ProcessFlow

INFO

ProcessID 1068 Spawned

07-02-2017-22-10-38, PING.EXE, 880 PARENT: cmd.exe ** null

 ... PING  -n 5 127.0.0.1

ProcessID 1612 Spawned

07-02-2017-22-06-28, cmd.exe, 2840 PARENT: kara_sample.exe ** null

 ... "C:\\windows\\system32\\cmd.exe" /c icacls C:\Users\xxx\AppData\Local\Temp\ /grant Everyone:F /T /C /Q

&& ProcessID 2840 Spawned

07-02-2017-22-06-30, icacls.exe, 2616 PARENT: cmd.exe ** null

07-02-2017-22-06-30, Microsoft.vshub.32.exe, 2964 PARENT: kara_sample.exe ** C:\Users\xxx\AppData\Local\Temp\Tor\Microsoft.vshub.32.exe

 ... "C:\Users\xxx\AppData\Local\Temp\Tor\\Microsoft.vshub.32.exe" -f .\\torrc

07-02-2017-22-06-43, cmd.exe, 2940 PARENT: (null) ** null

 ... "C:\\windows\\system32\\cmd.exe" /c PING -n 30 127.0.0.1 & del /f /q "%temp%\*.*"

&& ProcessID 2940 Spawned

07-02-2017-22-06-44, PING.EXE, 512 PARENT: cmd.exe ** null

ProcessID 1720 Spawned

07-02-2017-22-13-17, PING.EXE, 1988 PARENT: cmd.exe ** null

 ... PING  -n 30 127.0.0.1

ProcessID 1736 Spawned

07-02-2017-22-05-11, TPAutoConnect.exe, 2812 PARENT: TPAutoConnSvc.exe ** null

 ... TPAutoConnect.exe -q -i vmware -a COM1 -F 30

ProcessID 196 Spawned

07-02-2017-22-10-37, cmd.exe, 1068 PARENT: (null) ** null

 ... "C:\\windows\\system32\\cmd.exe" /c PING -n 5 127.0.0.1 & del /f /q "%temp%\*.*"

&& ProcessID 1068 Spawned

07-02-2017-22-10-38, PING.EXE, 880 PARENT: cmd.exe ** null

ProcessID 2060 Spawned

07-02-2017-22-05-13, cmd.exe, 2852 PARENT: ProcFileAll.exe ** null

 ... "C:\Users\xxx\Desktop\REAL\procexp.exe"

&& ProcessID 2852 Spawned

07-02-2017-22-12-42, explorer.exe, 1688 PARENT: procexp64.exe ** null

07-02-2017-22-05-13, cmd.exe, 908 PARENT: ProcFileAll.exe ** null

ProcessID 2072 Spawned

07-02-2017-22-10-55, Microsoft.vshub.32.exe, 3024 PARENT: kara_sample.exe ** C:\Users\xxx\AppData\Local\Temp\Tor\Microsoft.vshub.32.exe

 ... "C:\Users\xxx\AppData\Local\Temp\Tor\\Microsoft.vshub.32.exe" -f .\\torrc

07-02-2017-22-13-16, cmd.exe, 1720 PARENT: kara_sample.exe ** null

 ... "C:\\windows\\system32\\cmd.exe" /c PING -n 30 127.0.0.1 & del /f /q "%temp%\*.*"

&& ProcessID 1720 Spawned

07-02-2017-22-13-17, PING.EXE, 1988 PARENT: cmd.exe ** null

07-02-2017-22-13-16, cmd.exe, 2524 PARENT: (null) ** null

07-02-2017-22-13-17, cmd.exe, 1720 PARENT: (null) ** null

 ... "C:\\windows\\system32\\cmd.exe" /c PING -n 30 127.0.0.1 & del /f /q "%temp%\*.*"

&& ProcessID 1720 Spawned

07-02-2017-22-13-17, PING.EXE, 1988 PARENT: cmd.exe ** null

ProcessID 2184 Spawned

07-02-2017-22-05-08, explorer.exe, 2220 PARENT: (null) ** null

 ... C:\Windows\Explorer.EXE

&& ProcessID 2220 Spawned

07-02-2017-22-05-10, vmtoolsd.exe, 2368 PARENT: explorer.exe ** null

07-02-2017-22-05-13, ProcFileAll.exe, 2060 PARENT: explorer.exe ** C:\Users\xxx\Desktop\Process\ProcFileAll.exe

