Analysis
-
max time kernel
53s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system -
submitted
20-07-2024 17:07
Static task
static1
Behavioral task
behavioral1
Sample
CrackLauncher.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
CrackLauncher.exe
Resource
win10v2004-20240704-en
General
-
Target
CrackLauncher.exe
-
Size
2.7MB
-
MD5
90094c2066f9e53cb9217876c833c269
-
SHA1
da9086b65e114257168e634cc921e1ab1c069144
-
SHA256
371427ad07be3f9c39773c3c0c4b95c86f63dc2e427835565b159f3686818bd0
-
SHA512
ef4a15be7efa9ac59c991c64c5afa5fb9e8015334f69e1c64315f788345c456fec5caf58605ccf08afaf16f1a2f7cc2fda1ffd85850d6c2ea268c63efc261aa8
-
SSDEEP
49152:+o0vjh94l17uf+lwSV64uaQ+AMqAXKM5VIZsTirMC6gOpkXF3eew0w2Gc2MAPRT0:+p87WSV69aQ+GW5CZsTirMjRkOow2H2U
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Process spawned unexpected child process 64 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exedescription pid pid_target process target process Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3968 3864 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3960 3864 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3952 3864 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3944 3864 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4020 3864 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4032 3864 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4048 3864 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4040 3864 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2508 3864 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4092 3864 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2576 3864 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1740 3864 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3152 3864 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2932 3864 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1472 3864 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1744 3864 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3080 3864 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2456 3864 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3280 3864 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2820 3864 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3368 3864 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3324 3864 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1844 3864 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3472 3864 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2444 3864 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3364 3864 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1916 3864 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3188 3864 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3176 3864 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3664 3864 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3780 3864 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3432 3864 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3824 3864 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3832 3864 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3992 3864 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4012 3864 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1484 3864 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2700 3864 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4080 3864 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4072 3864 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1320 3864 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3312 3864 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1656 3864 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3492 3864 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2656 3864 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3740 3864 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2812 3864 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2664 3864 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3120 3864 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3412 3864 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3460 3864 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2060 3864 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3688 3864 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3316 3864 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2172 3864 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3988 3864 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4028 3864 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2952 3864 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4088 3864 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3292 3864 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3456 3864 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3288 3864 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3520 3864 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3844 3864 schtasks.exe -
Processes:
MsHostsvc.exeMsHostsvc.exeMsHostsvc.exeMsHostsvc.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" MsHostsvc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" MsHostsvc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" MsHostsvc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" MsHostsvc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" MsHostsvc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" MsHostsvc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" MsHostsvc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" MsHostsvc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" MsHostsvc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" MsHostsvc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" MsHostsvc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" MsHostsvc.exe -
Processes:
resource yara_rule \Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe dcrat behavioral1/memory/1636-76-0x0000000000C20000-0x0000000000EE2000-memory.dmp dcrat C:\Program Files\Microsoft Office\Office14\1033\sppsvc.exe dcrat behavioral1/memory/4848-186-0x0000000000A70000-0x0000000000D32000-memory.dmp dcrat behavioral1/memory/4944-187-0x00000000011D0000-0x0000000001492000-memory.dmp dcrat behavioral1/memory/5080-188-0x0000000000A60000-0x0000000000D22000-memory.dmp dcrat -
Executes dropped EXE 64 IoCs
Processes:
CrackLauncher.exeíóòèïàõóé.exeCrackLauncher.exeíóòèïàõóé.exeCrackLauncher.exeíóòèïàõóé.exeíóòèïàõóé.exeCrackLauncher.exeCrackLauncher.exeíóòèïàõóé.exeCrackLauncher.exeíóòèïàõóé.exeCrackLauncher.exeíóòèïàõóé.exeCrackLauncher.exeíóòèïàõóé.exeíóòèïàõóé.exeCrackLauncher.exeCrackLauncher.exeCrackLauncher.exeíóòèïàõóé.exeCrackLauncher.exeCrackLauncher.exeCrackLauncher.exeíóòèïàõóé.exeíóòèïàõóé.exeCrackLauncher.exeíóòèïàõóé.exeíóòèïàõóé.exeíóòèïàõóé.exeíóòèïàõóé.exeCrackLauncher.exeCrackLauncher.exeíóòèïàõóé.exeCrackLauncher.exeíóòèïàõóé.exeCrackLauncher.exeíóòèïàõóé.exeCrackLauncher.exeíóòèïàõóé.exeCrackLauncher.exeíóòèïàõóé.exeCrackLauncher.exeíóòèïàõóé.exeCrackLauncher.exeíóòèïàõóé.exeCrackLauncher.exeíóòèïàõóé.exeCrackLauncher.exeíóòèïàõóé.exeCrackLauncher.exeíóòèïàõóé.exeCrackLauncher.exeíóòèïàõóé.exeCrackLauncher.exeíóòèïàõóé.exeCrackLauncher.exeíóòèïàõóé.exeCrackLauncher.exeíóòèïàõóé.exeCrackLauncher.exeíóòèïàõóé.exeCrackLauncher.exeíóòèïàõóé.exepid process 2192 CrackLauncher.exe 1808 íóòèïàõóé.exe 2524 CrackLauncher.exe 2248 íóòèïàõóé.exe 2340 CrackLauncher.exe 2868 íóòèïàõóé.exe 2976 íóòèïàõóé.exe 2604 CrackLauncher.exe 2660 CrackLauncher.exe 3048 íóòèïàõóé.exe 2324 CrackLauncher.exe 664 íóòèïàõóé.exe 1440 CrackLauncher.exe 2420 íóòèïàõóé.exe 1960 CrackLauncher.exe 1508 íóòèïàõóé.exe 2584 íóòèïàõóé.exe 2836 CrackLauncher.exe 2184 CrackLauncher.exe 1956 CrackLauncher.exe 2692 íóòèïàõóé.exe 1268 CrackLauncher.exe 2004 CrackLauncher.exe 1676 CrackLauncher.exe 1612 íóòèïàõóé.exe 2576 íóòèïàõóé.exe 1336 CrackLauncher.exe 1284 íóòèïàõóé.exe 1864 íóòèïàõóé.exe 3000 íóòèïàõóé.exe 2996 íóòèïàõóé.exe 2344 CrackLauncher.exe 2164 CrackLauncher.exe 1708 íóòèïàõóé.exe 2208 CrackLauncher.exe 2196 íóòèïàõóé.exe 2540 CrackLauncher.exe 2112 íóòèïàõóé.exe 2892 CrackLauncher.exe 2876 íóòèïàõóé.exe 2880 CrackLauncher.exe 2976 íóòèïàõóé.exe 3056 CrackLauncher.exe 2268 íóòèïàõóé.exe 2424 CrackLauncher.exe 1424 íóòèïàõóé.exe 1940 CrackLauncher.exe 2764 íóòèïàõóé.exe 2544 CrackLauncher.exe 2508 íóòèïàõóé.exe 2684 CrackLauncher.exe 2944 íóòèïàõóé.exe 1696 CrackLauncher.exe 1348 íóòèïàõóé.exe 1200 CrackLauncher.exe 2460 íóòèïàõóé.exe 2344 CrackLauncher.exe 1480 íóòèïàõóé.exe 872 CrackLauncher.exe 2576 íóòèïàõóé.exe 1708 CrackLauncher.exe 2680 íóòèïàõóé.exe 2104 CrackLauncher.exe 2332 íóòèïàõóé.exe -
Loads dropped DLL 64 IoCs
Processes:
CrackLauncher.exeCrackLauncher.exeCrackLauncher.exeCrackLauncher.exeCrackLauncher.exeCrackLauncher.exeCrackLauncher.exeCrackLauncher.exeCrackLauncher.exeCrackLauncher.exeCrackLauncher.exeCrackLauncher.exeCrackLauncher.exeCrackLauncher.exeCrackLauncher.exeCrackLauncher.exeCrackLauncher.exeCrackLauncher.exeCrackLauncher.exeCrackLauncher.exeCrackLauncher.exeCrackLauncher.exeCrackLauncher.exeCrackLauncher.exeCrackLauncher.exeCrackLauncher.exeCrackLauncher.exeCrackLauncher.exeCrackLauncher.exeCrackLauncher.exeCrackLauncher.exeCrackLauncher.exepid process 2680 CrackLauncher.exe 2680 CrackLauncher.exe 2192 CrackLauncher.exe 2192 CrackLauncher.exe 2524 CrackLauncher.exe 2524 CrackLauncher.exe 2340 CrackLauncher.exe 2340 CrackLauncher.exe 2604 CrackLauncher.exe 2604 CrackLauncher.exe 2660 CrackLauncher.exe 2660 CrackLauncher.exe 2324 CrackLauncher.exe 2324 CrackLauncher.exe 1440 CrackLauncher.exe 1440 CrackLauncher.exe 1960 CrackLauncher.exe 1960 CrackLauncher.exe 2836 CrackLauncher.exe 2836 CrackLauncher.exe 2184 CrackLauncher.exe 2184 CrackLauncher.exe 1956 CrackLauncher.exe 1956 CrackLauncher.exe 1268 CrackLauncher.exe 1268 CrackLauncher.exe 2004 CrackLauncher.exe 2004 CrackLauncher.exe 1676 CrackLauncher.exe 1676 CrackLauncher.exe 1336 CrackLauncher.exe 1336 CrackLauncher.exe 2344 CrackLauncher.exe 2344 CrackLauncher.exe 2164 CrackLauncher.exe 2164 CrackLauncher.exe 2208 CrackLauncher.exe 2208 CrackLauncher.exe 2540 CrackLauncher.exe 2540 CrackLauncher.exe 2892 CrackLauncher.exe 2892 CrackLauncher.exe 2880 CrackLauncher.exe 2880 CrackLauncher.exe 3056 CrackLauncher.exe 3056 CrackLauncher.exe 2424 CrackLauncher.exe 2424 CrackLauncher.exe 1940 CrackLauncher.exe 1940 CrackLauncher.exe 2544 CrackLauncher.exe 2544 CrackLauncher.exe 2684 CrackLauncher.exe 2684 CrackLauncher.exe 1696 CrackLauncher.exe 1696 CrackLauncher.exe 1200 CrackLauncher.exe 1200 CrackLauncher.exe 2344 CrackLauncher.exe 2344 CrackLauncher.exe 872 CrackLauncher.exe 872 CrackLauncher.exe 1708 CrackLauncher.exe 1708 CrackLauncher.exe -
Processes:
MsHostsvc.exeMsHostsvc.exeMsHostsvc.exeMsHostsvc.exedescription ioc process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA MsHostsvc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" MsHostsvc.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA MsHostsvc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" MsHostsvc.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA MsHostsvc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" MsHostsvc.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA MsHostsvc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" MsHostsvc.exe -
Drops file in Program Files directory 18 IoCs
Processes:
MsHostsvc.exeMsHostsvc.exeMsHostsvc.exeMsHostsvc.exedescription ioc process File opened for modification C:\Program Files\Microsoft Office\Office14\1033\0a1fd5f707cd16 MsHostsvc.exe File created C:\Program Files (x86)\Windows Photo Viewer\ja-JP\wscript.exe MsHostsvc.exe File created C:\Program Files (x86)\Windows Photo Viewer\ja-JP\817c8c8ec737a7 MsHostsvc.exe File opened for modification C:\Program Files\Microsoft Office\Office14\1033\sppsvc.exe MsHostsvc.exe File created C:\Program Files (x86)\Google\CrashReports\spoolsv.exe MsHostsvc.exe File created C:\Program Files\Windows Media Player\817c8c8ec737a7 MsHostsvc.exe File created C:\Program Files\Microsoft Office\Office14\1033\sppsvc.exe MsHostsvc.exe File created C:\Program Files\Microsoft Office\Office14\1033\0a1fd5f707cd16 MsHostsvc.exe File opened for modification C:\Program Files\Microsoft Office\Office14\1033\sppsvc.exe MsHostsvc.exe File created C:\Program Files (x86)\Google\CrashReports\f3b6ecef712a24 MsHostsvc.exe File created C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\wscript.exe MsHostsvc.exe File created C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\817c8c8ec737a7 MsHostsvc.exe File opened for modification C:\Program Files\Microsoft Office\Office14\1033\sppsvc.exe MsHostsvc.exe File opened for modification C:\Program Files\Microsoft Office\Office14\1033\0a1fd5f707cd16 MsHostsvc.exe File created C:\Program Files (x86)\Google\CrashReports\spoolsv.exe MsHostsvc.exe File opened for modification C:\Program Files (x86)\Google\CrashReports\spoolsv.exe MsHostsvc.exe File opened for modification C:\Program Files (x86)\Google\CrashReports\f3b6ecef712a24 MsHostsvc.exe File created C:\Program Files\Windows Media Player\wscript.exe MsHostsvc.exe -
Drops file in Windows directory 23 IoCs
Processes:
MsHostsvc.exeMsHostsvc.exeMsHostsvc.exeMsHostsvc.exedescription ioc process File opened for modification C:\Windows\Prefetch\ReadyBoot\817c8c8ec737a7 MsHostsvc.exe File created C:\Windows\Resources\Ease of Access Themes\dllhost.exe MsHostsvc.exe File created C:\Windows\Fonts\services.exe MsHostsvc.exe File created C:\Windows\CSC\v2.0.6\conhost.exe MsHostsvc.exe File opened for modification C:\Windows\Setup\State\cmd.exe MsHostsvc.exe File created C:\Windows\Setup\State\ebf1f9fa8afd6d MsHostsvc.exe File created C:\Windows\Prefetch\ReadyBoot\wscript.exe MsHostsvc.exe File created C:\Windows\Prefetch\ReadyBoot\817c8c8ec737a7 MsHostsvc.exe File created C:\Windows\Vss\b125b10b19ba76 MsHostsvc.exe File created C:\Windows\Setup\State\cmd.exe MsHostsvc.exe File created C:\Windows\Prefetch\ReadyBoot\wscript.exe MsHostsvc.exe File created C:\Windows\Fonts\c5b4cb5e9653cc MsHostsvc.exe File created C:\Windows\Prefetch\55e49458e81f34 MsHostsvc.exe File created C:\Windows\Vss\íóòèïàõóé.exe MsHostsvc.exe File opened for modification C:\Windows\Prefetch\ReadyBoot\wscript.exe MsHostsvc.exe File created C:\Windows\Resources\Ease of Access Themes\5940a34987c991 MsHostsvc.exe File created C:\Windows\de-DE\wscript.exe MsHostsvc.exe File created C:\Windows\de-DE\817c8c8ec737a7 MsHostsvc.exe File created C:\Windows\Prefetch\ReadyBoot\wscript.exe MsHostsvc.exe File opened for modification C:\Windows\Prefetch\ReadyBoot\wscript.exe MsHostsvc.exe File opened for modification C:\Windows\Prefetch\ReadyBoot\817c8c8ec737a7 MsHostsvc.exe File created C:\Windows\servicing\SQM\wscript.exe MsHostsvc.exe File created C:\Windows\Prefetch\MsHostsvc.exe MsHostsvc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Scheduled Task/Job: Scheduled Task 1 TTPs 64 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exepid process 3988 schtasks.exe 2576 schtasks.exe 3364 schtasks.exe 2172 schtasks.exe 4008 schtasks.exe 4508 schtasks.exe 4960 schtasks.exe 2508 schtasks.exe 2820 schtasks.exe 2700 schtasks.exe 2664 schtasks.exe 3152 schtasks.exe 3460 schtasks.exe 3456 schtasks.exe 3520 schtasks.exe 2456 schtasks.exe 3324 schtasks.exe 3780 schtasks.exe 3200 schtasks.exe 3644 schtasks.exe 4988 schtasks.exe 4128 schtasks.exe 4832 schtasks.exe 2264 schtasks.exe 4848 schtasks.exe 4092 schtasks.exe 3368 schtasks.exe 3720 schtasks.exe 1472 schtasks.exe 1844 schtasks.exe 4028 schtasks.exe 3944 schtasks.exe 2656 schtasks.exe 3740 schtasks.exe 3688 schtasks.exe 5040 schtasks.exe 3952 schtasks.exe 4032 schtasks.exe 3664 schtasks.exe 2060 schtasks.exe 3080 schtasks.exe 4080 schtasks.exe 5060 schtasks.exe 2932 schtasks.exe 3472 schtasks.exe 2948 schtasks.exe 2728 schtasks.exe 1916 schtasks.exe 4176 schtasks.exe 2444 schtasks.exe 3992 schtasks.exe 4088 schtasks.exe 1740 schtasks.exe 1484 schtasks.exe 3564 schtasks.exe 4892 schtasks.exe 4040 schtasks.exe 3492 schtasks.exe 2812 schtasks.exe 3412 schtasks.exe 4800 schtasks.exe 4020 schtasks.exe 4012 schtasks.exe 2952 schtasks.exe -
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
Processes:
sppsvc.exepid process 4848 sppsvc.exe -
Suspicious behavior: EnumeratesProcesses 60 IoCs
Processes:
MsHostsvc.exeMsHostsvc.exeMsHostsvc.exeMsHostsvc.exepid process 2156 MsHostsvc.exe 1636 MsHostsvc.exe 2608 MsHostsvc.exe 2568 MsHostsvc.exe 1636 MsHostsvc.exe 2156 MsHostsvc.exe 2608 MsHostsvc.exe 2156 MsHostsvc.exe 2568 MsHostsvc.exe 2608 MsHostsvc.exe 2568 MsHostsvc.exe 1636 MsHostsvc.exe 2568 MsHostsvc.exe 2568 MsHostsvc.exe 2568 MsHostsvc.exe 2608 MsHostsvc.exe 2608 MsHostsvc.exe 2608 MsHostsvc.exe 1636 MsHostsvc.exe 1636 MsHostsvc.exe 1636 MsHostsvc.exe 2568 MsHostsvc.exe 1636 MsHostsvc.exe 2156 MsHostsvc.exe 2608 MsHostsvc.exe 2608 MsHostsvc.exe 1636 MsHostsvc.exe 2156 MsHostsvc.exe 2568 MsHostsvc.exe 2608 MsHostsvc.exe 2608 MsHostsvc.exe 2608 MsHostsvc.exe 1636 MsHostsvc.exe 2608 MsHostsvc.exe 2608 MsHostsvc.exe 1636 MsHostsvc.exe 2156 MsHostsvc.exe 2568 MsHostsvc.exe 2156 MsHostsvc.exe 2568 MsHostsvc.exe 1636 MsHostsvc.exe 2608 MsHostsvc.exe 2608 MsHostsvc.exe 1636 MsHostsvc.exe 2156 MsHostsvc.exe 2156 MsHostsvc.exe 1636 MsHostsvc.exe 2608 MsHostsvc.exe 2608 MsHostsvc.exe 1636 MsHostsvc.exe 2156 MsHostsvc.exe 2156 MsHostsvc.exe 2608 MsHostsvc.exe 1636 MsHostsvc.exe 1636 MsHostsvc.exe 2608 MsHostsvc.exe 2608 MsHostsvc.exe 1636 MsHostsvc.exe 1636 MsHostsvc.exe 2608 MsHostsvc.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
MsHostsvc.exeMsHostsvc.exeMsHostsvc.exeMsHostsvc.exeMsHostsvc.exeMsHostsvc.exeMsHostsvc.exeMsHostsvc.exeMsHostsvc.exeMsHostsvc.exeMsHostsvc.exeMsHostsvc.exeMsHostsvc.exeMsHostsvc.exeMsHostsvc.exeMsHostsvc.exeMsHostsvc.exeMsHostsvc.exeMsHostsvc.exeMsHostsvc.exeMsHostsvc.exeMsHostsvc.exeMsHostsvc.exeMsHostsvc.exeMsHostsvc.exeMsHostsvc.exeMsHostsvc.exeMsHostsvc.exeMsHostsvc.exeMsHostsvc.exeMsHostsvc.exeMsHostsvc.exeMsHostsvc.exeMsHostsvc.exeMsHostsvc.exeMsHostsvc.exeMsHostsvc.exeMsHostsvc.exeMsHostsvc.exeMsHostsvc.exeMsHostsvc.exeMsHostsvc.exeMsHostsvc.exeMsHostsvc.exesppsvc.exeMsHostsvc.exewscript.exeMsHostsvc.exewscript.exeMsHostsvc.exeMsHostsvc.exeMsHostsvc.exeMsHostsvc.exeMsHostsvc.exeMsHostsvc.exeMsHostsvc.exeMsHostsvc.exeMsHostsvc.exeMsHostsvc.exeMsHostsvc.exeMsHostsvc.exeMsHostsvc.exeMsHostsvc.exeMsHostsvc.exedescription pid process Token: SeDebugPrivilege 2608 MsHostsvc.exe Token: SeDebugPrivilege 1636 MsHostsvc.exe Token: SeDebugPrivilege 2156 MsHostsvc.exe Token: SeDebugPrivilege 2568 MsHostsvc.exe Token: SeDebugPrivilege 3676 MsHostsvc.exe Token: SeDebugPrivilege 3812 MsHostsvc.exe Token: SeDebugPrivilege 3904 MsHostsvc.exe Token: SeDebugPrivilege 4264 MsHostsvc.exe Token: SeDebugPrivilege 1336 MsHostsvc.exe Token: SeDebugPrivilege 3592 MsHostsvc.exe Token: SeDebugPrivilege 4556 MsHostsvc.exe Token: SeDebugPrivilege 5108 MsHostsvc.exe Token: SeDebugPrivilege 5000 MsHostsvc.exe Token: SeDebugPrivilege 3820 MsHostsvc.exe Token: SeDebugPrivilege 584 MsHostsvc.exe Token: SeDebugPrivilege 4692 MsHostsvc.exe Token: SeDebugPrivilege 2532 MsHostsvc.exe Token: SeDebugPrivilege 2932 MsHostsvc.exe Token: SeDebugPrivilege 3528 MsHostsvc.exe Token: SeDebugPrivilege 2448 MsHostsvc.exe Token: SeDebugPrivilege 4608 MsHostsvc.exe Token: SeDebugPrivilege 4604 MsHostsvc.exe Token: SeDebugPrivilege 3736 MsHostsvc.exe Token: SeDebugPrivilege 4180 MsHostsvc.exe Token: SeDebugPrivilege 3092 MsHostsvc.exe Token: SeDebugPrivilege 3540 MsHostsvc.exe Token: SeDebugPrivilege 1540 MsHostsvc.exe Token: SeDebugPrivilege 2160 MsHostsvc.exe Token: SeDebugPrivilege 3724 MsHostsvc.exe Token: SeDebugPrivilege 3404 MsHostsvc.exe Token: SeDebugPrivilege 560 MsHostsvc.exe Token: SeDebugPrivilege 2300 MsHostsvc.exe Token: SeDebugPrivilege 2188 MsHostsvc.exe Token: SeDebugPrivilege 4612 MsHostsvc.exe Token: SeDebugPrivilege 3152 MsHostsvc.exe Token: SeDebugPrivilege 3388 MsHostsvc.exe Token: SeDebugPrivilege 1556 MsHostsvc.exe Token: SeDebugPrivilege 3604 MsHostsvc.exe Token: SeDebugPrivilege 1560 MsHostsvc.exe Token: SeDebugPrivilege 2648 MsHostsvc.exe Token: SeDebugPrivilege 3384 MsHostsvc.exe Token: SeDebugPrivilege 4456 MsHostsvc.exe Token: SeDebugPrivilege 4504 MsHostsvc.exe Token: SeDebugPrivilege 3104 MsHostsvc.exe Token: SeDebugPrivilege 4848 sppsvc.exe Token: SeDebugPrivilege 2756 MsHostsvc.exe Token: SeDebugPrivilege 4944 wscript.exe Token: SeDebugPrivilege 3344 MsHostsvc.exe Token: SeDebugPrivilege 5080 wscript.exe Token: SeDebugPrivilege 3132 MsHostsvc.exe Token: SeDebugPrivilege 5480 MsHostsvc.exe Token: SeDebugPrivilege 5864 MsHostsvc.exe Token: SeDebugPrivilege 5876 MsHostsvc.exe Token: SeDebugPrivilege 6024 MsHostsvc.exe Token: SeDebugPrivilege 6048 MsHostsvc.exe Token: SeDebugPrivilege 3208 MsHostsvc.exe Token: SeDebugPrivilege 2064 MsHostsvc.exe Token: SeDebugPrivilege 5996 MsHostsvc.exe Token: SeDebugPrivilege 5988 MsHostsvc.exe Token: SeDebugPrivilege 2456 MsHostsvc.exe Token: SeDebugPrivilege 468 MsHostsvc.exe Token: SeDebugPrivilege 3520 MsHostsvc.exe Token: SeDebugPrivilege 2944 MsHostsvc.exe Token: SeDebugPrivilege 3328 MsHostsvc.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
CrackLauncher.exeCrackLauncher.exeCrackLauncher.exeíóòèïàõóé.exeíóòèïàõóé.exeCrackLauncher.exedescription pid process target process PID 2680 wrote to memory of 2192 2680 CrackLauncher.exe CrackLauncher.exe PID 2680 wrote to memory of 2192 2680 CrackLauncher.exe CrackLauncher.exe PID 2680 wrote to memory of 2192 2680 CrackLauncher.exe CrackLauncher.exe PID 2680 wrote to memory of 2192 2680 CrackLauncher.exe CrackLauncher.exe PID 2680 wrote to memory of 2192 2680 CrackLauncher.exe CrackLauncher.exe PID 2680 wrote to memory of 2192 2680 CrackLauncher.exe CrackLauncher.exe PID 2680 wrote to memory of 2192 2680 CrackLauncher.exe CrackLauncher.exe PID 2680 wrote to memory of 1808 2680 CrackLauncher.exe íóòèïàõóé.exe PID 2680 wrote to memory of 1808 2680 CrackLauncher.exe íóòèïàõóé.exe PID 2680 wrote to memory of 1808 2680 CrackLauncher.exe íóòèïàõóé.exe PID 2680 wrote to memory of 1808 2680 CrackLauncher.exe íóòèïàõóé.exe PID 2680 wrote to memory of 1808 2680 CrackLauncher.exe íóòèïàõóé.exe PID 2680 wrote to memory of 1808 2680 CrackLauncher.exe íóòèïàõóé.exe PID 2680 wrote to memory of 1808 2680 CrackLauncher.exe íóòèïàõóé.exe PID 2192 wrote to memory of 2524 2192 CrackLauncher.exe CrackLauncher.exe PID 2192 wrote to memory of 2524 2192 CrackLauncher.exe CrackLauncher.exe PID 2192 wrote to memory of 2524 2192 CrackLauncher.exe CrackLauncher.exe PID 2192 wrote to memory of 2524 2192 CrackLauncher.exe CrackLauncher.exe PID 2192 wrote to memory of 2524 2192 CrackLauncher.exe CrackLauncher.exe PID 2192 wrote to memory of 2524 2192 CrackLauncher.exe CrackLauncher.exe PID 2192 wrote to memory of 2524 2192 CrackLauncher.exe CrackLauncher.exe PID 2192 wrote to memory of 2248 2192 CrackLauncher.exe íóòèïàõóé.exe PID 2192 wrote to memory of 2248 2192 CrackLauncher.exe íóòèïàõóé.exe PID 2192 wrote to memory of 2248 2192 CrackLauncher.exe íóòèïàõóé.exe PID 2192 wrote to memory of 2248 2192 CrackLauncher.exe íóòèïàõóé.exe PID 2192 wrote to memory of 2248 2192 CrackLauncher.exe íóòèïàõóé.exe PID 2192 wrote to memory of 2248 2192 CrackLauncher.exe íóòèïàõóé.exe PID 2192 wrote to memory of 2248 2192 CrackLauncher.exe íóòèïàõóé.exe PID 2524 wrote to memory of 2340 2524 CrackLauncher.exe CrackLauncher.exe PID 2524 wrote to memory of 2340 2524 CrackLauncher.exe CrackLauncher.exe PID 2524 wrote to memory of 2340 2524 CrackLauncher.exe CrackLauncher.exe PID 2524 wrote to memory of 2340 2524 CrackLauncher.exe CrackLauncher.exe PID 2524 wrote to memory of 2340 2524 CrackLauncher.exe CrackLauncher.exe PID 2524 wrote to memory of 2340 2524 CrackLauncher.exe CrackLauncher.exe PID 2524 wrote to memory of 2340 2524 CrackLauncher.exe CrackLauncher.exe PID 1808 wrote to memory of 2744 1808 íóòèïàõóé.exe WScript.exe PID 1808 wrote to memory of 2744 1808 íóòèïàõóé.exe WScript.exe PID 1808 wrote to memory of 2744 1808 íóòèïàõóé.exe WScript.exe PID 1808 wrote to memory of 2744 1808 íóòèïàõóé.exe WScript.exe PID 1808 wrote to memory of 2744 1808 íóòèïàõóé.exe WScript.exe PID 1808 wrote to memory of 2744 1808 íóòèïàõóé.exe WScript.exe PID 1808 wrote to memory of 2744 1808 íóòèïàõóé.exe WScript.exe PID 2524 wrote to memory of 2868 2524 CrackLauncher.exe WScript.exe PID 2524 wrote to memory of 2868 2524 CrackLauncher.exe WScript.exe PID 2524 wrote to memory of 2868 2524 CrackLauncher.exe WScript.exe PID 2524 wrote to memory of 2868 2524 CrackLauncher.exe WScript.exe PID 2524 wrote to memory of 2868 2524 CrackLauncher.exe WScript.exe PID 2524 wrote to memory of 2868 2524 CrackLauncher.exe WScript.exe PID 2524 wrote to memory of 2868 2524 CrackLauncher.exe WScript.exe PID 2248 wrote to memory of 2912 2248 íóòèïàõóé.exe WScript.exe PID 2248 wrote to memory of 2912 2248 íóòèïàõóé.exe WScript.exe PID 2248 wrote to memory of 2912 2248 íóòèïàõóé.exe WScript.exe PID 2248 wrote to memory of 2912 2248 íóòèïàõóé.exe WScript.exe PID 2248 wrote to memory of 2912 2248 íóòèïàõóé.exe WScript.exe PID 2248 wrote to memory of 2912 2248 íóòèïàõóé.exe WScript.exe PID 2248 wrote to memory of 2912 2248 íóòèïàõóé.exe WScript.exe PID 2340 wrote to memory of 2604 2340 CrackLauncher.exe CrackLauncher.exe PID 2340 wrote to memory of 2604 2340 CrackLauncher.exe CrackLauncher.exe PID 2340 wrote to memory of 2604 2340 CrackLauncher.exe CrackLauncher.exe PID 2340 wrote to memory of 2604 2340 CrackLauncher.exe CrackLauncher.exe PID 2340 wrote to memory of 2604 2340 CrackLauncher.exe CrackLauncher.exe PID 2340 wrote to memory of 2604 2340 CrackLauncher.exe CrackLauncher.exe PID 2340 wrote to memory of 2604 2340 CrackLauncher.exe CrackLauncher.exe PID 2340 wrote to memory of 2976 2340 CrackLauncher.exe íóòèïàõóé.exe -
System policy modification 1 TTPs 12 IoCs
Processes:
MsHostsvc.exeMsHostsvc.exeMsHostsvc.exeMsHostsvc.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" MsHostsvc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" MsHostsvc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" MsHostsvc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" MsHostsvc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" MsHostsvc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" MsHostsvc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" MsHostsvc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" MsHostsvc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" MsHostsvc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" MsHostsvc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" MsHostsvc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" MsHostsvc.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2680 -
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2192 -
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2524 -
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2340 -
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2604 -
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2660 -
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"7⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2324 -
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"8⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1440 -
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"9⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1960 -
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"10⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2836 -
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"11⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2184 -
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"12⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1956 -
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"13⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1268 -
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"14⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2004 -
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"15⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1676 -
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"16⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1336 -
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2344 -
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2164 -
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2208 -
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2540 -
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2892 -
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2880 -
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3056 -
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2424 -
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1940 -
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2544 -
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2684 -
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1696 -
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1200 -
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2344 -
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:872 -
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1708 -
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"33⤵
- Executes dropped EXE
PID:2104 -
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"34⤵PID:2700
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"35⤵PID:2688
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"36⤵PID:2880
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"37⤵PID:1532
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"38⤵PID:1440
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"39⤵PID:3036
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"40⤵PID:344
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"41⤵PID:1348
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"42⤵PID:876
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"43⤵PID:3000
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"44⤵PID:1964
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"45⤵PID:2848
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"46⤵PID:2104
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"47⤵PID:2732
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"48⤵PID:1772
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"49⤵PID:1784
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"50⤵PID:2084
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"51⤵PID:2816
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"52⤵PID:1600
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"53⤵PID:1044
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"54⤵PID:1028
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"55⤵PID:2764
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"56⤵PID:1612
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"57⤵PID:3000
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"58⤵PID:2440
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"59⤵PID:2732
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"60⤵PID:2920
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"61⤵PID:1336
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"62⤵PID:3140
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"63⤵PID:3316
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"64⤵PID:3696
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"65⤵PID:4980
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"66⤵PID:1860
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"67⤵PID:4940
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"68⤵PID:5008
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"69⤵PID:3972
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"70⤵PID:3024
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"71⤵PID:3132
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"72⤵PID:3680
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"73⤵PID:2984
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"74⤵PID:2104
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"75⤵PID:2984
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"76⤵PID:5280
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"77⤵PID:5396
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"78⤵PID:5452
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"79⤵PID:5516
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"80⤵PID:5644
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"81⤵PID:5760
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"82⤵PID:5852
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"83⤵PID:6000
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"84⤵PID:6072
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"85⤵PID:5292
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"86⤵PID:4004
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"87⤵PID:1672
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"88⤵PID:5440
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"89⤵PID:5188
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"90⤵PID:5548
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"91⤵PID:4720
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"92⤵PID:2020
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"93⤵PID:5828
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"94⤵PID:2444
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"95⤵PID:4148
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"96⤵PID:2812
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"97⤵PID:4376
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"98⤵PID:5032
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"99⤵PID:4176
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"100⤵PID:1748
