eabef49966f349f3f1eac229d2c1eb7b597e983fad06e1492bb134fbc6892292

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
31/03/2025, 15:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-03-31_0fa360268379593d3e9eacc15ee2c91a_frostygoop_ghostlocker_knight_luca-stealer_poet-rat_sliver_snatch.exe
Size

7.6MB
MD5

0fa360268379593d3e9eacc15ee2c91a
SHA1

39f01dd0329b2aa9488a1cbc4a3f1f9ddb7e5e34
SHA256

eabef49966f349f3f1eac229d2c1eb7b597e983fad06e1492bb134fbc6892292
SHA512

c24a9314ac9d2ea78e521aa294a02af31ccacb4a8f04b6c449be4e2c0dbc9e8879e65513beff7ecf2b4de317b5e8326a7913f2fa7c0478ffb8c6c943adf3e9b9
SSDEEP

98304:lNFazCM6aEsEByVLBfEn4A1hrTWplm2fVdvB2rwNeH6:l4n6a4UO4A1hQl5XBw6

Score

7^/10

discovery execution persistence

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
1116	javaplatformw.exe
3152	javaservice_platform.exe
4112	javaservicew.exe
5188	javaplugin_service.exe
5540	javaplugin_update.exe
4748	javaplatform_platform.exe
4808	javaplatformw.exe
3852	javaupdater.exe
536	javaupdater_update.exe
6088	javaplugin_platform.exe
4896	javasupport_service.exe
4976	javaservice.exe
4880	javasupport_update.exe
436	javapluginw.exe
3304	javaruntime.exe
2104	javapluginw.exe
4820	javaupdater_platform.exe
4144	javaplugin.exe
5036	javasupport.exe
5812	javaplatform.exe
3700	javaruntime_platform.exe
1168	javaupdater.exe
1640	javasupport_platform.exe
5596	javaplugin.exe
1836	javaplatform_platform.exe
2540	javaplugin_platform.exe
5224	javaplugin.exe
5936	javaruntime.exe
3752	javaplatform_platform.exe
4560	javaplatformw.exe
3516	javaupdaterw.exe
1380	javaruntime_update.exe
1644	javasupport_platform.exe
1432	javaruntime_service.exe
4476	javaplugin.exe
1940	javasupport.exe
1220	javaruntime_update.exe
1100	javaplugin.exe
1176	javaplugin_platform.exe
1160	javaupdater_service.exe
2904	javaupdater.exe
5992	javasupport_service.exe
3176	javaruntime_platform.exe
6032	javaruntime_platform.exe
3152	javasupport_update.exe
3640	javasupport.exe
448	javaplatformw.exe
4816	javapluginw.exe
5540	javaupdater_platform.exe
1184	javasupport_service.exe
4908	javaplugin_platform.exe
4676	javasupport.exe
4484	javaupdater_service.exe
4164	javaservice_service.exe
4960	javaplatform_update.exe
5068	javaplatform_platform.exe
5036	javaplatform_platform.exe
4480	javaplatform_update.exe
4268	javaruntimew.exe
1548	javaplugin_update.exe
5900	javaupdater_service.exe
2208	javaupdater_platform.exe
4448	javaplatform_service.exe
5872	javaupdater_service.exe

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Java Platform SE javasupport.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Oracle\\javasupport.exe\""	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Java Platform SE javaruntime_service.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Oracle\\javaruntime_service.exe\""	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Java Platform SE javaupdaterw.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Oracle\\javaupdaterw.exe\""	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Java Platform SE javasupport_update.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Oracle\\javasupport_update.exe\""	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Java Platform SE javaplugin_platform.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Oracle\\javaplugin_platform.exe\""	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Java Platform SE javaplatform.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Oracle\\javaplatform.exe\""	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Java Platform SE javaruntime_platform.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Oracle\\javaruntime_platform.exe\""	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Java Platform SE javaplatform_platform.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Oracle\\javaplatform_platform.exe\""	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Java Platform SE javaplugin_update.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Oracle\\javaplugin_update.exe\""	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Java Platform SE javaruntimew.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Oracle\\javaruntimew.exe\""	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 10 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
5080	powershell.exe
624	powershell.exe
3800	powershell.exe
5440	powershell.exe
4732	powershell.exe
4796	powershell.exe
4316	powershell.exe
3244	powershell.exe
5808	powershell.exe
3604	powershell.exe

Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Modifies registry key 1 TTPs 11 IoCs

Modify Registry

T1112

pid	Process
5900	reg.exe
5896	reg.exe
1344	reg.exe
4128	reg.exe
5368	reg.exe
3172	reg.exe
3976	reg.exe
1460	reg.exe
5128	reg.exe
5092	reg.exe
5128	reg.exe

