Analysis
-
max time kernel
1s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240709-en -
resource tags
arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system -
submitted
15-07-2024 19:26
Static task
static1
Behavioral task
behavioral1
Sample
CrackLauncher.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
CrackLauncher.exe
Resource
win10v2004-20240709-en
General
-
Target
CrackLauncher.exe
-
Size
34.2MB
-
MD5
47459c72e16d587d72f106421f46c620
-
SHA1
784809d4e9b71f9da764d43835ff5436e80424ea
-
SHA256
64e4ba2eff7e8abd6c738c4360079a3ced0a6d22e8935c2f8216d69b178075d3
-
SHA512
a78537d5bbc8569a72d388e784b16fd280ffec1cde809e56b9785cae509daec1634d0eecfe8cc0cecae5206856c143e623f8696cce3ceccc140251e490c47bf7
-
SSDEEP
786432:ieHWdpbJx2ecXKKhhN546VkZ74qNN/X9/ao/z40wmPTsm:ihbJxJcX5hhNibZ74qNN/td0r6Tsm
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Process spawned unexpected child process 30 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exedescription pid pid_target process target process Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4232 3636 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2600 3636 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1684 3636 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1472 3636 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1236 3636 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3168 3636 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2640 3636 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4552 3636 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1016 3636 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4388 3636 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 668 3636 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4332 3636 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4944 3636 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2016 3636 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3568 3636 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4284 3636 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4176 3636 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3944 3636 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4172 3636 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4276 3636 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4948 3636 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 560 3636 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4988 3636 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3588 3636 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 224 3636 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 216 3636 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2256 3636 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3572 3636 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3684 3636 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1616 3636 schtasks.exe -
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe dcrat C:\ComsurrogateServerdll\reviewNet.exe dcrat behavioral2/memory/1108-62-0x0000000000580000-0x0000000000832000-memory.dmp dcrat -
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
Processes:
powershell.exepowershell.exepowershell.exepowershell.exepid process 5992 powershell.exe 5112 powershell.exe 4192 powershell.exe 3844 powershell.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
CrackLauncher.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Control Panel\International\Geo\Nation CrackLauncher.exe -
Executes dropped EXE 2 IoCs
Processes:
CrackLauncher.exeAtomicHunter.exepid process 2872 CrackLauncher.exe 1628 AtomicHunter.exe -
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 35 ipinfo.io 36 ipinfo.io -
Power Settings 1 TTPs 20 IoCs
powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
Processes:
cmd.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.execmd.exepowercfg.execmd.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.execmd.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepid process 5476 cmd.exe 5612 powercfg.exe 2020 powercfg.exe 5952 powercfg.exe 6104 powercfg.exe 5300 powercfg.exe 2664 cmd.exe 5240 powercfg.exe 1536 cmd.exe 1728 powercfg.exe 3404 powercfg.exe 6088 powercfg.exe 5964 powercfg.exe 1584 powercfg.exe 1728 powercfg.exe 5604 cmd.exe 4164 powercfg.exe 4204 powercfg.exe 3880 powercfg.exe 2884 powercfg.exe -
Launches sc.exe 20 IoCs
Sc.exe is a Windows utlilty to control services on the system.
Processes:
sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exepid process 4948 sc.exe 2104 sc.exe 5336 sc.exe 408 sc.exe 3896 sc.exe 5776 sc.exe 6032 sc.exe 4688 sc.exe 3844 sc.exe 4336 sc.exe 2080 sc.exe 5824 sc.exe 1880 sc.exe 4760 sc.exe 3464 sc.exe 692 sc.exe 4336 sc.exe 5232 sc.exe 5924 sc.exe 3348 sc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Scheduled Task/Job: Scheduled Task 1 TTPs 64 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exepid process 5456 schtasks.exe 5832 schtasks.exe 1472 schtasks.exe 3168 schtasks.exe 2640 schtasks.exe 668 schtasks.exe 4768 schtasks.exe 5448 schtasks.exe 4968 schtasks.exe 1684 schtasks.exe 4988 schtasks.exe 3684 schtasks.exe 5556 schtasks.exe 4852 schtasks.exe 3572 schtasks.exe 1616 schtasks.exe 5664 schtasks.exe 5332 schtasks.exe 4708 schtasks.exe 5644 schtasks.exe 2884 schtasks.exe 5460 schtasks.exe 3836 schtasks.exe 4700 schtasks.exe 3684 schtasks.exe 1016 schtasks.exe 4220 schtasks.exe 5632 schtasks.exe 5732 schtasks.exe 5240 schtasks.exe 4944 schtasks.exe 4064 schtasks.exe 5492 schtasks.exe 5816 schtasks.exe 3568 schtasks.exe 3588 schtasks.exe 216 schtasks.exe 3060 schtasks.exe 6080 schtasks.exe 3804 schtasks.exe 4332 schtasks.exe 3944 schtasks.exe 224 schtasks.exe 3912 schtasks.exe 1232 schtasks.exe 6000 schtasks.exe 668 schtasks.exe 1236 schtasks.exe 4172 schtasks.exe 4232 schtasks.exe 2184 schtasks.exe 1344 schtasks.exe 1536 schtasks.exe 2016 schtasks.exe 4176 schtasks.exe 4276 schtasks.exe 5292 schtasks.exe 4284 schtasks.exe 4568 schtasks.exe 3732 schtasks.exe 2600 schtasks.exe 4948 schtasks.exe 5064 schtasks.exe 4812 schtasks.exe -
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
CrackLauncher.exedescription pid process target process PID 3844 wrote to memory of 2872 3844 CrackLauncher.exe CrackLauncher.exe PID 3844 wrote to memory of 2872 3844 CrackLauncher.exe CrackLauncher.exe PID 3844 wrote to memory of 2872 3844 CrackLauncher.exe CrackLauncher.exe PID 3844 wrote to memory of 1628 3844 CrackLauncher.exe WScript.exe PID 3844 wrote to memory of 1628 3844 CrackLauncher.exe WScript.exe PID 3844 wrote to memory of 1628 3844 CrackLauncher.exe WScript.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3844 -
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"2⤵
- Executes dropped EXE
PID:2872 -
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"3⤵PID:2884