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"101⤵PID:1544
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"102⤵PID:2848
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"103⤵PID:4236
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"104⤵PID:4184
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"105⤵PID:3404
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"106⤵PID:2188
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"107⤵PID:3256
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"108⤵PID:5440
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"109⤵PID:4896
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"110⤵PID:2668
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"111⤵PID:4960
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"112⤵PID:4644
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"113⤵PID:484
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"114⤵PID:3324
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"115⤵PID:4564
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"116⤵PID:2864
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"117⤵PID:4044
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"118⤵PID:3672
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"119⤵PID:1916
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"120⤵PID:3424
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"121⤵PID:860
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"122⤵PID:5892
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"123⤵PID:1860
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"124⤵PID:3280
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"125⤵PID:3356
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"126⤵PID:4092
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"127⤵PID:5000
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"128⤵PID:3552
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"129⤵PID:5532
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"130⤵PID:4636
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"131⤵PID:5852
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"132⤵PID:3176
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"133⤵PID:5976
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"134⤵PID:5860
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"135⤵PID:4144
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"136⤵PID:1780
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"137⤵PID:5224
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"138⤵PID:1556
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"139⤵PID:1716
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"140⤵PID:2404
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"141⤵PID:5132
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"142⤵PID:2020
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"143⤵PID:4976
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"144⤵PID:2820
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"145⤵PID:3516
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"146⤵PID:4036
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"147⤵PID:4704
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"148⤵PID:5096
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"149⤵PID:1148
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"150⤵PID:3748
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"151⤵PID:4236
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"152⤵PID:5444
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"153⤵PID:5532
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"154⤵PID:2800
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"155⤵PID:4832
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"156⤵PID:5572
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"157⤵PID:4312
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"158⤵PID:6140
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"159⤵PID:4860
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"160⤵PID:5860
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"161⤵PID:4892
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"162⤵PID:280
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"163⤵PID:5080
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"164⤵PID:5620
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"165⤵PID:5864
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"166⤵PID:5176
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"167⤵PID:3284
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"168⤵PID:3428
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"169⤵PID:5868
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"170⤵PID:868
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"171⤵PID:2988
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"172⤵PID:5884
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"173⤵PID:4768
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"174⤵PID:4716
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"175⤵PID:2496
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"176⤵PID:1440
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"177⤵PID:4068
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"178⤵PID:5080
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"179⤵PID:2872
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"180⤵PID:2084
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"181⤵PID:3268
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"182⤵PID:4024
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"183⤵PID:2096
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"184⤵PID:5768
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"185⤵PID:5716
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"186⤵PID:5736
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"187⤵PID:2960
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"188⤵PID:1052
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"189⤵PID:3472
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"190⤵PID:3764
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"191⤵PID:3460
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"192⤵PID:5300
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"193⤵PID:5652
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"194⤵PID:2544
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"195⤵PID:2216
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"196⤵PID:6060
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"197⤵PID:5520
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"198⤵PID:2444
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"199⤵PID:1920
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"200⤵PID:4912
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"201⤵PID:2268
-
C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"200⤵PID:4848
-
C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"199⤵PID:4840
-
C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"198⤵PID:5364
-
C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"197⤵PID:5844
-
C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"196⤵PID:1740
-
C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"195⤵PID:5112
-
C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"194⤵PID:4936
-
C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"193⤵PID:2324
-
C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"192⤵PID:4672
-
C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"191⤵PID:4148
-
C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"190⤵PID:5948
-
C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"189⤵PID:2456
-
C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"188⤵PID:5552
-
C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"187⤵PID:1748
-
C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"186⤵PID:604
-
C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"185⤵PID:3640
-
C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"184⤵PID:2696
-
C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"183⤵PID:2624
-
C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"182⤵PID:4628
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\bridgeServercomponentFontDriver\SND7XTuGR2g.vbe"183⤵PID:2184
-
C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"181⤵PID:2692
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\bridgeServercomponentFontDriver\SND7XTuGR2g.vbe"182⤵PID:4812
-
C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"180⤵PID:3568
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\bridgeServercomponentFontDriver\SND7XTuGR2g.vbe"181⤵PID:3572
-
C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"179⤵PID:1940
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\bridgeServercomponentFontDriver\SND7XTuGR2g.vbe"180⤵PID:5584
-
C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"178⤵PID:3276
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\bridgeServercomponentFontDriver\SND7XTuGR2g.vbe"179⤵PID:2196
-
C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"177⤵PID:5808
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\bridgeServercomponentFontDriver\SND7XTuGR2g.vbe"178⤵PID:2176
-
C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"176⤵PID:784
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\bridgeServercomponentFontDriver\SND7XTuGR2g.vbe"177⤵PID:3308
-
C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"175⤵PID:980
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\bridgeServercomponentFontDriver\SND7XTuGR2g.vbe"176⤵PID:5400
-
C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"174⤵PID:5308
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\bridgeServercomponentFontDriver\SND7XTuGR2g.vbe"175⤵PID:4140
-
C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"173⤵PID:1804
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\bridgeServercomponentFontDriver\SND7XTuGR2g.vbe"174⤵PID:2548
-
C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"172⤵PID:5460
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\bridgeServercomponentFontDriver\SND7XTuGR2g.vbe"173⤵PID:984
-
C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"171⤵PID:4472
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\bridgeServercomponentFontDriver\SND7XTuGR2g.vbe"172⤵PID:6128
-
C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"170⤵PID:5316
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\bridgeServercomponentFontDriver\SND7XTuGR2g.vbe"171⤵PID:5292
-
C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"169⤵PID:3600
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\bridgeServercomponentFontDriver\SND7XTuGR2g.vbe"170⤵PID:1272
-
C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"168⤵PID:4268
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\bridgeServercomponentFontDriver\SND7XTuGR2g.vbe"169⤵PID:5048
-
C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"167⤵PID:4116
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\bridgeServercomponentFontDriver\SND7XTuGR2g.vbe"168⤵PID:5944
-
C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"166⤵PID:4324
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\bridgeServercomponentFontDriver\SND7XTuGR2g.vbe"167⤵PID:2740
-
C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"165⤵PID:1500
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\bridgeServercomponentFontDriver\SND7XTuGR2g.vbe"166⤵PID:4120
-
C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"164⤵PID:3748
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\bridgeServercomponentFontDriver\SND7XTuGR2g.vbe"165⤵PID:4524
-
C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"163⤵PID:1740
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\bridgeServercomponentFontDriver\SND7XTuGR2g.vbe"164⤵PID:4308
-
C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"162⤵PID:2840
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\bridgeServercomponentFontDriver\SND7XTuGR2g.vbe"163⤵PID:3288
-
C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"161⤵PID:5424
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\bridgeServercomponentFontDriver\SND7XTuGR2g.vbe"162⤵PID:3832
-
C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"160⤵PID:5300
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\bridgeServercomponentFontDriver\SND7XTuGR2g.vbe"161⤵PID:2944
-
C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"159⤵PID:860
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\bridgeServercomponentFontDriver\SND7XTuGR2g.vbe"160⤵PID:280
-
C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"158⤵PID:2548
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\bridgeServercomponentFontDriver\SND7XTuGR2g.vbe"159⤵PID:5524
-
C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"157⤵PID:5880
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\bridgeServercomponentFontDriver\SND7XTuGR2g.vbe"158⤵PID:4296
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\bridgeServercomponentFontDriver\9qhNErD.bat" "159⤵PID:2676
-
C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"156⤵PID:1976
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\bridgeServercomponentFontDriver\SND7XTuGR2g.vbe"157⤵PID:1828
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\bridgeServercomponentFontDriver\9qhNErD.bat" "158⤵PID:1620
-
C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"155⤵PID:872
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\bridgeServercomponentFontDriver\SND7XTuGR2g.vbe"156⤵PID:3524
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\bridgeServercomponentFontDriver\9qhNErD.bat" "157⤵PID:2536
-
C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"154⤵PID:3924
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\bridgeServercomponentFontDriver\SND7XTuGR2g.vbe"155⤵PID:4036
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\bridgeServercomponentFontDriver\9qhNErD.bat" "156⤵PID:344
-
C:\bridgeServercomponentFontDriver\MsHostsvc.exe"C:\bridgeServercomponentFontDriver\MsHostsvc.exe"157⤵PID:4944
-
C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"153⤵PID:5972
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\bridgeServercomponentFontDriver\SND7XTuGR2g.vbe"154⤵PID:2532
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\bridgeServercomponentFontDriver\9qhNErD.bat" "155⤵PID:2440
-
C:\bridgeServercomponentFontDriver\MsHostsvc.exe"C:\bridgeServercomponentFontDriver\MsHostsvc.exe"156⤵PID:2680
-
C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"152⤵PID:5716
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\bridgeServercomponentFontDriver\SND7XTuGR2g.vbe"153⤵PID:5600
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\bridgeServercomponentFontDriver\9qhNErD.bat" "154⤵PID:5224
-
C:\bridgeServercomponentFontDriver\MsHostsvc.exe"C:\bridgeServercomponentFontDriver\MsHostsvc.exe"155⤵PID:1184
-
C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"151⤵PID:4204
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\bridgeServercomponentFontDriver\SND7XTuGR2g.vbe"152⤵PID:5124
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\bridgeServercomponentFontDriver\9qhNErD.bat" "153⤵PID:3084
-
C:\bridgeServercomponentFontDriver\MsHostsvc.exe"C:\bridgeServercomponentFontDriver\MsHostsvc.exe"154⤵PID:1500
-
C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"150⤵PID:1472
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\bridgeServercomponentFontDriver\SND7XTuGR2g.vbe"151⤵PID:5924
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\bridgeServercomponentFontDriver\9qhNErD.bat" "152⤵PID:6004
-
C:\bridgeServercomponentFontDriver\MsHostsvc.exe"C:\bridgeServercomponentFontDriver\MsHostsvc.exe"153⤵PID:2868
-
C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"149⤵PID:5164
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\bridgeServercomponentFontDriver\SND7XTuGR2g.vbe"150⤵PID:1936
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\bridgeServercomponentFontDriver\9qhNErD.bat" "151⤵PID:2732
-
C:\bridgeServercomponentFontDriver\MsHostsvc.exe"C:\bridgeServercomponentFontDriver\MsHostsvc.exe"152⤵PID:6068
-
C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"148⤵PID:1264
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\bridgeServercomponentFontDriver\SND7XTuGR2g.vbe"149⤵PID:4920
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\bridgeServercomponentFontDriver\9qhNErD.bat" "150⤵PID:880
-
C:\bridgeServercomponentFontDriver\MsHostsvc.exe"C:\bridgeServercomponentFontDriver\MsHostsvc.exe"151⤵PID:6084
-
C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"147⤵PID:1348
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\bridgeServercomponentFontDriver\SND7XTuGR2g.vbe"148⤵PID:928
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\bridgeServercomponentFontDriver\9qhNErD.bat" "149⤵PID:5020
-
C:\bridgeServercomponentFontDriver\MsHostsvc.exe"C:\bridgeServercomponentFontDriver\MsHostsvc.exe"150⤵PID:5260
-
