1459890537a96e964089709f6a4dc704f422fe6949a6492784acb46c624f793d

Analysis

max time kernel
67s
max time network
113s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
30/03/2025, 20:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_99180aba4fcef4c831dd34f4c66cd52e.exe
Size

364KB
MD5

99180aba4fcef4c831dd34f4c66cd52e
SHA1

58ada9bab31fe9f2184b605678aa203fafc4f2ac
SHA256

1459890537a96e964089709f6a4dc704f422fe6949a6492784acb46c624f793d
SHA512

9b80eb9d4000521237fd520274eed9cb6dd8bf69b2967aa76168b6d148148915c98fcd0619d01d066543cf4ea8a5c1662ad7565b232e5c715423db2fe4a489fd
SSDEEP

6144:xl56Q4Kee0COjAwlaNQYuFloUM0LpgqzvAu++deDpsQoJWy5q2DvhTnAY:tH8eTOjbEWFFloU1gqzAuXgDpsQ2q2vJ

Score

9^/10

discovery persistence ransomware

Malware Config

Signatures

Renames multiple (89) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Executes dropped EXE 64 IoCs

pid	Process
1736	TurmoilscapeUpdater.exe
1664	TurmoilscapeUpdater.exe
1232	TurmoilscapeUpdater.exe
4844	JaffaCakes118_99180aba4fcef4c831dd34f4c66cd52e.exe
1568	TurmoilscapeUpdater.exe
832	TurmoilscapeUpdater.exe
1344	TurmoilscapeUpdater.exe
4940	TurmoilscapeUpdater.exe
116	TurmoilscapeUpdater.exe
1480	TurmoilscapeUpdater.exe
4600	TurmoilscapeUpdater.exe
4604	TurmoilscapeUpdater.exe
1636	TurmoilscapeUpdater.exe
556	TurmoilscapeUpdater.exe
4488	TurmoilscapeUpdater.exe
968	TurmoilscapeUpdater.exe
4452	TurmoilscapeUpdater.exe
1608	TurmoilscapeUpdater.exe
5068	TurmoilscapeUpdater.exe
4556	TurmoilscapeUpdater.exe
4216	TurmoilscapeUpdater.exe
1176	TurmoilscapeUpdater.exe
4520	TurmoilscapeUpdater.exe
4940	TurmoilscapeUpdater.exe
3500	TurmoilscapeUpdater.exe
792	TurmoilscapeUpdater.exe
1472	TurmoilscapeUpdater.exe
5692	TurmoilscapeUpdater.exe
5936	TurmoilscapeUpdater.exe
5944	TurmoilscapeUpdater.exe
6044	TurmoilscapeUpdater.exe
6064	TurmoilscapeUpdater.exe
4604	TurmoilscapeUpdater.exe
3284	TurmoilscapeUpdater.exe
4864	TurmoilscapeUpdater.exe
880	TurmoilscapeUpdater.exe
1700	TurmoilscapeUpdater.exe
5716	TurmoilscapeUpdater.exe
6408	TurmoilscapeUpdater.exe
6864	TurmoilscapeUpdater.exe
6904	TurmoilscapeUpdater.exe
7164	TurmoilscapeUpdater.exe
720	TurmoilscapeUpdater.exe
2704	TurmoilscapeUpdater.exe
968	TurmoilscapeUpdater.exe
5728	TurmoilscapeUpdater.exe
408	TurmoilscapeUpdater.exe
4684	TurmoilscapeUpdater.exe
6160	TurmoilscapeUpdater.exe
6220	TurmoilscapeUpdater.exe
6244	TurmoilscapeUpdater.exe
4148	TurmoilscapeUpdater.exe
6464	TurmoilscapeUpdater.exe
4940	TurmoilscapeUpdater.exe
5572	TurmoilscapeUpdater.exe
6060	TurmoilscapeUpdater.exe
5372	TurmoilscapeUpdater.exe
7128	TurmoilscapeUpdater.exe
5952	TurmoilscapeUpdater.exe
4860	TurmoilscapeUpdater.exe
1508	TurmoilscapeUpdater.exe
2628	TurmoilscapeUpdater.exe
6080	TurmoilscapeUpdater.exe
5876	TurmoilscapeUpdater.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TurmoilscapeUpdater = "C:\\Users\\Admin\\AppData\\Roaming\\Turmoilscape\\TurmoilscapeUpdater.exe"	TurmoilscapeUpdater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\TurmoilscapeUpdater = "C:\\Users\\Admin\\AppData\\Roaming\\Turmoilscape\\TurmoilscapeUpdater.exe"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\TurmoilscapeUpdater = "C:\\Users\\Admin\\AppData\\Roaming\\Turmoilscape\\TurmoilscapeUpdater.exe"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TurmoilscapeUpdater = "C:\\Users\\Admin\\AppData\\Roaming\\Turmoilscape\\TurmoilscapeUpdater.exe"	TurmoilscapeUpdater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\TurmoilscapeUpdater = "C:\\Users\\Admin\\AppData\\Roaming\\Turmoilscape\\TurmoilscapeUpdater.exe"	TurmoilscapeUpdater.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TurmoilscapeUpdater = "C:\\Users\\Admin\\AppData\\Roaming\\Turmoilscape\\TurmoilscapeUpdater.exe"	TurmoilscapeUpdater.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TurmoilscapeUpdater = "C:\\Users\\Admin\\AppData\\Roaming\\Turmoilscape\\TurmoilscapeUpdater.exe"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TurmoilscapeUpdater = "C:\\Users\\Admin\\AppData\\Roaming\\Turmoilscape\\TurmoilscapeUpdater.exe"	TurmoilscapeUpdater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\TurmoilscapeUpdater = "C:\\Users\\Admin\\AppData\\Roaming\\Turmoilscape\\TurmoilscapeUpdater.exe"	TurmoilscapeUpdater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\TurmoilscapeUpdater = "C:\\Users\\Admin\\AppData\\Roaming\\Turmoilscape\\TurmoilscapeUpdater.exe"	TurmoilscapeUpdater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\TurmoilscapeUpdater = "C:\\Users\\Admin\\AppData\\Roaming\\Turmoilscape\\TurmoilscapeUpdater.exe"	TurmoilscapeUpdater.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TurmoilscapeUpdater = "C:\\Users\\Admin\\AppData\\Roaming\\Turmoilscape\\TurmoilscapeUpdater.exe"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TurmoilscapeUpdater = "C:\\Users\\Admin\\AppData\\Roaming\\Turmoilscape\\TurmoilscapeUpdater.exe"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\TurmoilscapeUpdater = "C:\\Users\\Admin\\AppData\\Roaming\\Turmoilscape\\TurmoilscapeUpdater.exe"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TurmoilscapeUpdater = "C:\\Users\\Admin\\AppData\\Roaming\\Turmoilscape\\TurmoilscapeUpdater.exe"	TurmoilscapeUpdater.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TurmoilscapeUpdater = "C:\\Users\\Admin\\AppData\\Roaming\\Turmoilscape\\TurmoilscapeUpdater.exe"	TurmoilscapeUpdater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\TurmoilscapeUpdater = "C:\\Users\\Admin\\AppData\\Roaming\\Turmoilscape\\TurmoilscapeUpdater.exe"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\TurmoilscapeUpdater = "C:\\Users\\Admin\\AppData\\Roaming\\Turmoilscape\\TurmoilscapeUpdater.exe"	TurmoilscapeUpdater.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TurmoilscapeUpdater = "C:\\Users\\Admin\\AppData\\Roaming\\Turmoilscape\\TurmoilscapeUpdater.exe"	TurmoilscapeUpdater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\TurmoilscapeUpdater = "C:\\Users\\Admin\\AppData\\Roaming\\Turmoilscape\\TurmoilscapeUpdater.exe"	TurmoilscapeUpdater.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TurmoilscapeUpdater = "C:\\Users\\Admin\\AppData\\Roaming\\Turmoilscape\\TurmoilscapeUpdater.exe"	TurmoilscapeUpdater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\TurmoilscapeUpdater = "C:\\Users\\Admin\\AppData\\Roaming\\Turmoilscape\\TurmoilscapeUpdater.exe"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\TurmoilscapeUpdater = "C:\\Users\\Admin\\AppData\\Roaming\\Turmoilscape\\TurmoilscapeUpdater.exe"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\TurmoilscapeUpdater = "C:\\Users\\Admin\\AppData\\Roaming\\Turmoilscape\\TurmoilscapeUpdater.exe"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\TurmoilscapeUpdater = "C:\\Users\\Admin\\AppData\\Roaming\\Turmoilscape\\TurmoilscapeUpdater.exe"	TurmoilscapeUpdater.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TurmoilscapeUpdater = "C:\\Users\\Admin\\AppData\\Roaming\\Turmoilscape\\TurmoilscapeUpdater.exe"	TurmoilscapeUpdater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\TurmoilscapeUpdater = "C:\\Users\\Admin\\AppData\\Roaming\\Turmoilscape\\TurmoilscapeUpdater.exe"	TurmoilscapeUpdater.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TurmoilscapeUpdater = "C:\\Users\\Admin\\AppData\\Roaming\\Turmoilscape\\TurmoilscapeUpdater.exe"	TurmoilscapeUpdater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\TurmoilscapeUpdater = "C:\\Users\\Admin\\AppData\\Roaming\\Turmoilscape\\TurmoilscapeUpdater.exe"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\TurmoilscapeUpdater = "C:\\Users\\Admin\\AppData\\Roaming\\Turmoilscape\\TurmoilscapeUpdater.exe"	TurmoilscapeUpdater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\TurmoilscapeUpdater = "C:\\Users\\Admin\\AppData\\Roaming\\Turmoilscape\\TurmoilscapeUpdater.exe"	TurmoilscapeUpdater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\TurmoilscapeUpdater = "C:\\Users\\Admin\\AppData\\Roaming\\Turmoilscape\\TurmoilscapeUpdater.exe"	TurmoilscapeUpdater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\TurmoilscapeUpdater = "C:\\Users\\Admin\\AppData\\Roaming\\Turmoilscape\\TurmoilscapeUpdater.exe"	TurmoilscapeUpdater.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TurmoilscapeUpdater = "C:\\Users\\Admin\\AppData\\Roaming\\Turmoilscape\\TurmoilscapeUpdater.exe"	TurmoilscapeUpdater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\TurmoilscapeUpdater = "C:\\Users\\Admin\\AppData\\Roaming\\Turmoilscape\\TurmoilscapeUpdater.exe"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\TurmoilscapeUpdater = "C:\\Users\\Admin\\AppData\\Roaming\\Turmoilscape\\TurmoilscapeUpdater.exe"	TurmoilscapeUpdater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\TurmoilscapeUpdater = "C:\\Users\\Admin\\AppData\\Roaming\\Turmoilscape\\TurmoilscapeUpdater.exe"	TurmoilscapeUpdater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\TurmoilscapeUpdater = "C:\\Users\\Admin\\AppData\\Roaming\\Turmoilscape\\TurmoilscapeUpdater.exe"	TurmoilscapeUpdater.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TurmoilscapeUpdater = "C:\\Users\\Admin\\AppData\\Roaming\\Turmoilscape\\TurmoilscapeUpdater.exe"	TurmoilscapeUpdater.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TurmoilscapeUpdater = "C:\\Users\\Admin\\AppData\\Roaming\\Turmoilscape\\TurmoilscapeUpdater.exe"	TurmoilscapeUpdater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\TurmoilscapeUpdater = "C:\\Users\\Admin\\AppData\\Roaming\\Turmoilscape\\TurmoilscapeUpdater.exe"	TurmoilscapeUpdater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\TurmoilscapeUpdater = "C:\\Users\\Admin\\AppData\\Roaming\\Turmoilscape\\TurmoilscapeUpdater.exe"	TurmoilscapeUpdater.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TurmoilscapeUpdater = "C:\\Users\\Admin\\AppData\\Roaming\\Turmoilscape\\TurmoilscapeUpdater.exe"	TurmoilscapeUpdater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\TurmoilscapeUpdater = "C:\\Users\\Admin\\AppData\\Roaming\\Turmoilscape\\TurmoilscapeUpdater.exe"	TurmoilscapeUpdater.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TurmoilscapeUpdater = "C:\\Users\\Admin\\AppData\\Roaming\\Turmoilscape\\TurmoilscapeUpdater.exe"	TurmoilscapeUpdater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\TurmoilscapeUpdater = "C:\\Users\\Admin\\AppData\\Roaming\\Turmoilscape\\TurmoilscapeUpdater.exe"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TurmoilscapeUpdater = "C:\\Users\\Admin\\AppData\\Roaming\\Turmoilscape\\TurmoilscapeUpdater.exe"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TurmoilscapeUpdater = "C:\\Users\\Admin\\AppData\\Roaming\\Turmoilscape\\TurmoilscapeUpdater.exe"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\TurmoilscapeUpdater = "C:\\Users\\Admin\\AppData\\Roaming\\Turmoilscape\\TurmoilscapeUpdater.exe"	TurmoilscapeUpdater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\TurmoilscapeUpdater = "C:\\Users\\Admin\\AppData\\Roaming\\Turmoilscape\\TurmoilscapeUpdater.exe"	TurmoilscapeUpdater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\TurmoilscapeUpdater = "C:\\Users\\Admin\\AppData\\Roaming\\Turmoilscape\\TurmoilscapeUpdater.exe"	TurmoilscapeUpdater.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TurmoilscapeUpdater = "C:\\Users\\Admin\\AppData\\Roaming\\Turmoilscape\\TurmoilscapeUpdater.exe"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\TurmoilscapeUpdater = "C:\\Users\\Admin\\AppData\\Roaming\\Turmoilscape\\TurmoilscapeUpdater.exe"	TurmoilscapeUpdater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\TurmoilscapeUpdater = "C:\\Users\\Admin\\AppData\\Roaming\\Turmoilscape\\TurmoilscapeUpdater.exe"	TurmoilscapeUpdater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\TurmoilscapeUpdater = "C:\\Users\\Admin\\AppData\\Roaming\\Turmoilscape\\TurmoilscapeUpdater.exe"	TurmoilscapeUpdater.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TurmoilscapeUpdater = "C:\\Users\\Admin\\AppData\\Roaming\\Turmoilscape\\TurmoilscapeUpdater.exe"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\TurmoilscapeUpdater = "C:\\Users\\Admin\\AppData\\Roaming\\Turmoilscape\\TurmoilscapeUpdater.exe"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\TurmoilscapeUpdater = "C:\\Users\\Admin\\AppData\\Roaming\\Turmoilscape\\TurmoilscapeUpdater.exe"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\TurmoilscapeUpdater = "C:\\Users\\Admin\\AppData\\Roaming\\Turmoilscape\\TurmoilscapeUpdater.exe"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\TurmoilscapeUpdater = "C:\\Users\\Admin\\AppData\\Roaming\\Turmoilscape\\TurmoilscapeUpdater.exe"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\TurmoilscapeUpdater = "C:\\Users\\Admin\\AppData\\Roaming\\Turmoilscape\\TurmoilscapeUpdater.exe"	TurmoilscapeUpdater.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TurmoilscapeUpdater = "C:\\Users\\Admin\\AppData\\Roaming\\Turmoilscape\\TurmoilscapeUpdater.exe"	TurmoilscapeUpdater.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TurmoilscapeUpdater = "C:\\Users\\Admin\\AppData\\Roaming\\Turmoilscape\\TurmoilscapeUpdater.exe"	TurmoilscapeUpdater.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TurmoilscapeUpdater = "C:\\Users\\Admin\\AppData\\Roaming\\Turmoilscape\\TurmoilscapeUpdater.exe"	TurmoilscapeUpdater.exe