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"4⤵PID:2640
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"5⤵PID:2300
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"6⤵PID:3332
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"7⤵PID:5040
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"8⤵PID:2936
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"9⤵PID:1564
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"10⤵PID:1256
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"11⤵PID:3184
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"12⤵PID:4524
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"13⤵PID:4920
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"14⤵PID:3120
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"15⤵PID:5392
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"16⤵PID:5728
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"17⤵PID:6000
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"18⤵PID:4844
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"19⤵PID:4464
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"20⤵PID:5424
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"21⤵PID:5376
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"22⤵PID:4548
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"23⤵PID:5524
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"24⤵PID:5728
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"25⤵PID:2804
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"26⤵PID:3160
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"27⤵PID:5776
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"28⤵PID:5904
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"29⤵PID:4316
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"30⤵PID:3088
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"31⤵PID:5424
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"32⤵PID:1520
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"33⤵PID:5844
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"34⤵PID:5516
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"35⤵PID:2324
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"36⤵PID:5476
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"37⤵PID:6088
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"38⤵PID:972
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"39⤵PID:320
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"40⤵PID:5788
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"41⤵PID:5624
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"42⤵PID:824
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"43⤵PID:4168
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"44⤵PID:5216
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"45⤵PID:5740
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"46⤵PID:5860
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"47⤵PID:3588
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"48⤵PID:2068
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"49⤵PID:5180
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"50⤵PID:5916
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"51⤵PID:5044
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"52⤵PID:1128
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"53⤵PID:4252
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"54⤵PID:2372
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"55⤵PID:1356
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"56⤵PID:1724
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"57⤵PID:6084
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"58⤵PID:5348
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"59⤵PID:3724
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"60⤵PID:5964
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"61⤵PID:1992
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"62⤵PID:5144
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"63⤵PID:724
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"64⤵PID:4856
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"65⤵PID:764
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"66⤵PID:3616
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"67⤵PID:5164
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"68⤵PID:4324
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"69⤵PID:744
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"70⤵PID:4784
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"71⤵PID:6124
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"72⤵PID:3120
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"73⤵PID:2804
-
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"74⤵PID:3168
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"75⤵PID:744
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "76⤵PID:4040
-
C:\ComsurrogateServerdll\reviewNet.exe"C:\ComsurrogateServerdll\reviewNet.exe"77⤵PID:6060
-
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"73⤵PID:5780
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"74⤵PID:5464
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "75⤵PID:5704
-
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"72⤵PID:2500
-
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"71⤵PID:2816
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"72⤵PID:3044
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "73⤵PID:3580
-
C:\ComsurrogateServerdll\reviewNet.exe"C:\ComsurrogateServerdll\reviewNet.exe"74⤵PID:2624
-
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"70⤵PID:2628
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"71⤵PID:5544
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "72⤵PID:4128
-
C:\ComsurrogateServerdll\reviewNet.exe"C:\ComsurrogateServerdll\reviewNet.exe"73⤵PID:5320
-
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"69⤵PID:1840
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"70⤵PID:4180
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "71⤵PID:5656
-
C:\ComsurrogateServerdll\reviewNet.exe"C:\ComsurrogateServerdll\reviewNet.exe"72⤵PID:5380
-
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"68⤵PID:3844
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"69⤵PID:2776
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "70⤵PID:6096
-
C:\ComsurrogateServerdll\reviewNet.exe"C:\ComsurrogateServerdll\reviewNet.exe"71⤵PID:4012
-
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"67⤵PID:5160
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"68⤵PID:5436
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "69⤵PID:1876
-
C:\ComsurrogateServerdll\reviewNet.exe"C:\ComsurrogateServerdll\reviewNet.exe"70⤵PID:5124
-
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"67⤵PID:692
-
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"66⤵PID:5360
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"67⤵PID:6120