C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"146⤵PID:5668
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\bridgeServercomponentFontDriver\SND7XTuGR2g.vbe"147⤵PID:5816
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\bridgeServercomponentFontDriver\9qhNErD.bat" "148⤵PID:3216
-
C:\bridgeServercomponentFontDriver\MsHostsvc.exe"C:\bridgeServercomponentFontDriver\MsHostsvc.exe"149⤵PID:5496
-
C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"145⤵PID:5856
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\bridgeServercomponentFontDriver\SND7XTuGR2g.vbe"146⤵PID:2600
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\bridgeServercomponentFontDriver\9qhNErD.bat" "147⤵PID:5372
-
C:\bridgeServercomponentFontDriver\MsHostsvc.exe"C:\bridgeServercomponentFontDriver\MsHostsvc.exe"148⤵PID:5596
-
C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"144⤵PID:2024
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\bridgeServercomponentFontDriver\SND7XTuGR2g.vbe"145⤵PID:2304
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\bridgeServercomponentFontDriver\9qhNErD.bat" "146⤵PID:5472
-
C:\bridgeServercomponentFontDriver\MsHostsvc.exe"C:\bridgeServercomponentFontDriver\MsHostsvc.exe"147⤵PID:1724
-
C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"143⤵PID:6032
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\bridgeServercomponentFontDriver\SND7XTuGR2g.vbe"144⤵PID:1268
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\bridgeServercomponentFontDriver\9qhNErD.bat" "145⤵PID:5212
-
C:\bridgeServercomponentFontDriver\MsHostsvc.exe"C:\bridgeServercomponentFontDriver\MsHostsvc.exe"146⤵PID:6052
-
C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"142⤵PID:4332
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\bridgeServercomponentFontDriver\SND7XTuGR2g.vbe"143⤵PID:344
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\bridgeServercomponentFontDriver\9qhNErD.bat" "144⤵PID:5572
-
C:\bridgeServercomponentFontDriver\MsHostsvc.exe"C:\bridgeServercomponentFontDriver\MsHostsvc.exe"145⤵PID:2256
-
C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"141⤵PID:1724
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\bridgeServercomponentFontDriver\SND7XTuGR2g.vbe"142⤵PID:3052
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\bridgeServercomponentFontDriver\9qhNErD.bat" "143⤵PID:2656
-
C:\bridgeServercomponentFontDriver\MsHostsvc.exe"C:\bridgeServercomponentFontDriver\MsHostsvc.exe"144⤵PID:5656
-
C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"140⤵PID:5708
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\bridgeServercomponentFontDriver\SND7XTuGR2g.vbe"141⤵PID:2176
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\bridgeServercomponentFontDriver\9qhNErD.bat" "142⤵PID:3168
-
C:\bridgeServercomponentFontDriver\MsHostsvc.exe"C:\bridgeServercomponentFontDriver\MsHostsvc.exe"143⤵PID:3456
-
C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"139⤵PID:2716
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\bridgeServercomponentFontDriver\SND7XTuGR2g.vbe"140⤵PID:1028
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\bridgeServercomponentFontDriver\9qhNErD.bat" "141⤵PID:3156
-
C:\bridgeServercomponentFontDriver\MsHostsvc.exe"C:\bridgeServercomponentFontDriver\MsHostsvc.exe"142⤵PID:568
-
C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"138⤵PID:4296
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\bridgeServercomponentFontDriver\SND7XTuGR2g.vbe"139⤵PID:4320
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\bridgeServercomponentFontDriver\9qhNErD.bat" "140⤵PID:4476
-
C:\bridgeServercomponentFontDriver\MsHostsvc.exe"C:\bridgeServercomponentFontDriver\MsHostsvc.exe"141⤵PID:4544
-
C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"137⤵PID:3396
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\bridgeServercomponentFontDriver\SND7XTuGR2g.vbe"138⤵PID:4936
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\bridgeServercomponentFontDriver\9qhNErD.bat" "139⤵PID:3260
-
C:\bridgeServercomponentFontDriver\MsHostsvc.exe"C:\bridgeServercomponentFontDriver\MsHostsvc.exe"140⤵PID:4108
-
C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"136⤵PID:3356
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\bridgeServercomponentFontDriver\SND7XTuGR2g.vbe"137⤵PID:2188
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\bridgeServercomponentFontDriver\9qhNErD.bat" "138⤵PID:5348
-
C:\bridgeServercomponentFontDriver\MsHostsvc.exe"C:\bridgeServercomponentFontDriver\MsHostsvc.exe"139⤵PID:4616
-
C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"135⤵PID:2248
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\bridgeServercomponentFontDriver\SND7XTuGR2g.vbe"136⤵PID:4080
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\bridgeServercomponentFontDriver\9qhNErD.bat" "137⤵PID:5740
-
C:\bridgeServercomponentFontDriver\MsHostsvc.exe"C:\bridgeServercomponentFontDriver\MsHostsvc.exe"138⤵PID:2844
-
C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"134⤵PID:5396
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\bridgeServercomponentFontDriver\SND7XTuGR2g.vbe"135⤵PID:4592
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\bridgeServercomponentFontDriver\9qhNErD.bat" "136⤵PID:3336
-
C:\bridgeServercomponentFontDriver\MsHostsvc.exe"C:\bridgeServercomponentFontDriver\MsHostsvc.exe"137⤵PID:2964
-
C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"133⤵PID:4784
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\bridgeServercomponentFontDriver\SND7XTuGR2g.vbe"134⤵PID:1332
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\bridgeServercomponentFontDriver\9qhNErD.bat" "135⤵PID:1652
-
C:\bridgeServercomponentFontDriver\MsHostsvc.exe"C:\bridgeServercomponentFontDriver\MsHostsvc.exe"136⤵PID:3408
-
C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"132⤵PID:5604
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\bridgeServercomponentFontDriver\SND7XTuGR2g.vbe"133⤵PID:6088
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\bridgeServercomponentFontDriver\9qhNErD.bat" "134⤵PID:1948
-
C:\bridgeServercomponentFontDriver\MsHostsvc.exe"C:\bridgeServercomponentFontDriver\MsHostsvc.exe"135⤵PID:2232
-
C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"131⤵PID:1964
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\bridgeServercomponentFontDriver\SND7XTuGR2g.vbe"132⤵PID:4536
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\bridgeServercomponentFontDriver\9qhNErD.bat" "133⤵PID:284
-
C:\bridgeServercomponentFontDriver\MsHostsvc.exe"C:\bridgeServercomponentFontDriver\MsHostsvc.exe"134⤵PID:1048
-
C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"130⤵PID:2228
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\bridgeServercomponentFontDriver\SND7XTuGR2g.vbe"131⤵PID:3388
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\bridgeServercomponentFontDriver\9qhNErD.bat" "132⤵PID:3612
-
C:\bridgeServercomponentFontDriver\MsHostsvc.exe"C:\bridgeServercomponentFontDriver\MsHostsvc.exe"133⤵PID:5664
-
C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"129⤵PID:5576
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\bridgeServercomponentFontDriver\SND7XTuGR2g.vbe"130⤵PID:2080
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\bridgeServercomponentFontDriver\9qhNErD.bat" "131⤵PID:2308
-
C:\bridgeServercomponentFontDriver\MsHostsvc.exe"C:\bridgeServercomponentFontDriver\MsHostsvc.exe"132⤵PID:3752
-
C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"128⤵PID:3096
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\bridgeServercomponentFontDriver\SND7XTuGR2g.vbe"129⤵PID:3320
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\bridgeServercomponentFontDriver\9qhNErD.bat" "130⤵PID:4760
-
C:\bridgeServercomponentFontDriver\MsHostsvc.exe"C:\bridgeServercomponentFontDriver\MsHostsvc.exe"131⤵PID:1712
-
C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"127⤵PID:4348
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\bridgeServercomponentFontDriver\SND7XTuGR2g.vbe"128⤵PID:4984
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\bridgeServercomponentFontDriver\9qhNErD.bat" "129⤵PID:1808
-
C:\bridgeServercomponentFontDriver\MsHostsvc.exe"C:\bridgeServercomponentFontDriver\MsHostsvc.exe"130⤵PID:4868
-
C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"126⤵PID:3464
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\bridgeServercomponentFontDriver\SND7XTuGR2g.vbe"127⤵PID:5012
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\bridgeServercomponentFontDriver\9qhNErD.bat" "128⤵PID:3248
-
C:\bridgeServercomponentFontDriver\MsHostsvc.exe"C:\bridgeServercomponentFontDriver\MsHostsvc.exe"129⤵PID:4088
-
C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"125⤵PID:5108
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\bridgeServercomponentFontDriver\SND7XTuGR2g.vbe"126⤵PID:4120
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\bridgeServercomponentFontDriver\9qhNErD.bat" "127⤵PID:5836
-
C:\bridgeServercomponentFontDriver\MsHostsvc.exe"C:\bridgeServercomponentFontDriver\MsHostsvc.exe"128⤵PID:5960
-
C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"124⤵PID:6092
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\bridgeServercomponentFontDriver\SND7XTuGR2g.vbe"125⤵PID:4308
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\bridgeServercomponentFontDriver\9qhNErD.bat" "126⤵PID:1304
-
C:\bridgeServercomponentFontDriver\MsHostsvc.exe"C:\bridgeServercomponentFontDriver\MsHostsvc.exe"127⤵PID:4200
-
C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"123⤵PID:5948
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\bridgeServercomponentFontDriver\SND7XTuGR2g.vbe"124⤵PID:2952
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\bridgeServercomponentFontDriver\9qhNErD.bat" "125⤵PID:5064
-
C:\bridgeServercomponentFontDriver\MsHostsvc.exe"C:\bridgeServercomponentFontDriver\MsHostsvc.exe"126⤵PID:2648
-
C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"122⤵PID:2508
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\bridgeServercomponentFontDriver\SND7XTuGR2g.vbe"123⤵PID:1792
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\bridgeServercomponentFontDriver\9qhNErD.bat" "124⤵PID:5576
-
C:\bridgeServercomponentFontDriver\MsHostsvc.exe"C:\bridgeServercomponentFontDriver\MsHostsvc.exe"125⤵PID:4836
-
C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"121⤵PID:5308
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\bridgeServercomponentFontDriver\SND7XTuGR2g.vbe"122⤵PID:2164
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\bridgeServercomponentFontDriver\9qhNErD.bat" "123⤵PID:4044
-
C:\bridgeServercomponentFontDriver\MsHostsvc.exe"C:\bridgeServercomponentFontDriver\MsHostsvc.exe"124⤵PID:2004
-
C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"120⤵PID:2848
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\bridgeServercomponentFontDriver\SND7XTuGR2g.vbe"121⤵PID:2944
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\bridgeServercomponentFontDriver\9qhNErD.bat" "122⤵PID:4172
-
C:\bridgeServercomponentFontDriver\MsHostsvc.exe"C:\bridgeServercomponentFontDriver\MsHostsvc.exe"123⤵PID:1608
-
C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"119⤵PID:2800
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\bridgeServercomponentFontDriver\SND7XTuGR2g.vbe"120⤵PID:5808
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\bridgeServercomponentFontDriver\9qhNErD.bat" "121⤵PID:3344
-
C:\bridgeServercomponentFontDriver\MsHostsvc.exe"C:\bridgeServercomponentFontDriver\MsHostsvc.exe"122⤵PID:2996
-
C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"118⤵PID:5468
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\bridgeServercomponentFontDriver\SND7XTuGR2g.vbe"119⤵PID:2244
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\bridgeServercomponentFontDriver\9qhNErD.bat" "120⤵PID:2464
-
C:\bridgeServercomponentFontDriver\MsHostsvc.exe"C:\bridgeServercomponentFontDriver\MsHostsvc.exe"121⤵PID:1184
-
C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"117⤵PID:5724
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\bridgeServercomponentFontDriver\SND7XTuGR2g.vbe"118⤵PID:5264
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\bridgeServercomponentFontDriver\9qhNErD.bat" "119⤵PID:1212
-
C:\bridgeServercomponentFontDriver\MsHostsvc.exe"C:\bridgeServercomponentFontDriver\MsHostsvc.exe"120⤵PID:4400
-
C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"116⤵PID:1580
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\bridgeServercomponentFontDriver\SND7XTuGR2g.vbe"117⤵PID:4076
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\bridgeServercomponentFontDriver\9qhNErD.bat" "118⤵PID:4396
-
C:\bridgeServercomponentFontDriver\MsHostsvc.exe"C:\bridgeServercomponentFontDriver\MsHostsvc.exe"119⤵PID:4896
-
C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"115⤵PID:5096
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\bridgeServercomponentFontDriver\SND7XTuGR2g.vbe"116⤵PID:2532
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\bridgeServercomponentFontDriver\9qhNErD.bat" "117⤵PID:2820
-
C:\bridgeServercomponentFontDriver\MsHostsvc.exe"C:\bridgeServercomponentFontDriver\MsHostsvc.exe"118⤵PID:2864
-
C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"114⤵PID:3640
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\bridgeServercomponentFontDriver\SND7XTuGR2g.vbe"115⤵PID:5768
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\bridgeServercomponentFontDriver\9qhNErD.bat" "116⤵PID:5936
-
C:\bridgeServercomponentFontDriver\MsHostsvc.exe"C:\bridgeServercomponentFontDriver\MsHostsvc.exe"117⤵PID:2904
-
C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"113⤵PID:3400
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\bridgeServercomponentFontDriver\SND7XTuGR2g.vbe"114⤵PID:1676
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\bridgeServercomponentFontDriver\9qhNErD.bat" "115⤵PID:840
-
C:\bridgeServercomponentFontDriver\MsHostsvc.exe"C:\bridgeServercomponentFontDriver\MsHostsvc.exe"116⤵PID:4888
-
C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"112⤵PID:5648
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\bridgeServercomponentFontDriver\SND7XTuGR2g.vbe"113⤵PID:5740
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\bridgeServercomponentFontDriver\9qhNErD.bat" "114⤵PID:5688
-
C:\bridgeServercomponentFontDriver\MsHostsvc.exe"C:\bridgeServercomponentFontDriver\MsHostsvc.exe"115⤵PID:3800
-
C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"111⤵PID:284
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\bridgeServercomponentFontDriver\SND7XTuGR2g.vbe"112⤵PID:5784
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\bridgeServercomponentFontDriver\9qhNErD.bat" "113⤵PID:5592
-
C:\bridgeServercomponentFontDriver\MsHostsvc.exe"C:\bridgeServercomponentFontDriver\MsHostsvc.exe"114⤵PID:6016
-
C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"110⤵PID:1636
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\bridgeServercomponentFontDriver\SND7XTuGR2g.vbe"111⤵PID:2240
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\bridgeServercomponentFontDriver\9qhNErD.bat" "112⤵PID:4264
-
C:\bridgeServercomponentFontDriver\MsHostsvc.exe"C:\bridgeServercomponentFontDriver\MsHostsvc.exe"113⤵PID:4988
-
C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"109⤵PID:1712
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\bridgeServercomponentFontDriver\SND7XTuGR2g.vbe"110⤵PID:5528
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\bridgeServercomponentFontDriver\9qhNErD.bat" "111⤵PID:5480
-
C:\bridgeServercomponentFontDriver\MsHostsvc.exe"C:\bridgeServercomponentFontDriver\MsHostsvc.exe"112⤵PID:5752
-
C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"108⤵PID:1200
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\bridgeServercomponentFontDriver\SND7XTuGR2g.vbe"109⤵PID:3212
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\bridgeServercomponentFontDriver\9qhNErD.bat" "110⤵PID:1284
-
C:\bridgeServercomponentFontDriver\MsHostsvc.exe"C:\bridgeServercomponentFontDriver\MsHostsvc.exe"111⤵PID:2156
-
C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"107⤵PID:3504
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\bridgeServercomponentFontDriver\SND7XTuGR2g.vbe"108⤵PID:1276
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\bridgeServercomponentFontDriver\9qhNErD.bat" "109⤵PID:4168
-
C:\bridgeServercomponentFontDriver\MsHostsvc.exe"C:\bridgeServercomponentFontDriver\MsHostsvc.exe"110⤵PID:4492
-
C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"106⤵PID:4472
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\bridgeServercomponentFontDriver\SND7XTuGR2g.vbe"107⤵PID:1540
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\bridgeServercomponentFontDriver\9qhNErD.bat" "108⤵PID:2880
-
C:\bridgeServercomponentFontDriver\MsHostsvc.exe"C:\bridgeServercomponentFontDriver\MsHostsvc.exe"109⤵PID:2740
-