07-02-2017-22-05-55, procexp.exe, 2464 PARENT: explorer.exe ** C:\Users\xxx\Desktop\REAL\procexp.exe

07-02-2017-22-06-20, kara_sample.exe, 1612 PARENT: explorer.exe ** null

07-02-2017-22-10-37, gggggg.exe, 196 PARENT: explorer.exe ** null

07-02-2017-22-10-53, kara_sample.exe, 2072 PARENT: explorer.exe ** null

ProcessID 2220 Spawned

07-02-2017-22-05-10, vmtoolsd.exe, 2368 PARENT: explorer.exe ** null

 ... "C:\Program Files\VMware\VMware Tools\vmtoolsd.exe" -n vmusr

07-02-2017-22-05-13, ProcFileAll.exe, 2060 PARENT: explorer.exe ** C:\Users\xxx\Desktop\Process\ProcFileAll.exe

 ... "C:\Users\xxx\Desktop\Process\ProcFileAll.exe"

&& ProcessID 2060 Spawned

07-02-2017-22-05-13, cmd.exe, 2852 PARENT: ProcFileAll.exe ** null

07-02-2017-22-05-13, cmd.exe, 908 PARENT: ProcFileAll.exe ** null

07-02-2017-22-05-55, procexp.exe, 2464 PARENT: explorer.exe ** C:\Users\xxx\Desktop\REAL\procexp.exe

 ... "C:\Users\xxx\Desktop\REAL\procexp.exe"

&& ProcessID 2464 Spawned

07-02-2017-22-05-56, procexp64.exe, 2852 PARENT: procexp.exe ** null

07-02-2017-22-06-20, kara_sample.exe, 1612 PARENT: explorer.exe ** null

 ... "C:\Users\xxx\Desktop\kara_sample.exe"

&& ProcessID 1612 Spawned

07-02-2017-22-06-28, cmd.exe, 2840 PARENT: kara_sample.exe ** null

07-02-2017-22-06-30, Microsoft.vshub.32.exe, 2964 PARENT: kara_sample.exe ** C:\Users\xxx\AppData\Local\Temp\Tor\Microsoft.vshub.32.exe

07-02-2017-22-06-43, cmd.exe, 2940 PARENT: (null) ** null

07-02-2017-22-10-37, gggggg.exe, 196 PARENT: explorer.exe ** null

 ... "C:\Users\xxx\Desktop\gggggg.exe"

&& ProcessID 196 Spawned

07-02-2017-22-10-37, cmd.exe, 1068 PARENT: (null) ** null

07-02-2017-22-10-53, kara_sample.exe, 2072 PARENT: explorer.exe ** null

 ... "C:\Users\xxx\Desktop\kara_sample.exe"

&& ProcessID 2072 Spawned

07-02-2017-22-10-55, Microsoft.vshub.32.exe, 3024 PARENT: kara_sample.exe ** C:\Users\xxx\AppData\Local\Temp\Tor\Microsoft.vshub.32.exe

07-02-2017-22-13-16, cmd.exe, 1720 PARENT: kara_sample.exe ** null

07-02-2017-22-13-16, cmd.exe, 2524 PARENT: (null) ** null

07-02-2017-22-13-17, cmd.exe, 1720 PARENT: (null) ** null

ProcessID 2464 Spawned

07-02-2017-22-05-56, procexp64.exe, 2852 PARENT: procexp.exe ** null

 ... "C:\Users\xxx\Desktop\REAL\procexp.exe"

&& ProcessID 2852 Spawned

07-02-2017-22-12-42, explorer.exe, 1688 PARENT: procexp64.exe ** null

ProcessID 2604 Spawned

07-02-2017-22-05-12, SearchProtocolHost.exe, 2644 PARENT: SearchIndexer.exe ** null

07-02-2017-22-05-12, SearchFilterHost.exe, 1232 PARENT: SearchIndexer.exe ** null

07-02-2017-22-10-35, SearchProtocolHost.exe, 2784 PARENT: SearchIndexer.exe ** null

07-02-2017-22-10-36, SearchFilterHost.exe, 984 PARENT: SearchIndexer.exe ** null

07-02-2017-22-12-43, SearchProtocolHost.exe, 2532 PARENT: SearchIndexer.exe ** null