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "68⤵PID:5988
-
C:\ComsurrogateServerdll\reviewNet.exe"C:\ComsurrogateServerdll\reviewNet.exe"69⤵PID:5840
-
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"65⤵PID:5836
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"66⤵PID:5032
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "67⤵PID:5168
-
C:\ComsurrogateServerdll\reviewNet.exe"C:\ComsurrogateServerdll\reviewNet.exe"68⤵PID:232
-
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"64⤵PID:5740
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"65⤵PID:1324
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "66⤵PID:4448
-
C:\ComsurrogateServerdll\reviewNet.exe"C:\ComsurrogateServerdll\reviewNet.exe"67⤵PID:5732
-
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"62⤵PID:780
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"63⤵PID:5340
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "64⤵PID:1176
-
C:\ComsurrogateServerdll\reviewNet.exe"C:\ComsurrogateServerdll\reviewNet.exe"65⤵PID:3620
-
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"62⤵PID:5260
-
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"60⤵PID:6124
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"61⤵PID:6084
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "62⤵PID:1740
-
C:\ComsurrogateServerdll\reviewNet.exe"C:\ComsurrogateServerdll\reviewNet.exe"63⤵PID:5860
-
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"59⤵PID:4792
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"60⤵PID:5496
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "61⤵PID:4840
-
C:\ComsurrogateServerdll\reviewNet.exe"C:\ComsurrogateServerdll\reviewNet.exe"62⤵PID:5112
-
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"58⤵PID:5592
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"59⤵PID:6040
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "60⤵PID:6108
-
C:\ComsurrogateServerdll\reviewNet.exe"C:\ComsurrogateServerdll\reviewNet.exe"61⤵PID:5224
-
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"57⤵PID:2084
-
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"56⤵PID:4844
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"57⤵PID:5944
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "58⤵PID:5604
-
C:\ComsurrogateServerdll\reviewNet.exe"C:\ComsurrogateServerdll\reviewNet.exe"59⤵PID:5404
-
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"56⤵PID:5140
-
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"55⤵PID:3448
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"56⤵PID:5488
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "57⤵PID:3088
-
C:\ComsurrogateServerdll\reviewNet.exe"C:\ComsurrogateServerdll\reviewNet.exe"58⤵PID:3396
-
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"55⤵PID:5004
-
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"54⤵PID:2836
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"55⤵PID:5368
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "56⤵PID:5384
-
C:\ComsurrogateServerdll\reviewNet.exe"C:\ComsurrogateServerdll\reviewNet.exe"57⤵PID:1788
-
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"54⤵PID:3148
-
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"53⤵PID:692
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"54⤵PID:5832
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "55⤵PID:5292
-
C:\ComsurrogateServerdll\reviewNet.exe"C:\ComsurrogateServerdll\reviewNet.exe"56⤵PID:5864
-
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"53⤵PID:6036
-
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"52⤵PID:3944
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"53⤵PID:1420
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "54⤵PID:940
-
C:\ComsurrogateServerdll\reviewNet.exe"C:\ComsurrogateServerdll\reviewNet.exe"55⤵PID:4568
-
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"52⤵PID:560
-
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"51⤵PID:1992
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"52⤵PID:1532
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "53⤵PID:6140
-
C:\ComsurrogateServerdll\reviewNet.exe"C:\ComsurrogateServerdll\reviewNet.exe"54⤵PID:2404
-
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"51⤵PID:5976
-
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"50⤵PID:5824
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"51⤵PID:3984
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "52⤵PID:1636
-
C:\ComsurrogateServerdll\reviewNet.exe"C:\ComsurrogateServerdll\reviewNet.exe"53⤵PID:2104
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7ezzJRb6cS.bat"54⤵PID:5948
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:255⤵PID:5168
-
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"50⤵PID:5972
-
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"49⤵PID:244
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"50⤵PID:5640
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "51⤵PID:3112
-
C:\ComsurrogateServerdll\reviewNet.exe"C:\ComsurrogateServerdll\reviewNet.exe"52⤵PID:4272
-
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"49⤵PID:3148
-
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"48⤵PID:5484
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"49⤵PID:3732
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "50⤵PID:5844
-
C:\ComsurrogateServerdll\reviewNet.exe"C:\ComsurrogateServerdll\reviewNet.exe"51⤵PID:5952
-
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"48⤵PID:4824
-
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"47⤵PID:4872
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"48⤵PID:5752
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "49⤵PID:4928
-
C:\ComsurrogateServerdll\reviewNet.exe"C:\ComsurrogateServerdll\reviewNet.exe"50⤵PID:6096
-
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"47⤵PID:3572
-
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"46⤵PID:4660
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"47⤵PID:4164
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "48⤵PID:5904
-
C:\ComsurrogateServerdll\reviewNet.exe"C:\ComsurrogateServerdll\reviewNet.exe"49⤵PID:4744
-
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"46⤵PID:5524
-
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"45⤵PID:2184
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"46⤵PID:5832
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "47⤵PID:1560
-
C:\ComsurrogateServerdll\reviewNet.exe"C:\ComsurrogateServerdll\reviewNet.exe"48⤵PID:5268
-
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"45⤵PID:1576
-
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"44⤵PID:5588
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"45⤵PID:1628
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "46⤵PID:2324
-
C:\ComsurrogateServerdll\reviewNet.exe"C:\ComsurrogateServerdll\reviewNet.exe"47⤵PID:2184
