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Roaming\dsa.bat51⤵
- Modifies registry class
-
C:\Windows\SysWOW64\cacls.exe"C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"52⤵
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\getadmin.vbs"52⤵
- Checks computer location settings
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Roaming\dsa.bat53⤵
- Checks computer location settings
- Modifies registry class
-
C:\Windows\SysWOW64\cacls.exe"C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"54⤵
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\getadmin.vbs"54⤵
- Checks computer location settings
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Roaming\dsa.bat55⤵
- Checks computer location settings
-
C:\Windows\SysWOW64\cacls.exe"C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"56⤵
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\getadmin.vbs"56⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Roaming\dsa.bat57⤵
- Modifies registry class
-
C:\Windows\SysWOW64\cacls.exe"C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"58⤵
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\getadmin.vbs"58⤵
- Checks computer location settings
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Roaming\dsa.bat59⤵
-
C:\Windows\SysWOW64\cacls.exe"C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"60⤵
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\getadmin.vbs"60⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Roaming\dsa.bat61⤵
- Checks computer location settings
-
C:\Windows\SysWOW64\cacls.exe"C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"62⤵
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\getadmin.vbs"62⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Roaming\dsa.bat63⤵
- Checks computer location settings
- Modifies registry class
-
C:\Windows\SysWOW64\cacls.exe"C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"64⤵
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\getadmin.vbs"64⤵
- Checks computer location settings
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Roaming\dsa.bat65⤵
- Modifies registry class
-
C:\Windows\SysWOW64\cacls.exe"C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"66⤵
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\getadmin.vbs"66⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Roaming\dsa.bat67⤵
-
C:\Windows\SysWOW64\cacls.exe"C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"68⤵
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\getadmin.vbs"68⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Roaming\dsa.bat69⤵
-
C:\Windows\SysWOW64\cacls.exe"C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"70⤵
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\getadmin.vbs"70⤵
- Checks computer location settings
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Roaming\dsa.bat71⤵
- Checks computer location settings
- Modifies registry class
-
C:\Windows\SysWOW64\cacls.exe"C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"72⤵
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\getadmin.vbs"72⤵
- Checks computer location settings
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Roaming\dsa.bat73⤵
- Checks computer location settings
- Modifies registry class
-
C:\Windows\SysWOW64\cacls.exe"C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"74⤵
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\getadmin.vbs"74⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Roaming\dsa.bat75⤵
- Modifies registry class
-
C:\Windows\SysWOW64\cacls.exe"C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"76⤵
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\getadmin.vbs"76⤵
- Checks computer location settings
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Roaming\dsa.bat77⤵
- Checks computer location settings
- Modifies registry class
-
C:\Windows\SysWOW64\cacls.exe"C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"78⤵
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\getadmin.vbs"78⤵
- Checks computer location settings
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Roaming\dsa.bat79⤵
- Checks computer location settings
-
C:\Windows\SysWOW64\cacls.exe"C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"80⤵
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\getadmin.vbs"80⤵
- Checks computer location settings
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Roaming\dsa.bat81⤵
- Checks computer location settings
- Modifies registry class
-
C:\Windows\SysWOW64\cacls.exe"C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"82⤵
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\getadmin.vbs"82⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Roaming\dsa.bat83⤵
-
C:\Windows\SysWOW64\cacls.exe"C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"84⤵
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\getadmin.vbs"84⤵
- Checks computer location settings
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Roaming\dsa.bat85⤵
-
C:\Windows\SysWOW64\cacls.exe"C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"86⤵
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\getadmin.vbs"86⤵
- Checks computer location settings
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Roaming\dsa.bat87⤵
- Modifies registry class
-
C:\Windows\SysWOW64\cacls.exe"C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"88⤵
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\getadmin.vbs"88⤵
- Checks computer location settings
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Roaming\dsa.bat89⤵
- Checks computer location settings
-
C:\Windows\SysWOW64\cacls.exe"C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"90⤵
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\getadmin.vbs"90⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Roaming\dsa.bat91⤵
- Checks computer location settings
-
C:\Windows\SysWOW64\cacls.exe"C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"92⤵
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\getadmin.vbs"92⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Roaming\dsa.bat93⤵
- Modifies registry class
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV194⤵
-
-
C:\Windows\SysWOW64\cacls.exe"C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"94⤵
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\getadmin.vbs"94⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Roaming\dsa.bat95⤵
- Checks computer location settings
- Modifies registry class
-
C:\Windows\SysWOW64\cacls.exe"C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"96⤵
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\getadmin.vbs"96⤵
- Checks computer location settings
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Roaming\dsa.bat97⤵
-
C:\Windows\SysWOW64\cacls.exe"C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"98⤵
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\getadmin.vbs"98⤵
- Checks computer location settings
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Roaming\dsa.bat99⤵
- Checks computer location settings
- Modifies registry class
-
C:\Windows\SysWOW64\cacls.exe"C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"100⤵
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\getadmin.vbs"100⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Roaming\dsa.bat101⤵
-
C:\Windows\SysWOW64\cacls.exe"C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"102⤵
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\getadmin.vbs"102⤵
- Checks computer location settings
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Roaming\dsa.bat103⤵
- Modifies registry class
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1104⤵
-
-
C:\Windows\SysWOW64\cacls.exe"C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"104⤵
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\getadmin.vbs"104⤵
- Checks computer location settings
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Roaming\dsa.bat105⤵
- Checks computer location settings
- Modifies registry class
-
C:\Windows\SysWOW64\cacls.exe"C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"106⤵
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\getadmin.vbs"106⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Roaming\dsa.bat107⤵
- Checks computer location settings
- Modifies registry class
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1108⤵
-
-
C:\Windows\SysWOW64\cacls.exe"C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"108⤵
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\getadmin.vbs"108⤵
- Checks computer location settings
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Roaming\dsa.bat109⤵
- Checks computer location settings
- Modifies registry class
-
C:\Windows\SysWOW64\cacls.exe"C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"110⤵
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\getadmin.vbs"110⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Roaming\dsa.bat111⤵
- Modifies registry class
-
C:\Windows\SysWOW64\cacls.exe"C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"112⤵
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\getadmin.vbs"112⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Roaming\dsa.bat113⤵
- Modifies registry class
-
C:\Windows\SysWOW64\cacls.exe"C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"114⤵
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\getadmin.vbs"114⤵
- Checks computer location settings
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Roaming\dsa.bat115⤵
-
C:\Windows\SysWOW64\cacls.exe"C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"116⤵
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\getadmin.vbs"116⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Roaming\dsa.bat117⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1118⤵
-
-
C:\Windows\SysWOW64\cacls.exe"C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"118⤵
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\getadmin.vbs"118⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Roaming\dsa.bat119⤵
- Checks computer location settings
- Modifies registry class
-
C:\Windows\SysWOW64\cacls.exe"C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"120⤵
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\getadmin.vbs"120⤵
- Checks computer location settings
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Roaming\dsa.bat121⤵
- Modifies registry class
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-