C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"105⤵PID:4088
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\bridgeServercomponentFontDriver\SND7XTuGR2g.vbe"106⤵PID:5412
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\bridgeServercomponentFontDriver\9qhNErD.bat" "107⤵PID:3180
-
C:\bridgeServercomponentFontDriver\MsHostsvc.exe"C:\bridgeServercomponentFontDriver\MsHostsvc.exe"108⤵PID:3668
-
C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"104⤵PID:3632
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\bridgeServercomponentFontDriver\SND7XTuGR2g.vbe"105⤵PID:5332
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\bridgeServercomponentFontDriver\9qhNErD.bat" "106⤵PID:5904
-
C:\bridgeServercomponentFontDriver\MsHostsvc.exe"C:\bridgeServercomponentFontDriver\MsHostsvc.exe"107⤵PID:2160
-
C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"103⤵PID:2160
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\bridgeServercomponentFontDriver\SND7XTuGR2g.vbe"104⤵PID:2988
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\bridgeServercomponentFontDriver\9qhNErD.bat" "105⤵PID:2876
-
C:\bridgeServercomponentFontDriver\MsHostsvc.exe"C:\bridgeServercomponentFontDriver\MsHostsvc.exe"106⤵PID:4628
-
C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"102⤵PID:4996
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\bridgeServercomponentFontDriver\SND7XTuGR2g.vbe"103⤵PID:1976
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\bridgeServercomponentFontDriver\9qhNErD.bat" "104⤵PID:3608
-
C:\bridgeServercomponentFontDriver\MsHostsvc.exe"C:\bridgeServercomponentFontDriver\MsHostsvc.exe"105⤵PID:5980
-
C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"101⤵PID:6072
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\bridgeServercomponentFontDriver\SND7XTuGR2g.vbe"102⤵PID:5476
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\bridgeServercomponentFontDriver\9qhNErD.bat" "103⤵PID:1048
-
C:\bridgeServercomponentFontDriver\MsHostsvc.exe"C:\bridgeServercomponentFontDriver\MsHostsvc.exe"104⤵PID:880
-
C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"100⤵PID:3440
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\bridgeServercomponentFontDriver\SND7XTuGR2g.vbe"101⤵PID:1928
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\bridgeServercomponentFontDriver\9qhNErD.bat" "102⤵PID:4928
-
C:\bridgeServercomponentFontDriver\MsHostsvc.exe"C:\bridgeServercomponentFontDriver\MsHostsvc.exe"103⤵PID:3844
-
C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"99⤵PID:3140
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\bridgeServercomponentFontDriver\SND7XTuGR2g.vbe"100⤵PID:4592
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\bridgeServercomponentFontDriver\9qhNErD.bat" "101⤵PID:2940
-
C:\bridgeServercomponentFontDriver\MsHostsvc.exe"C:\bridgeServercomponentFontDriver\MsHostsvc.exe"102⤵PID:3752
-
C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"98⤵PID:1688
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\bridgeServercomponentFontDriver\SND7XTuGR2g.vbe"99⤵PID:1592
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\bridgeServercomponentFontDriver\9qhNErD.bat" "100⤵PID:1868
-
C:\bridgeServercomponentFontDriver\MsHostsvc.exe"C:\bridgeServercomponentFontDriver\MsHostsvc.exe"101⤵PID:5056
-
C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"97⤵PID:4972
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\bridgeServercomponentFontDriver\SND7XTuGR2g.vbe"98⤵PID:3264
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\bridgeServercomponentFontDriver\9qhNErD.bat" "99⤵PID:2368
-
C:\bridgeServercomponentFontDriver\MsHostsvc.exe"C:\bridgeServercomponentFontDriver\MsHostsvc.exe"100⤵PID:1424
-
C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"96⤵PID:4480
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\bridgeServercomponentFontDriver\SND7XTuGR2g.vbe"97⤵PID:3124
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\bridgeServercomponentFontDriver\9qhNErD.bat" "98⤵PID:3632
-
C:\bridgeServercomponentFontDriver\MsHostsvc.exe"C:\bridgeServercomponentFontDriver\MsHostsvc.exe"99⤵PID:2636
-
C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"95⤵PID:3336
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\bridgeServercomponentFontDriver\SND7XTuGR2g.vbe"96⤵PID:3920
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\bridgeServercomponentFontDriver\9qhNErD.bat" "97⤵PID:6000
-
C:\bridgeServercomponentFontDriver\MsHostsvc.exe"C:\bridgeServercomponentFontDriver\MsHostsvc.exe"98⤵PID:4760
-
C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"94⤵PID:4884
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\bridgeServercomponentFontDriver\SND7XTuGR2g.vbe"95⤵PID:3532
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\bridgeServercomponentFontDriver\9qhNErD.bat" "96⤵PID:4688
-
C:\bridgeServercomponentFontDriver\MsHostsvc.exe"C:\bridgeServercomponentFontDriver\MsHostsvc.exe"97⤵PID:4472
-
C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"93⤵PID:4396
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\bridgeServercomponentFontDriver\SND7XTuGR2g.vbe"94⤵PID:980
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\bridgeServercomponentFontDriver\9qhNErD.bat" "95⤵PID:5148
-
C:\bridgeServercomponentFontDriver\MsHostsvc.exe"C:\bridgeServercomponentFontDriver\MsHostsvc.exe"96⤵PID:4960
-
C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"92⤵PID:5720
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\bridgeServercomponentFontDriver\SND7XTuGR2g.vbe"93⤵PID:4984
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\bridgeServercomponentFontDriver\9qhNErD.bat" "94⤵PID:6064
-
C:\bridgeServercomponentFontDriver\MsHostsvc.exe"C:\bridgeServercomponentFontDriver\MsHostsvc.exe"95⤵PID:3760
-
C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"91⤵PID:4032
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\bridgeServercomponentFontDriver\SND7XTuGR2g.vbe"92⤵PID:5508
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\bridgeServercomponentFontDriver\9qhNErD.bat" "93⤵PID:4580
-
C:\bridgeServercomponentFontDriver\MsHostsvc.exe"C:\bridgeServercomponentFontDriver\MsHostsvc.exe"94⤵PID:5368
-
C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"90⤵PID:4752
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\bridgeServercomponentFontDriver\SND7XTuGR2g.vbe"91⤵PID:6132
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\bridgeServercomponentFontDriver\9qhNErD.bat" "92⤵PID:1576
-
C:\bridgeServercomponentFontDriver\MsHostsvc.exe"C:\bridgeServercomponentFontDriver\MsHostsvc.exe"93⤵PID:1944
-
C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"89⤵PID:2936
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\bridgeServercomponentFontDriver\SND7XTuGR2g.vbe"90⤵PID:2612
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\bridgeServercomponentFontDriver\9qhNErD.bat" "91⤵PID:1648
-
C:\bridgeServercomponentFontDriver\MsHostsvc.exe"C:\bridgeServercomponentFontDriver\MsHostsvc.exe"92⤵PID:5156
-
C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"88⤵PID:4476
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\bridgeServercomponentFontDriver\SND7XTuGR2g.vbe"89⤵PID:2300
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\bridgeServercomponentFontDriver\9qhNErD.bat" "90⤵PID:3680
-
C:\bridgeServercomponentFontDriver\MsHostsvc.exe"C:\bridgeServercomponentFontDriver\MsHostsvc.exe"91⤵PID:5220
-
C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"87⤵PID:5404
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\bridgeServercomponentFontDriver\SND7XTuGR2g.vbe"88⤵PID:2764
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\bridgeServercomponentFontDriver\9qhNErD.bat" "89⤵PID:4740
-
C:\bridgeServercomponentFontDriver\MsHostsvc.exe"C:\bridgeServercomponentFontDriver\MsHostsvc.exe"90⤵PID:4172
-
C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"86⤵PID:4272
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\bridgeServercomponentFontDriver\SND7XTuGR2g.vbe"87⤵PID:4716
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\bridgeServercomponentFontDriver\9qhNErD.bat" "88⤵PID:2216
-
C:\bridgeServercomponentFontDriver\MsHostsvc.exe"C:\bridgeServercomponentFontDriver\MsHostsvc.exe"89⤵PID:888
-
C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"85⤵PID:5296
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\bridgeServercomponentFontDriver\SND7XTuGR2g.vbe"86⤵PID:4780
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\bridgeServercomponentFontDriver\9qhNErD.bat" "87⤵PID:6108
-
C:\bridgeServercomponentFontDriver\MsHostsvc.exe"C:\bridgeServercomponentFontDriver\MsHostsvc.exe"88⤵PID:1956
-
C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"84⤵PID:4640
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\bridgeServercomponentFontDriver\SND7XTuGR2g.vbe"85⤵PID:5672
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\bridgeServercomponentFontDriver\9qhNErD.bat" "86⤵PID:4752
-
C:\bridgeServercomponentFontDriver\MsHostsvc.exe"C:\bridgeServercomponentFontDriver\MsHostsvc.exe"87⤵PID:4924
-
C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"83⤵PID:6016
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\bridgeServercomponentFontDriver\SND7XTuGR2g.vbe"84⤵PID:3092
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\bridgeServercomponentFontDriver\9qhNErD.bat" "85⤵PID:4896
-
C:\bridgeServercomponentFontDriver\MsHostsvc.exe"C:\bridgeServercomponentFontDriver\MsHostsvc.exe"86⤵PID:3476
-
C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"82⤵PID:5896
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\bridgeServercomponentFontDriver\SND7XTuGR2g.vbe"83⤵PID:756
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\bridgeServercomponentFontDriver\9qhNErD.bat" "84⤵PID:5524
-
C:\bridgeServercomponentFontDriver\MsHostsvc.exe"C:\bridgeServercomponentFontDriver\MsHostsvc.exe"85⤵PID:4504
-
C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"81⤵PID:5812
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\bridgeServercomponentFontDriver\SND7XTuGR2g.vbe"82⤵PID:2352
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\bridgeServercomponentFontDriver\9qhNErD.bat" "83⤵PID:5728
-
C:\bridgeServercomponentFontDriver\MsHostsvc.exe"C:\bridgeServercomponentFontDriver\MsHostsvc.exe"84⤵PID:3272
-
C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"80⤵PID:5656
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\bridgeServercomponentFontDriver\SND7XTuGR2g.vbe"81⤵PID:4136
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\bridgeServercomponentFontDriver\9qhNErD.bat" "82⤵PID:4040
-
C:\bridgeServercomponentFontDriver\MsHostsvc.exe"C:\bridgeServercomponentFontDriver\MsHostsvc.exe"83⤵PID:4468
-
C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"79⤵PID:5620
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\bridgeServercomponentFontDriver\SND7XTuGR2g.vbe"80⤵PID:2252
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\bridgeServercomponentFontDriver\9qhNErD.bat" "81⤵PID:5272
-
C:\bridgeServercomponentFontDriver\MsHostsvc.exe"C:\bridgeServercomponentFontDriver\MsHostsvc.exe"82⤵PID:584
-
C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"78⤵PID:5472
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\bridgeServercomponentFontDriver\SND7XTuGR2g.vbe"79⤵PID:5904
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\bridgeServercomponentFontDriver\9qhNErD.bat" "80⤵PID:2676
-
C:\bridgeServercomponentFontDriver\MsHostsvc.exe"C:\bridgeServercomponentFontDriver\MsHostsvc.exe"81⤵PID:5540
-
C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"77⤵PID:5420
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\bridgeServercomponentFontDriver\SND7XTuGR2g.vbe"78⤵PID:2608
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\bridgeServercomponentFontDriver\9qhNErD.bat" "79⤵PID:3436
-
C:\bridgeServercomponentFontDriver\MsHostsvc.exe"C:\bridgeServercomponentFontDriver\MsHostsvc.exe"80⤵PID:5432
-
C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"76⤵PID:5320
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\bridgeServercomponentFontDriver\SND7XTuGR2g.vbe"77⤵PID:5676
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\bridgeServercomponentFontDriver\9qhNErD.bat" "78⤵PID:2196
-
C:\bridgeServercomponentFontDriver\MsHostsvc.exe"C:\bridgeServercomponentFontDriver\MsHostsvc.exe"79⤵PID:2912
-
C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"75⤵PID:5140
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\bridgeServercomponentFontDriver\SND7XTuGR2g.vbe"76⤵PID:3780
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\bridgeServercomponentFontDriver\9qhNErD.bat" "77⤵PID:5288
-
C:\bridgeServercomponentFontDriver\MsHostsvc.exe"C:\bridgeServercomponentFontDriver\MsHostsvc.exe"78⤵PID:5960
-
C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"74⤵PID:2332
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\bridgeServercomponentFontDriver\SND7XTuGR2g.vbe"75⤵PID:2228
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\bridgeServercomponentFontDriver\9qhNErD.bat" "76⤵PID:5588
-
C:\bridgeServercomponentFontDriver\MsHostsvc.exe"C:\bridgeServercomponentFontDriver\MsHostsvc.exe"77⤵PID:4236
-
C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"73⤵PID:3616
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\bridgeServercomponentFontDriver\SND7XTuGR2g.vbe"74⤵PID:5712
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\bridgeServercomponentFontDriver\9qhNErD.bat" "75⤵PID:1992
-
C:\bridgeServercomponentFontDriver\MsHostsvc.exe"C:\bridgeServercomponentFontDriver\MsHostsvc.exe"76⤵PID:5228
-
C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"72⤵PID:3252
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\bridgeServercomponentFontDriver\SND7XTuGR2g.vbe"73⤵PID:5576
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\bridgeServercomponentFontDriver\9qhNErD.bat" "74⤵PID:4280
-
C:\bridgeServercomponentFontDriver\MsHostsvc.exe"C:\bridgeServercomponentFontDriver\MsHostsvc.exe"75⤵PID:5624
-
C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"71⤵PID:2176
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\bridgeServercomponentFontDriver\SND7XTuGR2g.vbe"72⤵PID:2344
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\bridgeServercomponentFontDriver\9qhNErD.bat" "73⤵PID:4336
-
C:\bridgeServercomponentFontDriver\MsHostsvc.exe"C:\bridgeServercomponentFontDriver\MsHostsvc.exe"74⤵PID:3260
-
C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"70⤵PID:3064
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\bridgeServercomponentFontDriver\SND7XTuGR2g.vbe"71⤵PID:5532
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\bridgeServercomponentFontDriver\9qhNErD.bat" "72⤵PID:4536
-
C:\bridgeServercomponentFontDriver\MsHostsvc.exe"C:\bridgeServercomponentFontDriver\MsHostsvc.exe"73⤵PID:4276
-
C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"69⤵PID:1480
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\bridgeServercomponentFontDriver\SND7XTuGR2g.vbe"70⤵PID:3556
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\bridgeServercomponentFontDriver\9qhNErD.bat" "71⤵PID:4840
-
C:\bridgeServercomponentFontDriver\MsHostsvc.exe"C:\bridgeServercomponentFontDriver\MsHostsvc.exe"72⤵PID:3232
-
C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"68⤵PID:1820
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\bridgeServercomponentFontDriver\SND7XTuGR2g.vbe"69⤵PID:3468
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\bridgeServercomponentFontDriver\9qhNErD.bat" "70⤵PID:2464
-
C:\bridgeServercomponentFontDriver\MsHostsvc.exe"C:\bridgeServercomponentFontDriver\MsHostsvc.exe"71⤵PID:4024
-
C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"67⤵PID:2948
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\bridgeServercomponentFontDriver\SND7XTuGR2g.vbe"68⤵PID:2164
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\bridgeServercomponentFontDriver\9qhNErD.bat" "69⤵PID:3088
-
C:\bridgeServercomponentFontDriver\MsHostsvc.exe"C:\bridgeServercomponentFontDriver\MsHostsvc.exe"70⤵PID:3768
-
C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"66⤵PID:3504
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\bridgeServercomponentFontDriver\SND7XTuGR2g.vbe"67⤵PID:6136
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\bridgeServercomponentFontDriver\9qhNErD.bat" "68⤵PID:1384
-
C:\bridgeServercomponentFontDriver\MsHostsvc.exe"C:\bridgeServercomponentFontDriver\MsHostsvc.exe"69⤵PID:2544
-
C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"65⤵PID:4332
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\bridgeServercomponentFontDriver\SND7XTuGR2g.vbe"66⤵PID:6108
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\bridgeServercomponentFontDriver\9qhNErD.bat" "67⤵PID:2560
-
C:\bridgeServercomponentFontDriver\MsHostsvc.exe"C:\bridgeServercomponentFontDriver\MsHostsvc.exe"68⤵PID:2780
-
C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"64⤵PID:3976
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\bridgeServercomponentFontDriver\SND7XTuGR2g.vbe"65⤵PID:3548