-
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"44⤵PID:5432
-
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"43⤵PID:2688
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"44⤵PID:5688
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "45⤵PID:5848
-
C:\ComsurrogateServerdll\reviewNet.exe"C:\ComsurrogateServerdll\reviewNet.exe"46⤵PID:1684
-
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"43⤵PID:2756
-
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"42⤵PID:1560
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"43⤵PID:4988
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "44⤵PID:232
-
C:\ComsurrogateServerdll\reviewNet.exe"C:\ComsurrogateServerdll\reviewNet.exe"45⤵PID:208
-
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"42⤵PID:668
-
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"41⤵PID:4228
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"42⤵PID:3844
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "43⤵PID:5748
-
C:\ComsurrogateServerdll\reviewNet.exe"C:\ComsurrogateServerdll\reviewNet.exe"44⤵PID:1740
-
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"41⤵PID:5832
-
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"40⤵PID:3992
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"41⤵PID:5124
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "42⤵PID:5776
-
C:\ComsurrogateServerdll\reviewNet.exe"C:\ComsurrogateServerdll\reviewNet.exe"43⤵PID:5872
-
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"40⤵PID:4580
-
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"39⤵PID:5356
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"40⤵PID:3836
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "41⤵PID:4168
-
C:\ComsurrogateServerdll\reviewNet.exe"C:\ComsurrogateServerdll\reviewNet.exe"42⤵PID:4672
-
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"39⤵PID:3312
-
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"38⤵PID:5068
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"39⤵PID:5764
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "40⤵PID:4452
-
C:\ComsurrogateServerdll\reviewNet.exe"C:\ComsurrogateServerdll\reviewNet.exe"41⤵PID:1020
-
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"38⤵PID:2540
-
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"37⤵PID:5084
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"38⤵PID:2160
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "39⤵PID:3960
-
C:\ComsurrogateServerdll\reviewNet.exe"C:\ComsurrogateServerdll\reviewNet.exe"40⤵PID:4780
-
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"37⤵PID:2308
-
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"36⤵PID:5668
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"37⤵PID:1176
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "38⤵PID:6108
-
C:\ComsurrogateServerdll\reviewNet.exe"C:\ComsurrogateServerdll\reviewNet.exe"39⤵PID:4056
-
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"36⤵PID:5520
-
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"35⤵PID:5496
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"36⤵PID:1236
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "37⤵PID:5304
-
C:\ComsurrogateServerdll\reviewNet.exe"C:\ComsurrogateServerdll\reviewNet.exe"38⤵PID:4380
-
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"35⤵PID:5480
-
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"34⤵PID:4696
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"35⤵PID:1732
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "36⤵PID:5780
-
C:\ComsurrogateServerdll\reviewNet.exe"C:\ComsurrogateServerdll\reviewNet.exe"37⤵PID:5084
-
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"34⤵PID:2132
-
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"33⤵PID:5804
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"34⤵PID:1880
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "35⤵PID:5488
-
C:\ComsurrogateServerdll\reviewNet.exe"C:\ComsurrogateServerdll\reviewNet.exe"36⤵PID:5324
-
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"33⤵PID:5780
-
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"32⤵PID:4792
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"33⤵PID:5004
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "34⤵PID:6032
-
C:\ComsurrogateServerdll\reviewNet.exe"C:\ComsurrogateServerdll\reviewNet.exe"35⤵PID:2752
-
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"32⤵PID:5924
-
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"31⤵PID:3764
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"32⤵PID:3116
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "33⤵PID:6064
-
C:\ComsurrogateServerdll\reviewNet.exe"C:\ComsurrogateServerdll\reviewNet.exe"34⤵PID:2308
-
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"31⤵PID:1528
-
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"30⤵PID:3312
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"31⤵PID:3352
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "32⤵PID:5612
-
C:\ComsurrogateServerdll\reviewNet.exe"C:\ComsurrogateServerdll\reviewNet.exe"33⤵PID:4420
-
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"30⤵PID:5032
-
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"29⤵PID:5736
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"30⤵PID:3836
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "31⤵PID:4972
-
C:\ComsurrogateServerdll\reviewNet.exe"C:\ComsurrogateServerdll\reviewNet.exe"32⤵PID:5152
-
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"29⤵PID:972
-
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"28⤵PID:820
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"29⤵PID:4540
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "30⤵PID:5592
-
C:\ComsurrogateServerdll\reviewNet.exe"C:\ComsurrogateServerdll\reviewNet.exe"31⤵PID:5988
-
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"28⤵PID:4648
-
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"27⤵PID:5988
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"28⤵PID:6032
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "29⤵PID:560
-
C:\ComsurrogateServerdll\reviewNet.exe"C:\ComsurrogateServerdll\reviewNet.exe"30⤵PID:5996
-
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"27⤵PID:4164
-
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"26⤵PID:6080
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"27⤵PID:2084
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "28⤵PID:4920
-
C:\ComsurrogateServerdll\reviewNet.exe"C:\ComsurrogateServerdll\reviewNet.exe"29⤵PID:3520
-
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"26⤵PID:1900
-
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"25⤵PID:4640
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"26⤵PID:5324
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "27⤵PID:5672
-
C:\ComsurrogateServerdll\reviewNet.exe"C:\ComsurrogateServerdll\reviewNet.exe"28⤵PID:1472