Suspicious behavior: EnumeratesProcesses 27 IoCs

pid	Process
5808	powershell.exe
5808	powershell.exe
5808	powershell.exe
624	powershell.exe
624	powershell.exe
624	powershell.exe
3244	powershell.exe
3244	powershell.exe
3244	powershell.exe
4316	powershell.exe
4316	powershell.exe
4316	powershell.exe
5080	powershell.exe
5080	powershell.exe
5080	powershell.exe
4796	powershell.exe
4796	powershell.exe
4796	powershell.exe
4732	powershell.exe
4732	powershell.exe
4732	powershell.exe
5440	powershell.exe
5440	powershell.exe
5440	powershell.exe
3604	powershell.exe
3604	powershell.exe
3604	powershell.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeDebugPrivilege	5808	powershell.exe
Token: SeDebugPrivilege	624	powershell.exe
Token: SeDebugPrivilege	3244	powershell.exe
Token: SeDebugPrivilege	4316	powershell.exe
Token: SeDebugPrivilege	5080	powershell.exe
Token: SeDebugPrivilege	4796	powershell.exe
Token: SeDebugPrivilege	4732	powershell.exe
Token: SeDebugPrivilege	5440	powershell.exe
Token: SeDebugPrivilege	3604	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5416 wrote to memory of 1116	5416	2025-03-31_0fa360268379593d3e9eacc15ee2c91a_frostygoop_ghostlocker_knight_luca-stealer_poet-rat_sliver_snatch.exe	228
PID 5416 wrote to memory of 1116	5416	2025-03-31_0fa360268379593d3e9eacc15ee2c91a_frostygoop_ghostlocker_knight_luca-stealer_poet-rat_sliver_snatch.exe	228
PID 1116 wrote to memory of 3152	1116	javaplatformw.exe	139
PID 1116 wrote to memory of 3152	1116	javaplatformw.exe	139
PID 3152 wrote to memory of 4112	3152	javaservice_platform.exe	186
PID 3152 wrote to memory of 4112	3152	javaservice_platform.exe	186
PID 4112 wrote to memory of 5188	4112	javaservicew.exe	352
PID 4112 wrote to memory of 5188	4112	javaservicew.exe	352
PID 5188 wrote to memory of 5540	5188	javaplugin_service.exe	143
PID 5188 wrote to memory of 5540	5188	javaplugin_service.exe	143
PID 5540 wrote to memory of 4748	5540	javaplugin_update.exe	94
PID 5540 wrote to memory of 4748	5540	javaplugin_update.exe	94
PID 4748 wrote to memory of 4808	4748	javaplatform_platform.exe	95
PID 4748 wrote to memory of 4808	4748	javaplatform_platform.exe	95
PID 4808 wrote to memory of 3852	4808	javaplatformw.exe	192
PID 4808 wrote to memory of 3852	4808	javaplatformw.exe	192
PID 3852 wrote to memory of 536	3852	javaupdater.exe	97
PID 3852 wrote to memory of 536	3852	javaupdater.exe	97
PID 536 wrote to memory of 6088	536	javaupdater_update.exe	98
PID 536 wrote to memory of 6088	536	javaupdater_update.exe	98
PID 6088 wrote to memory of 4896	6088	javaplugin_platform.exe	99
PID 6088 wrote to memory of 4896	6088	javaplugin_platform.exe	99
PID 4896 wrote to memory of 4976	4896	javasupport_service.exe	100
PID 4896 wrote to memory of 4976	4896	javasupport_service.exe	100
PID 4976 wrote to memory of 4880	4976	javaservice.exe	101
PID 4976 wrote to memory of 4880	4976	javaservice.exe	101
PID 4880 wrote to memory of 436	4880	javasupport_update.exe	102
PID 4880 wrote to memory of 436	4880	javasupport_update.exe	102
PID 436 wrote to memory of 3304	436	javapluginw.exe	103
PID 436 wrote to memory of 3304	436	javapluginw.exe	103
PID 3304 wrote to memory of 2104	3304	javaruntime.exe	104
PID 3304 wrote to memory of 2104	3304	javaruntime.exe	104
PID 2104 wrote to memory of 4820	2104	javapluginw.exe	105
PID 2104 wrote to memory of 4820	2104	javapluginw.exe	105
PID 4820 wrote to memory of 4144	4820	javaupdater_platform.exe	106
PID 4820 wrote to memory of 4144	4820	javaupdater_platform.exe	106
PID 4144 wrote to memory of 5036	4144	javaplugin.exe	107
PID 4144 wrote to memory of 5036	4144	javaplugin.exe	107
PID 5036 wrote to memory of 5812	5036	javasupport.exe	108
PID 5036 wrote to memory of 5812	5036	javasupport.exe	108
PID 5812 wrote to memory of 3700	5812	javaplatform.exe	109
PID 5812 wrote to memory of 3700	5812	javaplatform.exe	109
PID 3700 wrote to memory of 1168	3700	javaruntime_platform.exe	110
PID 3700 wrote to memory of 1168	3700	javaruntime_platform.exe	110
PID 1168 wrote to memory of 1640	1168	javaupdater.exe	111
PID 1168 wrote to memory of 1640	1168	javaupdater.exe	111
PID 1640 wrote to memory of 5596	1640	javasupport_platform.exe	112
PID 1640 wrote to memory of 5596	1640	javasupport_platform.exe	112
PID 5596 wrote to memory of 1836	5596	javaplugin.exe	113
PID 5596 wrote to memory of 1836	5596	javaplugin.exe	113
PID 1836 wrote to memory of 2540	1836	javaplatform_platform.exe	114
PID 1836 wrote to memory of 2540	1836	javaplatform_platform.exe	114
PID 2540 wrote to memory of 5224	2540	javaplugin_platform.exe	115
PID 2540 wrote to memory of 5224	2540	javaplugin_platform.exe	115
PID 5224 wrote to memory of 5936	5224	javaplugin.exe	116
PID 5224 wrote to memory of 5936	5224	javaplugin.exe	116
PID 5936 wrote to memory of 3752	5936	javaruntime.exe	117
PID 5936 wrote to memory of 3752	5936	javaruntime.exe	117
PID 3752 wrote to memory of 4560	3752	javaplatform_platform.exe	118
PID 3752 wrote to memory of 4560	3752	javaplatform_platform.exe	118
PID 4560 wrote to memory of 3516	4560	javaplatformw.exe	119
PID 4560 wrote to memory of 3516	4560	javaplatformw.exe	119
PID 3516 wrote to memory of 1380	3516	javaupdaterw.exe	120
PID 3516 wrote to memory of 1380	3516	javaupdaterw.exe	120

C:\Users\Admin\AppData\Local\Temp\2025-03-31_0fa360268379593d3e9eacc15ee2c91a_frostygoop_ghostlocker_knight_luca-stealer_poet-rat_sliver_snatch.exe
"C:\Users\Admin\AppData\Local\Temp\2025-03-31_0fa360268379593d3e9eacc15ee2c91a_frostygoop_ghostlocker_knight_luca-stealer_poet-rat_sliver_snatch.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5416
- C:\Users\Admin\AppData\Roaming\Oracle\javaplatformw.exe
  C:\Users\Admin\AppData\Roaming\Oracle\javaplatformw.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1116
- - C:\Users\Admin\AppData\Roaming\Oracle\javaservice_platform.exe
    C:\Users\Admin\AppData\Roaming\Oracle\javaservice_platform.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3152
  - - C:\Users\Admin\AppData\Roaming\Oracle\javaservicew.exe
      C:\Users\Admin\AppData\Roaming\Oracle\javaservicew.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4112
    - - C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_service.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5188
      - C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_update.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5540
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_platform.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4748
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatformw.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatformw.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4808
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3852
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_update.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:536
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_platform.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:6088
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_service.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4896
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4976
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_update.exe
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4880
        
        C:\Users\Admin\AppData\Roaming\Oracle\javapluginw.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javapluginw.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:436
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3304
        
        C:\Users\Admin\AppData\Roaming\Oracle\javapluginw.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javapluginw.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2104
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_platform.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4820
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4144
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5036
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5812
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_platform.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3700
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater.exe
        23⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1168
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_platform.exe
        24⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1640
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin.exe
        25⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5596
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_platform.exe
        26⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1836
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_platform.exe
        27⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2540
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin.exe
        28⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5224
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime.exe
        29⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5936
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_platform.exe
        30⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3752
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatformw.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatformw.exe
        31⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4560
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdaterw.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdaterw.exe
        32⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3516
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_update.exe
        33⤵
        Executes dropped EXE
        
        PID:1380
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_platform.exe
        34⤵
        Executes dropped EXE
        
        PID:1644
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_service.exe
        35⤵
        Executes dropped EXE
        
        PID:1432
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin.exe
        36⤵
        Executes dropped EXE
        
        PID:4476
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport.exe
        37⤵
        Executes dropped EXE
        
        PID:1940
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_update.exe
        38⤵
        Executes dropped EXE
        
        PID:1220
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin.exe
        39⤵
        Executes dropped EXE
        
        PID:1100
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_platform.exe
        40⤵
        Executes dropped EXE
        
        PID:1176
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_service.exe
        41⤵
        Executes dropped EXE
        
        PID:1160
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater.exe
        42⤵
        Executes dropped EXE
        
        PID:2904
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_service.exe
        43⤵
        Executes dropped EXE
        
        PID:5992
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_platform.exe
        44⤵
        Executes dropped EXE
        
        PID:3176
        
        C:\Windows\system32\reg.exe
        
        reg query HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Java Platform SE javaruntime_platform.exe"
        45⤵
        Modifies registry key
        
        PID:5128
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-ItemProperty -Path \"HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\" -Name \"Java Platform SE javaruntime_platform.exe\" -Value '\"C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_platform.exe\"'"
        45⤵
        Adds Run key to start application
        Command and Scripting Interpreter: PowerShell
        
        PID:3800
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        46⤵
        
        PID:4712

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_platform.exe"
1⤵
PID:3768
- C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_platform.exe
  C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_platform.exe
  2⤵
  - Executes dropped EXE
  PID:6032
- - C:\Users\Admin\AppData\Roaming\Oracle\javasupport_update.exe
    C:\Users\Admin\AppData\Roaming\Oracle\javasupport_update.exe
    3⤵
    - Executes dropped EXE
    PID:3152
  - - C:\Users\Admin\AppData\Roaming\Oracle\javasupport.exe
      C:\Users\Admin\AppData\Roaming\Oracle\javasupport.exe
      4⤵
      Executes dropped EXE
      PID:3640
    - - C:\Users\Admin\AppData\Roaming\Oracle\javaplatformw.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatformw.exe
        5⤵
        Executes dropped EXE
        