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\bridgeServercomponentFontDriver\9qhNErD.bat" "66⤵PID:3820
-
C:\bridgeServercomponentFontDriver\MsHostsvc.exe"C:\bridgeServercomponentFontDriver\MsHostsvc.exe"67⤵
- Suspicious use of AdjustPrivilegeToken
PID:2064 -
C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"63⤵PID:3376
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\bridgeServercomponentFontDriver\SND7XTuGR2g.vbe"64⤵PID:3096
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\bridgeServercomponentFontDriver\9qhNErD.bat" "65⤵PID:5788
-
C:\bridgeServercomponentFontDriver\MsHostsvc.exe"C:\bridgeServercomponentFontDriver\MsHostsvc.exe"66⤵
- Suspicious use of AdjustPrivilegeToken
PID:6048 -
C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"62⤵PID:3164
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\bridgeServercomponentFontDriver\SND7XTuGR2g.vbe"63⤵PID:2900
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\bridgeServercomponentFontDriver\9qhNErD.bat" "64⤵PID:5064
-
C:\bridgeServercomponentFontDriver\MsHostsvc.exe"C:\bridgeServercomponentFontDriver\MsHostsvc.exe"65⤵
- Suspicious use of AdjustPrivilegeToken
PID:5996 -
C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"61⤵PID:1624
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\bridgeServercomponentFontDriver\SND7XTuGR2g.vbe"62⤵PID:1512
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\bridgeServercomponentFontDriver\9qhNErD.bat" "63⤵PID:4204
-
C:\bridgeServercomponentFontDriver\MsHostsvc.exe"C:\bridgeServercomponentFontDriver\MsHostsvc.exe"64⤵
- Suspicious use of AdjustPrivilegeToken
PID:2944 -
C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"60⤵PID:1236
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\bridgeServercomponentFontDriver\SND7XTuGR2g.vbe"61⤵PID:5248
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\bridgeServercomponentFontDriver\9qhNErD.bat" "62⤵PID:4520
-
C:\bridgeServercomponentFontDriver\MsHostsvc.exe"C:\bridgeServercomponentFontDriver\MsHostsvc.exe"63⤵PID:5512
-
C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"59⤵PID:1912
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\bridgeServercomponentFontDriver\SND7XTuGR2g.vbe"60⤵PID:5176
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\bridgeServercomponentFontDriver\9qhNErD.bat" "61⤵PID:2528
-
C:\bridgeServercomponentFontDriver\MsHostsvc.exe"C:\bridgeServercomponentFontDriver\MsHostsvc.exe"62⤵
- Suspicious use of AdjustPrivilegeToken
PID:3328 -
C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"58⤵PID:2084
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\bridgeServercomponentFontDriver\SND7XTuGR2g.vbe"59⤵PID:5376
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\bridgeServercomponentFontDriver\9qhNErD.bat" "60⤵PID:2364
-
C:\bridgeServercomponentFontDriver\MsHostsvc.exe"C:\bridgeServercomponentFontDriver\MsHostsvc.exe"61⤵PID:3924
-
C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"57⤵PID:1916
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\bridgeServercomponentFontDriver\SND7XTuGR2g.vbe"58⤵PID:3416
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\bridgeServercomponentFontDriver\9qhNErD.bat" "59⤵PID:3276
-
C:\bridgeServercomponentFontDriver\MsHostsvc.exe"C:\bridgeServercomponentFontDriver\MsHostsvc.exe"60⤵
- Suspicious use of AdjustPrivilegeToken
PID:3132 -
C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"56⤵PID:604
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\bridgeServercomponentFontDriver\SND7XTuGR2g.vbe"57⤵PID:4240
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\bridgeServercomponentFontDriver\9qhNErD.bat" "58⤵PID:1472
-
C:\bridgeServercomponentFontDriver\MsHostsvc.exe"C:\bridgeServercomponentFontDriver\MsHostsvc.exe"59⤵
- Suspicious use of AdjustPrivilegeToken
PID:468 -
C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"55⤵PID:1940
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\bridgeServercomponentFontDriver\SND7XTuGR2g.vbe"56⤵PID:4680
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\bridgeServercomponentFontDriver\9qhNErD.bat" "57⤵PID:3032
-
C:\bridgeServercomponentFontDriver\MsHostsvc.exe"C:\bridgeServercomponentFontDriver\MsHostsvc.exe"58⤵
- Suspicious use of AdjustPrivilegeToken
PID:3520 -
C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"54⤵PID:2708
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\bridgeServercomponentFontDriver\SND7XTuGR2g.vbe"55⤵PID:2152
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\bridgeServercomponentFontDriver\9qhNErD.bat" "56⤵PID:5044
-
C:\bridgeServercomponentFontDriver\MsHostsvc.exe"C:\bridgeServercomponentFontDriver\MsHostsvc.exe"57⤵
- Suspicious use of AdjustPrivilegeToken
PID:2456 -
C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"53⤵PID:2432
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\bridgeServercomponentFontDriver\SND7XTuGR2g.vbe"54⤵PID:2748
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\bridgeServercomponentFontDriver\9qhNErD.bat" "55⤵PID:1964
-
C:\bridgeServercomponentFontDriver\MsHostsvc.exe"C:\bridgeServercomponentFontDriver\MsHostsvc.exe"56⤵
- Suspicious use of AdjustPrivilegeToken
PID:5988 -
C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"52⤵PID:2176
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\bridgeServercomponentFontDriver\SND7XTuGR2g.vbe"53⤵PID:3984
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\bridgeServercomponentFontDriver\9qhNErD.bat" "54⤵PID:3612
-
C:\bridgeServercomponentFontDriver\MsHostsvc.exe"C:\bridgeServercomponentFontDriver\MsHostsvc.exe"55⤵
- Suspicious use of AdjustPrivilegeToken
PID:3208 -
C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"51⤵PID:2832
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\bridgeServercomponentFontDriver\SND7XTuGR2g.vbe"52⤵PID:3852
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\bridgeServercomponentFontDriver\9qhNErD.bat" "53⤵PID:5540
-
C:\bridgeServercomponentFontDriver\MsHostsvc.exe"C:\bridgeServercomponentFontDriver\MsHostsvc.exe"54⤵
- Suspicious use of AdjustPrivilegeToken
PID:5876 -
C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"50⤵PID:2424
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\bridgeServercomponentFontDriver\SND7XTuGR2g.vbe"51⤵PID:5056
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\bridgeServercomponentFontDriver\9qhNErD.bat" "52⤵PID:5728
-
C:\bridgeServercomponentFontDriver\MsHostsvc.exe"C:\bridgeServercomponentFontDriver\MsHostsvc.exe"53⤵
- Suspicious use of AdjustPrivilegeToken
PID:6024 -
C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"49⤵PID:2872
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\bridgeServercomponentFontDriver\SND7XTuGR2g.vbe"50⤵PID:3552
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\bridgeServercomponentFontDriver\9qhNErD.bat" "51⤵PID:5212
-
C:\bridgeServercomponentFontDriver\MsHostsvc.exe"C:\bridgeServercomponentFontDriver\MsHostsvc.exe"52⤵
- Suspicious use of AdjustPrivilegeToken
PID:5480 -
C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"48⤵PID:2532
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\bridgeServercomponentFontDriver\SND7XTuGR2g.vbe"49⤵PID:3576
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\bridgeServercomponentFontDriver\9qhNErD.bat" "50⤵PID:5568
-
C:\bridgeServercomponentFontDriver\MsHostsvc.exe"C:\bridgeServercomponentFontDriver\MsHostsvc.exe"51⤵
- Suspicious use of AdjustPrivilegeToken
PID:5864 -
C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"47⤵PID:2768
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\bridgeServercomponentFontDriver\SND7XTuGR2g.vbe"48⤵PID:3100
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\bridgeServercomponentFontDriver\9qhNErD.bat" "49⤵PID:4036
-
C:\bridgeServercomponentFontDriver\MsHostsvc.exe"C:\bridgeServercomponentFontDriver\MsHostsvc.exe"50⤵
- Suspicious use of AdjustPrivilegeToken
PID:3344 -
C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"46⤵PID:1748
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\bridgeServercomponentFontDriver\SND7XTuGR2g.vbe"47⤵PID:2112
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\bridgeServercomponentFontDriver\9qhNErD.bat" "48⤵PID:1284
-
C:\bridgeServercomponentFontDriver\MsHostsvc.exe"C:\bridgeServercomponentFontDriver\MsHostsvc.exe"49⤵
- Suspicious use of AdjustPrivilegeToken
PID:2756 -
C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"45⤵PID:1740
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\bridgeServercomponentFontDriver\SND7XTuGR2g.vbe"46⤵PID:3064
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\bridgeServercomponentFontDriver\9qhNErD.bat" "47⤵PID:2672
-
C:\bridgeServercomponentFontDriver\MsHostsvc.exe"C:\bridgeServercomponentFontDriver\MsHostsvc.exe"48⤵
- Suspicious use of AdjustPrivilegeToken
PID:3104 -
C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"44⤵PID:1484
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\bridgeServercomponentFontDriver\SND7XTuGR2g.vbe"45⤵PID:1548
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\bridgeServercomponentFontDriver\9qhNErD.bat" "46⤵PID:4120
-
C:\bridgeServercomponentFontDriver\MsHostsvc.exe"C:\bridgeServercomponentFontDriver\MsHostsvc.exe"47⤵
- Suspicious use of AdjustPrivilegeToken
PID:4504 -
C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"43⤵PID:2452
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\bridgeServercomponentFontDriver\SND7XTuGR2g.vbe"44⤵PID:2096
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\bridgeServercomponentFontDriver\9qhNErD.bat" "45⤵PID:4880
-
C:\bridgeServercomponentFontDriver\MsHostsvc.exe"C:\bridgeServercomponentFontDriver\MsHostsvc.exe"46⤵
- Suspicious use of AdjustPrivilegeToken
PID:2648 -
C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"42⤵PID:1624
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\bridgeServercomponentFontDriver\SND7XTuGR2g.vbe"43⤵PID:2836
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\bridgeServercomponentFontDriver\9qhNErD.bat" "44⤵PID:2420
-
C:\bridgeServercomponentFontDriver\MsHostsvc.exe"C:\bridgeServercomponentFontDriver\MsHostsvc.exe"45⤵
- Suspicious use of AdjustPrivilegeToken
PID:3604 -
C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"41⤵PID:2564
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\bridgeServercomponentFontDriver\SND7XTuGR2g.vbe"42⤵PID:2548
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\bridgeServercomponentFontDriver\9qhNErD.bat" "43⤵PID:2412
-
C:\bridgeServercomponentFontDriver\MsHostsvc.exe"C:\bridgeServercomponentFontDriver\MsHostsvc.exe"44⤵
- Suspicious use of AdjustPrivilegeToken
PID:3384 -
C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"40⤵PID:1612
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\bridgeServercomponentFontDriver\SND7XTuGR2g.vbe"41⤵PID:2320
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\bridgeServercomponentFontDriver\9qhNErD.bat" "42⤵PID:5088
-
C:\bridgeServercomponentFontDriver\MsHostsvc.exe"C:\bridgeServercomponentFontDriver\MsHostsvc.exe"43⤵
- Suspicious use of AdjustPrivilegeToken
PID:1556 -
C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"39⤵PID:2508
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\bridgeServercomponentFontDriver\SND7XTuGR2g.vbe"40⤵PID:1816
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\bridgeServercomponentFontDriver\9qhNErD.bat" "41⤵PID:3320
-
C:\bridgeServercomponentFontDriver\MsHostsvc.exe"C:\bridgeServercomponentFontDriver\MsHostsvc.exe"42⤵
- Suspicious use of AdjustPrivilegeToken
PID:1560 -
C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"38⤵PID:1988
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\bridgeServercomponentFontDriver\SND7XTuGR2g.vbe"39⤵PID:2460
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\bridgeServercomponentFontDriver\9qhNErD.bat" "40⤵PID:1516
-
C:\bridgeServercomponentFontDriver\MsHostsvc.exe"C:\bridgeServercomponentFontDriver\MsHostsvc.exe"41⤵
- Suspicious use of AdjustPrivilegeToken
PID:3388 -
C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"37⤵PID:2548
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\bridgeServercomponentFontDriver\SND7XTuGR2g.vbe"38⤵PID:1264
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\bridgeServercomponentFontDriver\9qhNErD.bat" "39⤵PID:3328
-
C:\bridgeServercomponentFontDriver\MsHostsvc.exe"C:\bridgeServercomponentFontDriver\MsHostsvc.exe"40⤵
- Suspicious use of AdjustPrivilegeToken
PID:3152 -
C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"36⤵PID:1816
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\bridgeServercomponentFontDriver\SND7XTuGR2g.vbe"37⤵PID:1132
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\bridgeServercomponentFontDriver\9qhNErD.bat" "38⤵PID:2184
-
C:\bridgeServercomponentFontDriver\MsHostsvc.exe"C:\bridgeServercomponentFontDriver\MsHostsvc.exe"39⤵
- Suspicious use of AdjustPrivilegeToken
PID:2188 -
C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"35⤵PID:1500
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\bridgeServercomponentFontDriver\SND7XTuGR2g.vbe"36⤵PID:1084
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\bridgeServercomponentFontDriver\9qhNErD.bat" "37⤵PID:3224
-
C:\bridgeServercomponentFontDriver\MsHostsvc.exe"C:\bridgeServercomponentFontDriver\MsHostsvc.exe"38⤵
- Suspicious use of AdjustPrivilegeToken
PID:4456 -
C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"34⤵PID:2404
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\bridgeServercomponentFontDriver\SND7XTuGR2g.vbe"35⤵PID:836
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\bridgeServercomponentFontDriver\9qhNErD.bat" "36⤵PID:4472
-
C:\bridgeServercomponentFontDriver\MsHostsvc.exe"C:\bridgeServercomponentFontDriver\MsHostsvc.exe"37⤵
- Suspicious use of AdjustPrivilegeToken
PID:2300 -
C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"33⤵
- Executes dropped EXE
PID:2332 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\bridgeServercomponentFontDriver\SND7XTuGR2g.vbe"34⤵PID:2408
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\bridgeServercomponentFontDriver\9qhNErD.bat" "35⤵PID:3396
-
C:\bridgeServercomponentFontDriver\MsHostsvc.exe"C:\bridgeServercomponentFontDriver\MsHostsvc.exe"36⤵
- Suspicious use of AdjustPrivilegeToken
PID:4612 -
C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"32⤵
- Executes dropped EXE
PID:2680 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\bridgeServercomponentFontDriver\SND7XTuGR2g.vbe"33⤵PID:2996
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\bridgeServercomponentFontDriver\9qhNErD.bat" "34⤵PID:3964
-
C:\bridgeServercomponentFontDriver\MsHostsvc.exe"C:\bridgeServercomponentFontDriver\MsHostsvc.exe"35⤵
- Suspicious use of AdjustPrivilegeToken
PID:3092 -
C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"31⤵
- Executes dropped EXE
PID:2576 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\bridgeServercomponentFontDriver\SND7XTuGR2g.vbe"32⤵PID:948
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\bridgeServercomponentFontDriver\9qhNErD.bat" "33⤵PID:1472
-
C:\bridgeServercomponentFontDriver\MsHostsvc.exe"C:\bridgeServercomponentFontDriver\MsHostsvc.exe"34⤵
- Suspicious use of AdjustPrivilegeToken
PID:2160 -
C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"30⤵
- Executes dropped EXE
PID:1480 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\bridgeServercomponentFontDriver\SND7XTuGR2g.vbe"31⤵PID:2900
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\bridgeServercomponentFontDriver\9qhNErD.bat" "32⤵PID:3600
-
C:\bridgeServercomponentFontDriver\MsHostsvc.exe"C:\bridgeServercomponentFontDriver\MsHostsvc.exe"33⤵
- Suspicious use of AdjustPrivilegeToken
PID:560 -
C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"29⤵
- Executes dropped EXE
PID:2460 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\bridgeServercomponentFontDriver\SND7XTuGR2g.vbe"30⤵PID:2300
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\bridgeServercomponentFontDriver\9qhNErD.bat" "31⤵PID:4204
-
C:\bridgeServercomponentFontDriver\MsHostsvc.exe"C:\bridgeServercomponentFontDriver\MsHostsvc.exe"32⤵
- Suspicious use of AdjustPrivilegeToken
PID:3404 -
C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"28⤵
- Executes dropped EXE
PID:1348 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\bridgeServercomponentFontDriver\SND7XTuGR2g.vbe"29⤵PID:1304
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\bridgeServercomponentFontDriver\9qhNErD.bat" "30⤵PID:3588
-
C:\bridgeServercomponentFontDriver\MsHostsvc.exe"C:\bridgeServercomponentFontDriver\MsHostsvc.exe"31⤵
- Suspicious use of AdjustPrivilegeToken
PID:3724 -
C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"27⤵
- Executes dropped EXE
PID:2944 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\bridgeServercomponentFontDriver\SND7XTuGR2g.vbe"28⤵PID:1608
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\bridgeServercomponentFontDriver\9qhNErD.bat" "29⤵PID:4488
-