-
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"25⤵PID:5044
-
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"24⤵PID:4240
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"25⤵PID:5048
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "26⤵PID:2708
-
C:\ComsurrogateServerdll\reviewNet.exe"C:\ComsurrogateServerdll\reviewNet.exe"27⤵PID:2628
-
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"24⤵PID:764
-
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"23⤵PID:5968
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"24⤵PID:940
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "25⤵PID:1620
-
C:\ComsurrogateServerdll\reviewNet.exe"C:\ComsurrogateServerdll\reviewNet.exe"26⤵PID:5776
-
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"23⤵PID:5804
-
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"22⤵PID:3016
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"23⤵PID:5588
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "24⤵PID:3900
-
C:\ComsurrogateServerdll\reviewNet.exe"C:\ComsurrogateServerdll\reviewNet.exe"25⤵PID:3728
-
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"22⤵PID:5816
-
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"21⤵PID:2076
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"22⤵PID:3400
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "23⤵PID:3944
-
C:\ComsurrogateServerdll\reviewNet.exe"C:\ComsurrogateServerdll\reviewNet.exe"24⤵PID:2748
-
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"21⤵PID:2340
-
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"20⤵PID:5128
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"21⤵PID:5384
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "22⤵PID:2364
-
C:\ComsurrogateServerdll\reviewNet.exe"C:\ComsurrogateServerdll\reviewNet.exe"23⤵PID:4908
-
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"20⤵PID:1972
-
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"19⤵PID:3524
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"20⤵PID:1472
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "21⤵PID:5824
-
C:\ComsurrogateServerdll\reviewNet.exe"C:\ComsurrogateServerdll\reviewNet.exe"22⤵PID:4220
-
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"19⤵PID:4332
-
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"18⤵PID:4584
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"19⤵PID:3836
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "20⤵PID:4568
-
C:\ComsurrogateServerdll\reviewNet.exe"C:\ComsurrogateServerdll\reviewNet.exe"21⤵PID:4748
-
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"18⤵PID:2364
-
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"17⤵PID:6028
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"18⤵PID:2120
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "19⤵PID:4724
-
C:\ComsurrogateServerdll\reviewNet.exe"C:\ComsurrogateServerdll\reviewNet.exe"20⤵PID:744
-
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"17⤵PID:3632
-
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"16⤵PID:5896
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"17⤵PID:6040
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "18⤵PID:4824
-
C:\ComsurrogateServerdll\reviewNet.exe"C:\ComsurrogateServerdll\reviewNet.exe"19⤵PID:4448
-
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"16⤵PID:6104
-
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"15⤵PID:5520
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"16⤵PID:6008
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "17⤵PID:1016
-
C:\ComsurrogateServerdll\reviewNet.exe"C:\ComsurrogateServerdll\reviewNet.exe"18⤵PID:5584
-
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"15⤵PID:5764
-
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"14⤵PID:4448
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"15⤵PID:5468
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "16⤵PID:1652
-
C:\ComsurrogateServerdll\reviewNet.exe"C:\ComsurrogateServerdll\reviewNet.exe"17⤵PID:5536
-
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"14⤵PID:5168
-
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"13⤵PID:1420
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"14⤵PID:5032
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "15⤵PID:5540
-
C:\ComsurrogateServerdll\reviewNet.exe"C:\ComsurrogateServerdll\reviewNet.exe"16⤵PID:6056
-
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"13⤵PID:1612
-
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"12⤵PID:3044
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"13⤵PID:5028
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "14⤵PID:5496
-
C:\ComsurrogateServerdll\reviewNet.exe"C:\ComsurrogateServerdll\reviewNet.exe"15⤵PID:6064
-
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"12⤵PID:4640
-
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"11⤵PID:2372
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"12⤵PID:1976
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "13⤵PID:5412
-
C:\ComsurrogateServerdll\reviewNet.exe"C:\ComsurrogateServerdll\reviewNet.exe"14⤵PID:5716
-
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"11⤵PID:228
-
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"10⤵PID:4672
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"11⤵PID:4064
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "12⤵PID:5432
-
C:\ComsurrogateServerdll\reviewNet.exe"C:\ComsurrogateServerdll\reviewNet.exe"13⤵PID:5788
-
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"10⤵PID:3636
-
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"9⤵PID:3056
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"10⤵PID:1568
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "11⤵PID:5476
-
C:\ComsurrogateServerdll\reviewNet.exe"C:\ComsurrogateServerdll\reviewNet.exe"12⤵PID:6048
-
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"9⤵PID:4540
-
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"8⤵PID:436
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"9⤵PID:1992
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "10⤵PID:3296
-
C:\ComsurrogateServerdll\reviewNet.exe"C:\ComsurrogateServerdll\reviewNet.exe"11⤵PID:1560
-
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"8⤵PID:1972
-
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"7⤵PID:5012
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"8⤵PID:3168
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "9⤵PID:848
-
C:\ComsurrogateServerdll\reviewNet.exe"C:\ComsurrogateServerdll\reviewNet.exe"10⤵PID:4380
-
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"7⤵PID:848
-
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"6⤵PID:632
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"7⤵PID:3676
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "8⤵PID:2816
-