Suspicious use of SetThreadContext 64 IoCs

description	pid	Process	procid_target
PID 1416 set thread context of 4844	1416	JaffaCakes118_99180aba4fcef4c831dd34f4c66cd52e.exe	400
PID 1664 set thread context of 1568	1664	TurmoilscapeUpdater.exe	421
PID 1736 set thread context of 832	1736	TurmoilscapeUpdater.exe	2513
PID 1232 set thread context of 1480	1232	TurmoilscapeUpdater.exe	146
PID 116 set thread context of 4488	116	TurmoilscapeUpdater.exe	1380
PID 1344 set thread context of 4452	1344	TurmoilscapeUpdater.exe	2796
PID 4940 set thread context of 5068	4940	TurmoilscapeUpdater.exe	2463
PID 4604 set thread context of 792	4604	TurmoilscapeUpdater.exe	2878
PID 4600 set thread context of 1472	4600	TurmoilscapeUpdater.exe	2501
PID 1636 set thread context of 6064	1636	TurmoilscapeUpdater.exe	337
PID 556 set thread context of 4604	556	TurmoilscapeUpdater.exe	273
PID 968 set thread context of 1700	968	TurmoilscapeUpdater.exe	295
PID 1608 set thread context of 5716	1608	TurmoilscapeUpdater.exe	2162
PID 1176 set thread context of 6864	1176	TurmoilscapeUpdater.exe	326
PID 4940 set thread context of 6904	4940	TurmoilscapeUpdater.exe	327
PID 4520 set thread context of 7164	4520	TurmoilscapeUpdater.exe	445
PID 4216 set thread context of 720	4216	TurmoilscapeUpdater.exe	338
PID 3500 set thread context of 4684	3500	TurmoilscapeUpdater.exe	2838
PID 5692 set thread context of 6244	5692	TurmoilscapeUpdater.exe	1331
PID 5936 set thread context of 5952	5936	TurmoilscapeUpdater.exe	2698
PID 6044 set thread context of 5572	6044	TurmoilscapeUpdater.exe	382
PID 5944 set thread context of 6060	5944	TurmoilscapeUpdater.exe	505
PID 4556 set thread context of 5372	4556	TurmoilscapeUpdater.exe	506
PID 3284 set thread context of 7128	3284	TurmoilscapeUpdater.exe	1398
PID 880 set thread context of 4248	880	TurmoilscapeUpdater.exe	428
PID 4864 set thread context of 8092	4864	TurmoilscapeUpdater.exe	1652
PID 6408 set thread context of 8100	6408	TurmoilscapeUpdater.exe	2049
PID 968 set thread context of 6704	968	TurmoilscapeUpdater.exe	1607
PID 6220 set thread context of 4892	6220	TurmoilscapeUpdater.exe	573
PID 5728 set thread context of 8784	5728	TurmoilscapeUpdater.exe	2667
PID 408 set thread context of 3944	408	TurmoilscapeUpdater.exe	1275
PID 4940 set thread context of 9632	4940	TurmoilscapeUpdater.exe	1835
PID 4148 set thread context of 9764	4148	TurmoilscapeUpdater.exe	2970
PID 6160 set thread context of 9620	6160	TurmoilscapeUpdater.exe	2862
PID 6464 set thread context of 9808	6464	TurmoilscapeUpdater.exe	607
PID 4860 set thread context of 9884	4860	TurmoilscapeUpdater.exe	612
PID 2704 set thread context of 6572	2704	TurmoilscapeUpdater.exe	1887
PID 3176 set thread context of 9736	3176	TurmoilscapeUpdater.exe	1357
PID 6404 set thread context of 10368	6404	TurmoilscapeUpdater.exe	2867
PID 1508 set thread context of 10788	1508	TurmoilscapeUpdater.exe	1483
PID 2628 set thread context of 10864	2628	TurmoilscapeUpdater.exe	1830
PID 8168 set thread context of 11152	8168	TurmoilscapeUpdater.exe	854
PID 5072 set thread context of 11164	5072	TurmoilscapeUpdater.exe	1768
PID 8032 set thread context of 11188	8032	TurmoilscapeUpdater.exe	848
PID 5776 set thread context of 11200	5776	TurmoilscapeUpdater.exe	1252
PID 5876 set thread context of 11208	5876	TurmoilscapeUpdater.exe	732
PID 7552 set thread context of 9348	7552	TurmoilscapeUpdater.exe	2850
PID 7492 set thread context of 4908	7492	TurmoilscapeUpdater.exe	1391
PID 6096 set thread context of 9336	6096	TurmoilscapeUpdater.exe	1016
PID 6080 set thread context of 2096	6080	TurmoilscapeUpdater.exe	3020
PID 4068 set thread context of 11000	4068	TurmoilscapeUpdater.exe	1831
PID 8088 set thread context of 2400	8088	TurmoilscapeUpdater.exe	816
PID 7228 set thread context of 9812	7228	TurmoilscapeUpdater.exe	1071
PID 8372 set thread context of 1040	8372	TurmoilscapeUpdater.exe	831
PID 9096 set thread context of 11452	9096	TurmoilscapeUpdater.exe	858
PID 8252 set thread context of 12068	8252	TurmoilscapeUpdater.exe	1601
PID 4000 set thread context of 11408	4000	TurmoilscapeUpdater.exe	936
PID 6588 set thread context of 12740	6588	TurmoilscapeUpdater.exe	2395
PID 9824 set thread context of 932	9824	TurmoilscapeUpdater.exe	1076
PID 9680 set thread context of 15304	9680	TurmoilscapeUpdater.exe	2924
PID 8756 set thread context of 15296	8756	TurmoilscapeUpdater.exe	3411
PID 9672 set thread context of 9908	9672	TurmoilscapeUpdater.exe	2599
PID 9816 set thread context of 14628	9816	TurmoilscapeUpdater.exe	1136
PID 10796 set thread context of 9864	10796	TurmoilscapeUpdater.exe	1152

Program crash 21 IoCs

pid	pid_target	Process	procid_target
3260	4844	WerFault.exe	111
3820	1568	WerFault.exe
2476	832	WerFault.exe	123
4572	1480	WerFault.exe	146
6488	5716	WerFault.exe	296
6592	1700	WerFault.exe	295
6064	6864	WerFault.exe	326
3944	6904	WerFault.exe	327
9276	4892	WerFault.exe	573
9784	8784	WerFault.exe	578
9608	6704	WerFault.exe	568
5132	9884	WerFault.exe	612
14892	932	WerFault.exe	1076
6552	14812	WerFault.exe	1105
1180	15304	WerFault.exe	1125
14700	15128	WerFault.exe	1117
4692	15204	WerFault.exe	1147
1228	8652	Process not Found	1385
7412	7216	Process not Found	1386
15620	8452	Process not Found	1456
15744	7148	Process not Found	1636

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TurmoilscapeUpdater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TurmoilscapeUpdater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TurmoilscapeUpdater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TurmoilscapeUpdater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TurmoilscapeUpdater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TurmoilscapeUpdater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TurmoilscapeUpdater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dw20.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TurmoilscapeUpdater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TurmoilscapeUpdater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dw20.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TurmoilscapeUpdater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TurmoilscapeUpdater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TurmoilscapeUpdater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dw20.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dw20.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dw20.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TurmoilscapeUpdater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TurmoilscapeUpdater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dw20.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TurmoilscapeUpdater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TurmoilscapeUpdater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TurmoilscapeUpdater.exe

Checks processor information in registry 2 TTPs 64 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Process not Found
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Process not Found
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Process not Found
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Process not Found
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	Process not Found
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Process not Found
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	Process not Found
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Process not Found
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Process not Found
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Process not Found
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Process not Found

Enumerates system info in registry 2 TTPs 64 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	Process not Found
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	Process not Found
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	Process not Found
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	Process not Found
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	Process not Found
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	Process not Found
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	Process not Found
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	Process not Found
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	Process not Found
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	Process not Found
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	Process not Found
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	Process not Found
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	Process not Found
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	Process not Found

Modifies data under HKEY_USERS 18 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	Process not Found