        PID:448
      - C:\Users\Admin\AppData\Roaming\Oracle\javapluginw.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javapluginw.exe
        6⤵
        Executes dropped EXE
        
        PID:4816
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_platform.exe
        7⤵
        Executes dropped EXE
        
        PID:5540
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_service.exe
        8⤵
        Executes dropped EXE
        
        PID:1184
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_platform.exe
        9⤵
        Executes dropped EXE
        
        PID:4908
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport.exe
        10⤵
        Executes dropped EXE
        
        PID:4676
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_service.exe
        11⤵
        Executes dropped EXE
        
        PID:4484
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_service.exe
        12⤵
        Executes dropped EXE
        
        PID:4164
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_update.exe
        13⤵
        Executes dropped EXE
        
        PID:4960
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_platform.exe
        14⤵
        Executes dropped EXE
        
        PID:5068
        
        C:\Windows\system32\reg.exe
        
        reg query HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Java Platform SE javaplatform_platform.exe"
        15⤵
        Modifies registry key
        
        PID:5092
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-ItemProperty -Path \"HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\" -Name \"Java Platform SE javaplatform_platform.exe\" -Value '\"C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_platform.exe\"'"
        15⤵
        Adds Run key to start application
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5808

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_platform.exe"
1⤵
PID:2108
- C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_platform.exe
  C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_platform.exe
  2⤵
  - Executes dropped EXE
  PID:5036
- - C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_update.exe
    C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_update.exe
    3⤵
    - Executes dropped EXE
    PID:4480
  - - C:\Users\Admin\AppData\Roaming\Oracle\javaruntimew.exe
      C:\Users\Admin\AppData\Roaming\Oracle\javaruntimew.exe
      4⤵
      Executes dropped EXE
      PID:4268
    - - C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_update.exe
        5⤵
        Executes dropped EXE
        
        PID:1548
      - C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_service.exe
        6⤵
        Executes dropped EXE
        
        PID:5900
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_platform.exe
        7⤵
        Executes dropped EXE
        
        PID:2208
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_service.exe
        8⤵
        Executes dropped EXE
        
        PID:4448
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_service.exe
        9⤵
        Executes dropped EXE
        
        PID:5872
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_service.exe
        10⤵
        
        PID:2028
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport.exe
        11⤵
        
        PID:1384
        
        C:\Windows\system32\reg.exe
        
        reg query HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Java Platform SE javasupport.exe"
        12⤵
        Modifies registry key
        
        PID:1344
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-ItemProperty -Path \"HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\" -Name \"Java Platform SE javasupport.exe\" -Value '\"C:\Users\Admin\AppData\Roaming\Oracle\javasupport.exe\"'"
        12⤵
        Adds Run key to start application
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:624

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\Oracle\javasupport.exe"
1⤵
PID:4236
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3256
- C:\Users\Admin\AppData\Roaming\Oracle\javasupport.exe
  C:\Users\Admin\AppData\Roaming\Oracle\javasupport.exe
  2⤵
  PID:2004
- - C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_service.exe
    C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_service.exe
    3⤵
    PID:2672
  - - C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_update.exe
      C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_update.exe
      4⤵
      PID:5624
    - - C:\Users\Admin\AppData\Roaming\Oracle\javasupportw.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupportw.exe
        5⤵
        
        PID:3612
      - C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_platform.exe
        6⤵
        
        PID:3324
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_service.exe
        7⤵
        
        PID:5816
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_platform.exe
        8⤵
        
        PID:6112
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_update.exe
        9⤵
        
        PID:6120
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservicew.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservicew.exe
        10⤵
        
        PID:2936
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_platform.exe
        11⤵
        
        PID:5416
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_update.exe
        12⤵
        
        PID:1852
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_service.exe
        13⤵
        
        PID:3032
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_service.exe
        14⤵
        
        PID:5500
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_update.exe
        15⤵
        
        PID:4112
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_service.exe
        16⤵
        
        PID:1280
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_service.exe
        17⤵
        
        PID:3236
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_update.exe
        18⤵
        
        PID:6044
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_platform.exe
        19⤵
        
        PID:4740
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_service.exe
        20⤵
        
        PID:936
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatformw.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatformw.exe
        21⤵
        
        PID:3852
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform.exe
        22⤵
        
        PID:1764
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_platform.exe
        23⤵
        
        PID:5520
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice.exe
        24⤵
        
        PID:4964
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_platform.exe
        25⤵
        
        PID:436
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_update.exe
        26⤵
        
        PID:5580
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_platform.exe
        27⤵
        
        PID:3696
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater.exe
        28⤵
        
        PID:2948
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_service.exe
        29⤵
        
        PID:3084
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservicew.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservicew.exe
        30⤵
        
        PID:4388
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_platform.exe
        31⤵
        
        PID:1500
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_service.exe
        32⤵
        
        PID:1168
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_update.exe
        33⤵
        
        PID:5576
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_update.exe
        34⤵
        
        PID:4120
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_update.exe
        35⤵
        
        PID:4732
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin.exe
        36⤵
        
        PID:3760
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatformw.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatformw.exe
        37⤵
        
        PID:5584
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdaterw.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdaterw.exe
        38⤵
        
        PID:5232
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice.exe
        39⤵
        
        PID:1512
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservicew.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservicew.exe
        40⤵
        
        PID:1492
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_platform.exe
        41⤵
        
        PID:4140
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_service.exe
        42⤵
        
        PID:5632
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_update.exe
        43⤵
        
        PID:1220
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_service.exe
        44⤵
        
        PID:408
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_platform.exe
        45⤵
        
        PID:1644
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_service.exe
        46⤵
        
        PID:4508
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater.exe
        47⤵
        
        PID:1048
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_service.exe
        48⤵
        
        PID:3316
        
        C:\Windows\system32\reg.exe
        
        reg query HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Java Platform SE javaruntime_service.exe"
        49⤵
        Modifies registry key
        
        PID:5128
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        50⤵
        
        PID:4752
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-ItemProperty -Path \"HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\" -Name \"Java Platform SE javaruntime_service.exe\" -Value '\"C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_service.exe\"'"
        49⤵
        Adds Run key to start application
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3244

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_service.exe"
1⤵
PID:4504
- C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_service.exe
  C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_service.exe
  2⤵
  PID:4792
- - C:\Users\Admin\AppData\Roaming\Oracle\javaservice_platform.exe
    C:\Users\Admin\AppData\Roaming\Oracle\javaservice_platform.exe
    3⤵
    PID:5992
  - - C:\Users\Admin\AppData\Roaming\Oracle\javaplatformw.exe
      C:\Users\Admin\AppData\Roaming\Oracle\javaplatformw.exe
      4⤵
      PID:1116
    - - C:\Users\Admin\AppData\Roaming\Oracle\javaplatform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform.exe
        5⤵
        
        PID:6140
      - C:\Users\Admin\AppData\Roaming\Oracle\javaruntimew.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntimew.exe
        6⤵
        
        PID:4344
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_platform.exe
        7⤵
        
        PID:1628
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_update.exe
        8⤵
        
        PID:4352
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice.exe
        9⤵
        
        PID:244
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater.exe
        10⤵
        
        PID:5708
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_platform.exe
        11⤵
        
        PID:3152
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntimew.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntimew.exe
        12⤵
        
        PID:1388
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_service.exe
        13⤵
        