C:\bridgeServercomponentFontDriver\MsHostsvc.exe"C:\bridgeServercomponentFontDriver\MsHostsvc.exe"30⤵
- Suspicious use of AdjustPrivilegeToken
PID:4604 -
C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"26⤵
- Executes dropped EXE
PID:2508 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\bridgeServercomponentFontDriver\SND7XTuGR2g.vbe"27⤵PID:1992
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\bridgeServercomponentFontDriver\9qhNErD.bat" "28⤵PID:1748
-
C:\bridgeServercomponentFontDriver\MsHostsvc.exe"C:\bridgeServercomponentFontDriver\MsHostsvc.exe"29⤵
- Suspicious use of AdjustPrivilegeToken
PID:4180 -
C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"25⤵
- Executes dropped EXE
PID:2764 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\bridgeServercomponentFontDriver\SND7XTuGR2g.vbe"26⤵PID:2180
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\bridgeServercomponentFontDriver\9qhNErD.bat" "27⤵PID:4628
-
C:\bridgeServercomponentFontDriver\MsHostsvc.exe"C:\bridgeServercomponentFontDriver\MsHostsvc.exe"28⤵
- Suspicious use of AdjustPrivilegeToken
PID:2932 -
C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"24⤵
- Executes dropped EXE
PID:1424 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\bridgeServercomponentFontDriver\SND7XTuGR2g.vbe"25⤵PID:1924
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\bridgeServercomponentFontDriver\9qhNErD.bat" "26⤵PID:1844
-
C:\bridgeServercomponentFontDriver\MsHostsvc.exe"C:\bridgeServercomponentFontDriver\MsHostsvc.exe"27⤵
- Suspicious use of AdjustPrivilegeToken
PID:1540 -
C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"23⤵
- Executes dropped EXE
PID:2268 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\bridgeServercomponentFontDriver\SND7XTuGR2g.vbe"24⤵PID:1764
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\bridgeServercomponentFontDriver\9qhNErD.bat" "25⤵PID:3716
-
C:\bridgeServercomponentFontDriver\MsHostsvc.exe"C:\bridgeServercomponentFontDriver\MsHostsvc.exe"26⤵
- Suspicious use of AdjustPrivilegeToken
PID:3528 -
C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"22⤵
- Executes dropped EXE
PID:2976 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\bridgeServercomponentFontDriver\SND7XTuGR2g.vbe"23⤵PID:2660
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\bridgeServercomponentFontDriver\9qhNErD.bat" "24⤵PID:1916
-
C:\bridgeServercomponentFontDriver\MsHostsvc.exe"C:\bridgeServercomponentFontDriver\MsHostsvc.exe"25⤵
- Suspicious use of AdjustPrivilegeToken
PID:3736 -
C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"21⤵
- Executes dropped EXE
PID:2876 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\bridgeServercomponentFontDriver\SND7XTuGR2g.vbe"22⤵PID:3060
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\bridgeServercomponentFontDriver\9qhNErD.bat" "23⤵PID:3668
-
C:\bridgeServercomponentFontDriver\MsHostsvc.exe"C:\bridgeServercomponentFontDriver\MsHostsvc.exe"24⤵
- Suspicious use of AdjustPrivilegeToken
PID:3540 -
C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"20⤵
- Executes dropped EXE
PID:2112 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\bridgeServercomponentFontDriver\SND7XTuGR2g.vbe"21⤵PID:2868
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\bridgeServercomponentFontDriver\9qhNErD.bat" "22⤵PID:5024
-
C:\bridgeServercomponentFontDriver\MsHostsvc.exe"C:\bridgeServercomponentFontDriver\MsHostsvc.exe"23⤵
- Suspicious use of AdjustPrivilegeToken
PID:5000 -
C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"19⤵
- Executes dropped EXE
PID:2196 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\bridgeServercomponentFontDriver\SND7XTuGR2g.vbe"20⤵PID:2724
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\bridgeServercomponentFontDriver\9qhNErD.bat" "21⤵PID:4860
-
C:\bridgeServercomponentFontDriver\MsHostsvc.exe"C:\bridgeServercomponentFontDriver\MsHostsvc.exe"22⤵
- Suspicious use of AdjustPrivilegeToken
PID:584 -
C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"18⤵
- Executes dropped EXE
PID:1708 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\bridgeServercomponentFontDriver\SND7XTuGR2g.vbe"19⤵PID:2360
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\bridgeServercomponentFontDriver\9qhNErD.bat" "20⤵PID:4136
-
C:\bridgeServercomponentFontDriver\MsHostsvc.exe"C:\bridgeServercomponentFontDriver\MsHostsvc.exe"21⤵
- Suspicious use of AdjustPrivilegeToken
PID:2532 -
C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"17⤵
- Executes dropped EXE
PID:2996 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\bridgeServercomponentFontDriver\SND7XTuGR2g.vbe"18⤵PID:484
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\bridgeServercomponentFontDriver\9qhNErD.bat" "19⤵PID:5016
-
C:\bridgeServercomponentFontDriver\MsHostsvc.exe"C:\bridgeServercomponentFontDriver\MsHostsvc.exe"20⤵
- Suspicious use of AdjustPrivilegeToken
PID:4556 -
C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"16⤵
- Executes dropped EXE
PID:3000 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\bridgeServercomponentFontDriver\SND7XTuGR2g.vbe"17⤵PID:1732
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\bridgeServercomponentFontDriver\9qhNErD.bat" "18⤵PID:3740
-
C:\bridgeServercomponentFontDriver\MsHostsvc.exe"C:\bridgeServercomponentFontDriver\MsHostsvc.exe"19⤵
- Suspicious use of AdjustPrivilegeToken
PID:4264 -
C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"15⤵
- Executes dropped EXE
PID:1864 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\bridgeServercomponentFontDriver\SND7XTuGR2g.vbe"16⤵PID:1048
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\bridgeServercomponentFontDriver\9qhNErD.bat" "17⤵PID:4968
-
C:\bridgeServercomponentFontDriver\MsHostsvc.exe"C:\bridgeServercomponentFontDriver\MsHostsvc.exe"18⤵
- Suspicious use of AdjustPrivilegeToken
PID:4608 -
C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"14⤵
- Executes dropped EXE
PID:1284 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\bridgeServercomponentFontDriver\SND7XTuGR2g.vbe"15⤵PID:2352
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\bridgeServercomponentFontDriver\9qhNErD.bat" "16⤵PID:4496
-
C:\bridgeServercomponentFontDriver\MsHostsvc.exe"C:\bridgeServercomponentFontDriver\MsHostsvc.exe"17⤵
- Suspicious use of AdjustPrivilegeToken
PID:2448 -
C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"13⤵
- Executes dropped EXE
PID:2576 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\bridgeServercomponentFontDriver\SND7XTuGR2g.vbe"14⤵PID:2528
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\bridgeServercomponentFontDriver\9qhNErD.bat" "15⤵PID:4564
-
C:\bridgeServercomponentFontDriver\MsHostsvc.exe"C:\bridgeServercomponentFontDriver\MsHostsvc.exe"16⤵
- Suspicious use of AdjustPrivilegeToken
PID:4692 -
C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"12⤵
- Executes dropped EXE
PID:1612 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\bridgeServercomponentFontDriver\SND7XTuGR2g.vbe"13⤵PID:1780
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\bridgeServercomponentFontDriver\9qhNErD.bat" "14⤵PID:4396
-
C:\bridgeServercomponentFontDriver\MsHostsvc.exe"C:\bridgeServercomponentFontDriver\MsHostsvc.exe"15⤵
- Suspicious use of AdjustPrivilegeToken
PID:3820 -
C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"11⤵
- Executes dropped EXE
PID:2692 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\bridgeServercomponentFontDriver\SND7XTuGR2g.vbe"12⤵PID:1540
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\bridgeServercomponentFontDriver\9qhNErD.bat" "13⤵PID:4420
-
C:\bridgeServercomponentFontDriver\MsHostsvc.exe"C:\bridgeServercomponentFontDriver\MsHostsvc.exe"14⤵
- Suspicious use of AdjustPrivilegeToken
PID:5108 -
C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"10⤵
- Executes dropped EXE
PID:2584 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\bridgeServercomponentFontDriver\SND7XTuGR2g.vbe"11⤵PID:2952
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\bridgeServercomponentFontDriver\9qhNErD.bat" "12⤵PID:3440
-
C:\bridgeServercomponentFontDriver\MsHostsvc.exe"C:\bridgeServercomponentFontDriver\MsHostsvc.exe"13⤵
- Suspicious use of AdjustPrivilegeToken
PID:1336 -
C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"9⤵
- Executes dropped EXE
PID:1508 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\bridgeServercomponentFontDriver\SND7XTuGR2g.vbe"10⤵PID:1844
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\bridgeServercomponentFontDriver\9qhNErD.bat" "11⤵PID:3344
-
C:\bridgeServercomponentFontDriver\MsHostsvc.exe"C:\bridgeServercomponentFontDriver\MsHostsvc.exe"12⤵
- Suspicious use of AdjustPrivilegeToken
PID:3904 -
C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"8⤵
- Executes dropped EXE
PID:2420 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\bridgeServercomponentFontDriver\SND7XTuGR2g.vbe"9⤵PID:1512
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\bridgeServercomponentFontDriver\9qhNErD.bat" "10⤵PID:3300
-
C:\bridgeServercomponentFontDriver\MsHostsvc.exe"C:\bridgeServercomponentFontDriver\MsHostsvc.exe"11⤵
- Suspicious use of AdjustPrivilegeToken
PID:3592 -
C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"7⤵
- Executes dropped EXE
PID:664 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\bridgeServercomponentFontDriver\SND7XTuGR2g.vbe"8⤵PID:1980
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\bridgeServercomponentFontDriver\9qhNErD.bat" "9⤵PID:2440
-
C:\bridgeServercomponentFontDriver\MsHostsvc.exe"C:\bridgeServercomponentFontDriver\MsHostsvc.exe"10⤵
- Suspicious use of AdjustPrivilegeToken
PID:3812 -
C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"6⤵
- Executes dropped EXE
PID:3048 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\bridgeServercomponentFontDriver\SND7XTuGR2g.vbe"7⤵PID:1100
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\bridgeServercomponentFontDriver\9qhNErD.bat" "8⤵PID:2916
-
C:\bridgeServercomponentFontDriver\MsHostsvc.exe"C:\bridgeServercomponentFontDriver\MsHostsvc.exe"9⤵
- Suspicious use of AdjustPrivilegeToken
PID:3676 -
C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"5⤵
- Executes dropped EXE
PID:2976 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\bridgeServercomponentFontDriver\SND7XTuGR2g.vbe"6⤵PID:2776
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\bridgeServercomponentFontDriver\9qhNErD.bat" "7⤵PID:2840
-
C:\bridgeServercomponentFontDriver\MsHostsvc.exe"C:\bridgeServercomponentFontDriver\MsHostsvc.exe"8⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2568 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\w1YW8UP1NG.bat"9⤵PID:4336
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:210⤵PID:4712
-
C:\Windows\Prefetch\ReadyBoot\wscript.exe"C:\Windows\Prefetch\ReadyBoot\wscript.exe"10⤵
- Suspicious use of AdjustPrivilegeToken
PID:4944 -
C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"4⤵
- Executes dropped EXE
PID:2868 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\bridgeServercomponentFontDriver\SND7XTuGR2g.vbe"5⤵PID:2852
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\bridgeServercomponentFontDriver\9qhNErD.bat" "6⤵PID:344
-
C:\bridgeServercomponentFontDriver\MsHostsvc.exe"C:\bridgeServercomponentFontDriver\MsHostsvc.exe"7⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2608 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RxbbScEcUc.bat"8⤵PID:4648
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:29⤵PID:4820
-
C:\Program Files\Microsoft Office\Office14\1033\sppsvc.exe"C:\Program Files\Microsoft Office\Office14\1033\sppsvc.exe"9⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious use of AdjustPrivilegeToken
PID:4848 -
C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2248 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\bridgeServercomponentFontDriver\SND7XTuGR2g.vbe"4⤵PID:2912
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\bridgeServercomponentFontDriver\9qhNErD.bat" "5⤵PID:2752
-
C:\bridgeServercomponentFontDriver\MsHostsvc.exe"C:\bridgeServercomponentFontDriver\MsHostsvc.exe"6⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2156 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mOiugIQtKn.bat"7⤵PID:4872
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:28⤵PID:3452
-
C:\bridgeServercomponentFontDriver\wscript.exe"C:\bridgeServercomponentFontDriver\wscript.exe"8⤵
- Suspicious use of AdjustPrivilegeToken
PID:5080 -
C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"C:\Users\Admin\AppData\Local\Temp\íóòèïàõóé.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1808 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\bridgeServercomponentFontDriver\SND7XTuGR2g.vbe"3⤵PID:2744
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\bridgeServercomponentFontDriver\9qhNErD.bat" "4⤵PID:2120
-
C:\bridgeServercomponentFontDriver\MsHostsvc.exe"C:\bridgeServercomponentFontDriver\MsHostsvc.exe"5⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1636 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\w1YW8UP1NG.bat"6⤵PID:4592
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:27⤵PID:4704
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-14354155321008134767865152972-598815325-1317719266-524890584193658167534900140"1⤵PID:1708
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "1272652512089450374-1779976591122109876-795176618140263615310582450371536544146"1⤵PID:2764
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Program Files\Microsoft Office\Office14\1033\sppsvc.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3944
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 8 /tr "'C:\Windows\Setup\State\cmd.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3952
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Program Files\Microsoft Office\Office14\1033\sppsvc.exe'" /f1⤵
- Process spawned unexpected child process
PID:3960
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Program Files\Microsoft Office\Office14\1033\sppsvc.exe'" /f1⤵
- Process spawned unexpected child process
PID:3968
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office14\1033\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4020
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office14\1033\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4032
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office14\1033\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4040
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Windows\Setup\State\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
PID:4048
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 11 /tr "'C:\Windows\Setup\State\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4092
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Program Files\Microsoft Office\Office14\1033\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2508
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Program Files\Microsoft Office\Office14\1033\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2576
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Program Files\Microsoft Office\Office14\1033\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1740
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wscriptw" /sc MINUTE /mo 12 /tr "'C:\Windows\Prefetch\ReadyBoot\wscript.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1472
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "íóòèïàõóéí" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Videos\Sample Videos\íóòèïàõóé.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2932
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wscriptw" /sc MINUTE /mo 12 /tr "'C:\Windows\Prefetch\ReadyBoot\wscript.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3152
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wscriptw" /sc MINUTE /mo 12 /tr "'C:\Windows\Prefetch\ReadyBoot\wscript.exe'" /f1⤵
- Process spawned unexpected child process
PID:1744
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wscript" /sc ONLOGON /tr "'C:\Windows\Prefetch\ReadyBoot\wscript.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2456
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wscript" /sc ONLOGON /tr "'C:\Windows\Prefetch\ReadyBoot\wscript.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3080
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "íóòèïàõóé" /sc ONLOGON /tr "'C:\Users\Public\Videos\Sample Videos\íóòèïàõóé.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
PID:3280
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wscriptw" /sc MINUTE /mo 10 /tr "'C:\Windows\Prefetch\ReadyBoot\wscript.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2820
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wscript" /sc ONLOGON /tr "'C:\Windows\Prefetch\ReadyBoot\wscript.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3368