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1416	JaffaCakes118_99180aba4fcef4c831dd34f4c66cd52e.exe
Token: SeDebugPrivilege	1736	TurmoilscapeUpdater.exe
Token: SeDebugPrivilege	1664	TurmoilscapeUpdater.exe
Token: SeDebugPrivilege	1232	TurmoilscapeUpdater.exe
Token: SeDebugPrivilege	1344	TurmoilscapeUpdater.exe
Token: SeDebugPrivilege	4940	TurmoilscapeUpdater.exe
Token: SeDebugPrivilege	116	TurmoilscapeUpdater.exe
Token: SeDebugPrivilege	4600	TurmoilscapeUpdater.exe
Token: SeDebugPrivilege	4604	TurmoilscapeUpdater.exe
Token: SeDebugPrivilege	1636	TurmoilscapeUpdater.exe
Token: SeDebugPrivilege	556	TurmoilscapeUpdater.exe
Token: SeDebugPrivilege	968	TurmoilscapeUpdater.exe
Token: SeDebugPrivilege	1608	TurmoilscapeUpdater.exe
Token: SeDebugPrivilege	4940	TurmoilscapeUpdater.exe
Token: SeDebugPrivilege	4520	TurmoilscapeUpdater.exe
Token: SeDebugPrivilege	4556	TurmoilscapeUpdater.exe
Token: SeDebugPrivilege	4216	TurmoilscapeUpdater.exe
Token: SeDebugPrivilege	1176	TurmoilscapeUpdater.exe
Token: SeDebugPrivilege	3500	TurmoilscapeUpdater.exe
Token: SeDebugPrivilege	5692	TurmoilscapeUpdater.exe
Token: SeDebugPrivilege	5944	TurmoilscapeUpdater.exe
Token: SeDebugPrivilege	5936	TurmoilscapeUpdater.exe
Token: SeDebugPrivilege	6044	TurmoilscapeUpdater.exe
Token: SeDebugPrivilege	3284	TurmoilscapeUpdater.exe
Token: SeDebugPrivilege	4864	TurmoilscapeUpdater.exe
Token: SeDebugPrivilege	880	TurmoilscapeUpdater.exe
Token: SeDebugPrivilege	6408	TurmoilscapeUpdater.exe
Token: SeDebugPrivilege	5728	TurmoilscapeUpdater.exe
Token: SeDebugPrivilege	408	TurmoilscapeUpdater.exe
Token: SeDebugPrivilege	6220	TurmoilscapeUpdater.exe
Token: SeDebugPrivilege	2704	TurmoilscapeUpdater.exe
Token: SeDebugPrivilege	4148	TurmoilscapeUpdater.exe
Token: SeDebugPrivilege	6160	TurmoilscapeUpdater.exe
Token: SeDebugPrivilege	968	TurmoilscapeUpdater.exe
Token: SeDebugPrivilege	4940	TurmoilscapeUpdater.exe
Token: SeDebugPrivilege	6464	TurmoilscapeUpdater.exe
Token: SeDebugPrivilege	2628	TurmoilscapeUpdater.exe
Token: SeDebugPrivilege	1508	TurmoilscapeUpdater.exe
Token: SeDebugPrivilege	4860	TurmoilscapeUpdater.exe
Token: SeDebugPrivilege	3176	TurmoilscapeUpdater.exe
Token: SeDebugPrivilege	6096	TurmoilscapeUpdater.exe
Token: SeDebugPrivilege	6080	TurmoilscapeUpdater.exe
Token: SeDebugPrivilege	5876	TurmoilscapeUpdater.exe
Token: SeDebugPrivilege	5072	TurmoilscapeUpdater.exe
Token: SeDebugPrivilege	6404	TurmoilscapeUpdater.exe
Token: SeDebugPrivilege	5776	TurmoilscapeUpdater.exe
Token: SeDebugPrivilege	7552	TurmoilscapeUpdater.exe
Token: SeDebugPrivilege	7492	TurmoilscapeUpdater.exe
Token: SeDebugPrivilege	8168	TurmoilscapeUpdater.exe
Token: SeDebugPrivilege	8032	TurmoilscapeUpdater.exe
Token: SeDebugPrivilege	7228	TurmoilscapeUpdater.exe
Token: SeDebugPrivilege	4068	TurmoilscapeUpdater.exe
Token: SeDebugPrivilege	8088	TurmoilscapeUpdater.exe
Token: SeDebugPrivilege	8372	TurmoilscapeUpdater.exe
Token: SeDebugPrivilege	8252	TurmoilscapeUpdater.exe
Token: SeDebugPrivilege	9096	TurmoilscapeUpdater.exe
Token: SeDebugPrivilege	6588	TurmoilscapeUpdater.exe
Token: SeDebugPrivilege	4000	TurmoilscapeUpdater.exe
Token: SeDebugPrivilege	9672	TurmoilscapeUpdater.exe
Token: SeDebugPrivilege	9680	TurmoilscapeUpdater.exe
Token: SeDebugPrivilege	9824	TurmoilscapeUpdater.exe
Token: SeDebugPrivilege	9832	TurmoilscapeUpdater.exe
Token: SeDebugPrivilege	9816	TurmoilscapeUpdater.exe
Token: SeDebugPrivilege	10156	TurmoilscapeUpdater.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5076 wrote to memory of 1736	5076	cmd.exe	90
PID 5076 wrote to memory of 1736	5076	cmd.exe	90
PID 5076 wrote to memory of 1736	5076	cmd.exe	90
PID 1416 wrote to memory of 1080	1416	JaffaCakes118_99180aba4fcef4c831dd34f4c66cd52e.exe	91
PID 1416 wrote to memory of 1080	1416	JaffaCakes118_99180aba4fcef4c831dd34f4c66cd52e.exe	91
PID 1416 wrote to memory of 1080	1416	JaffaCakes118_99180aba4fcef4c831dd34f4c66cd52e.exe	91
PID 2480 wrote to memory of 1664	2480	cmd.exe	93
PID 2480 wrote to memory of 1664	2480	cmd.exe	93
PID 2480 wrote to memory of 1664	2480	cmd.exe	93
PID 1736 wrote to memory of 2716	1736	TurmoilscapeUpdater.exe	98
PID 1736 wrote to memory of 2716	1736	TurmoilscapeUpdater.exe	98
PID 1736 wrote to memory of 2716	1736	TurmoilscapeUpdater.exe	98
PID 1664 wrote to memory of 1184	1664	TurmoilscapeUpdater.exe	103
PID 1664 wrote to memory of 1184	1664	TurmoilscapeUpdater.exe	103
PID 1664 wrote to memory of 1184	1664	TurmoilscapeUpdater.exe	103
PID 1080 wrote to memory of 5072	1080	csc.exe	153
PID 1080 wrote to memory of 5072	1080	csc.exe	153
PID 1080 wrote to memory of 5072	1080	csc.exe	153
PID 4452 wrote to memory of 1232	4452	cmd.exe	107
PID 4452 wrote to memory of 1232	4452	cmd.exe	107
PID 4452 wrote to memory of 1232	4452	cmd.exe	107
PID 1184 wrote to memory of 1632	1184	csc.exe	108
PID 1184 wrote to memory of 1632	1184	csc.exe	108
PID 1184 wrote to memory of 1632	1184	csc.exe	108
PID 1416 wrote to memory of 4844	1416	JaffaCakes118_99180aba4fcef4c831dd34f4c66cd52e.exe	400
PID 1416 wrote to memory of 4844	1416	JaffaCakes118_99180aba4fcef4c831dd34f4c66cd52e.exe	400
PID 1416 wrote to memory of 4844	1416	JaffaCakes118_99180aba4fcef4c831dd34f4c66cd52e.exe	400
PID 1416 wrote to memory of 4844	1416	JaffaCakes118_99180aba4fcef4c831dd34f4c66cd52e.exe	400
PID 1232 wrote to memory of 3284	1232	TurmoilscapeUpdater.exe	286
PID 1232 wrote to memory of 3284	1232	TurmoilscapeUpdater.exe	286
PID 1232 wrote to memory of 3284	1232	TurmoilscapeUpdater.exe	286
PID 2716 wrote to memory of 2472	2716	csc.exe	1504
PID 2716 wrote to memory of 2472	2716	csc.exe	1504
PID 2716 wrote to memory of 2472	2716	csc.exe	1504
PID 1664 wrote to memory of 1568	1664	TurmoilscapeUpdater.exe	421
PID 1664 wrote to memory of 1568	1664	TurmoilscapeUpdater.exe	421
PID 1664 wrote to memory of 1568	1664	TurmoilscapeUpdater.exe	421
PID 1664 wrote to memory of 1568	1664	TurmoilscapeUpdater.exe	421
PID 3284 wrote to memory of 4000	3284	csc.exe	1210
PID 3284 wrote to memory of 4000	3284	csc.exe	1210
PID 3284 wrote to memory of 4000	3284	csc.exe	1210
PID 1736 wrote to memory of 832	1736	TurmoilscapeUpdater.exe	2513
PID 1736 wrote to memory of 832	1736	TurmoilscapeUpdater.exe	2513
PID 1736 wrote to memory of 832	1736	TurmoilscapeUpdater.exe	2513
PID 2260 wrote to memory of 1344	2260	cmd.exe	124
PID 2260 wrote to memory of 1344	2260	cmd.exe	124
PID 2260 wrote to memory of 1344	2260	cmd.exe	124
PID 1736 wrote to memory of 832	1736	TurmoilscapeUpdater.exe	2513
PID 3400 wrote to memory of 4940	3400	cmd.exe	2209
PID 3400 wrote to memory of 4940	3400	cmd.exe	2209
PID 3400 wrote to memory of 4940	3400	cmd.exe	2209
PID 3020 wrote to memory of 116	3020	cmd.exe	2264
PID 3020 wrote to memory of 116	3020	cmd.exe	2264
PID 3020 wrote to memory of 116	3020	cmd.exe	2264
PID 1344 wrote to memory of 4856	1344	TurmoilscapeUpdater.exe	1453
PID 1344 wrote to memory of 4856	1344	TurmoilscapeUpdater.exe	1453
PID 1344 wrote to memory of 4856	1344	TurmoilscapeUpdater.exe	1453
PID 4940 wrote to memory of 2916	4940	TurmoilscapeUpdater.exe	144
PID 4940 wrote to memory of 2916	4940	TurmoilscapeUpdater.exe	144
PID 4940 wrote to memory of 2916	4940	TurmoilscapeUpdater.exe	144
PID 1232 wrote to memory of 1480	1232	TurmoilscapeUpdater.exe	146
PID 1232 wrote to memory of 1480	1232	TurmoilscapeUpdater.exe	146
PID 1232 wrote to memory of 1480	1232	TurmoilscapeUpdater.exe	146
PID 1232 wrote to memory of 1480	1232	TurmoilscapeUpdater.exe	146

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_99180aba4fcef4c831dd34f4c66cd52e.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_99180aba4fcef4c831dd34f4c66cd52e.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1416
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\yoxlxorm.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1080
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES492F.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC492E.tmp"
    3⤵
    PID:5072
- C:\Users\Admin\AppData\Roaming\JaffaCakes118_99180aba4fcef4c831dd34f4c66cd52e.exe
  C:\Users\Admin\AppData\Roaming\JaffaCakes118_99180aba4fcef4c831dd34f4c66cd52e.exe
  2⤵
  - Executes dropped EXE
  PID:4844
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4844 -s 12
    3⤵
    - Program crash
    PID:3260

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:2480
- C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1664
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\eraq0-vy.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1184
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4A68.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC4A67.tmp"
      4⤵
      PID:1632
- - C:\Users\Admin\AppData\Roaming\TurmoilscapeUpdater.exe
    C:\Users\Admin\AppData\Roaming\TurmoilscapeUpdater.exe
    3⤵
    - Executes dropped EXE
    PID:1568
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1568 -s 12
      4⤵
      Program crash
      PID:3820

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:5076
- C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1736
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\u1caqauw.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2716
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4B52.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC4B51.tmp"
      4⤵
      PID:2472
- - C:\Users\Admin\AppData\Roaming\TurmoilscapeUpdater.exe
    C:\Users\Admin\AppData\Roaming\TurmoilscapeUpdater.exe
    3⤵
    - Executes dropped EXE
    PID:832
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 832 -s 12
      4⤵
      Program crash
      PID:2476

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4452
- C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1232
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ppo5-e3o.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3284
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4CAA.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC4CA9.tmp"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4000
- - C:\Users\Admin\AppData\Roaming\TurmoilscapeUpdater.exe
    C:\Users\Admin\AppData\Roaming\TurmoilscapeUpdater.exe
    3⤵
    - Executes dropped EXE
    PID:1480
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1480 -s 12
      4⤵
      Program crash
      PID:4572

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:2260
- C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1344
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\dzrd90_k.cmdline"
    3⤵
    PID:4856
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5499.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC5498.tmp"
      4⤵
      PID:3928
- - C:\Users\Admin\AppData\Roaming\TurmoilscapeUpdater.exe
    C:\Users\Admin\AppData\Roaming\TurmoilscapeUpdater.exe
    3⤵
    - Executes dropped EXE
    PID:4452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:3020
- C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  PID:116
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\rhx7lkie.cmdline"
    3⤵
    PID:3068
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES549A.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC5499.tmp"
      4⤵
      PID:2100
- - C:\Users\Admin\AppData\Roaming\TurmoilscapeUpdater.exe
    C:\Users\Admin\AppData\Roaming\TurmoilscapeUpdater.exe
    3⤵
    - Executes dropped EXE
    PID:4488

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:3400
- C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4940
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\_qna-n8a.cmdline"
    3⤵
    PID:2916
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5489.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC5488.tmp"
      4⤵
      PID:4092
- - C:\Users\Admin\AppData\Roaming\TurmoilscapeUpdater.exe
    C:\Users\Admin\AppData\Roaming\TurmoilscapeUpdater.exe
    3⤵
    - Executes dropped EXE
    PID:5068

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:2020
- C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  PID:4600
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\q97zwz9z.cmdline"
    3⤵
    PID:4584
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES56EB.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC56EA.tmp"
      4⤵
      PID:2328
- - C:\Users\Admin\AppData\Roaming\TurmoilscapeUpdater.exe
    C:\Users\Admin\AppData\Roaming\TurmoilscapeUpdater.exe
    3⤵
    - Executes dropped EXE
    PID:1472

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:1816
- C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  PID:4604
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\vebwxxqn.cmdline"
    3⤵
    PID:872
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5729.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC5728.tmp"
      4⤵
      PID:2540
- - C:\Users\Admin\AppData\Roaming\TurmoilscapeUpdater.exe
    C:\Users\Admin\AppData\Roaming\TurmoilscapeUpdater.exe
    3⤵
    - Executes dropped EXE
    PID:792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 4844 -ip 4844
1⤵
PID:2008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 1568 -ip 1568
1⤵
PID:3780

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 832 -ip 832
1⤵
PID:4092

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:5056
- C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  PID:556
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\o1vv4o89.cmdline"
    3⤵
    PID:2296
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5AC3.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC5AC2.tmp"
      4⤵
      PID:5392
- - C:\Users\Admin\AppData\Roaming\TurmoilscapeUpdater.exe
    C:\Users\Admin\AppData\Roaming\TurmoilscapeUpdater.exe
    3⤵
    - Executes dropped EXE
    PID:4604

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:2484
- C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  PID:1608
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\75s6hhe6.cmdline"
    3⤵
    PID:1932
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5E9C.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC5E9B.tmp"
      4⤵
      PID:4108
- - C:\Users\Admin\AppData\Roaming\TurmoilscapeUpdater.exe
    C:\Users\Admin\AppData\Roaming\TurmoilscapeUpdater.exe
    3⤵
    - Executes dropped EXE
    PID:5716
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5716 -s 12
      4⤵
      Program crash
      PID:6488

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:2160
- C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  PID:968
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\7cmx4cgd.cmdline"
    3⤵
    PID:2500
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5EAB.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC5EAA.tmp"
      4⤵
      PID:3028
- - C:\Users\Admin\AppData\Roaming\TurmoilscapeUpdater.exe
    C:\Users\Admin\AppData\Roaming\TurmoilscapeUpdater.exe
    3⤵
    - Executes dropped EXE
    PID:1700
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1700 -s 12
      4⤵
      Program crash
      PID:6592

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:228
- C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4520
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\bwzeugyo.cmdline"
    3⤵
    PID:5268
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES636E.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC636D.tmp"
      4⤵
      PID:6580
- - C:\Users\Admin\AppData\Roaming\TurmoilscapeUpdater.exe
    C:\Users\Admin\AppData\Roaming\TurmoilscapeUpdater.exe
    3⤵
    - Executes dropped EXE
    PID:7164

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:1700
- C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  PID:1636
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\jwn5fq3n.cmdline"
    3⤵
    PID:2336
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES592D.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC592C.tmp"
      4⤵
      PID:4452
- - C:\Users\Admin\AppData\Roaming\TurmoilscapeUpdater.exe
    C:\Users\Admin\AppData\Roaming\TurmoilscapeUpdater.exe
    3⤵
    - Executes dropped EXE
    PID:6064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:1208
- C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  PID:4216
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\4xpryx1h.cmdline"
    3⤵
    PID:5572
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES640A.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC6409.tmp"
      4⤵
      System Location Discovery: System Language Discovery
      PID:6716
- - C:\Users\Admin\AppData\Roaming\TurmoilscapeUpdater.exe
    C:\Users\Admin\AppData\Roaming\TurmoilscapeUpdater.exe
    3⤵
    - Executes dropped EXE
    PID:720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 1480 -ip 1480
1⤵
PID:4504

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:2332
- C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  PID:4940
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\q0czkuf1.cmdline"
    3⤵
    PID:5256
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6216.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC6215.tmp"
      4⤵
      PID:6292
- - C:\Users\Admin\AppData\Roaming\TurmoilscapeUpdater.exe
    C:\Users\Admin\AppData\Roaming\TurmoilscapeUpdater.exe
    3⤵
    - Executes dropped EXE
    PID:6904
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 6904 -s 12
      4⤵
      Program crash
      PID:3944

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:5072
- C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  PID:4556
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\k_dawkoz.cmdline"
    3⤵
    PID:5356
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES664C.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC664B.tmp"
      4⤵
      PID:7072
- - C:\Users\Admin\AppData\Roaming\TurmoilscapeUpdater.exe
    C:\Users\Admin\AppData\Roaming\TurmoilscapeUpdater.exe
    3⤵
    - Executes dropped EXE
    PID:5372

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:836
- C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  PID:5692
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\6h9im0an.cmdline"
    3⤵
    PID:1228
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES64B6.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC64B5.tmp"
      4⤵
      PID:6800
- - C:\Users\Admin\AppData\Roaming\TurmoilscapeUpdater.exe
    C:\Users\Admin\AppData\Roaming\TurmoilscapeUpdater.exe
    3⤵
    - Executes dropped EXE
    PID:6244

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:1648
- C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  PID:3500
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\c0qpowsr.cmdline"
    3⤵
    PID:5612
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES64F5.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC64F4.tmp"
      4⤵
      PID:6844
- - C:\Users\Admin\AppData\Roaming\TurmoilscapeUpdater.exe
    C:\Users\Admin\AppData\Roaming\TurmoilscapeUpdater.exe
    3⤵
    - Executes dropped EXE
    PID:4684

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:3804
- C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  PID:6044
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\pvphmmft.cmdline"
    3⤵
    PID:5412
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES667B.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC666C.tmp"
      4⤵
      PID:7124
- - C:\Users\Admin\AppData\Roaming\TurmoilscapeUpdater.exe
    C:\Users\Admin\AppData\Roaming\TurmoilscapeUpdater.exe
    3⤵
    - Executes dropped EXE
    PID:5572