        PID:4804
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_platform.exe
        14⤵
        
        PID:5004
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport.exe
        15⤵
        
        PID:1936
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdaterw.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdaterw.exe
        16⤵
        
        PID:5792
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin.exe
        17⤵
        
        PID:4684
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_update.exe
        18⤵
        
        PID:1212
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_service.exe
        19⤵
        
        PID:5900
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport.exe
        20⤵
        
        PID:5788
        
        C:\Users\Admin\AppData\Roaming\Oracle\javapluginw.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javapluginw.exe
        21⤵
        
        PID:5920
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntimew.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntimew.exe
        22⤵
        
        PID:5268
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_service.exe
        23⤵
        
        PID:6008
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_service.exe
        24⤵
        
        PID:5332
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_service.exe
        25⤵
        
        PID:3304
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdaterw.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdaterw.exe
        26⤵
        
        PID:4128
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntimew.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntimew.exe
        27⤵
        
        PID:1436
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport.exe
        28⤵
        
        PID:1528
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_service.exe
        29⤵
        
        PID:2668
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_service.exe
        30⤵
        
        PID:5440
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_service.exe
        31⤵
        
        PID:5436
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_service.exe
        32⤵
        
        PID:2208
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_update.exe
        33⤵
        
        PID:5936
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_platform.exe
        34⤵
        
        PID:5952
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservicew.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservicew.exe
        35⤵
        
        PID:1944
        
        C:\Users\Admin\AppData\Roaming\Oracle\javapluginw.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javapluginw.exe
        36⤵
        
        PID:3508
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdaterw.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdaterw.exe
        37⤵
        
        PID:4752
        
        C:\Windows\system32\reg.exe
        
        reg query HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Java Platform SE javaupdaterw.exe"
        38⤵
        Modifies registry key
        
        PID:1460
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-ItemProperty -Path \"HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\" -Name \"Java Platform SE javaupdaterw.exe\" -Value '\"C:\Users\Admin\AppData\Roaming\Oracle\javaupdaterw.exe\"'"
        38⤵
        Adds Run key to start application
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4316
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        39⤵
        
        PID:2764

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\Oracle\javaupdaterw.exe"
1⤵
PID:4816
- C:\Users\Admin\AppData\Roaming\Oracle\javaupdaterw.exe
  C:\Users\Admin\AppData\Roaming\Oracle\javaupdaterw.exe
  2⤵
  PID:4524
- - C:\Users\Admin\AppData\Roaming\Oracle\javapluginw.exe
    C:\Users\Admin\AppData\Roaming\Oracle\javapluginw.exe
    3⤵
    PID:2356
  - - C:\Users\Admin\AppData\Roaming\Oracle\javaruntimew.exe
      C:\Users\Admin\AppData\Roaming\Oracle\javaruntimew.exe
      4⤵
      PID:5480
    - - C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_update.exe
        5⤵
        
        PID:4800
      - C:\Users\Admin\AppData\Roaming\Oracle\javaplugin.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin.exe
        6⤵
        
        PID:4504
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_service.exe
        7⤵
        
        PID:936
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform.exe
        8⤵
        
        PID:4664
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_platform.exe
        9⤵
        
        PID:2960
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_update.exe
        10⤵
        
        PID:2700
        
        C:\Users\Admin\AppData\Roaming\Oracle\javapluginw.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javapluginw.exe
        11⤵
        
        PID:4964
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_platform.exe
        12⤵
        
        PID:1280
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_platform.exe
        13⤵
        
        PID:4632
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntimew.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntimew.exe
        14⤵
        
        PID:5300
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_service.exe
        15⤵
        
        PID:5808
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_update.exe
        16⤵
        
        PID:3576
        
        C:\Users\Admin\AppData\Roaming\Oracle\javapluginw.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javapluginw.exe
        17⤵
        
        PID:4300
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_service.exe
        18⤵
        
        PID:3068
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_service.exe
        19⤵
        
        PID:3944
        
        C:\Users\Admin\AppData\Roaming\Oracle\javapluginw.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javapluginw.exe
        20⤵
        
        PID:448
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform.exe
        21⤵
        
        PID:3792
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_update.exe
        22⤵
        
        PID:5872
        
        C:\Windows\system32\reg.exe
        
        reg query HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Java Platform SE javasupport_update.exe"
        23⤵
        Modifies registry key
        
        PID:3976
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-ItemProperty -Path \"HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\" -Name \"Java Platform SE javasupport_update.exe\" -Value '\"C:\Users\Admin\AppData\Roaming\Oracle\javasupport_update.exe\"'"
        23⤵
        Adds Run key to start application
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5080

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\Oracle\javasupport_update.exe"
1⤵
PID:1492
- C:\Users\Admin\AppData\Roaming\Oracle\javasupport_update.exe
  C:\Users\Admin\AppData\Roaming\Oracle\javasupport_update.exe
  2⤵
  PID:3372
- - C:\Users\Admin\AppData\Roaming\Oracle\javaupdaterw.exe
    C:\Users\Admin\AppData\Roaming\Oracle\javaupdaterw.exe
    3⤵
    PID:5440
  - - C:\Users\Admin\AppData\Roaming\Oracle\javaruntimew.exe
      C:\Users\Admin\AppData\Roaming\Oracle\javaruntimew.exe
      4⤵
      PID:4120
    - - C:\Users\Admin\AppData\Roaming\Oracle\javaservicew.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservicew.exe
        5⤵
        
        PID:2208
      - C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_update.exe
        6⤵
        
        PID:5936
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice.exe
        7⤵
        
        PID:5952
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_update.exe
        8⤵
        
        PID:4568
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_platform.exe
        9⤵
        
        PID:884
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_service.exe
        10⤵
        
        PID:4636
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_platform.exe
        11⤵
        
        PID:3612
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupportw.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupportw.exe
        12⤵
        
        PID:3932
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_platform.exe
        13⤵
        
        PID:4476
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdaterw.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdaterw.exe
        14⤵
        
        PID:2764
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_update.exe
        15⤵
        
        PID:4380
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdaterw.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdaterw.exe
        16⤵
        
        PID:4776
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater.exe
        17⤵
        
        PID:5416
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_update.exe
        18⤵
        
        PID:4800
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_service.exe
        19⤵
        
        PID:744
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform.exe
        20⤵
        
        PID:1296
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_update.exe
        21⤵
        
        PID:4572
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupportw.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupportw.exe
        22⤵
        
        PID:436
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater.exe
        23⤵
        
        PID:1636
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_update.exe
        24⤵
        
        PID:1116
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_service.exe
        25⤵
        
        PID:4652
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice.exe
        26⤵
        
        PID:5212
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_platform.exe
        27⤵
        
        PID:5308
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_platform.exe
        28⤵
        
        PID:4388
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_platform.exe
        29⤵
        
        PID:4708
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_service.exe
        30⤵
        
        PID:3748
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice.exe
        31⤵
        
        PID:1680
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatformw.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatformw.exe
        32⤵
        
        PID:4492
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_update.exe
        33⤵
        
        PID:4732
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupportw.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupportw.exe
        34⤵
        
        PID:2352
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdaterw.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdaterw.exe
        35⤵
        
        PID:840
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin.exe
        36⤵
        
        PID:5036
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_update.exe
        37⤵
        
        PID:2008
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_platform.exe
        38⤵
        
        PID:4256
        
        C:\Windows\system32\reg.exe
        
        reg query HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Java Platform SE javaplugin_platform.exe"
        39⤵
        Modifies registry key
        