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "íóòèïàõóéí" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Videos\Sample Videos\íóòèïàõóé.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1844
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wscriptw" /sc MINUTE /mo 10 /tr "'C:\Windows\Prefetch\ReadyBoot\wscript.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3324
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\bridgeServercomponentFontDriver\audiodg.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3472
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Windows\Resources\Ease of Access Themes\dllhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2444
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\bridgeServercomponentFontDriver\audiodg.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3364
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wscriptw" /sc MINUTE /mo 10 /tr "'C:\Windows\Prefetch\ReadyBoot\wscript.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1916
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\Resources\Ease of Access Themes\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
PID:3188
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\bridgeServercomponentFontDriver\audiodg.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
PID:3176
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\bridgeServercomponentFontDriver\audiodg.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3664
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Windows\Resources\Ease of Access Themes\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
PID:3432
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\bridgeServercomponentFontDriver\audiodg.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3780
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\bridgeServercomponentFontDriver\audiodg.exe'" /f1⤵
- Process spawned unexpected child process
PID:3824
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\bridgeServercomponentFontDriver\audiodg.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
PID:3832
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\bridgeServercomponentFontDriver\audiodg.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3992
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Google\CrashReports\spoolsv.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4012
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Favorites\conhost.exe'" /f1⤵
- Process spawned unexpected child process
PID:4072
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4080
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\CrashReports\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2700
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\bridgeServercomponentFontDriver\audiodg.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1484
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Google\CrashReports\spoolsv.exe'" /f1⤵
- Process spawned unexpected child process
PID:1320
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
PID:1656
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\Public\Favorites\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
PID:3312
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Google\CrashReports\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3492
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Favorites\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3740
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wscriptw" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\wscript.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2656
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2812
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\CrashReports\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2664
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wscript" /sc ONLOGON /tr "'C:\Users\Admin\wscript.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
PID:3120
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Windows\Fonts\services.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3412
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\Fonts\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2060
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Package Cache\explorer.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3460
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wscriptw" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\wscript.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3688
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Google\CrashReports\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
PID:3316
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Windows\Fonts\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2172
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\All Users\Package Cache\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3988
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wscriptw" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\wscript.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4028
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Package Cache\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2952
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "íóòèïàõóéí" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\AppData\Roaming\Mozilla\íóòèïàõóé.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4088
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "íóòèïàõóé" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Roaming\Mozilla\íóòèïàõóé.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
PID:3292
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wscriptw" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\wscript.exe'" /f1⤵
- Process spawned unexpected child process
PID:3288
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wscript" /sc ONLOGON /tr "'C:\Users\Admin\wscript.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3456
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wscriptw" /sc MINUTE /mo 13 /tr "'C:\bridgeServercomponentFontDriver\wscript.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3520
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "íóòèïàõóéí" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\AppData\Roaming\Mozilla\íóòèïàõóé.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
PID:3844
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wscript" /sc ONLOGON /tr "'C:\bridgeServercomponentFontDriver\wscript.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:4008
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wscript" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\wscript.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:3564
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wscriptw" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\wscript.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:2948
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wscriptw" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\wscript.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:2264
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wscriptw" /sc MINUTE /mo 9 /tr "'C:\bridgeServercomponentFontDriver\wscript.exe'" /rl HIGHEST /f1⤵PID:3524
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "íóòèïàõóéí" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\AppData\Roaming\Mozilla\íóòèïàõóé.exe'" /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:3200
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "íóòèïàõóé" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Roaming\Mozilla\íóòèïàõóé.exe'" /rl HIGHEST /f1⤵PID:3496
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "MsHostsvcM" /sc MINUTE /mo 10 /tr "'C:\Windows\Prefetch\MsHostsvc.exe'" /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:4128
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "íóòèïàõóéí" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\AppData\Roaming\Mozilla\íóòèïàõóé.exe'" /rl HIGHEST /f1⤵PID:4156
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "MsHostsvc" /sc ONLOGON /tr "'C:\Windows\Prefetch\MsHostsvc.exe'" /rl HIGHEST /f1⤵PID:4164
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "MsHostsvcM" /sc MINUTE /mo 11 /tr "'C:\Windows\Prefetch\MsHostsvc.exe'" /rl HIGHEST /f1⤵PID:4200
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "MsHostsvcM" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\MsHostsvc.exe'" /f1⤵PID:4268
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "MsHostsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\MsHostsvc.exe'" /rl HIGHEST /f1⤵PID:4288
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "MsHostsvcM" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\MsHostsvc.exe'" /rl HIGHEST /f1⤵PID:4452
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "íóòèïàõóéí" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\íóòèïàõóé.exe'" /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:4508
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "íóòèïàõóé" /sc ONLOGON /tr "'C:\Users\All Users\íóòèïàõóé.exe'" /rl HIGHEST /f1⤵PID:4536
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "íóòèïàõóéí" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\íóòèïàõóé.exe'" /rl HIGHEST /f1⤵PID:4704
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wscriptw" /sc MINUTE /mo 5 /tr "'C:\Windows\de-DE\wscript.exe'" /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:4800
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wscript" /sc ONLOGON /tr "'C:\Windows\de-DE\wscript.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:4832
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wscriptw" /sc MINUTE /mo 5 /tr "'C:\Windows\de-DE\wscript.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:4848
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "MsHostsvcM" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\MsHostsvc.exe'" /f1⤵PID:4876
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "MsHostsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\MsHostsvc.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:4892
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "MsHostsvcM" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\MsHostsvc.exe'" /rl HIGHEST /f1⤵PID:4912
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wscriptw" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\wscript.exe'" /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:4960
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wscript" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\wscript.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:4988
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wscriptw" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\wscript.exe'" /rl HIGHEST /f1⤵PID:5008
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wscriptw" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Media Player\wscript.exe'" /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:5040
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wscript" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\wscript.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:5060
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wscriptw" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Media Player\wscript.exe'" /rl HIGHEST /f1⤵PID:5076
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wscriptw" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Photo Viewer\ja-JP\wscript.exe'" /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:4176
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wscript" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\ja-JP\wscript.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:3644
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wscriptw" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Photo Viewer\ja-JP\wscript.exe'" /rl HIGHEST /f1⤵PID:4320
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "íóòèïàõóéí" /sc MINUTE /mo 9 /tr "'C:\Windows\Vss\íóòèïàõóé.exe'" /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:2728
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "íóòèïàõóé" /sc ONLOGON /tr "'C:\Windows\Vss\íóòèïàõóé.exe'" /rl HIGHEST /f1⤵PID:4316
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "íóòèïàõóéí" /sc MINUTE /mo 10 /tr "'C:\Windows\Vss\íóòèïàõóé.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:3720
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-1142516889-4690471361222705812-18757333271667287967-237753794294121187-1412489812"1⤵PID:2832
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-572897688-1071271033-168917881316392521781239830340-390831473948204373-1964191024"1⤵PID:2528
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "497489938-1461290047-1891970711-1032562435-9697706291842343234-19844001-552648072"1⤵PID:2576
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "414115021-1923028840491310152-1587525959-15645555018948081842052716838-76495650"1⤵PID:4608
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-138422705663857730620591649711994786305105619622687570802614321056971776928510"1⤵PID:2440
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-1285564722-1860237338108957085968942292112363574383436053291365576883-1600061446"1⤵PID:2916
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-442380647849326856-1755530379-936527608-762403082-1266296312-635894013-149828967"1⤵PID:1084
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-6968059461097054000460173210-1904713231377802209-5586905491194759017-381335977"1⤵PID:4496
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-1310653881283198903-983933257522030141008531444-14334360221782380143548955205"1⤵PID:560
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-192131022030971942-103495664-1156371492-1012496872-506901048906825322-1573131904"1⤵PID:4872
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "7721241971606183369-2096304830-1654201870-236349218-19953398541036344808556868235"1⤵PID:2120
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "503706140-1331947396-1545589151-1826362846398347815146414232689840724-358294815"1⤵PID:4488
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-1368237520165161589211191345261587715195-1406454482-1572778550-943053540-828759153"1⤵PID:2932
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "3978109381257476753541041822036745317-2062635881858335141-127587100269620535"1⤵PID:3328
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "1985770815652791157774667564-1083366134-16199549841677755081659504197239584203"1⤵PID:3064
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-1728616438-2020640340-1202005438-218184906-1348006815-8127174881401662778509394934"1⤵PID:4612
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "1760427014-1940987363-193795435396934168419381880321580743074-14699678791975632068"1⤵PID:2984
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-1637803711830249203932336967-1683292097-5856692281046381095269273932-1818295147"1⤵PID:5548
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-90959115520466666942090180328-1391094524-122233796-1884287227602961391305401481"1⤵PID:2332
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-1122172680-1814863459922464068-1420927875-6447622492136726135-604973791193266530"1⤵PID:5724
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "3997369701751415101641191663-1061173061805988634-406769599-2114106580-266777106"1⤵PID:1512
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-797831565372769279507599311247188007702536472-624177960634905152-325554025"1⤵PID:3232
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2.7MB
MD5a7a6c9f410573c8fbd408170eab6aa33
SHA199354c9e2c7fc978abd47e8d2ec1a403bcc5dfd6
SHA2569d5aaaf2551239a60ec1a383a3512be976cfaa866573e86687c59412ae167974
SHA512f3dbb349ed88f1d9b7c6d1e0ffc2fa12b3d2f68209eaf97ff8bf4344c5a87e39ba3588584df4b656acdcf1b1526415b0a06e921f405bc836792c9b55a794d6b5
-
Filesize
215B
MD5bd091f4d8a1df91d73b0c65a4ba02330
SHA1bef757dc154e1d4a0fc91f8ce1e4072c4c12d6df
SHA2567eeb92d6b5e2faca9ea5763051aac81b7851f4aefe76680ccb25a3aec7e05be2
SHA5120559ece912e8d3f061e615dd55ced1ddb75c743014b99f4589421c192a4aadf58c41c5b8d72cb96ac3b40f4326e7a7c5791691d557036fb3df2df8f78ff2a98c
-
Filesize
2.7MB
MD590094c2066f9e53cb9217876c833c269
SHA1da9086b65e114257168e634cc921e1ab1c069144
SHA256371427ad07be3f9c39773c3c0c4b95c86f63dc2e427835565b159f3686818bd0
SHA512ef4a15be7efa9ac59c991c64c5afa5fb9e8015334f69e1c64315f788345c456fec5caf58605ccf08afaf16f1a2f7cc2fda1ffd85850d6c2ea268c63efc261aa8
-
Filesize
3.0MB
MD5d80301cde99009a601e22c0f9cb3433a
SHA1d82a05a75f31ec11ced2f6c5e0b945510dbfcd5a
SHA256334e48543f8c2d0203135f7820116b676467ae1c1a3d6eabd8b17f96308e5574
SHA51202b744e15834b654b1d4772d8f2ddc26ca773a9139d9d12fec12c2749e09e69c904014c8464762a7bd97aa8413971193a8c386bb2bfecc14fc8aabd78383888b