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:1068
- C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  PID:1176
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\rrehqoz8.cmdline"
    3⤵
    PID:5464
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES614B.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC613A.tmp"
      4⤵
      PID:4148
- - C:\Users\Admin\AppData\Roaming\TurmoilscapeUpdater.exe
    C:\Users\Admin\AppData\Roaming\TurmoilscapeUpdater.exe
    3⤵
    - Executes dropped EXE
    PID:6864
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 6864 -s 12
      4⤵
      Program crash
      PID:6064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:4900
- C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  PID:5944
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\fwtndaif.cmdline"
    3⤵
    PID:2180
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES667C.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC667A.tmp"
      4⤵
      PID:7140
- - C:\Users\Admin\AppData\Roaming\TurmoilscapeUpdater.exe
    C:\Users\Admin\AppData\Roaming\TurmoilscapeUpdater.exe
    3⤵
    - Executes dropped EXE
    PID:6060

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:3064
- C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  PID:5936
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\xg12ncax.cmdline"
    3⤵
    PID:5168
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES666C.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC666B.tmp"
      4⤵
      PID:7108
- - C:\Users\Admin\AppData\Roaming\TurmoilscapeUpdater.exe
    C:\Users\Admin\AppData\Roaming\TurmoilscapeUpdater.exe
    3⤵
    - Executes dropped EXE
    PID:5952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4488 -ip 4488
1⤵
PID:4520

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:2576
- C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  PID:3284
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\kjcwgc80.cmdline"
    3⤵
    PID:4452
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES66C9.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC66C8.tmp"
      4⤵
      PID:4688
- - C:\Users\Admin\AppData\Roaming\TurmoilscapeUpdater.exe
    C:\Users\Admin\AppData\Roaming\TurmoilscapeUpdater.exe
    3⤵
    - Executes dropped EXE
    PID:7128

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:4892
- C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  PID:6408
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\kjbclqvx.cmdline"
    3⤵
    PID:6668
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6AB1.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC6AB0.tmp"
      4⤵
      PID:1440
- - C:\Users\Admin\AppData\Roaming\TurmoilscapeUpdater.exe
    C:\Users\Admin\AppData\Roaming\TurmoilscapeUpdater.exe
    3⤵
    PID:8100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4452 -ip 4452
1⤵
PID:3984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:4856
- C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  PID:880
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\q7mzzbs6.cmdline"
    3⤵
    PID:6192
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6785.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC6784.tmp"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1896
- - C:\Users\Admin\AppData\Roaming\TurmoilscapeUpdater.exe
    C:\Users\Admin\AppData\Roaming\TurmoilscapeUpdater.exe
    3⤵
    PID:4248

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:3724
- C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  PID:4864
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\yweai6tr.cmdline"
    3⤵
    PID:6168
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6B4E.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC6AFE.tmp"
      4⤵
      PID:6072
- - C:\Users\Admin\AppData\Roaming\TurmoilscapeUpdater.exe
    C:\Users\Admin\AppData\Roaming\TurmoilscapeUpdater.exe
    3⤵
    PID:8092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 5068 -ip 5068
1⤵
PID:1368

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:5144
- C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  PID:6160
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\nsawsnop.cmdline"
    3⤵
    PID:1368
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:1568
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7D6E.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC7D6D.tmp"
      4⤵
      System Location Discovery: System Language Discovery
      PID:8404
- - C:\Users\Admin\AppData\Roaming\TurmoilscapeUpdater.exe
    C:\Users\Admin\AppData\Roaming\TurmoilscapeUpdater.exe
    3⤵
    PID:9620

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:5152
- C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  PID:4148
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\p4vkr-n6.cmdline"
    3⤵
    PID:5196
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7CC2.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC7CC1.tmp"
      4⤵
      PID:3576
- - C:\Users\Admin\AppData\Roaming\TurmoilscapeUpdater.exe
    C:\Users\Admin\AppData\Roaming\TurmoilscapeUpdater.exe
    3⤵
    PID:9764

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:5180
- C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  PID:6464
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\0xg8oncc.cmdline"
    3⤵
    PID:5936
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7CD2.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC7CD1.tmp"
      4⤵
      PID:6280
- - C:\Users\Admin\AppData\Roaming\TurmoilscapeUpdater.exe
    C:\Users\Admin\AppData\Roaming\TurmoilscapeUpdater.exe
    3⤵
    PID:9808

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:5188
- C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  PID:4940
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\wo26fiaw.cmdline"
    3⤵
    PID:4844
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7C65.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC7C64.tmp"
      4⤵
      PID:6256
- - C:\Users\Admin\AppData\Roaming\TurmoilscapeUpdater.exe
    C:\Users\Admin\AppData\Roaming\TurmoilscapeUpdater.exe
    3⤵
    PID:9632

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:5200
- C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  PID:408
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\tx1grzc8.cmdline"
    3⤵
    PID:3096
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7B7A.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC7B79.tmp"
      4⤵
      PID:9192
- - C:\Users\Admin\AppData\Roaming\TurmoilscapeUpdater.exe
    C:\Users\Admin\AppData\Roaming\TurmoilscapeUpdater.exe
    3⤵
    PID:3944

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:5208
- C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  PID:5876
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\x8dh64dl.cmdline"
    3⤵
    PID:7900
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES852F.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC851F.tmp"
      4⤵
      PID:9504
- - C:\Users\Admin\AppData\Roaming\TurmoilscapeUpdater.exe
    C:\Users\Admin\AppData\Roaming\TurmoilscapeUpdater.exe
    3⤵
    PID:11208

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:5220
- C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  PID:968
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\96lzdo6_.cmdline"
    3⤵
    PID:5792
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES77F0.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC77EF.tmp"
      4⤵
      PID:8784
- - C:\Users\Admin\AppData\Roaming\TurmoilscapeUpdater.exe
    C:\Users\Admin\AppData\Roaming\TurmoilscapeUpdater.exe
    3⤵
    PID:6704
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 6704 -s 12
      4⤵
      Program crash
      PID:9608

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:5228
- C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  PID:5728
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\spdxmjiz.cmdline"
    3⤵
    PID:5088
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES783E.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC783D.tmp"
      4⤵
      PID:8832
- - C:\Users\Admin\AppData\Roaming\TurmoilscapeUpdater.exe
    C:\Users\Admin\AppData\Roaming\TurmoilscapeUpdater.exe
    3⤵
    PID:8784
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 8784 -s 12
      4⤵
      Program crash
      PID:9784

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 792 -ip 792
1⤵
PID:5408

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:5432
- C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  PID:6220
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\b6q30pld.cmdline"
    3⤵
    PID:4272
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES77E0.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC77DF.tmp"
      4⤵
      PID:8736
- - C:\Users\Admin\AppData\Roaming\TurmoilscapeUpdater.exe
    C:\Users\Admin\AppData\Roaming\TurmoilscapeUpdater.exe
    3⤵
    PID:4892
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4892 -s 12
      4⤵
      Program crash
      PID:9276

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:5440
- C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  PID:2628
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\xt1lmake.cmdline"
    3⤵
    PID:4684
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES851F.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC851E.tmp"
      4⤵
      PID:8236
- - C:\Users\Admin\AppData\Roaming\TurmoilscapeUpdater.exe
    C:\Users\Admin\AppData\Roaming\TurmoilscapeUpdater.exe
    3⤵
    PID:10864

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:5512
- C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  PID:5776
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\b5nmfkt6.cmdline"
    3⤵
    PID:7888
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES83D8.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC83D7.tmp"
      4⤵
      PID:9996
- - C:\Users\Admin\AppData\Roaming\TurmoilscapeUpdater.exe
    C:\Users\Admin\AppData\Roaming\TurmoilscapeUpdater.exe
    3⤵
    PID:11200

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:5520
- C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  PID:1508
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\lr-kfz6q.cmdline"
    3⤵
    PID:1220
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8500.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC84FF.tmp"
      4⤵
      PID:4216
- - C:\Users\Admin\AppData\Roaming\TurmoilscapeUpdater.exe
    C:\Users\Admin\AppData\Roaming\TurmoilscapeUpdater.exe
    3⤵
    PID:10788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1472 -ip 1472
1⤵
PID:5528

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:5920
- C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  PID:6096
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\xazg-hwe.cmdline"
    3⤵
    PID:8076
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8686.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC8685.tmp"
      4⤵
      System Location Discovery: System Language Discovery
      PID:9172
- - C:\Users\Admin\AppData\Roaming\TurmoilscapeUpdater.exe
    C:\Users\Admin\AppData\Roaming\TurmoilscapeUpdater.exe
    3⤵
    PID:9336

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:5928
- C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  PID:6080
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\qsypqw8d.cmdline"
    3⤵
    PID:7596
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES87A0.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC879F.tmp"
      4⤵
      PID:1368
- - C:\Users\Admin\AppData\Roaming\TurmoilscapeUpdater.exe
    C:\Users\Admin\AppData\Roaming\TurmoilscapeUpdater.exe
    3⤵
    PID:2096

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:6108
- C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  2⤵
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  PID:6404
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\7bqiygq9.cmdline"
    3⤵
    PID:7920
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES83D7.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC83D6.tmp"
      4⤵
      System Location Discovery: System Language Discovery
      PID:9980
- - C:\Users\Admin\AppData\Roaming\TurmoilscapeUpdater.exe
    C:\Users\Admin\AppData\Roaming\TurmoilscapeUpdater.exe
    3⤵
    PID:10368

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:6116
- C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:7552
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\htznxfpb.cmdline"
    3⤵
    PID:3188
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8657.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC8656.tmp"
      4⤵
      PID:6896
- - C:\Users\Admin\AppData\Roaming\TurmoilscapeUpdater.exe
    C:\Users\Admin\AppData\Roaming\TurmoilscapeUpdater.exe
    3⤵
    PID:9348

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:6124
- C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  PID:3176
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\q7wxfyuw.cmdline"
    3⤵
    PID:7656
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7EF5.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC7EF4.tmp"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3248
- - C:\Users\Admin\AppData\Roaming\TurmoilscapeUpdater.exe
    C:\Users\Admin\AppData\Roaming\TurmoilscapeUpdater.exe
    3⤵
    PID:9736

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:6132
- C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  2⤵
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  PID:5072
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ul-5oen-.cmdline"
    3⤵
    PID:7872
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES83E6.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC83E5.tmp"
      4⤵
      PID:10016
- - C:\Users\Admin\AppData\Roaming\TurmoilscapeUpdater.exe
    C:\Users\Admin\AppData\Roaming\TurmoilscapeUpdater.exe
    3⤵
    PID:11164

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 6064 -ip 6064
1⤵
PID:5292

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:5316
- C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  PID:4860
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\c1erktqz.cmdline"
    3⤵
    PID:2480
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7D7F.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC7D7E.tmp"
      4⤵
      PID:8236
- - C:\Users\Admin\AppData\Roaming\TurmoilscapeUpdater.exe
    C:\Users\Admin\AppData\Roaming\TurmoilscapeUpdater.exe
    3⤵
    PID:9884
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 9884 -s 12
      4⤵
      Program crash
      PID:5132

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:5348
- C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  PID:7492
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\kyotkrzw.cmdline"
    3⤵
    PID:1376
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8677.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC8676.tmp"
      4⤵
      PID:5340
- - C:\Users\Admin\AppData\Roaming\TurmoilscapeUpdater.exe
    C:\Users\Admin\AppData\Roaming\TurmoilscapeUpdater.exe
    3⤵
    PID:4908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4604 -ip 4604
1⤵
PID:5620

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:3572
- C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  2⤵
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  PID:8168
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\t1x0zoei.cmdline"
    3⤵
    PID:5392
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES857D.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC857C.tmp"
      4⤵
      PID:2480
- - C:\Users\Admin\AppData\Roaming\TurmoilscapeUpdater.exe
    C:\Users\Admin\AppData\Roaming\TurmoilscapeUpdater.exe
    3⤵
    PID:11152

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:1688
- C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  PID:2704
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\cbzdw7h9.cmdline"
    3⤵
    PID:2264
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7D7E.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC7D7D.tmp"
      4⤵
      PID:2716
- - C:\Users\Admin\AppData\Roaming\TurmoilscapeUpdater.exe
    C:\Users\Admin\AppData\Roaming\TurmoilscapeUpdater.exe
    3⤵
    PID:6572

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 1700 -ip 1700
1⤵
PID:1100

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:1932
- C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  PID:8088
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\tg9teuwy.cmdline"
    3⤵
    PID:8484
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8B88.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC8B87.tmp"
      4⤵
      PID:10764
- - C:\Users\Admin\AppData\Roaming\TurmoilscapeUpdater.exe
    C:\Users\Admin\AppData\Roaming\TurmoilscapeUpdater.exe
    3⤵
    PID:2400

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:2260
- C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  PID:8032
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\irhwp6fa.cmdline"
    3⤵
    PID:8164
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8678.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC8677.tmp"
      4⤵
      PID:6804
- - C:\Users\Admin\AppData\Roaming\TurmoilscapeUpdater.exe
    C:\Users\Admin\AppData\Roaming\TurmoilscapeUpdater.exe
    3⤵
    PID:11188

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:1072
- C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  2⤵
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  PID:4068
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\o8cazbc_.cmdline"
    3⤵
    PID:8320
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8955.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC8954.tmp"
      4⤵
      PID:10204
- - C:\Users\Admin\AppData\Roaming\TurmoilscapeUpdater.exe
    C:\Users\Admin\AppData\Roaming\TurmoilscapeUpdater.exe
    3⤵
    PID:11000

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:2884
- C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  PID:8372
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\seivgrri.cmdline"
    3⤵
    PID:8936
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8C91.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC8C90.tmp"
      4⤵
      PID:11052
- - C:\Users\Admin\AppData\Roaming\TurmoilscapeUpdater.exe
    C:\Users\Admin\AppData\Roaming\TurmoilscapeUpdater.exe
    3⤵
    PID:1040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 5716 -ip 5716
1⤵
PID:532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:6496
- C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  PID:8252
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\vv5ycfzb.cmdline"
    3⤵
    PID:8956
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8BB6.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC8BB5.tmp"
      4⤵
      PID:10816
- - C:\Users\Admin\AppData\Roaming\TurmoilscapeUpdater.exe
    C:\Users\Admin\AppData\Roaming\TurmoilscapeUpdater.exe
    3⤵
    PID:12068