07-02-2017-22-12-44, SearchFilterHost.exe, 1564 PARENT: SearchIndexer.exe ** null

ProcessID 2840 Spawned

07-02-2017-22-06-30, icacls.exe, 2616 PARENT: cmd.exe ** null

 ... icacls  C:\Users\xxx\AppData\Local\Temp\ /grant Everyone:F /T /C /Q

ProcessID 2852 Spawned

07-02-2017-22-12-42, explorer.exe, 1688 PARENT: procexp64.exe ** null

ProcessID 2940 Spawned

07-02-2017-22-06-44, PING.EXE, 512 PARENT: cmd.exe ** null

 ... PING  -n 30 127.0.0.1

ProcessID 336 Spawned

07-02-2017-22-05-02, csrss.exe, 348 PARENT: (null) ** null

07-02-2017-22-05-03, wininit.exe, 400 PARENT: (null) ** null

&& ProcessID 400 Spawned

07-02-2017-22-05-03, services.exe, 500 PARENT: wininit.exe ** null

07-02-2017-22-05-03, lsass.exe, 508 PARENT: wininit.exe ** null

07-02-2017-22-05-03, lsm.exe, 516 PARENT: wininit.exe ** null

ProcessID 392 Spawned

07-02-2017-22-05-03, csrss.exe, 408 PARENT: svchost.exe ** null

&& ProcessID 408 Spawned

07-02-2017-22-05-11, conhost.exe, 2820 PARENT: csrss.exe ** null

07-02-2017-22-05-13, conhost.exe, 2040 PARENT: csrss.exe ** null

07-02-2017-22-06-29, conhost.exe, 1252 PARENT: csrss.exe ** null

07-02-2017-22-06-30, conhost.exe, 1832 PARENT: csrss.exe ** null

07-02-2017-22-06-44, conhost.exe, 1444 PARENT: csrss.exe ** null

07-02-2017-22-10-38, conhost.exe, 2376 PARENT: csrss.exe ** null

07-02-2017-22-10-55, conhost.exe, 1492 PARENT: csrss.exe ** null

07-02-2017-22-13-16, conhost.exe, 2088 PARENT: csrss.exe ** null

07-02-2017-22-13-16, conhost.exe, 1232 PARENT: csrss.exe ** null

07-02-2017-22-05-03, winlogon.exe, 464 PARENT: svchost.exe ** null

ProcessID 400 Spawned

07-02-2017-22-05-03, services.exe, 500 PARENT: wininit.exe ** null

&& ProcessID 500 Spawned

07-02-2017-22-05-03, svchost.exe, 628 PARENT: services.exe ** null

07-02-2017-22-05-04, vmacthlp.exe, 688 PARENT: services.exe ** null

07-02-2017-22-05-04, svchost.exe, 720 PARENT: services.exe ** null

07-02-2017-22-05-04, svchost.exe, 772 PARENT: services.exe ** null

07-02-2017-22-05-04, svchost.exe, 884 PARENT: services.exe ** null

07-02-2017-22-05-04, svchost.exe, 932 PARENT: services.exe ** null

07-02-2017-22-05-04, svchost.exe, 392 PARENT: services.exe ** null

07-02-2017-22-05-05, svchost.exe, 1036 PARENT: services.exe ** null

07-02-2017-22-05-05, spoolsv.exe, 1152 PARENT: services.exe ** null

07-02-2017-22-05-05, svchost.exe, 1188 PARENT: services.exe ** null

07-02-2017-22-05-05, sppsvc.exe, 1360 PARENT: services.exe ** null

07-02-2017-22-05-05, VGAuthService.exe, 1396 PARENT: services.exe ** null

07-02-2017-22-05-05, vmtoolsd.exe, 1424 PARENT: services.exe ** null

07-02-2017-22-05-06, ManagementAgentHost.exe, 1452 PARENT: services.exe ** null

07-02-2017-22-05-06, wlms.exe, 1484 PARENT: services.exe ** null

07-02-2017-22-05-06, TPAutoConnSvc.exe, 1736 PARENT: services.exe ** null

07-02-2017-22-05-06, dllhost.exe, 1972 PARENT: services.exe ** null

07-02-2017-22-05-06, svchost.exe, 1112 PARENT: services.exe ** null

07-02-2017-22-05-07, msdtc.exe, 1304 PARENT: services.exe ** null