C:\ComsurrogateServerdll\reviewNet.exe"C:\ComsurrogateServerdll\reviewNet.exe"9⤵PID:2588
-
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"6⤵PID:4332
-
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"5⤵PID:2104
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"6⤵PID:4856
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "7⤵PID:1628
-
C:\ComsurrogateServerdll\reviewNet.exe"C:\ComsurrogateServerdll\reviewNet.exe"8⤵PID:3144
-
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"5⤵PID:3716
-
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"4⤵PID:4928
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"5⤵PID:2008
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "6⤵PID:2340
-
C:\ComsurrogateServerdll\reviewNet.exe"C:\ComsurrogateServerdll\reviewNet.exe"7⤵PID:1108
-
C:\ComsurrogateServerdll\reviewNet.exe"C:\ComsurrogateServerdll\reviewNet.exe"8⤵PID:5236
-
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"4⤵PID:3880
-
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"3⤵PID:320
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"4⤵PID:4464
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "5⤵PID:1596
-
C:\ComsurrogateServerdll\reviewNet.exe"C:\ComsurrogateServerdll\reviewNet.exe"6⤵PID:4400
-
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"3⤵PID:3788
-
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"2⤵
- Executes dropped EXE
PID:1628 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"3⤵PID:2748
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "4⤵PID:2024
-
C:\ComsurrogateServerdll\reviewNet.exe"C:\ComsurrogateServerdll\reviewNet.exe"5⤵PID:2384
-
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"2⤵PID:2912
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sihosts" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\sihost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1616
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\sihost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3684
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sihosts" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\sihost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3572
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\TextInputHost.exe'" /f1⤵
- Process spawned unexpected child process
PID:2256
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\TextInputHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4232
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\TextInputHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:216
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:224
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3588
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4988
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\csrss.exe'" /f1⤵
- Process spawned unexpected child process
PID:560
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4948
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4276
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\Registry.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2600
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Registry.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4172
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\Registry.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3944
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 14 /tr "'C:\Windows\Sun\Java\Deployment\StartMenuExperienceHost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4176
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Windows\Sun\Java\Deployment\StartMenuExperienceHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4284
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 11 /tr "'C:\Windows\Sun\Java\Deployment\StartMenuExperienceHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3568
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\unsecapp.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2016
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\unsecapp.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4944
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\unsecapp.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4332
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1684
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:668
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
PID:4388
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Windows\addins\RuntimeBroker.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1016
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\addins\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
PID:4552
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Windows\addins\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2640
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Windows\Downloaded Program Files\conhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3168
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\Downloaded Program Files\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1236
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Windows\Downloaded Program Files\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1472
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force1⤵
- Command and Scripting Interpreter: PowerShell
PID:5992
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc1⤵PID:3632
-
C:\Windows\System32\sc.exesc stop UsoSvc2⤵
- Launches sc.exe
PID:6032 -
C:\Windows\System32\sc.exesc stop WaaSMedicSvc2⤵
- Launches sc.exe
PID:4688 -
C:\Windows\System32\sc.exesc stop wuauserv2⤵
- Launches sc.exe
PID:3844 -
C:\Windows\System32\sc.exesc stop bits2⤵
- Launches sc.exe
PID:4948 -
C:\Windows\System32\sc.exesc stop dosvc2⤵
- Launches sc.exe
PID:3464
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 01⤵
- Power Settings
PID:1536 -
C:\Windows\System32\powercfg.exepowercfg /x -hibernate-timeout-ac 02⤵
- Power Settings
PID:1728 -
C:\Windows\System32\powercfg.exepowercfg /x -hibernate-timeout-dc 02⤵
- Power Settings
PID:3404 -
C:\Windows\System32\powercfg.exepowercfg /x -standby-timeout-ac 02⤵
- Power Settings
PID:5952 -
C:\Windows\System32\powercfg.exepowercfg /x -standby-timeout-dc 02⤵
- Power Settings
PID:4164
-
C:\Windows\System32\schtasks.exeC:\Windows\System32\schtasks.exe /delete /f /tn "GoogleUpdateTaskMachineQC"1⤵PID:5260
-
C:\Windows\System32\schtasks.exeC:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "GoogleUpdateTaskMachineQC" /xml "C:\Users\Admin\AppData\Local\Temp\eqrnvskqnorc.xml"1⤵
- Scheduled Task/Job: Scheduled Task
PID:6000
-
C:\Windows\System32\schtasks.exeC:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"1⤵PID:5588
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"1⤵PID:3920
-
C:\Windows\System32\choice.exechoice /C Y /N /D Y /T 32⤵PID:5160
-
C:\Program Files\Google\Chrome\updater.exe"C:\Program Files\Google\Chrome\updater.exe"1⤵PID:5848