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:6504
- C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  PID:7228
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ko8khk-2.cmdline"
    3⤵
    PID:8496
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8917.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC8916.tmp"
      4⤵
      PID:2784
- - C:\Users\Admin\AppData\Roaming\TurmoilscapeUpdater.exe
    C:\Users\Admin\AppData\Roaming\TurmoilscapeUpdater.exe
    3⤵
    PID:9812

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 6864 -ip 6864
1⤵
PID:7000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 6904 -ip 6904
1⤵
PID:7008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 7164 -ip 7164
1⤵
PID:1440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 720 -ip 720
1⤵
PID:2632

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:2068
- C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  PID:4000
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\39dstfnl.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:9564
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8D8B.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC8D7B.tmp"
      4⤵
      PID:9736
- - C:\Users\Admin\AppData\Roaming\TurmoilscapeUpdater.exe
    C:\Users\Admin\AppData\Roaming\TurmoilscapeUpdater.exe
    3⤵
    PID:11408

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:5848
- C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:9832
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\o1e9brj9.cmdline"
    3⤵
    PID:3592
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA559.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCA558.tmp"
      4⤵
      PID:14672
- - C:\Users\Admin\AppData\Roaming\TurmoilscapeUpdater.exe
    C:\Users\Admin\AppData\Roaming\TurmoilscapeUpdater.exe
    3⤵
    PID:9612

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:5956
- C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  2⤵
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  PID:9096
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\frattjic.cmdline"
    3⤵
    PID:6592
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES89E2.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC89E1.tmp"
      4⤵
      PID:10244
- - C:\Users\Admin\AppData\Roaming\TurmoilscapeUpdater.exe
    C:\Users\Admin\AppData\Roaming\TurmoilscapeUpdater.exe
    3⤵
    PID:11452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:5256
- C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  PID:9672
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\hi7mcjgq.cmdline"
    3⤵
    PID:9164
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA55A.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCA559.tmp"
      4⤵
      PID:14688
- - C:\Users\Admin\AppData\Roaming\TurmoilscapeUpdater.exe
    C:\Users\Admin\AppData\Roaming\TurmoilscapeUpdater.exe
    3⤵
    PID:9908

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:5844
- C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  2⤵
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  PID:10156
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ixspzhh9.cmdline"
    3⤵
    PID:7660
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA5A7.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCA5A6.tmp"
      4⤵
      PID:14812
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 14812 -s 280
        5⤵
        Program crash
        
        PID:6552
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
    dw20.exe -x -s 916
    3⤵
    - Enumerates system info in registry
    PID:5284

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:6836
- C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  2⤵
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  PID:9680
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\53q0dm2-.cmdline"
    3⤵
    PID:10216
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA53A.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCA539.tmp"
      4⤵
      PID:14652
- - C:\Users\Admin\AppData\Roaming\TurmoilscapeUpdater.exe
    C:\Users\Admin\AppData\Roaming\TurmoilscapeUpdater.exe
    3⤵
    PID:15304
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 15304 -s 12
      4⤵
      Program crash
      PID:1180

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 6244 -ip 6244
1⤵
PID:1540

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:2556
- C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  2⤵
  PID:10576
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\sn6g_ua6.cmdline"
    3⤵
    PID:10020
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:1368
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC063.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCC062.tmp"
      4⤵
      PID:6724
- - C:\Users\Admin\AppData\Roaming\TurmoilscapeUpdater.exe
    C:\Users\Admin\AppData\Roaming\TurmoilscapeUpdater.exe
    3⤵
    PID:13556

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:1328
- C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  PID:9824
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\uiisfxfk.cmdline"
    3⤵
    PID:10172
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:3096
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES95A9.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC95A8.tmp"
      4⤵
      PID:11412
- - C:\Users\Admin\AppData\Roaming\TurmoilscapeUpdater.exe
    C:\Users\Admin\AppData\Roaming\TurmoilscapeUpdater.exe
    3⤵
    PID:932
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 932 -s 12
      4⤵
      Program crash
      PID:14892

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:436
- C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  PID:6588
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\oqb4_huz.cmdline"
    3⤵
    PID:6664
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8C82.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC8C81.tmp"
      4⤵
      PID:11036
- - C:\Users\Admin\AppData\Roaming\TurmoilscapeUpdater.exe
    C:\Users\Admin\AppData\Roaming\TurmoilscapeUpdater.exe
    3⤵
    PID:12740

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:1308
- C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  PID:9816
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\z0fpgkvs.cmdline"
    3⤵
    PID:8328
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA55B.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCA55A.tmp"
      4⤵
      PID:14716
- - C:\Users\Admin\AppData\Roaming\TurmoilscapeUpdater.exe
    C:\Users\Admin\AppData\Roaming\TurmoilscapeUpdater.exe
    3⤵
    PID:14628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 4684 -ip 4684
1⤵
PID:6720

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:5768
- C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  2⤵
  - Suspicious use of SetThreadContext
  PID:8756
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\drdjk0ve.cmdline"
    3⤵
    PID:5560
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA4DC.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCA4DB.tmp"
      4⤵
      PID:14600
- - C:\Users\Admin\AppData\Roaming\TurmoilscapeUpdater.exe
    C:\Users\Admin\AppData\Roaming\TurmoilscapeUpdater.exe
    3⤵
    PID:15296

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:7096
- C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:6848
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\vzs6usmy.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:10288
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA70E.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCA70D.tmp"
      4⤵
      PID:15028
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
    dw20.exe -x -s 920
    3⤵
    - Enumerates system info in registry
    PID:6536

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:2328
- C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  2⤵
  PID:10524
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ntzfmjqx.cmdline"
    3⤵
    PID:11232
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA7E9.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCA7D9.tmp"
      4⤵
      PID:15156
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
    dw20.exe -x -s 944
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    PID:6736

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:5852
- C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  2⤵
  PID:10416
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\orsxy6cv.cmdline"
    3⤵
    PID:2728
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB249.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCB248.tmp"
      4⤵
      PID:952
- - C:\Users\Admin\AppData\Roaming\TurmoilscapeUpdater.exe
    C:\Users\Admin\AppData\Roaming\TurmoilscapeUpdater.exe
    3⤵
    PID:14384

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:6608
- C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:10796
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\nkhp2sw7.cmdline"
    3⤵
    PID:9272
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAD96.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCAD95.tmp"
      4⤵
      PID:14664
- - C:\Users\Admin\AppData\Roaming\TurmoilscapeUpdater.exe
    C:\Users\Admin\AppData\Roaming\TurmoilscapeUpdater.exe
    3⤵
    PID:9864

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:2436
- C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  2⤵
  PID:10516
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\-q5lb5ju.cmdline"
    3⤵
    PID:10384
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
    dw20.exe -x -s 936
    3⤵
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Enumerates system info in registry
    PID:6992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 5572 -ip 5572
1⤵
PID:1908

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:540
- C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  2⤵
  PID:9132
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\zxhpem0b.cmdline"
    3⤵
    PID:7884
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBAA6.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCBA67.tmp"
      4⤵
      PID:6952
- - C:\Users\Admin\AppData\Roaming\TurmoilscapeUpdater.exe
    C:\Users\Admin\AppData\Roaming\TurmoilscapeUpdater.exe
    3⤵
    PID:6812

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:6892
- C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  2⤵
  PID:10408
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\3rvxigtg.cmdline"
    3⤵
    PID:3448
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
    dw20.exe -x -s 924
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    PID:408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 6060 -ip 6060
1⤵
PID:3844

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 5372 -ip 5372
1⤵
PID:4116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 7128 -ip 7128
1⤵
PID:5612

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:2332
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:7164
- C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  2⤵
  PID:10544
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\uefwjkzz.cmdline"
    3⤵
    PID:11004
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
    dw20.exe -x -s 944
    3⤵
    - Enumerates system info in registry
    PID:1328

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:4004
- C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  2⤵
  PID:6148
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\bx9dgrvn.cmdline"
    3⤵
    PID:7492
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
    dw20.exe -x -s 956
    3⤵
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Enumerates system info in registry
    PID:7160

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:5244
- C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  2⤵
  PID:5376
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\94rtnuth.cmdline"
    3⤵
    PID:10996
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB8C2.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCB8C1.tmp"
      4⤵
      System Location Discovery: System Language Discovery
      PID:5616
- - C:\Users\Admin\AppData\Roaming\TurmoilscapeUpdater.exe
    C:\Users\Admin\AppData\Roaming\TurmoilscapeUpdater.exe
    3⤵
    PID:5360

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:3524
- C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  2⤵
  PID:11316
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\7mtp_0vn.cmdline"
    3⤵
    PID:6780
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC0EF.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCC0EE.tmp"
      4⤵
      PID:12824
- - C:\Users\Admin\AppData\Roaming\TurmoilscapeUpdater.exe
    C:\Users\Admin\AppData\Roaming\TurmoilscapeUpdater.exe
    3⤵
    PID:10708

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 680 -p 5952 -ip 5952
1⤵
PID:1556

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:6044
- C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  2⤵
  PID:10348
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ix3qjacy.cmdline"
    3⤵
    PID:7508
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
    dw20.exe -x -s 836
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    PID:5220

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:6012
- C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  2⤵
  PID:10400
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\f5cvznaz.cmdline"
    3⤵
    PID:11260
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB363.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCB352.tmp"
      4⤵
      PID:7768
- - C:\Users\Admin\AppData\Roaming\TurmoilscapeUpdater.exe
    C:\Users\Admin\AppData\Roaming\TurmoilscapeUpdater.exe
    3⤵
    PID:15196

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4248 -ip 4248
1⤵
PID:7036

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:1988
- C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  2⤵
  - Adds Run key to start application
  PID:10596
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ux_6ekg_.cmdline"
    3⤵
    PID:9388
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
    dw20.exe -x -s 944
    3⤵
    - Enumerates system info in registry
    PID:14328

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:3088
- C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  2⤵
  PID:10300
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\axmkvywb.cmdline"
    3⤵
    PID:2500
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAFC9.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCAFC8.tmp"
      4⤵
      PID:4000
- - C:\Users\Admin\AppData\Roaming\TurmoilscapeUpdater.exe
    C:\Users\Admin\AppData\Roaming\TurmoilscapeUpdater.exe
    3⤵
    PID:6884

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:7388
- C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  2⤵
  - Adds Run key to start application
  PID:6180
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\d74fswmv.cmdline"
    3⤵
    PID:5348
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC2A5.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCC2A4.tmp"
      4⤵
      PID:6256
- - C:\Users\Admin\AppData\Roaming\TurmoilscapeUpdater.exe
    C:\Users\Admin\AppData\Roaming\TurmoilscapeUpdater.exe
    3⤵
    PID:11628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:7396
- C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  2⤵
  PID:7472
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\lofpoqnm.cmdline"
    3⤵
    PID:6668
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
    dw20.exe -x -s 836
    3⤵
    PID:13896

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:7428
- C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  2⤵
  PID:12216
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\f4m-dhel.cmdline"
    3⤵
    PID:12756
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC266.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCC265.tmp"
      4⤵
      PID:2488
- - C:\Users\Admin\AppData\Roaming\TurmoilscapeUpdater.exe
    C:\Users\Admin\AppData\Roaming\TurmoilscapeUpdater.exe
    3⤵
    PID:13172

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:7436
- C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:7732
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\q5duzwez.cmdline"
    3⤵
    PID:11604
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBEFB.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCBEFA.tmp"
      4⤵
      PID:10392
- - C:\Users\Admin\AppData\Roaming\TurmoilscapeUpdater.exe
    C:\Users\Admin\AppData\Roaming\TurmoilscapeUpdater.exe
    3⤵
    PID:10804

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:7564
- C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1548
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\207nxdlr.cmdline"
    3⤵
    PID:11540
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
    dw20.exe -x -s 844
    3⤵
    - Checks processor information in registry
    PID:14668

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:7572
- C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  2⤵
  PID:8996
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\-wxlhqst.cmdline"
    3⤵
    PID:11964
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC287.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCC286.tmp"
      4⤵
      PID:3516
- - C:\Users\Admin\AppData\Roaming\TurmoilscapeUpdater.exe
    C:\Users\Admin\AppData\Roaming\TurmoilscapeUpdater.exe
    3⤵
    PID:7216

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:7620
- C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  2⤵
  - Adds Run key to start application
  PID:12232
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\esm_wc4f.cmdline"
    3⤵
    PID:12508
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC39F.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCC38F.tmp"
      4⤵
      PID:4896
- - C:\Users\Admin\AppData\Roaming\TurmoilscapeUpdater.exe
    C:\Users\Admin\AppData\Roaming\TurmoilscapeUpdater.exe
    3⤵
    PID:6724

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:7628
- C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  2⤵
  PID:10864
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ddiiaih-.cmdline"
    3⤵
    PID:11628
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBEEC.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCBEEB.tmp"
      4⤵
      PID:2500
- - C:\Users\Admin\AppData\Roaming\TurmoilscapeUpdater.exe
    C:\Users\Admin\AppData\Roaming\TurmoilscapeUpdater.exe
    3⤵
    PID:5100

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:7672
- C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  2⤵
  - Adds Run key to start application
  PID:5624
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\rkzo92fg.cmdline"
    3⤵
    PID:11864
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBE50.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCBE4F.tmp"
      4⤵
      PID:10116
- - C:\Users\Admin\AppData\Roaming\TurmoilscapeUpdater.exe
    C:\Users\Admin\AppData\Roaming\TurmoilscapeUpdater.exe
    3⤵
    PID:12100

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:7684
- C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  2⤵
  PID:8276
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\wx4fm1cc.cmdline"
    3⤵
    PID:11972
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB8E1.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCB8E0.tmp"
      4⤵
      PID:9784
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
    dw20.exe -x -s 944
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    PID:9916

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:7700
- C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5156
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\4otndrdj.cmdline"
    3⤵
    PID:4452
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB17E.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCB17D.tmp"
      4⤵
      PID:14708
- - C:\Users\Admin\AppData\Roaming\TurmoilscapeUpdater.exe
    C:\Users\Admin\AppData\Roaming\TurmoilscapeUpdater.exe
    3⤵
    PID:6536

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:7708
- C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  2⤵
  PID:8940
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\zhco_ljq.cmdline"
    3⤵
    PID:11920
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
    dw20.exe -x -s 960
    3⤵
    - Enumerates system info in registry
    PID:1392

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:8040
- C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  2⤵
  PID:12224
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\skcqlkpp.cmdline"
    3⤵
    PID:10200
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC48A.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCC489.tmp"
      4⤵
      PID:13048
- - C:\Users\Admin\AppData\Roaming\TurmoilscapeUpdater.exe
    C:\Users\Admin\AppData\Roaming\TurmoilscapeUpdater.exe
    3⤵
    PID:8652