07-02-2017-22-05-07, taskhost.exe, 2156 PARENT: services.exe ** null

07-02-2017-22-05-10, SearchIndexer.exe, 2604 PARENT: services.exe ** null

07-02-2017-22-05-12, svchost.exe, 2776 PARENT: services.exe ** null

07-02-2017-22-05-12, mscorsvw.exe, 860 PARENT: services.exe ** null

07-02-2017-22-05-12, mscorsvw.exe, 2736 PARENT: services.exe ** null

07-02-2017-22-05-12, svchost.exe, 804 PARENT: services.exe ** null

07-02-2017-22-05-03, lsass.exe, 508 PARENT: wininit.exe ** null

07-02-2017-22-05-03, lsm.exe, 516 PARENT: wininit.exe ** null

ProcessID 408 Spawned

07-02-2017-22-05-11, conhost.exe, 2820 PARENT: csrss.exe ** null

 ... \??\C:\Windows\system32\conhost.exe

07-02-2017-22-05-13, conhost.exe, 2040 PARENT: csrss.exe ** null

 ... \??\C:\Windows\system32\conhost.exe

07-02-2017-22-06-29, conhost.exe, 1252 PARENT: csrss.exe ** null

 ... \??\C:\Windows\system32\conhost.exe

07-02-2017-22-06-30, conhost.exe, 1832 PARENT: csrss.exe ** null

 ... \??\C:\Windows\system32\conhost.exe

07-02-2017-22-06-44, conhost.exe, 1444 PARENT: csrss.exe ** null

 ... \??\C:\Windows\system32\conhost.exe

07-02-2017-22-10-38, conhost.exe, 2376 PARENT: csrss.exe ** null

 ... \??\C:\Windows\system32\conhost.exe

07-02-2017-22-10-55, conhost.exe, 1492 PARENT: csrss.exe ** null

 ... \??\C:\Windows\system32\conhost.exe

07-02-2017-22-13-16, conhost.exe, 2088 PARENT: csrss.exe ** null

 ... \??\C:\Windows\system32\conhost.exe

07-02-2017-22-13-16, conhost.exe, 1232 PARENT: csrss.exe ** null

ProcessID 4 Spawned

07-02-2017-22-05-02, smss.exe, 264 PARENT: System ** null

ProcessID 500 Spawned

07-02-2017-22-05-03, svchost.exe, 628 PARENT: services.exe ** null

&& ProcessID 628 Spawned

07-02-2017-22-05-06, WmiPrvSE.exe, 1900 PARENT: svchost.exe ** null

07-02-2017-22-05-11, WmiPrvSE.exe, 2888 PARENT: svchost.exe ** null

07-02-2017-22-05-12, dllhost.exe, 1064 PARENT: svchost.exe ** null

07-02-2017-22-05-55, dllhost.exe, 3068 PARENT: svchost.exe ** null

07-02-2017-22-10-36, dllhost.exe, 2348 PARENT: svchost.exe ** null

07-02-2017-22-11-30, dllhost.exe, 2088 PARENT: svchost.exe ** null

07-02-2017-22-12-43, explorer.exe, 1020 PARENT: svchost.exe ** null

07-02-2017-22-12-44, dllhost.exe, 740 PARENT: svchost.exe ** null

07-02-2017-22-14-15, dllhost.exe, 2896 PARENT: svchost.exe ** null

07-02-2017-22-05-04, vmacthlp.exe, 688 PARENT: services.exe ** null

07-02-2017-22-05-04, svchost.exe, 720 PARENT: services.exe ** null

07-02-2017-22-05-04, svchost.exe, 772 PARENT: services.exe ** null

&& ProcessID 772 Spawned

07-02-2017-22-05-12, audiodg.exe, 1584 PARENT: svchost.exe ** null

07-02-2017-22-11-29, audiodg.exe, 2628 PARENT: svchost.exe ** null

07-02-2017-22-05-04, svchost.exe, 884 PARENT: services.exe ** null

&& ProcessID 884 Spawned

07-02-2017-22-05-07, dwm.exe, 2208 PARENT: svchost.exe ** null

07-02-2017-22-05-04, svchost.exe, 932 PARENT: services.exe ** null

07-02-2017-22-05-04, svchost.exe, 392 PARENT: services.exe ** null

&& ProcessID 392 Spawned