        PID:3172
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        40⤵
        
        PID:4948
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-ItemProperty -Path \"HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\" -Name \"Java Platform SE javaplugin_platform.exe\" -Value '\"C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_platform.exe\"'"
        39⤵
        Adds Run key to start application
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4796

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_platform.exe"
1⤵
PID:4928
- C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_platform.exe
  C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_platform.exe
  2⤵
  PID:1344
- - C:\Users\Admin\AppData\Roaming\Oracle\javaplugin.exe
    C:\Users\Admin\AppData\Roaming\Oracle\javaplugin.exe
    3⤵
    PID:3508
  - - C:\Users\Admin\AppData\Roaming\Oracle\javaservice.exe
      C:\Users\Admin\AppData\Roaming\Oracle\javaservice.exe
      4⤵
      PID:2156
    - - C:\Users\Admin\AppData\Roaming\Oracle\javaupdater.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater.exe
        5⤵
        
        PID:4568
      - C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_platform.exe
        6⤵
        
        PID:6120
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservicew.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservicew.exe
        7⤵
        
        PID:408
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime.exe
        8⤵
        
        PID:1432
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntimew.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntimew.exe
        9⤵
        
        PID:5648
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_service.exe
        10⤵
        
        PID:3920
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupportw.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupportw.exe
        11⤵
        
        PID:5096
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_service.exe
        12⤵
        
        PID:3256
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservicew.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservicew.exe
        13⤵
        
        PID:4612
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_service.exe
        14⤵
        
        PID:1708
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin.exe
        15⤵
        
        PID:6028
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupportw.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupportw.exe
        16⤵
        
        PID:5188
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntimew.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntimew.exe
        17⤵
        
        PID:5944
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_platform.exe
        18⤵
        
        PID:4984
        
        C:\Users\Admin\AppData\Roaming\Oracle\javapluginw.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javapluginw.exe
        19⤵
        
        PID:4104
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_platform.exe
        20⤵
        
        PID:4680
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_service.exe
        21⤵
        
        PID:5608
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_platform.exe
        22⤵
        
        PID:3852
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_update.exe
        23⤵
        
        PID:1204
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_update.exe
        24⤵
        
        PID:3056
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_update.exe
        25⤵
        
        PID:4692
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_update.exe
        26⤵
        
        PID:5324
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice.exe
        27⤵
        
        PID:4372
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_update.exe
        28⤵
        
        PID:3788
        
        C:\Windows\system32\reg.exe
        
        reg query HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Java Platform SE javaplugin_update.exe"
        29⤵
        Modifies registry key
        
        PID:5368
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-ItemProperty -Path \"HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\" -Name \"Java Platform SE javaplugin_update.exe\" -Value '\"C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_update.exe\"'"
        29⤵
        Adds Run key to start application
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_update.exe"
1⤵
PID:4480
- C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_update.exe
  C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_update.exe
  2⤵
  PID:3492
- - C:\Users\Admin\AppData\Roaming\Oracle\javaplugin.exe
    C:\Users\Admin\AppData\Roaming\Oracle\javaplugin.exe
    3⤵
    PID:4300
  - - C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_service.exe
      C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_service.exe
      4⤵
      PID:5224
    - - C:\Users\Admin\AppData\Roaming\Oracle\javaservicew.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservicew.exe
        5⤵
        
        PID:5056
      - C:\Users\Admin\AppData\Roaming\Oracle\javasupport_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_platform.exe
        6⤵
        
        PID:3908
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice.exe
        7⤵
        
        PID:1048
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_update.exe
        8⤵
        
        PID:4252
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_platform.exe
        9⤵
        
        PID:3568
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_update.exe
        10⤵
        
        PID:4996
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_platform.exe
        11⤵
        
        PID:1100
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservicew.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservicew.exe
        12⤵
        
        PID:4536
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice.exe
        13⤵
        
        PID:1436
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupportw.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupportw.exe
        14⤵
        
        PID:5664
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_platform.exe
        15⤵
        
        PID:4676
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupportw.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupportw.exe
        16⤵
        
        PID:4628
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservicew.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservicew.exe
        17⤵
        
        PID:4776
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_update.exe
        18⤵
        
        PID:2356
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_update.exe
        19⤵
        
        PID:5768
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_platform.exe
        20⤵
        
        PID:764
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupportw.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupportw.exe
        21⤵
        
        PID:744
        
        C:\Users\Admin\AppData\Roaming\Oracle\javapluginw.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javapluginw.exe
        22⤵
        
        PID:4768
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_platform.exe
        23⤵
        
        PID:3932
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_platform.exe
        24⤵
        
        PID:4984
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_service.exe
        25⤵
        
        PID:1636
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_platform.exe
        26⤵
        
        PID:3472
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_platform.exe
        27⤵
        
        PID:4652
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin.exe
        28⤵
        
        PID:4404
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_update.exe
        29⤵
        
        PID:1204
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin.exe
        30⤵
        
        PID:3056
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdaterw.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdaterw.exe
        31⤵
        
        PID:1568
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin.exe
        32⤵
        
        PID:5324
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater.exe
        33⤵
        
        PID:5232
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_service.exe
        34⤵
        
        PID:4472
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice.exe
        35⤵
        
        PID:1696
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_update.exe
        36⤵
        
        PID:3768
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_service.exe
        37⤵
        
        PID:4952
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_service.exe
        38⤵
        
        PID:1184
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatformw.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatformw.exe
        39⤵
        
        PID:3292
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin.exe
        40⤵
        
        PID:2292
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice.exe
        41⤵
        
        PID:3324
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_update.exe
        42⤵
        
        PID:5588
        
        C:\Users\Admin\AppData\Roaming\Oracle\javapluginw.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javapluginw.exe
        43⤵
        
        PID:3300
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_update.exe
        44⤵
        
        PID:2932
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater.exe
        45⤵
        
        PID:1776
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_update.exe
        46⤵
        
        PID:984
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatformw.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatformw.exe
        47⤵
        
        PID:5708
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservicew.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservicew.exe
        48⤵
        
        PID:5272
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_update.exe
        49⤵
        
        PID:4928
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_update.exe
        50⤵
        
        PID:1432
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_update.exe
        51⤵
        
        PID:5108
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntimew.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntimew.exe
        52⤵
        
        PID:4524
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_update.exe
        53⤵
        
        PID:5544
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_service.exe
        54⤵
        
        PID:2068
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform.exe
        55⤵
        
        PID:1140
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_update.exe
        56⤵
        
        PID:1060
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_service.exe
        57⤵
        
        PID:2512
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupportw.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupportw.exe
        58⤵
        
        PID:1372
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_platform.exe
        59⤵
        
        PID:4712
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin.exe
        60⤵
        
        PID:640
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_platform.exe
        61⤵
        
        PID:5648
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater.exe
        62⤵
        
        PID:4772
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_update.exe
        63⤵
        
        PID:3236
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_platform.exe
        64⤵
        
        PID:5412
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupportw.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupportw.exe
        65⤵
        
        PID:4484
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatformw.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatformw.exe
        66⤵
        
        PID:4700
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform.exe
        67⤵
        
        PID:1640
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_service.exe
        68⤵
        
        PID:936
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatformw.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatformw.exe
        69⤵
        
        PID:5944
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime.exe
        70⤵
        
        PID:2700
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_update.exe
        71⤵
        
        PID:4564
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_platform.exe
        72⤵
        
        PID:4196
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_update.exe
        73⤵
        
        PID:5480
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_platform.exe
        74⤵
        
        PID:5308
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport.exe
        75⤵
        
        PID:4556
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_platform.exe
        76⤵
        
        PID:4084
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_service.exe
        77⤵
        