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:8048
- C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  2⤵
  PID:11480
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\zsanqb46.cmdline"
    3⤵
    PID:7588

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:8108
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:6060
- C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  2⤵
  - Adds Run key to start application
  PID:8364
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\i8wcdfcn.cmdline"
    3⤵
    PID:12248
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC082.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCC081.tmp"
      4⤵
      PID:13440
- - C:\Users\Admin\AppData\Roaming\TurmoilscapeUpdater.exe
    C:\Users\Admin\AppData\Roaming\TurmoilscapeUpdater.exe
    3⤵
    PID:4420

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:8116
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:5372
- C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  2⤵
  PID:6820
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\00k3lbbm.cmdline"
    3⤵
    PID:11724
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBA96.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCBA57.tmp"
      4⤵
      PID:14576
- - C:\Users\Admin\AppData\Roaming\TurmoilscapeUpdater.exe
    C:\Users\Admin\AppData\Roaming\TurmoilscapeUpdater.exe
    3⤵
    PID:6276

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 668 -p 8092 -ip 8092
1⤵
PID:7228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 8100 -ip 8100
1⤵
PID:6188

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:3596
- C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  2⤵
  PID:8680
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\lodbwssq.cmdline"
    3⤵
    PID:11672
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
    dw20.exe -x -s 868
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    PID:7064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:7756
- C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  2⤵
  PID:11932
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\np6cqutm.cmdline"
    3⤵
    PID:12060
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC072.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCC071.tmp"
      4⤵
      PID:6636
- - C:\Users\Admin\AppData\Roaming\TurmoilscapeUpdater.exe
    C:\Users\Admin\AppData\Roaming\TurmoilscapeUpdater.exe
    3⤵
    PID:14140

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:7856
- C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  2⤵
  PID:11300
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\lh96u2lp.cmdline"
    3⤵
    PID:12360
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
    dw20.exe -x -s 848
    3⤵
    - Enumerates system info in registry
    PID:6024

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:7860
- C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  2⤵
  - Adds Run key to start application
  PID:10812
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\q2gcu-i7.cmdline"
    3⤵
    PID:11824
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBAA7.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCBA76.tmp"
      4⤵
      PID:3516
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
    dw20.exe -x -s 984
    3⤵
    - Enumerates system info in registry
    PID:9376

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:8280
- C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  2⤵
  PID:6772
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\nm35aqj8.cmdline"
    3⤵
    PID:14908

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:8288
- C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  2⤵
  PID:12476
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\vpbra2_z.cmdline"
    3⤵
    PID:712
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC0F0.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCC0EF.tmp"
      4⤵
      System Location Discovery: System Language Discovery
      PID:5284
- - C:\Users\Admin\AppData\Roaming\TurmoilscapeUpdater.exe
    C:\Users\Admin\AppData\Roaming\TurmoilscapeUpdater.exe
    3⤵
    PID:11544

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:8296
- C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  2⤵
  - Adds Run key to start application
  PID:11192
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\qytcwhj9.cmdline"
    3⤵
    PID:11800
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
    dw20.exe -x -s 936
    3⤵
    - Enumerates system info in registry
    PID:7964

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:8304
- C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  2⤵
  PID:13360
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\n9ijvbsr.cmdline"
    3⤵
    PID:6816
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
    dw20.exe -x -s 960
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    PID:8404

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:8340
- C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  2⤵
  PID:6112
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\0noeajpc.cmdline"
    3⤵
    PID:12872
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC286.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCC285.tmp"
      4⤵
      PID:5664
- - C:\Users\Admin\AppData\Roaming\TurmoilscapeUpdater.exe
    C:\Users\Admin\AppData\Roaming\TurmoilscapeUpdater.exe
    3⤵
    PID:14640

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:8348
- C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  2⤵
  PID:8592
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\zxccnfv-.cmdline"
    3⤵
    PID:12908
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC276.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCC275.tmp"
      4⤵
      PID:12544
- - C:\Users\Admin\AppData\Roaming\TurmoilscapeUpdater.exe
    C:\Users\Admin\AppData\Roaming\TurmoilscapeUpdater.exe
    3⤵
    PID:9496

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:8688
- C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:12708
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\40ymdhtk.cmdline"
    3⤵
    PID:13448
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC499.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCC498.tmp"
      4⤵
      PID:6624
- - C:\Users\Admin\AppData\Roaming\TurmoilscapeUpdater.exe
    C:\Users\Admin\AppData\Roaming\TurmoilscapeUpdater.exe
    3⤵
    PID:5860

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:8696
- C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  2⤵
  - Adds Run key to start application
  PID:12484
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\x01xl7tp.cmdline"
    3⤵
    PID:5512
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
    dw20.exe -x -s 872
    3⤵
    - Enumerates system info in registry
    PID:12160

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:8792
- C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  2⤵
  PID:12596
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\s7xa_ra5.cmdline"
    3⤵
    PID:12184
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC38F.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCC38E.tmp"
      4⤵
      PID:8
- - C:\Users\Admin\AppData\Roaming\TurmoilscapeUpdater.exe
    C:\Users\Admin\AppData\Roaming\TurmoilscapeUpdater.exe
    3⤵
    PID:6624

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:8800
- C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  2⤵
  - Adds Run key to start application
  PID:11256
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\llwktury.cmdline"
    3⤵
    PID:11152
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC073.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCC072.tmp"
      4⤵
      PID:6604
- - C:\Users\Admin\AppData\Roaming\TurmoilscapeUpdater.exe
    C:\Users\Admin\AppData\Roaming\TurmoilscapeUpdater.exe
    3⤵
    PID:9984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:2204
- C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  2⤵
  - Adds Run key to start application
  PID:12392
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ejkiw4yj.cmdline"
    3⤵
    PID:13500
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
    dw20.exe -x -s 844
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    PID:15192

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:5016
- C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:13368
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\bvjtojxx.cmdline"
    3⤵
    PID:4600
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC3FD.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCC3FC.tmp"
      4⤵
      PID:15040
- - C:\Users\Admin\AppData\Roaming\TurmoilscapeUpdater.exe
    C:\Users\Admin\AppData\Roaming\TurmoilscapeUpdater.exe
    3⤵
    PID:8

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 6704 -ip 6704
1⤵
PID:5716

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 4892 -ip 4892
1⤵
PID:5792

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:8264
- C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  2⤵
  - Adds Run key to start application
  PID:13328
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\5feqwjig.cmdline"
    3⤵
    PID:14056
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
    dw20.exe -x -s 868
    3⤵
    - Enumerates system info in registry
    PID:14880

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:64
- C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  2⤵
  PID:13352
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\c7tehryc.cmdline"
    3⤵
    PID:13484
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC0FF.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCC0FE.tmp"
      4⤵
      PID:7116
- - C:\Users\Admin\AppData\Roaming\TurmoilscapeUpdater.exe
    C:\Users\Admin\AppData\Roaming\TurmoilscapeUpdater.exe
    3⤵
    PID:8540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 676 -p 8784 -ip 8784
1⤵
PID:4888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:5688
- C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:13336
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\c9zxvz5s.cmdline"
    3⤵
    PID:14104
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
    dw20.exe -x -s 960
    3⤵
    PID:14100

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:5728
- C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  2⤵
  PID:13344
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\sellvcem.cmdline"
    3⤵
    PID:14136
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
    dw20.exe -x -s 960
    3⤵
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Enumerates system info in registry
    PID:6416

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 3944 -ip 3944
1⤵
PID:9412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 9632 -ip 9632
1⤵
PID:9840

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:10024
- C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  2⤵
  PID:14984
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\7rpqgysk.cmdline"
    3⤵
    PID:15272
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC370.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCC36F.tmp"
      4⤵
      PID:11472
- - C:\Users\Admin\AppData\Roaming\TurmoilscapeUpdater.exe
    C:\Users\Admin\AppData\Roaming\TurmoilscapeUpdater.exe
    3⤵
    PID:9156

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:10032
- C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:15228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 9764 -ip 9764
1⤵
PID:10068

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:10104
- C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  2⤵
  PID:11500
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\jzw4jtqp.cmdline"
    3⤵
    PID:13856
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC489.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCC488.tmp"
      4⤵
      PID:7128
- - C:\Users\Admin\AppData\Roaming\TurmoilscapeUpdater.exe
    C:\Users\Admin\AppData\Roaming\TurmoilscapeUpdater.exe
    3⤵
    PID:15016

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:10116
- C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  2⤵
  PID:15244

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:10128
- C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  2⤵
  PID:15128
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 15128 -s 152
    3⤵
    - Program crash
    PID:14700

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:10136
- C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  2⤵
  PID:15148

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:10184
- C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  2⤵
  PID:15204
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 15204 -s 236
    3⤵
    - Program crash
    PID:4692

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:10192
- C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  2⤵
  PID:14248
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\i9436apl.cmdline"
    3⤵
    PID:14880
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
    dw20.exe -x -s 836
    3⤵
    PID:5568

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 9620 -ip 9620
1⤵
PID:10228

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:6740

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:5860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 9808 -ip 9808
1⤵
PID:9196

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 9884 -ip 9884
1⤵
PID:4392

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:7304
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:6160
- C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  2⤵
  PID:1996

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:9976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 668 -p 9736 -ip 9736
1⤵
PID:9392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 6572 -ip 6572
1⤵
PID:9084

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:4860
- C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  2⤵
  PID:14996

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:3244
- C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  2⤵
  PID:15244
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
    dw20.exe -x -s 840
    3⤵
    PID:14588

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:5448

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:4108
- C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  2⤵
  PID:5908

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:10560

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:10568
- C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  2⤵
  PID:15300
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\l780m4mk.cmdline"
    3⤵
    PID:15288

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 10368 -ip 10368
1⤵
PID:10588

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:10872
- C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  2⤵
  PID:1780

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:10880
- C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  2⤵
  - Adds Run key to start application
  PID:11988
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\2-swtjei.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:15008

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:10888
- C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  2⤵
  - Adds Run key to start application
  PID:6552
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\qaznrcmu.cmdline"
    3⤵
    PID:2032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:10896
- C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  2⤵
  PID:11200
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\kaaoor0q.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:6804

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:10904
- C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  2⤵
  PID:10944

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:10912
- C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  2⤵
  - Adds Run key to start application
  PID:7272
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\lsadeplb.cmdline"
    3⤵
    PID:7600

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:10928
- C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  2⤵
  PID:4372
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\khkjgsaw.cmdline"
    3⤵
    PID:2884
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4488

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:10936
- C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  2⤵
  - Adds Run key to start application
  PID:2936
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\udjq4fmu.cmdline"
    3⤵
    PID:5196

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:10972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:10980
- C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  2⤵
  PID:4000
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\mmkj5km7.cmdline"
    3⤵
    PID:14556
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD2E1.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCD2E0.tmp"
      4⤵
      PID:12184

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:9328
- C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  2⤵
  PID:15268
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\kb3umvnq.cmdline"
    3⤵
    PID:3808

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:1856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 10864 -ip 10864
1⤵
PID:6464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 10788 -ip 10788
1⤵
PID:7924

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:5700
- C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:11868

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:5476
- C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  2⤵
  PID:5204
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\q3jyfp40.cmdline"
    3⤵
    PID:8536

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:4984
- C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  2⤵
  PID:5568
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\iyrgjffo.cmdline"
    3⤵
    PID:12784

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:9352

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:9768
- C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  2⤵
  - Adds Run key to start application
  PID:12176
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\9kyyyyz6.cmdline"
    3⤵
    PID:15344

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:10336
- C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  2⤵
  PID:2828

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:9996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 11152 -ip 11152
1⤵
PID:5600

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:6332
- C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  2⤵
  PID:15692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 11188 -ip 11188
1⤵
PID:10812

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:7872
- C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  2⤵
  PID:9420
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\dp5mdvo4.cmdline"
    3⤵
    PID:10996

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:7888

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 11200 -ip 11200
1⤵
PID:11252

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 11208 -ip 11208
1⤵
PID:7280

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:3756

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:5720

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:5072
- C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  2⤵
  PID:2328

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:4796
- C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  2⤵
  PID:1376
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\gz2yyf4f.cmdline"
    3⤵
    PID:14960
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
    dw20.exe -x -s 976
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    PID:15824

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 11164 -ip 11164
1⤵
PID:9324

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:6056
- C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  2⤵
  PID:8584
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\1zl694fl.cmdline"
    3⤵
    PID:4132

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:1768
- C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  2⤵
  - Adds Run key to start application
  PID:14476
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\z49pzbqm.cmdline"
    3⤵
    PID:5588

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:6464
- C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  2⤵
  PID:13316
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
    dw20.exe -x -s 788
    3⤵
    - Enumerates system info in registry
    PID:16220

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:9380
- C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  2⤵
  PID:14004
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\f9qvolqd.cmdline"
    3⤵
    PID:14604
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
    dw20.exe -x -s 944
    3⤵
    - System Location Discovery: System Language Discovery
    - Enumerates system info in registry
    PID:16292

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 4908 -ip 4908
1⤵
PID:7648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 9348 -ip 9348
1⤵
PID:920

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:8500
- C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  2⤵
  PID:13880
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\1hvhvzgp.cmdline"
    3⤵
    PID:12312

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:7908
- C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  2⤵
  PID:15032
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\45hss85p.cmdline"
    3⤵
    PID:8588

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 9336 -ip 9336
1⤵
PID:7128

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:11188
- C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  2⤵
  PID:8592

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:9736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 2096 -ip 2096
1⤵
PID:1416

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 11000 -ip 11000
1⤵
PID:11492

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:11516
- C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  2⤵
  PID:11316

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:11524

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:11556
- C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  2⤵
  - Adds Run key to start application
  PID:11608
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\xiy0b4po.cmdline"
    3⤵
    PID:14576
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:12060

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:11564
- C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  2⤵
  PID:2472

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:11576
- C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  2⤵
  PID:8904

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:11584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:11640
- C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  2⤵
  PID:7016

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:11648
- C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  2⤵
  PID:1984
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\tu0rx0ak.cmdline"
    3⤵
    PID:3996

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:11684
- C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  2⤵
  PID:12528
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\dwneebau.cmdline"
    3⤵
    PID:10788
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
    dw20.exe -x -s 928
    3⤵
    - Enumerates system info in registry
    PID:16304

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:11692
- C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:11700
- C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  2⤵
  PID:14280

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:11708
- C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  2⤵
  PID:4176