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force1⤵
- Command and Scripting Interpreter: PowerShell
PID:5112
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc1⤵PID:3488
-
C:\Windows\System32\sc.exesc stop UsoSvc2⤵
- Launches sc.exe
PID:408 -
C:\Windows\System32\sc.exesc stop WaaSMedicSvc2⤵
- Launches sc.exe
PID:5336 -
C:\Windows\System32\sc.exesc stop wuauserv2⤵
- Launches sc.exe
PID:5232 -
C:\Windows\System32\sc.exesc stop bits2⤵
- Launches sc.exe
PID:692 -
C:\Windows\System32\sc.exesc stop dosvc2⤵
- Launches sc.exe
PID:4336
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 01⤵
- Power Settings
PID:5476 -
C:\Windows\System32\powercfg.exepowercfg /x -hibernate-timeout-ac 02⤵
- Power Settings
PID:4204 -
C:\Windows\System32\powercfg.exepowercfg /x -hibernate-timeout-dc 02⤵
- Power Settings
PID:6088 -
C:\Windows\System32\powercfg.exepowercfg /x -standby-timeout-ac 02⤵
- Power Settings
PID:5964 -
C:\Windows\System32\powercfg.exepowercfg /x -standby-timeout-dc 02⤵
- Power Settings
PID:3880
-
C:\Windows\System32\schtasks.exeC:\Windows\System32\schtasks.exe /delete /f /tn "GoogleUpdateTaskMachineQC"1⤵PID:2132
-
C:\Windows\System32\schtasks.exeC:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "GoogleUpdateTaskMachineQC" /xml "C:\Users\Admin\AppData\Local\Temp\eqrnvskqnorc.xml"1⤵
- Scheduled Task/Job: Scheduled Task
PID:4768
-
C:\Windows\System32\schtasks.exeC:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"1⤵PID:5512
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"1⤵PID:3992
-
C:\Windows\System32\choice.exechoice /C Y /N /D Y /T 32⤵PID:2752
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:5392
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force1⤵
- Command and Scripting Interpreter: PowerShell
PID:4192
-
C:\ComsurrogateServerdll\reviewNet.exe"C:\ComsurrogateServerdll\reviewNet.exe"1⤵PID:4084
-
C:\Program Files\Microsoft Office\root\Integration\Addons\dwm.exe"C:\Program Files\Microsoft Office\root\Integration\Addons\dwm.exe"2⤵PID:944
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c353151a-38fa-4048-aa9f-537661e52a61.vbs"3⤵PID:3308
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9ce79f9a-828a-412d-a4a1-0ca8f3d4ab8e.vbs"3⤵PID:3168
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc1⤵PID:596
-
C:\Windows\System32\sc.exesc stop UsoSvc2⤵
- Launches sc.exe
PID:4336 -
C:\Windows\System32\sc.exesc stop WaaSMedicSvc2⤵
- Launches sc.exe
PID:5824 -
C:\Windows\System32\sc.exesc stop wuauserv2⤵
- Launches sc.exe
PID:3896 -
C:\Windows\System32\sc.exesc stop bits2⤵
- Launches sc.exe
PID:2104 -
C:\Windows\System32\sc.exesc stop dosvc2⤵
- Launches sc.exe
PID:5924
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 01⤵
- Power Settings
PID:2664 -
C:\Windows\System32\powercfg.exepowercfg /x -hibernate-timeout-ac 02⤵
- Power Settings
PID:5300 -
C:\Windows\System32\powercfg.exepowercfg /x -hibernate-timeout-dc 02⤵
- Power Settings
PID:6104 -
C:\Windows\System32\powercfg.exepowercfg /x -standby-timeout-ac 02⤵
- Power Settings
PID:5612 -
C:\Windows\System32\powercfg.exepowercfg /x -standby-timeout-dc 02⤵
- Power Settings
PID:1584
-
C:\Windows\System32\schtasks.exeC:\Windows\System32\schtasks.exe /delete /f /tn "GoogleUpdateTaskMachineQC"1⤵PID:4056
-
C:\Windows\System32\schtasks.exeC:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "GoogleUpdateTaskMachineQC" /xml "C:\Users\Admin\AppData\Local\Temp\eqrnvskqnorc.xml"1⤵
- Scheduled Task/Job: Scheduled Task
PID:2184
-
C:\Windows\System32\schtasks.exeC:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"1⤵PID:4580
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"1⤵PID:5408
-
C:\Windows\System32\choice.exechoice /C Y /N /D Y /T 32⤵PID:3944
-
C:\Program Files\Google\Chrome\updater.exe"C:\Program Files\Google\Chrome\updater.exe"1⤵PID:1988
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Program Files\Microsoft Office\root\Integration\Addons\dwm.exe'" /f1⤵PID:5752
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\root\Integration\Addons\dwm.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:1536
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"1⤵PID:5960
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "2⤵PID:4556
-
C:\ComsurrogateServerdll\reviewNet.exe"C:\ComsurrogateServerdll\reviewNet.exe"3⤵PID:5672
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Program Files\Microsoft Office\root\Integration\Addons\dwm.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:5664
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\ComsurrogateServerdll\csrss.exe'" /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:3732
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\ComsurrogateServerdll\csrss.exe'" /rl HIGHEST /f1⤵PID:2256
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\ComsurrogateServerdll\csrss.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:5292
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Mail\explorer.exe'" /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:668
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\explorer.exe'" /rl HIGHEST /f1⤵PID:848
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Mail\explorer.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:4852
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Google\conhost.exe'" /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:4064
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\conhost.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:3060
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Google\conhost.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:4568
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "choicec" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\WindowsHolographicDevices\choice.exe'" /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:2884
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "choice" /sc ONLOGON /tr "'C:\Users\All Users\WindowsHolographicDevices\choice.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:5240
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "choicec" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\WindowsHolographicDevices\choice.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:5556
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "reviewNetr" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\reviewNet.exe'" /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:5064
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "reviewNet" /sc ONLOGON /tr "'C:\Users\Default User\reviewNet.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:6080
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "reviewNetr" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\reviewNet.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:5332
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\ComsurrogateServerdll\lsass.exe'" /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:4812
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"1⤵PID:2936
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "2⤵PID:5012
-
C:\ComsurrogateServerdll\reviewNet.exe"C:\ComsurrogateServerdll\reviewNet.exe"3⤵PID:3440
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\ComsurrogateServerdll\lsass.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:4220
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\ComsurrogateServerdll\lsass.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:5644
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\ComsurrogateServerdll\explorer.exe'" /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:5492
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\ComsurrogateServerdll\explorer.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:1344
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\ComsurrogateServerdll\explorer.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:5816
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Windows\de-DE\RuntimeBroker.exe'" /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:4968
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\de-DE\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:3684
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Windows\de-DE\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:3912
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\Windows\Speech_OneCore\Engines\TTS\cmd.exe'" /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:4700
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Windows\Speech_OneCore\Engines\TTS\cmd.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:4708
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\Windows\Speech_OneCore\Engines\TTS\cmd.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:3836
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\ComsurrogateServerdll\lsass.exe'" /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:5732
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\ComsurrogateServerdll\lsass.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:5832
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\ComsurrogateServerdll\lsass.exe'" /rl HIGHEST /f1⤵PID:3404
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:5632
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /rl HIGHEST /f1⤵PID:4316
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:5448
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:5460
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:3804
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:5456
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵PID:628
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force1⤵
- Command and Scripting Interpreter: PowerShell
PID:3844
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc1⤵PID:748
-
C:\Windows\System32\sc.exesc stop UsoSvc2⤵
- Launches sc.exe
PID:1880 -
C:\Windows\System32\sc.exesc stop WaaSMedicSvc2⤵
- Launches sc.exe
PID:5776 -
C:\Windows\System32\sc.exesc stop wuauserv2⤵
- Launches sc.exe
PID:3348 -
C:\Windows\System32\sc.exesc stop bits2⤵
- Launches sc.exe
PID:2080 -
C:\Windows\System32\sc.exesc stop dosvc2⤵
- Launches sc.exe
PID:4760
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 01⤵
- Power Settings
PID:5604 -
C:\Windows\System32\powercfg.exepowercfg /x -hibernate-timeout-ac 02⤵
- Power Settings
PID:2884 -
C:\Windows\System32\powercfg.exepowercfg /x -hibernate-timeout-dc 02⤵
- Power Settings
PID:5240 -
C:\Windows\System32\powercfg.exepowercfg /x -standby-timeout-ac 02⤵
- Power Settings
PID:2020 -
C:\Windows\System32\powercfg.exepowercfg /x -standby-timeout-dc 02⤵
- Power Settings
PID:1728
-
C:\Windows\System32\schtasks.exeC:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "GoogleUpdateTaskMachineQC" /xml "C:\Windows\TEMP\eqrnvskqnorc.xml"1⤵
- Scheduled Task/Job: Scheduled Task
PID:1232
-
C:\Windows\System32\conhost.exeC:\Windows\System32\conhost.exe1⤵PID:2952
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵PID:5640
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1System Services
1Service Execution
1Persistence
Create or Modify System Process
1Windows Service
1Power Settings
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
40B
MD5e8a1196aafe6f8b6e6bb8c795ebf0498
SHA1f5b7dfb17573f8901107616abbcefb7243c97f14
SHA25686c669cde3c0198e13d2cbff58ed537b0d994341f30a230a501eb5e5ce316201
SHA51223116afd8fcf4b201de8981856df75eb71bddd84f3eba0fa26afe36f1e54957c959490e5e22157b1b369c0e538707fb7ea3cbae6442ef36e6e1df601c234eb92
-
Filesize
207B
MD519215cdffa83bf4c905f51ee487e8bec
SHA121c8d4aa2d99932eacef7617b007a3a8a4907ccf
SHA2565fc3f2deada1ff0fe5a803d57f009721a2ad43e97dae76b75483ef5f3bb4c423
SHA512111e64c8a1640638b8f21ea1ce1b7c3b0e77bd5f6f6591a01d677ce2a7593b0655377d7c6baa3ce4726a3bafa852948db73ab899ee57837e336a86bc29998647
-
Filesize
2.7MB
MD554ee180f701840090a930675dd656df2
SHA17c18ea7d94f34b8a6bcedaad224d7d973b417cc4
SHA25671913fe34b93416cbb0f6f2807392b8387a7cce53049eec444463cd820cb580d
SHA512f9a9700c0f5e2429d0fadc238ebe19ea7b9fcaa5b7fece52073c26f35a9df456f1aa6ee14bc985b11375992ad4edda5acf65bc5848f170c4839922d185d6926c
-
Filesize
1KB
MD5655010c15ea0ca05a6e5ddcd84986b98
SHA1120bf7e516aeed462c07625fbfcdab5124ad05d3
SHA2562b1ffeab025cc7c61c50e3e2e4c9253046d9174cf00181a8c1de733a4c0daa14
SHA512e52c26718d7d1e979837b5ac626dde26920fe7413b8aa7be6f1be566a1b0f035582f4d313400e3ad6b92552abb1dfaf186b60b875fb955a2a94fd839fe841437
-
Filesize
3.2MB
MD51612340eed578b9f695949bfbd7a625f
SHA16e4d20aa926063cbc15e9c65c7bfcde609219614
SHA2568a1df8be1833b4aa3d9d50e6b4c5e91185fcd07122baf22f650397e9494d1135
SHA5128835f47af32ac631f5fc51be1971ae8ff25178faeb80a0679ce45c0a7d7cb8f8bcb6953276ede02114f317e6dea42cf4f0643a00fb48e1be742a44bfd4c76b47
-
Filesize
34.2MB
MD547459c72e16d587d72f106421f46c620
SHA1784809d4e9b71f9da764d43835ff5436e80424ea
SHA25664e4ba2eff7e8abd6c738c4360079a3ced0a6d22e8935c2f8216d69b178075d3
SHA512a78537d5bbc8569a72d388e784b16fd280ffec1cde809e56b9785cae509daec1634d0eecfe8cc0cecae5206856c143e623f8696cce3ceccc140251e490c47bf7
-
Filesize
39.4MB
MD5cf010b8b8b4b7be7cf041bbdc9b2b0f0
SHA146ef9630ddcbfbd04971cc8f3f60cdfa47700924
SHA25693e167f3bcbd0a3254d65504f9c3377bec4bf3a7102ad174511b68eeeae6c9e9
SHA512e88d100a7ba32f42aa5c3d1a139c87a0b677cfd94f2bfb23374858e60b8ee5e73aa5077f480fe69fb208c7ffd4a47159080af77896aa56b4f2dfa3152872ae0d
-
Filesize
40.0MB
MD592c1a2d015abc4695f3433787660611f
SHA1c4cd2c9aa28638ca7da3b7a5af381a4e64ff6903
SHA256339b82ef374d4568b45f790796ce611e908ea77c298b25de961866925a590abc
SHA512f7cd3c175cc650b4ecf4ab92b56f326f0fa17b42ec8e4905973df950e58999ff892822c84dac0e8df8a95654d499a18c86ad39b74d22e87238ce8ef08c63c358
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82