        PID:5256
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice.exe
        78⤵
        
        PID:2580
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_update.exe
        79⤵
        
        PID:5808
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_platform.exe
        80⤵
        
        PID:5936
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatformw.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatformw.exe
        81⤵
        
        PID:4480
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntimew.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntimew.exe
        82⤵
        
        PID:3568
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_platform.exe
        83⤵
        
        PID:912
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservicew.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservicew.exe
        84⤵
        
        PID:4336
        
        C:\Users\Admin\AppData\Roaming\Oracle\javapluginw.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javapluginw.exe
        85⤵
        
        PID:3244
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_platform.exe
        86⤵
        
        PID:3572
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice.exe
        87⤵
        
        PID:4704
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_platform.exe
        88⤵
        
        PID:5596
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_platform.exe
        89⤵
        
        PID:5488
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_platform.exe
        90⤵
        
        PID:5584
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupportw.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupportw.exe
        91⤵
        
        PID:2356
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_platform.exe
        92⤵
        
        PID:6112
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_service.exe
        93⤵
        
        PID:764
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater.exe
        94⤵
        
        PID:4636
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_update.exe
        95⤵
        
        PID:1116
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform.exe
        96⤵
        
        PID:3932
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_platform.exe
        97⤵
        
        PID:4416
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin.exe
        98⤵
        
        PID:4676
        
        C:\Users\Admin\AppData\Roaming\Oracle\javapluginw.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javapluginw.exe
        99⤵
        
        PID:2136
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform.exe
        100⤵
        
        PID:2936
        
        C:\Windows\system32\reg.exe
        
        reg query HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Java Platform SE javaplatform.exe"
        101⤵
        Modifies registry key
        
        PID:5896
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-ItemProperty -Path \"HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\" -Name \"Java Platform SE javaplatform.exe\" -Value '\"C:\Users\Admin\AppData\Roaming\Oracle\javaplatform.exe\"'"
        101⤵
        Adds Run key to start application
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5440

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\Oracle\javaplatform.exe"
1⤵
PID:4788
- C:\Users\Admin\AppData\Roaming\Oracle\javaplatform.exe
  C:\Users\Admin\AppData\Roaming\Oracle\javaplatform.exe
  2⤵
  PID:5324
- - C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_platform.exe
    C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_platform.exe
    3⤵
    PID:1660
  - - C:\Users\Admin\AppData\Roaming\Oracle\javaruntimew.exe
      C:\Users\Admin\AppData\Roaming\Oracle\javaruntimew.exe
      4⤵
      PID:1152
    - - C:\Users\Admin\AppData\Roaming\Oracle\javaservicew.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservicew.exe
        5⤵
        
        PID:2664
      - C:\Users\Admin\AppData\Roaming\Oracle\javasupport.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport.exe
        6⤵
        
        PID:4952
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_update.exe
        7⤵
        
        PID:3716
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice.exe
        8⤵
        
        PID:3292
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservicew.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservicew.exe
        9⤵
        
        PID:5604
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_service.exe
        10⤵
        
        PID:2624
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_service.exe
        11⤵
        
        PID:1476
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice.exe
        12⤵
        
        PID:3300
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservicew.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservicew.exe
        13⤵
        
        PID:4344
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater.exe
        14⤵
        
        PID:2972
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime.exe
        15⤵
        
        PID:5920
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_update.exe
        16⤵
        
        PID:4568
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_update.exe
        17⤵
        
        PID:4024
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport.exe
        18⤵
        
        PID:4300
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice.exe
        19⤵
        
        PID:2012
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntimew.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntimew.exe
        20⤵
        
        PID:428
        
        C:\Windows\system32\reg.exe
        
        reg query HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Java Platform SE javaruntimew.exe"
        21⤵
        Modifies registry key
        
        PID:4128
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-ItemProperty -Path \"HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\" -Name \"Java Platform SE javaruntimew.exe\" -Value '\"C:\Users\Admin\AppData\Roaming\Oracle\javaruntimew.exe\"'"
        21⤵
        Adds Run key to start application
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3604

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\Oracle\javaruntimew.exe"
1⤵
PID:4588
- C:\Users\Admin\AppData\Roaming\Oracle\javaruntimew.exe
  C:\Users\Admin\AppData\Roaming\Oracle\javaruntimew.exe
  2⤵
  PID:3800
- - C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_service.exe
    C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_service.exe
    3⤵
    PID:2904
  - - C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_update.exe
      C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_update.exe
      4⤵
      PID:4060
    - - C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_platform.exe
        5⤵
        
        PID:6080
      - C:\Users\Admin\AppData\Roaming\Oracle\javaplatform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform.exe
        6⤵
        
        PID:5100
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_service.exe
        7⤵
        
        PID:4524
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_service.exe
        8⤵
        
        PID:4528
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater.exe
        9⤵
        
        PID:4948
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_platform.exe
        10⤵
        
        PID:4388
        
        C:\Users\Admin\AppData\Roaming\Oracle\javapluginw.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javapluginw.exe
        11⤵
        
        PID:1888
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport.exe
        12⤵
        
        PID:5812
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservicew.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservicew.exe
        13⤵
        
        PID:4708
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater.exe
        14⤵
        
        PID:1548
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform.exe
        15⤵
        
        PID:4872
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_platform.exe
        16⤵
        
        PID:5300
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport.exe
        17⤵
        
        PID:3628
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_platform.exe
        18⤵
        
        PID:4804
        
        C:\Windows\system32\reg.exe
        
        reg query HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Java Platform SE javaruntime_platform.exe"
        19⤵
        Modifies registry key
        
        PID:5900

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:6044

C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe 54c0c569777ec265947930757979c076 a+Te8kg8D0qkb0oO5xjCvA.0.1.0.0.0
1⤵
PID:4380
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:764

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
PID:744

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
1⤵
PID:4524

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Network Service Discovery

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ros0e2pj.cdv.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Oracle\java_update.log

Filesize
347B

MD5
38fb02e53188b1fc859beb5e3905d1d3

SHA1
747a1adff9a26fdba6217ec3debcd474cb08d770

SHA256
853fc9562b063da878a69015353263f98383f16be5cf9e79a60453f9976aeb66

SHA512
e5dd8b7a30afd17c9f8b4935d1b3e0c27e7d8dc389d8e71e530faf549f518ff2f060d6a8f788ce20e57ecc491b2c7fac084945b8be7a198a8fb4058496675728

Download Submit
C:\Users\Admin\AppData\Roaming\Oracle\java_update.log

Filesize
697B

MD5
d49f81e561e855c9ef28c036a35f8c4e

SHA1
b90eedee6fdcd89e4b5cb82b67bd9dc3a1df21fd

SHA256
1dfd2a1f8dc682973388189b40220926887b2586c5aed5910820d2c8caf663a3

SHA512
13011fa52bf74cb19d53d538e7235af574407ec1b3e849d0214bf07f9db86617d940021e4d08d6765f27910eb34a211171851cddf5f76fef000e22065e97c846

Download Submit
C:\Users\Admin\AppData\Roaming\Oracle\java_update.log

Filesize
7KB

MD5
f1892bf10ce3672a631c3fcef9372c55

SHA1
777a3c3985f0ab5fc12d44c5cd078d52c654c899

SHA256
5ec834ac8739ae9b1d1ad4ad8b735264f0d13f9a071204c2258c8954f6f50ba7

SHA512
b73d10afa8980bb0b9dda4b41b2720a0fd3e1666dff9b2093fb24774ff0fc4b5a6595d0925db885b8521ae4e3d5be84ab9e2c0d60a3b6bbff992787b3b64adb6

Download Submit
C:\Users\Admin\AppData\Roaming\Oracle\java_update.log

Filesize
1KB

MD5
aacbc58e30073990fbc98e15b6474cd1

SHA1
8b177be6f01952312d88fc983ad9d96b1488a19f

SHA256
9e23bce4779e64b3cc9776776912d86fd8f570f8aad7e30d0558cf538bf02688

SHA512
b255607566f01d6966f75d89a0ef7a0829750b927c6182836150e9be4900eb8a5a4e762b7aba1f35cc749a0b03754c9d5c1bd228f05ba76b805fd63bfa3bce6e

Download Submit
C:\Users\Admin\AppData\Roaming\Oracle\java_update.log

Filesize
1KB

MD5
8cd006f5da5ba4da960edc58d614ca47

SHA1
45f2dd72e30157ef34f8ab65a5df85a2cfebad98

SHA256
46f32ce43becb3fb25828ac5a50e45fcad1ababcbd47db4468acd86f3d8a58bf

SHA512
39e95ca4f4e50a3a5c8fd002bf1bdc3a4bd07e47ce2d74222e634084587c5976db66d03eaab63b45aa9160a74f4516b3d5a777b680f0da65f95aefb835182cf8

Download Submit
C:\Users\Admin\AppData\Roaming\Oracle\java_update.log

Filesize
1KB

MD5
a30733fbe01ee5a6ebcb49028cc548bd

SHA1
f9800917f1b0b1606c7eae00be56e59fad0db873

SHA256
ddf336047db13072cebcc2a200489be9afba43e15063784a8e8ca749c2279234

SHA512
aeee075f796f9b9c036864cae8b49be84d6722f883d5a8825b94ad5ab1ab2a0c9c9dd648a1cc3053beeb61e80c158fdd2d304826d7b4ad3b6e4d6af25b6214bb

Download Submit
C:\Users\Admin\AppData\Roaming\Oracle\java_update.log

Filesize
1KB

MD5
840e7ae13daf36fc84e86221844568b6

SHA1
37dfb98e140d00ec42f8e7e9bdcaf55d6ee6b08c

SHA256
3cc76dd1025cf6fd808dad984bad902b9ac0f8c568fd2678ad3c687be2d8acae

SHA512
74a2aa3862c1bc4039cb3fdbbb15aa7100d3eb85154753df7ba5ab83932264ea39a45cbf02137999e296d417396095f0f67bde048c77f756c305446e3b5c53b3

Download Submit
C:\Users\Admin\AppData\Roaming\Oracle\java_update.log

Filesize
1KB

MD5
2af479ce37bd5c4cfd0c04c074edaf36

SHA1
39424f6678edc6064982d539f2fc2ec6084a8252

SHA256
52a452f914d166dab99f948706dc448d0b3345f36bf580d19b194e49bf706db1

SHA512
f0c01fc6d59e269982d6be362b67719b981de1a2939f0e9c2dff8fbe99dae911f2c7a690653b0af43e00de8b6affe13622cdc17986e34fc708ad42b9848ab497

Download Submit
C:\Users\Admin\AppData\Roaming\Oracle\java_update.log

Filesize
2KB

MD5
024b54263ac9d977f4a0299ec7f87d5e

SHA1
38ebbe57a1a92d52d7dec9dc718317f1a575e215

SHA256
2a426c9c540de155e5d376356dfcb040cf6e12cd669fb9a2a3619ad41e855740

SHA512
bc3e22e9d7b5e1d5a42193331daffc8ccf442928d82ea9438092a9fcc2eec5cee97ec456ead313b694a30973135035ee7929b0df2a889c2c465cce7938bf1514

Download Submit
C:\Users\Admin\AppData\Roaming\Oracle\java_update.log

Filesize
2KB

MD5
29cfb2cf5b0cdf2b39e07b9a104e6a1e

SHA1
5ca5cd3b06abbe26b42b45ff2f70e7faa5ed4f6c

SHA256
0983cbedbd1b3918a6f562e1b62710e64d928daaba763f4d9711d8db20f5bb0a

SHA512
f0276fb6844d163fa21d5f6b1c52cb98d82f35e67154cec17ce06e731daf31d9f4ca50492f75781edf4d25bf6f8d6e81044719a9b66c7d3ff78d0bc2512da275

Download Submit
C:\Users\Admin\AppData\Roaming\Oracle\java_update.log

Filesize
2KB

MD5
c36dec89fbbf5887c1d599612b2de000

SHA1
fa3d95c054d0fe120b9903218803778bd7c51924

SHA256
bd89271a5d90282808fb9603834a445003446fcb504318a0ae4290194db71979

SHA512
6879b15bb462167f04d424c10fdb651aa5b18247673e947ca812f3c853d352a7deeb952a05ac3c9c5240244aa826e3b9849afa8d72962f1aeabe05a76d813c3f

Download Submit
C:\Users\Admin\AppData\Roaming\Oracle\java_update.log

Filesize
2KB

MD5
da66e44785638aa5649108cd2be9d1bc

SHA1
0c8ab156038543aad7bfb2012b55f6d78e2ed0b4

SHA256
9847c35f21926310c62b65e569eb2f18430ef7f9353612b1613313fe794b2712

SHA512
7608037c09e772b38e558194f8220bca84c4fa713e9e7a8823d15d0f7356d6803bb0f1b7b100c592711300eec99358b3d354bafa29c2a1417da0546468e8ea12

Download Submit
C:\Users\Admin\AppData\Roaming\Oracle\java_update.log

Filesize
3KB

MD5
74936ba91d2a75fe4a1949aa28ef38e0

SHA1
5fda334a0ae462aca71f7a79e70b51e9a3700c3c

SHA256
17398a0deb4547c32abf4bf38cde657125460b992c402e420947916f78575bf8

SHA512
6bbe5b6f2d801a7943535486627a2120cba05edcd006d0231a27ffdeb025599019270f5c505c9dcaf75c7e2ce32131d46c43001295723cbb0c249dc080007861

Download Submit
C:\Users\Admin\AppData\Roaming\Oracle\java_update.log

Filesize
3KB

MD5
778a662bf8079ee1df137a2000c124cd

SHA1
a267bcfc1545fd2edbc5fcad1f45b5dc5a62ee95

SHA256
668de5db2e8b123f84f93ac6f2975389c4171d87c8bcf243f3a10684a649e9ff

SHA512
a92c71b1738d5d87320b57d06bc622d2cc277a207c87cd14ac9faf79074c5a94c5d361383dca4fd1cbd69d2a5e02f768fc73d8b898eb2640535d9d4e4affbc7a

Download Submit
C:\Users\Admin\AppData\Roaming\Oracle\javaplatformw.exe

Filesize
7.6MB

MD5
0fa360268379593d3e9eacc15ee2c91a

SHA1
39f01dd0329b2aa9488a1cbc4a3f1f9ddb7e5e34

SHA256
eabef49966f349f3f1eac229d2c1eb7b597e983fad06e1492bb134fbc6892292

SHA512
c24a9314ac9d2ea78e521aa294a02af31ccacb4a8f04b6c449be4e2c0dbc9e8879e65513beff7ecf2b4de317b5e8326a7913f2fa7c0478ffb8c6c943adf3e9b9

Download Submit
memory/448-209-0x0000000000E00000-0x00000000015E7000-memory.dmp

Filesize
7.9MB

Download
memory/536-48-0x0000000000E00000-0x00000000015E7000-memory.dmp

Filesize
7.9MB

Download
memory/1100-181-0x0000000000E00000-0x00000000015E7000-memory.dmp

Filesize
7.9MB

Download
memory/1116-9-0x0000000000E00000-0x00000000015E7000-memory.dmp

Filesize
7.9MB

Download
memory/1160-185-0x0000000000E00000-0x00000000015E7000-memory.dmp

Filesize
7.9MB

Download
memory/1168-115-0x0000000000E00000-0x00000000015E7000-memory.dmp

Filesize
7.9MB

Download
memory/1176-184-0x0000000000E00000-0x00000000015E7000-memory.dmp

Filesize
7.9MB

Download
memory/1184-216-0x0000000000E00000-0x00000000015E7000-memory.dmp

Filesize
7.9MB

Download
memory/1220-178-0x0000000000E00000-0x00000000015E7000-memory.dmp

Filesize
7.9MB

Download
memory/1380-163-0x0000000000E00000-0x00000000015E7000-memory.dmp

Filesize
7.9MB

Download
memory/1432-167-0x0000000000E00000-0x00000000015E7000-memory.dmp

Filesize
7.9MB

Download
memory/1548-260-0x0000000000E00000-0x00000000015E7000-memory.dmp

Filesize
7.9MB

Download
memory/1640-117-0x0000000000E00000-0x00000000015E7000-memory.dmp

Filesize
7.9MB

Download
memory/1644-166-0x0000000000E00000-0x00000000015E7000-memory.dmp

Filesize
7.9MB

Download
memory/1836-127-0x0000000000E00000-0x00000000015E7000-memory.dmp

Filesize
7.9MB

Download
memory/1940-175-0x0000000000E00000-0x00000000015E7000-memory.dmp

Filesize
7.9MB

Download
memory/2004-292-0x0000000000E00000-0x00000000015E7000-memory.dmp

Filesize
7.9MB

Download
memory/2028-273-0x0000000000E00000-0x00000000015E7000-memory.dmp

Filesize
7.9MB

Download
memory/2104-85-0x0000000000E00000-0x00000000015E7000-memory.dmp

Filesize
7.9MB

Download
memory/2208-266-0x0000000000E00000-0x00000000015E7000-memory.dmp

Filesize
7.9MB

Download
memory/2540-135-0x0000000000E00000-0x00000000015E7000-memory.dmp

Filesize
7.9MB

Download
memory/2672-295-0x0000000000E00000-0x00000000015E7000-memory.dmp

Filesize
7.9MB

Download
memory/2904-190-0x0000000000E00000-0x00000000015E7000-memory.dmp

Filesize
7.9MB

Download
memory/3152-14-0x0000000000E00000-0x00000000015E7000-memory.dmp

Filesize
7.9MB

Download
memory/3152-203-0x0000000000E00000-0x00000000015E7000-memory.dmp

Filesize
7.9MB

Download
memory/3304-80-0x0000000000E00000-0x00000000015E7000-memory.dmp

Filesize
7.9MB

Download
memory/3516-160-0x0000000000E00000-0x00000000015E7000-memory.dmp

Filesize
7.9MB

Download
memory/3640-204-0x0000000000E00000-0x00000000015E7000-memory.dmp

Filesize
7.9MB

Download
memory/3700-110-0x0000000000E00000-0x00000000015E7000-memory.dmp

Filesize
7.9MB

Download
memory/3752-147-0x0000000000E00000-0x00000000015E7000-memory.dmp

Filesize
7.9MB

Download
memory/3852-47-0x0000000000E00000-0x00000000015E7000-memory.dmp

Filesize
7.9MB

Download
memory/4112-19-0x0000000000E00000-0x00000000015E7000-memory.dmp

Filesize
7.9MB

Download
memory/4144-95-0x0000000000E00000-0x00000000015E7000-memory.dmp

Filesize
7.9MB

Download
memory/4164-230-0x0000000000E00000-0x00000000015E7000-memory.dmp

Filesize
7.9MB

Download
memory/4268-255-0x0000000000E00000-0x00000000015E7000-memory.dmp

Filesize
7.9MB

Download
memory/4448-267-0x0000000000E00000-0x00000000015E7000-memory.dmp

Filesize
7.9MB

Download
memory/4476-172-0x0000000000E00000-0x00000000015E7000-memory.dmp

Filesize
7.9MB

Download
memory/4480-254-0x0000000000E00000-0x00000000015E7000-memory.dmp

Filesize
7.9MB

Download
memory/4484-227-0x0000000000E00000-0x00000000015E7000-memory.dmp

Filesize
7.9MB

Download
memory/4560-155-0x0000000000E00000-0x00000000015E7000-memory.dmp

Filesize
7.9MB

Download
memory/4676-222-0x0000000000E00000-0x00000000015E7000-memory.dmp

Filesize
7.9MB

Download
memory/4748-34-0x0000000000E00000-0x00000000015E7000-memory.dmp

Filesize
7.9MB

Download
memory/4808-38-0x0000000000E00000-0x00000000015E7000-memory.dmp

Filesize
7.9MB

Download
memory/4816-210-0x0000000000E00000-0x00000000015E7000-memory.dmp

Filesize
7.9MB

Download
memory/4820-90-0x0000000000E00000-0x00000000015E7000-memory.dmp

Filesize
7.9MB

Download
memory/4880-71-0x0000000000E00000-0x00000000015E7000-memory.dmp

Filesize
7.9MB

Download
memory/4908-221-0x0000000000E00000-0x00000000015E7000-memory.dmp

Filesize
7.9MB

Download
memory/4960-231-0x0000000000E00000-0x00000000015E7000-memory.dmp

Filesize
7.9MB

Download
memory/4976-66-0x0000000000E00000-0x00000000015E7000-memory.dmp

Filesize
7.9MB

Download
memory/5036-100-0x0000000000E00000-0x00000000015E7000-memory.dmp

Filesize
7.9MB

Download
memory/5036-251-0x0000000000E00000-0x00000000015E7000-memory.dmp

Filesize
7.9MB

Download
memory/5188-24-0x0000000000E00000-0x00000000015E7000-memory.dmp

Filesize
7.9MB

Download
memory/5224-137-0x0000000000E00000-0x00000000015E7000-memory.dmp

Filesize
7.9MB

Download
memory/5540-215-0x0000000000E00000-0x00000000015E7000-memory.dmp

Filesize
7.9MB

Download
memory/5540-29-0x0000000000E00000-0x00000000015E7000-memory.dmp

Filesize
7.9MB

Download
memory/5596-125-0x0000000000E00000-0x00000000015E7000-memory.dmp

Filesize
7.9MB

Download
memory/5624-298-0x0000000000E00000-0x00000000015E7000-memory.dmp

Filesize
7.9MB

Download
memory/5808-242-0x0000025457A30000-0x0000025457A52000-memory.dmp

Filesize
136KB

Download
memory/5812-105-0x0000000000E00000-0x00000000015E7000-memory.dmp

Filesize
7.9MB

Download
memory/5872-272-0x0000000000E00000-0x00000000015E7000-memory.dmp

Filesize
7.9MB

Download
memory/5900-261-0x0000000000E00000-0x00000000015E7000-memory.dmp

Filesize
7.9MB

Download
memory/5936-145-0x0000000000E00000-0x00000000015E7000-memory.dmp

Filesize
7.9MB

Download
memory/5992-192-0x0000000000E00000-0x00000000015E7000-memory.dmp

Filesize
7.9MB

Download
memory/6032-200-0x0000000000E00000-0x00000000015E7000-memory.dmp

Filesize
7.9MB

Download
memory/6088-57-0x0000000000E00000-0x00000000015E7000-memory.dmp

Filesize
7.9MB

Download