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:11760
- C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  2⤵
  PID:2000
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
    dw20.exe -x -s 848
    3⤵
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Enumerates system info in registry
    PID:16000

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:11768
- C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  2⤵
  PID:8028
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
    dw20.exe -x -s 920
    3⤵
    PID:15672

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:11776
- C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  2⤵
  PID:4832
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\_xjkda7y.cmdline"
    3⤵
    PID:12492

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:11784

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:11880
- C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  2⤵
  PID:11328

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:11888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:11896
- C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  2⤵
  PID:13324

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:11904
- C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  2⤵
  - Adds Run key to start application
  PID:11512
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\4jnnu38z.cmdline"
    3⤵
    PID:13636

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:12196

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:12204
- C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  2⤵
  PID:8440

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:11040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:11032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 696 -p 2400 -ip 2400
1⤵
PID:8708

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:8808
- C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  2⤵
  PID:14192

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:5144
- C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  2⤵
  PID:3348

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:11600
- C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  2⤵
  PID:9428
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\68bluxah.cmdline"
    3⤵
    PID:15352

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:11720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 712 -p 9812 -ip 9812
1⤵
PID:5784

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 1040 -ip 1040
1⤵
PID:9160

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 11452 -ip 11452
1⤵
PID:9148

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:11732
- C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  2⤵
  PID:5576
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
    dw20.exe -x -s 872
    3⤵
    - Checks processor information in registry
    PID:15944

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:12296
- C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  2⤵
  PID:8312
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
    dw20.exe -x -s 936
    3⤵
    - Checks processor information in registry
    PID:16312

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:12332

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:12340
- C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  2⤵
  - Adds Run key to start application
  PID:6728
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
    dw20.exe -x -s 876
    3⤵
    - Checks processor information in registry
    PID:15684

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:12372
- C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  2⤵
  PID:7328
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
    dw20.exe -x -s 936
    3⤵
    - Enumerates system info in registry
    PID:16380

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:12380
- C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  2⤵
  PID:13060
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\edkj2elf.cmdline"
    3⤵
    PID:9072

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:12832
- C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  2⤵
  PID:5448

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:12840

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:12848
- C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  2⤵
  PID:14988

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:12856
- C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  2⤵
  PID:4516

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:13064
- C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  2⤵
  PID:5228
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\e9cw9goz.cmdline"
    3⤵
    PID:15412

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:13072
- C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  2⤵
  PID:5464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:13080
- C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  2⤵
  PID:1100
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\sfsblz6s.cmdline"
    3⤵
    PID:8492

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:13096
- C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:6768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 12068 -ip 12068
1⤵
PID:13128

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:13280
- C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  2⤵
  - Adds Run key to start application
  PID:12136
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
    dw20.exe -x -s 924
    3⤵
    - System Location Discovery: System Language Discovery
    - Enumerates system info in registry
    PID:15888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:13288
- C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  2⤵
  - Adds Run key to start application
  PID:1068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 11408 -ip 11408
1⤵
PID:5460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 12740 -ip 12740
1⤵
PID:12632

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:12452
- C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  2⤵
  PID:13984
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
    dw20.exe -x -s 836
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    PID:16200

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:9336

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:12000
- C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  2⤵
  - Adds Run key to start application
  PID:10820

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:11456
- C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  2⤵
  PID:7144

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:13400
- C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4708
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\dh3d32--.cmdline"
    3⤵
    PID:4116

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:13408
- C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  2⤵
  PID:14764

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:13416
- C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  2⤵
  - Adds Run key to start application
  PID:2988
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
    dw20.exe -x -s 872
    3⤵
    PID:16324

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:13424
- C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  2⤵
  PID:12812

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:13780

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:13788

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:14008
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:9812
- C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  2⤵
  PID:4976
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\jteszlga.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:12424

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:14016

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:14028
- C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  2⤵
  PID:8232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:14036
- C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  2⤵
  - Adds Run key to start application
  PID:9084

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:14072

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:14080

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:14092

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:14116
- C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  2⤵
  PID:4856

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:14156
- C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  2⤵
  PID:5460
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\oql2zkgw.cmdline"
    3⤵
    PID:11340

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:14164
- C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  2⤵
  PID:8452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:14172
- C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  2⤵
  PID:1504
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\wuolpull.cmdline"
    3⤵
    PID:388

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:14180
- C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  2⤵
  PID:11412
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\sokhyjyw.cmdline"
    3⤵
    PID:9652

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 932 -ip 932
1⤵
PID:6916

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:14704

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:14724

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:14736
- C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  2⤵
  PID:9196
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\os3oum9r.cmdline"
    3⤵
    PID:7408

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:14744
- C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
  2⤵
  - Adds Run key to start application
  PID:10508

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:15168

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:15176

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 684 -p 15128 -ip 15128
1⤵
PID:15352

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 15296 -ip 15296
1⤵
PID:5300

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 9908 -ip 9908
1⤵
PID:14680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 14628 -ip 14628
1⤵
PID:6320

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 548 -p 12388 -ip 12388
1⤵
PID:9980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 15204 -ip 15204
1⤵
PID:6612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 684 -p 6668 -ip 6668
1⤵
PID:11232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 9864 -ip 9864
1⤵
PID:14600

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 684 -p 12360 -ip 12360
1⤵
PID:14356

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 3448 -ip 3448
1⤵
PID:14580

C:\Windows\System32\sihclient.exe
C:\Windows\System32\sihclient.exe /cv dWgwqEegKEu/rdlWEnMzpA.0.2
1⤵
PID:2704

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 7508 -ip 7508
1⤵
PID:8588

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 696 -p 6536 -ip 6536
1⤵
PID:10704

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 14384 -ip 14384
1⤵
PID:1384

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:11928

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:5976

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:15172

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:12584

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 708 -p 15196 -ip 15196
1⤵
PID:10536

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:11108

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:15140

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:14820

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:6500

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:8528

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:14840

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:14340

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:11252

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:3944

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:13560

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:11956

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:6800

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:10148

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:5668

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:8260
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:6244

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:6808

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:7308

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:11892

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:9456

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:9372

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:11992
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3028

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:2880

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:6580

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:7656

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:8176

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:10488

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:11032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:7504
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:13500

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:10784

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:10964

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:8496
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:5156

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:2784
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4908

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:6820
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:12756

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:9736

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:3088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:7460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 396 -p 6812 -ip 6812
1⤵
PID:3272

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:7128

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:4896

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:1992

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:5604
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:10816

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:15196
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:13448

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:3676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 800 -p 5360 -ip 5360
1⤵
PID:6668

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:5852

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:11824

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 780 -p 6276 -ip 6276
1⤵
PID:12808

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:5184

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:14644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 792 -p 10804 -ip 10804
1⤵
PID:13856

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:12332

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:9852

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:14088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:9316

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:10680

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:14228

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:12928

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:7304

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:15096

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:12708

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:6220

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:7748

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:14124

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:13748

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:11940

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:11440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 12100 -ip 12100
1⤵
PID:15424

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:15544

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:15552

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:15560

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:15568

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:15576

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:15584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:15592

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:15600

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 832 -p 5100 -ip 5100
1⤵
PID:16132

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:16108

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe
1⤵
PID:16116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\TurmoilscapeUpdater.exe.log

Filesize
308B

MD5
1941623a471e15f0e2ca7dbadd577fdc

SHA1
f7df5d8a54a66191bb1a4518c9cddb3fd61f225b

SHA256
19a17b2ee8664b5dc68810ee4bca9bfe4370ce7bd3d640fa3bd0fa03efc45f6f

SHA512
6e33e3955340711e3e36c36c30eb869003e361083eed1f3ca914d1085f9477a1f9f94010b9834e8ec5580de8ddb33c3256791d5f6fd7c3a1636c6963de309e71

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES492F.tmp

Filesize
1KB

MD5
e0eb11d072879d8b746b46627a323dc3

SHA1
cc7c2f9b1c4464f560c86c51fb5962434a0cae32

SHA256
d51a81a97e1c4548f692de949a5c5bf5b508205e8c46ff6e9d7b486aa594b877

SHA512
8572ce2d03a179968f74c59776297055be999e5115c6320eb98d3b84607ee63a11dbb1b0f7ef1266d3266e8ca851565cb05dcf37970417896a0ebc4a67051d0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES4A68.tmp

Filesize
1KB

MD5
dd3e54d1b7fd158bd0d865d23eb18a24

SHA1
353be957f5f291683c329b9b0374e421749fee23

SHA256
ff3d9cf77aa07ebdd9bb061a816e7274a690331c32bc3c522946ce5c5ffbfdc9

SHA512
5fe6a6ad79f4aeb11b05ce2df306bf9d6d93417c72deb10d4d64ae03a4054d3e92a742e455a4ed05a9df388cc64cb635e5d52e24682266061fb85394821fdc9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES4B52.tmp

Filesize
1KB

MD5
c1fcacbf591bf669c92f710e5e0d1012

SHA1
603fa074ae26a0be7789ca4c6968cad4d590b4c3

SHA256
0aa3b93a58990840807bf7ae8fdfa53a2b3ab188ca79c33d1cc40d2270c7b0c2

SHA512
40c83bb278259c1630af4c740cfddb137ecbefb249bdacf35d441d73083d6d2a7d86d5db33ab7317ec67e986753b442cd23da585959d2e0bb9dfcf78f7186d55

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES4CAA.tmp

Filesize
1KB

MD5
7f968f21872b2a28c30baa190f00d673

SHA1
fdf63a81241abbc524d655ee70e3750baee6db87

SHA256
424c361336efeebd7b2142c6d1887ab331d9b81d7097e4f610847f683df0eadd

SHA512
db41e0f03d9fb3945e5e150bac907d5991ac6b4d540b4da4aab242c1d5a6dfbb5a143624148b35b771b1044edd641bf90fdc609c40cffaf77e5fd343a6a46345

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES5489.tmp

Filesize
1KB

MD5
d38921983f36bd7cd0202a0233954751

SHA1
d4cc367c342480a66bd2b9f85fe5c0790782c281

SHA256
550d617860b16adb6a6d3d34c0c66e0e1a783cec9be5b98aa4a6db8359364fcd

SHA512
fea07d15ae309195823af89f87e8a27045dd8d9797c71da602d513e14def0f3124a529d9464604ad823ede4eaf86d42e5f399be920f83a3afa5137df49447e64

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES5499.tmp

Filesize
1KB

MD5
ac87a4c91b0c2e3133e7e6579e899e84

SHA1
6389cca3a03150d2e1f16f644646c84b36294df4

SHA256
bcc7c3ff237bccd6333aec36213b973ec9dc66de3330e05e097b548308ca27c8

SHA512
3905b2c642ae0fa126168478dc737347204a7e3665d18d2c3e28707e82825a34e953ca83cc3615d130506a625092c1a5a8f5968d889af5faefab4880dc7afde0

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES549A.tmp

Filesize
1KB

MD5
6fb4ce5a47660362852e037a64155e7c

SHA1
ab9608fc9dd6de8aa565c0b02f2cca9fdc65a200

SHA256
97ebe9550c03af94a0e33dbf65c2275ce5623471dac04becb9ab9052df52fa1a

SHA512
51409ccf63bcdd8722d4878054b22938d3004e1d751d99205f73b52676c15d9fd5c6d0e21f60cdf737ef8c8068ac940263886b6cc0297074d19bb5d8fbd76731

Download Submit
C:\Users\Admin\AppData\Local\Temp\_qna-n8a.dll

Filesize
5KB

MD5
c531dead0ab37af4199759d2be86bcaa

SHA1
6ca809c069b545a70700215fe0d68180f1da7635

SHA256
219e7683d9934b346c3ae9d2d11994e7a0e1078ae56eb8446efedab1266b60cd

SHA512
b731f62127ddcd7d43bc013bd8a83562d493991ba945b35f79d9077fe2c3e5f7189821c1075131e8b5e21ed7ceb22f4ca4610311257e1e6884e0d4fc71e01f1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\dzrd90_k.dll

Filesize
5KB

MD5
aef47047967e355bda4258120b6b39f7

SHA1
536f29f40a7f1e1316b1c8b8522f60b2e3fd3dfd

SHA256
7099192fc36fdbcb4e7820cfd20472f54b53d4b459c299553e94307ac7f22780

SHA512
1d9a6d97d13d19f11abdacb710b7c00c79da01d7d2b12961608c03008b2b13f9b6d2da573a0935f6215522802f8a74abae6f74d7082efc4e477aab611af34d1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\eraq0-vy.dll

Filesize
5KB

MD5
64d23e6efeeeedfa16430def98d33d4c

SHA1
45db034e99ce6072a7add381eb1bce4d9bbbedc5

SHA256
40517b68e5e7060700ff1c70abfd109b4d23ebf479a0c31a106ac092097a6aa9

SHA512
d95046b6736c81abf99f31911ba2be57cae76d0ce836f2dcd2014680416b163ab94d4a1d0faa4c053c90f63464379213f66d4352d06a277d85f100d5f8c7d77a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ppo5-e3o.dll

Filesize
5KB

MD5
90cf3bbe467208abf02787328abe78ba

SHA1
bfe0aa49caaede6363f06eed2e9a6d1efe005c6e

SHA256
cfaa3212f8271ffae83b12e5d81ffc39bf9d36ea5f5739f6dc7723dd13754352

SHA512
f0ac90260a50b903c53b7ebac07fd79c9ae25a10231cf627fa98f3233634cf075dc5e793e66548daca3f9a8cb0f49aa1ef2fb5cab29e1bd58526dc28c0873d03

Download Submit
C:\Users\Admin\AppData\Local\Temp\rhx7lkie.dll

Filesize
5KB

MD5
b19c0724bf103678d801c8dd4438593b

SHA1
442ab1d789513b91ab9fd4d9a3004c21d2851ac1

SHA256
64ee12260a712da762ec7e8ad13c4b4e085a2116c26f68f6c7c7140c766587de

SHA512
160acf1b00c7ff4484a0821148dae061ffd7d1766820027dc1bad41219120524aee31c851860f7c01acf95556c8bf7194898d4786637ee38e163b51703e1b6f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\u1caqauw.dll

Filesize
5KB

MD5
ee0131eb9b22fc4297bf0ea36134c80c

SHA1
63e8d4186e67b95156af1768162827acee20039e

SHA256
5ef100ec8fe8ee4ea737a312896ecc5a8c805b7d617701e452b2d2e4c00ec957

SHA512
668dfcbeb9b942e95652762d2ad2d23379e931ebbc91dbd66299cdfc578ea2943179c5f9b2621da6ce106fb640274f44642070a600db75e03ba75f2bde1e6c0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\yoxlxorm.dll

Filesize
5KB

MD5
9b2fe63e992cbaa558f55aa449ddc117

SHA1
517f431aa78cf4f8f0eaea47201d8c72bc458e2f

SHA256
34a0740ba0ed0d1bd55be3916cdf2ce2350d3230a68e9be587ea335bc06e115d

SHA512
3065693c76a08b3605fda420f418382648fc495b3b69f8cc728599d64bc5d8801dc611778534815d27d43f4d72552995716903b2b81ad82cd609c0ff2dfacb34

Download Submit
C:\Users\Admin\AppData\Roaming\JaffaCakes118_99180aba4fcef4c831dd34f4c66cd52e.exe

Filesize
6KB

MD5
d89fdbb4172cee2b2f41033e62c677d6

SHA1
c1917b579551f0915f1a0a8e8e3c7a6809284e6b

SHA256
2cbdc0ddc7901a9b89615cc338f63e1800f864db431e7a7a85749f73cba0b383

SHA512
48941f08ae00d342b52e3255b99ce36abb4e46a48075a760869bc86b1a32c0737eb2bd5e43d5ee665303ab134282f9732738755c4027043ed2d4f414faab63ed

Download Submit
C:\Users\Admin\AppData\Roaming\Turmoilscape\TurmoilscapeUpdater.exe

Filesize
364KB

MD5
99180aba4fcef4c831dd34f4c66cd52e

SHA1
58ada9bab31fe9f2184b605678aa203fafc4f2ac

SHA256
1459890537a96e964089709f6a4dc704f422fe6949a6492784acb46c624f793d

SHA512
9b80eb9d4000521237fd520274eed9cb6dd8bf69b2967aa76168b6d148148915c98fcd0619d01d066543cf4ea8a5c1662ad7565b232e5c715423db2fe4a489fd

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC492E.tmp

Filesize
652B

MD5
ce805c9a53e37062dd11d0fbbb5a5b66

SHA1
b55b81569ca457fb423d891abff48a33e1a92ed7

SHA256
f83e15484f93e769761b5249713a54e5322fe6ac43456774af5cc72aa5012bff

SHA512
32913d670aae6a64855b48c3a2966df64b93e04862fe35b4f5f0325712375fbe5ec41d3fbd5f16fdb3b53dec8aca1544331860379b895eefdd9da12b3630b259

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC4A67.tmp

Filesize
652B

MD5
743fe7cfe30edf9a104277b25b92e4e4

SHA1
09451e350d8349a0bd8bae57baa6c5d10b73f707

SHA256
d43419f4922f1708ad2cc46b4248b9b580be6dcc63897672105f76bdbaeaea49

SHA512
976141c38769a5be522535f08de4880516210d8c5adbba1535d0ea52772f80f4f55311e0255ce885d21d244858d9d5fe721067e6a96f03341414f8ab8a90d24b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC4B51.tmp

Filesize
652B

MD5
c0cd3d21b5e9c2967b666c30f3808e54

SHA1
3277a4a56c919e217d9c88581b4752e9c47d778d

SHA256
8fa9eb341d38823722b21cf55552ee3f2160aa61711d246b835cb4a0865e5568

SHA512
21ad1f7779d62cb4bebb56ae01e5cc3c8eafa1130b12ef8cd9e9adc1b67b2b9dbd64ed017cde943f8e7a4cc44576f6be144c563a61dc80b8752b837276d2ee18

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC4CA9.tmp

Filesize
652B

MD5
838256c02f800a7bdaeda4b7bad71bc0

SHA1
e8b3b51a223e5e786556ea2bdfe0ef718c115031

SHA256
1c32f0fc2d808506cb5782e2a850bb60f706a7ce86e9407b108de7c58a677d4e

SHA512
31bb3cde094d30fcba273de03154e12e2c829f9a9e2e6b1e3dfc7207b1725c5ed865dec43b9c7d02a86e0be524ab2a852d1fa1e91b245e183e6b9976a79bc150

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC5488.tmp

Filesize
652B

MD5
34d2910f5ae61e35310285e66ccc5373

SHA1
259bfdd9dde35894cdc717b1af1532f7108467d6

SHA256
0bf72217a7000bada77e0e554af83130654343741e2d54bc5ac488bab560969f

SHA512
4080b7a2bd0f08718e02503fda72f6d3ad072de5b635941e0e5b502f4f43aa1b14027a85bf9d684cce5c3d3221b84b5ee1ba998ac3fca627b470f35446990e5c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC5498.tmp

Filesize
652B

MD5
6e0fe7b76b9f72d5e21f2f0fcc4d8d7f

SHA1
a9ef26e88d9a4b89276e3dc7315f02fdfdcfb087

SHA256
310d6fd2079d2de3dd161b74e1d6c368eb04de9a4b904909a08f4c2f48b0562b

SHA512
d0ec629e9c5fe4447f93ea5077485c6aa6a53f088965c8b629f23ec87e0fd7eff81a8f7c7da69d56999733434fdbee38747a018c893fe6dff84d30ee133fcf9d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC5499.tmp

Filesize
652B

MD5
d8fcb9e2e3ff78a0b34f442d1e4e73fd

SHA1
ad7c9df112030649d2684e831a1d10d034f52867

SHA256
f9b476fef9058dea307d13151ecb59eab28d093203eb538f730cb4b802e03d09

SHA512
d7d2bc18d54783efc8a55f52c03164c4a8fa8b89aa1f2a48045ea65bba6cb99252c166da5a5d5685ebac66ee4b75d49ab7a1afb53389df9f0aff96413709e0f2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC56EA.tmp

Filesize
652B

MD5
36d87b291ad3470e543527afde5552dc

SHA1
bae5a6118b38e8ee779e2c1b789f26cfe207feb5

SHA256
b2190115cec8d823d997c2618c2cb68a29563ab08b15b437ec20151c0ab2b127

SHA512
206d50709dfd09471676ca5958e6975ba9f259fc610a2a6157dd7e7982c34bffb2ef38b96015f35629e4a22be319dca146850ebbf0176c1eb152c3f36bddc1e9

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC5728.tmp

Filesize
652B

MD5
3356da729b3beac995d6294c7bb05bd8

SHA1
e3c97dba92b91e5cad24b34ba71ef5445ce76482

SHA256
cbf32fe3bfda2bf7a4abb69037e6cfabd16ff22c441f4cd881fc03f50ec54f9d

SHA512
68b89b0b6cb53fed592331d41537fc0aa10c69d95709ce77e4860ae63fb699e8cc5e3a2ebb6fa08e63a785e7ef4282acac7982c358bb94611a1c771dbef9a42a

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\_qna-n8a.cmdline

Filesize
206B

MD5
f411e4e530ab8e6e3e0a94af96048168

SHA1
48e47aa72398d55e6efd8ee98ef826c0c8bd9449

SHA256
fe824ed33aefc672e03d21bc161eb1343024de5380bbb27ac29d308290fec9d0

SHA512
c71cf143335fba79f319865a59e5c44e9d02ba770db9c844ab34eff2034bd7a4b2d796b6237ba1c2ff35b93704aa265b4172e2516290451530f190120c026847

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\dzrd90_k.cmdline

Filesize
206B

MD5
8309fabe037199c7ec65e5b28574625a

SHA1
23c30561ec8d6b884d8f8f6a5ae49b2b6565c677

SHA256
d50166bb7b2b1be1a832314f238bb8186ac1b2ccd9da364043b82e49fffc8e1f

SHA512
8b97d467b7d12bb03de583256f2c2dd99fd975fefd9fc54651a246e9cdf05bb2bc3d2aedce820e10df94ffece7f11a70585827b5a91409f98a7306f7588aef8b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\eraq0-vy.cmdline

Filesize
206B

MD5
8e089d44e653133e1d467288cc928233

SHA1
f6c09859f03fbcbd8b891735734b7a9e623cbc14

SHA256
34d8b7dc248ffc97099f2d6eafd66227ab4d24368f43ac0f59baf5872c68af64

SHA512
e25a9fb1b9cc6af154e704ddcca80df2bf223ea103d704e1a515e19d96055222597adc4caed75810e4aee67224ea8e1f6884980e0dc515e351fb6c52b4e1b9a4

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\jwn5fq3n.cmdline

Filesize
206B

MD5
5a5c1fee0dd727657e140c10b7adee31

SHA1
62275ffb3c5dde369037eac29301998677032ce5

SHA256
9fb3979ad2dee4689e333871ee1510d770977f3da1679c0c8d04f3d45635e5f9

SHA512
3b392688c141138c0e67732b7724cbabb0c8cf9001b758dc059b0ab54ead83cf9f0c500c0ac13279c65a631f8a56247e4d464d821579604a9480ca8b31b247db

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ppo5-e3o.cmdline

Filesize
206B

MD5
749a61056a56539304f502472eaef433

SHA1
ece88f8588f224212ec95287371d7c4825119d90

SHA256
e8dfc760d6c11002758e799e0e7b89c3f993ae1a74454ccfaa4f67085f3fb18b

SHA512
bf4b4b6ad1b500d94f99dbdca4cdada71aed9f11628efbcb1bfbe17f44d725f08acfef2d8eb30e918dd24429e7069e9e1a5eaae55f2af2748a31abf095236abe

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\q97zwz9z.cmdline

Filesize
206B

MD5
b0b5cfcbe9e7aa6192a1e679ddf28a3b

SHA1
d3a99a5d27d834f7e8344800d846c16cfa9d0be8

SHA256
b23257025876c7d02dbcfa5c8f95507810d648fcc7114015edcc7d75177d4252

SHA512
95b63e39ce29f5fb855c86b3dc77b0b2ef7b6ccf9b1bcda25b1977dc2f434f1b30156a88146f73e44479319fbc6d461e9a5e03a1985d0af634d87fae4bba9d8c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\rhx7lkie.cmdline

Filesize
206B

MD5
5c6ac7e13b050c68f466e5c97658daba

SHA1
d5df3ac131e50e560c7fb5d564517d89d4bc7742

SHA256
82a6f6896010d41b3b6cf6584c31d252bc807e66edae71ce92d61adde971857c

SHA512
8a0062beaad8008230887f44268b37a294caeaf4dbe772e300618da4b62e6e0316ec63645221b4cd242cbc4ae33f55029687f7747086d5548c9320cb7afcd8be

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\u1caqauw.cmdline

Filesize
206B

MD5
d44aa5b4799e6eb4754d920807fd0455

SHA1
5684de7c0a73cf85cde521a04519e708ac10f654

SHA256
d48489a2cae11f30c1c414c2b13a9370736bcb6ca88bf0b23653bdf323f7f29c

SHA512
0b1129918b8ff88cdcf8fbf19148f0aec97497ffa7b4bb485d147800e0ea334f4cd97cd666104c3fb5251eb393104df3a558175de08a8625b610434e49bea26d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\vebwxxqn.cmdline

Filesize
206B

MD5
9c975e4e6f52a6ec62505c82e07d1965

SHA1
cf6901f52c0b9473bba5c9a936aeb3869efecfd6

SHA256
eb8c4f808908361d182c0122ec75c5b6c1149057e5387b9ee0145adf922f2a7c

SHA512
715da67cfb7e2b014e59a4c10dec35685001481d378ff50ad6c977757dfff0040b1266ab0b8b13c6dc41c42d0e85d17a5ef29ef87a8656ad0af2d782aa35a041

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\yoxlxorm.0.cs

Filesize
5KB

MD5
cb25540570735d26bf391e8b54579396

SHA1
135651d49409214d21348bb879f7973384a7a8cb

SHA256
922ec415710a6e1465ed8553838ddf19c8deb32b75da6dfaca372c1067d2d743

SHA512
553ce9d3647b196ccbd6612c06d301afac992130ec5c80fe8fa8a42bab4250053fad651227ff97d9fab4ba8aaff562d421236dc0b2b5d0d4a17430985dd07080

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\yoxlxorm.cmdline

Filesize
206B

MD5
9861610f12c8aa6f7eb12ebab445374d

SHA1
90967e41c432dc76c72afc3836ae7cff355e1cca

SHA256
6a5f4ff1f67072d99c0f000b0cd70ce0a06a512eb2985c4fe6477b900d0e766d

SHA512
62d21ba4fd646aa200b7168e749bb7ca0e5f74e684befd4dd7f7589c709330f1a117c572c1219f297425782785a56498bd38c162ca64876108b782310df80bc6

Download Submit
memory/1416-2-0x00000000748A0000-0x0000000074E51000-memory.dmp

Filesize
5.7MB

Download
memory/1416-1-0x00000000748A0000-0x0000000074E51000-memory.dmp

Filesize
5.7MB

Download
memory/1416-44-0x00000000748A0000-0x0000000074E51000-memory.dmp

Filesize
5.7MB

Download
memory/1416-0-0x00000000748A2000-0x00000000748A3000-memory.dmp

Filesize
4KB

Download
memory/1664-25-0x00000000748A0000-0x0000000074E51000-memory.dmp

Filesize
5.7MB

Download
memory/1664-61-0x00000000748A0000-0x0000000074E51000-memory.dmp

Filesize
5.7MB

Download
memory/1664-22-0x00000000748A0000-0x0000000074E51000-memory.dmp

Filesize
5.7MB

Download
memory/1736-10-0x00000000748A0000-0x0000000074E51000-memory.dmp

Filesize
5.7MB

Download
memory/1736-12-0x00000000748A0000-0x0000000074E51000-memory.dmp

Filesize
5.7MB

Download
memory/1736-74-0x00000000748A0000-0x0000000074E51000-memory.dmp

Filesize
5.7MB

Download
memory/1736-17-0x00000000748A0000-0x0000000074E51000-memory.dmp

Filesize
5.7MB

Download
memory/1896-2311-0x00007FFBB8030000-0x00007FFBB8225000-memory.dmp

Filesize
2.0MB

Download
memory/6524-1746-0x00007FF7DDE50000-0x00007FF7DDEB7000-memory.dmp

Filesize
412KB

Download
memory/7304-1209-0x00007FF7DDE50000-0x00007FF7DDEB7000-memory.dmp

Filesize
412KB

Download
memory/7628-1213-0x00007FF7DDE50000-0x00007FF7DDEB7000-memory.dmp

Filesize
412KB

Download
memory/10524-870-0x0000000075F10000-0x0000000076030000-memory.dmp

Filesize
1.1MB

Download
memory/11176-2335-0x0000000075460000-0x00000000754D5000-memory.dmp

Filesize
468KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads