cerber | f9ca19c8fa421287522b0606e25a97b0e6f9a6737d0021813da685a36d3151de

Analysis

max time kernel
134s
max time network
139s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
24-07-2024 15:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Badware Unban.zip
Size

32.7MB
MD5

1042c5c00030fdf20bc00f3912970ec3
SHA1

e383bd53a4736d05bd7aa2954c94294e9a36410f
SHA256

f9ca19c8fa421287522b0606e25a97b0e6f9a6737d0021813da685a36d3151de
SHA512

99a140cfc7fa2d84f437ba943a2e3fa936d42232eeb2984f28a6c1bdff2587b733367ec85b496064cbfcb8d84c37c81191ddd936356e629660d1fccb0eb01312
SSDEEP

786432:Cvn5q4e/trW377C0tsXkF9V8/KYwdGmKeBxaW2kdK7SUqXyBINW0:CvngVEIkHoKLdGmKeskA7SUqCQW0

Score

10^/10

cerber discovery ransomware

Malware Config

Signatures

Cerber 64 IoCs

Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.

ransomware cerber

description	ioc	pid	Process
		168	taskkill.exe
		4488	taskkill.exe
		1724	taskkill.exe
		4100	taskkill.exe
		3024	taskkill.exe
		4712	taskkill.exe
		3948	taskkill.exe
		368	taskkill.exe
		4056	taskkill.exe
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		AMIDEWINx64.EXE
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		AMIDEWINx64.EXE
		3708	taskkill.exe
		1372	taskkill.exe
		4864	taskkill.exe
		360	taskkill.exe
		2296	taskkill.exe
		4576	taskkill.exe
		4720	taskkill.exe
		1528	taskkill.exe
		5068	taskkill.exe
		5056	taskkill.exe
		524	taskkill.exe
		3880	taskkill.exe
		5104	taskkill.exe
		4420	taskkill.exe
		3892	taskkill.exe
		4068	taskkill.exe
		4872	taskkill.exe
		3872	taskkill.exe
		4868	taskkill.exe
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		AMIDEWINx64.EXE
		3540	taskkill.exe
		368	taskkill.exe
		2232	taskkill.exe
		3480	taskkill.exe
		4576	taskkill.exe
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		AMIDEWINx64.EXE
		4072	taskkill.exe
		2656	taskkill.exe
		3700	taskkill.exe
		3808	taskkill.exe
		3680	taskkill.exe
		2268	taskkill.exe
		2156	taskkill.exe
		1308	taskkill.exe
		3352	taskkill.exe
		3320	taskkill.exe
		1660	taskkill.exe
		2288	taskkill.exe
		4208	taskkill.exe
		4444	taskkill.exe
		2044	taskkill.exe
		2416	taskkill.exe
		4336	taskkill.exe
		1600	taskkill.exe
		316	taskkill.exe
		4064	taskkill.exe
		5076	taskkill.exe
		4692	taskkill.exe
		864	taskkill.exe
		200	taskkill.exe
		4612	taskkill.exe
		4864	taskkill.exe
		3476	taskkill.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Control Panel\International\Geo\Nation	cmd.exe

Executes dropped EXE 5 IoCs

pid	Process
4536	AMIDEWINx64.EXE
2232	AMIDEWINx64.EXE
1528	AMIDEWINx64.EXE
4800	AMIDEWINx64.EXE
4496	AMIDEWINx64.EXE

Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs

Web Service

T1102

flow	ioc
21	discord.com
22	discord.com
24	discord.com
25	discord.com
36	discord.com
20	discord.com

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
660	BadwareFreePermaUnban.exe
660	BadwareFreePermaUnban.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe
File created	C:\Windows\rescache\_merged\3720402701\1568373884.pri	MicrosoftEdge.exe
File created	C:\Windows\rescache\_merged\3720402701\1568373884.pri	MicrosoftEdgeCP.exe
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe
File created	C:\Windows\rescache\_merged\3720402701\1568373884.pri	MicrosoftEdge.exe
File created	C:\Windows\rescache\_merged\3720402701\1568373884.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\IME\amigendrv64.sys	BadwareFreePermaUnban.exe
File created	C:\Windows\rescache\_merged\3720402701\1568373884.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\IME\AMIDEWINx64.EXE	BadwareFreePermaUnban.exe
File created	C:\Windows\IME\amifldrv64.sys	BadwareFreePermaUnban.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 3 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1752	cmd.exe
3996	cmd.exe
208	cmd.exe

Kills process with taskkill 64 IoCs

evasion

pid	Process
3984	taskkill.exe
3872	taskkill.exe
3540	taskkill.exe
2296	taskkill.exe
864	taskkill.exe
4444	taskkill.exe
524	taskkill.exe
2288	taskkill.exe
1372	taskkill.exe
2268	taskkill.exe
2044	taskkill.exe
4208	taskkill.exe
2232	taskkill.exe
4336	taskkill.exe
3024	taskkill.exe
2656	taskkill.exe
1308	taskkill.exe
5104	taskkill.exe
4072	taskkill.exe
4740	taskkill.exe
3708	taskkill.exe
3808	taskkill.exe
168	taskkill.exe
5076	taskkill.exe
368	taskkill.exe
3320	taskkill.exe
4864	taskkill.exe
1528	taskkill.exe
4576	taskkill.exe
4952	taskkill.exe
360	taskkill.exe
3352	taskkill.exe
4692	taskkill.exe
316	taskkill.exe
3680	taskkill.exe
4488	taskkill.exe
4576	taskkill.exe
3476	taskkill.exe
4864	taskkill.exe
4720	taskkill.exe
2544	taskkill.exe
4612	taskkill.exe
5056	taskkill.exe
4100	taskkill.exe
3700	taskkill.exe
3480	taskkill.exe
4712	taskkill.exe
1724	taskkill.exe
3892	taskkill.exe
4056	taskkill.exe
5068	taskkill.exe
3880	taskkill.exe
4872	taskkill.exe
368	taskkill.exe
1600	taskkill.exe
2416	taskkill.exe
4068	taskkill.exe
5064	taskkill.exe
200	taskkill.exe
2156	taskkill.exe
3948	taskkill.exe
4420	taskkill.exe
4064	taskkill.exe
4868	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modif = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\SyncIEFirstTimeFullScan = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionLow = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ServiceUI	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = a5060050e2ddda01	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VersionLow = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\DXFeatureLevel = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListDOSTime = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\discord.com\Total = "0"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DomStorageState\EdpState = "0"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Privacy\InProgressFlags = "262144"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionHigh = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\discord.com	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\Total	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\LowMic	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionLow = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Explorer\Main\OperationalData = "1"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\ReadingStorePending = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionLow = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\discord.com	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ServiceUI\IsSignedIn = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ServiceUI	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\discord.com\NumberOfSubdomai = "0"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\discord.com\NumberOfSubdomai = "1"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Explorer\Main	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus\DynamicCodePolicy = 00000000	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Revision = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\History	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\PrivacyAdvanced = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\discord.com\NumberOfSubdo = "0"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingDelete	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\discord.com\ = "0"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\IETld\LowMic	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\DeviceId = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\Total\ = "0"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\TreeView = "1"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\Total	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\History\CacheLimit = "1"	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Privacy\InProgressFlags = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-DXFeatureLevel = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionLow = "0"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = c2fcd850e2ddda01	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\Active	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\SubSysId = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-DXFeatureLevel = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ServiceUI\IsSignedIn = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Explorer\Main	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionHigh = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\Active\{60E74F8B-6E86-448E-9D02-C53D614D3A88} = "0"	MicrosoftEdge.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
660	BadwareFreePermaUnban.exe
660	BadwareFreePermaUnban.exe

Suspicious behavior: LoadsDriver 5 IoCs

pid	Process
604	Process not Found
604	Process not Found
604	Process not Found
604	Process not Found
604	Process not Found

Suspicious behavior: MapViewOfSection 6 IoCs

pid	Process
2460	MicrosoftEdgeCP.exe
2460	MicrosoftEdgeCP.exe
2460	MicrosoftEdgeCP.exe
2460	MicrosoftEdgeCP.exe
3352	MicrosoftEdgeCP.exe
3352	MicrosoftEdgeCP.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4864	taskkill.exe
Token: SeDebugPrivilege	3352	taskkill.exe
Token: SeDebugPrivilege	2416	taskkill.exe
Token: SeDebugPrivilege	4692	taskkill.exe
Token: SeDebugPrivilege	3700	taskkill.exe
Token: SeDebugPrivilege	3480	taskkill.exe
Token: SeDebugPrivilege	2296	taskkill.exe
Token: SeDebugPrivilege	2156	taskkill.exe
Token: SeDebugPrivilege	3948	taskkill.exe
Token: SeDebugPrivilege	2232	taskkill.exe
Token: SeDebugPrivilege	1372	taskkill.exe
Token: SeDebugPrivilege	2268	taskkill.exe
Token: SeDebugPrivilege	4488	taskkill.exe
Token: SeDebugPrivilege	3708	taskkill.exe
Token: SeDebugPrivilege	4868	taskkill.exe
Token: SeDebugPrivilege	1660	taskkill.exe
Token: SeDebugPrivilege	4576	taskkill.exe
Token: SeDebugPrivilege	3476	taskkill.exe
Token: SeDebugPrivilege	2044	taskkill.exe
Token: SeDebugPrivilege	5076	taskkill.exe
Token: SeDebugPrivilege	2656	taskkill.exe
Token: SeDebugPrivilege	4068	taskkill.exe
Token: SeDebugPrivilege	368	taskkill.exe
Token: SeDebugPrivilege	1308	taskkill.exe
Token: SeDebugPrivilege	3932	taskkill.exe
Token: SeDebugPrivilege	864	taskkill.exe
Token: SeDebugPrivilege	524	taskkill.exe
Token: SeDebugPrivilege	3808	taskkill.exe
Token: SeDebugPrivilege	4444	taskkill.exe
Token: SeDebugPrivilege	316	taskkill.exe
Token: SeDebugPrivilege	1724	taskkill.exe
Token: SeDebugPrivilege	4952	taskkill.exe
Token: SeDebugPrivilege	2544	taskkill.exe
Token: SeDebugPrivilege	5064	taskkill.exe
Token: SeDebugPrivilege	4740	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4740	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4740	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4740	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4348	MicrosoftEdge.exe
Token: SeDebugPrivilege	4348	MicrosoftEdge.exe
Token: SeDebugPrivilege	4420	taskkill.exe
Token: SeDebugPrivilege	1528	taskkill.exe
Token: SeDebugPrivilege	168	taskkill.exe
Token: SeDebugPrivilege	4612	taskkill.exe
Token: SeDebugPrivilege	5068	taskkill.exe
Token: SeDebugPrivilege	3880	taskkill.exe
Token: SeDebugPrivilege	4072	taskkill.exe
Token: SeDebugPrivilege	2288	taskkill.exe
Token: SeDebugPrivilege	5104	taskkill.exe
Token: SeDebugPrivilege	3680	taskkill.exe
Token: SeDebugPrivilege	5056	taskkill.exe
Token: SeDebugPrivilege	4872	taskkill.exe
Token: SeDebugPrivilege	200	taskkill.exe
Token: SeDebugPrivilege	368	taskkill.exe
Token: SeDebugPrivilege	4864	taskkill.exe
Token: SeDebugPrivilege	1600	taskkill.exe
Token: SeDebugPrivilege	4064	taskkill.exe
Token: SeDebugPrivilege	4720	taskkill.exe
Token: SeDebugPrivilege	3984	taskkill.exe
Token: SeDebugPrivilege	4740	taskkill.exe
Token: SeDebugPrivilege	3024	taskkill.exe
Token: SeDebugPrivilege	4576	taskkill.exe
Token: SeDebugPrivilege	4100	taskkill.exe
Token: SeDebugPrivilege	3872	taskkill.exe

Suspicious use of SetWindowsHookEx 13 IoCs

pid	Process
660	BadwareFreePermaUnban.exe
4348	MicrosoftEdge.exe
2460	MicrosoftEdgeCP.exe
4740	MicrosoftEdgeCP.exe
2460	MicrosoftEdgeCP.exe
2700	MicrosoftEdge.exe
3352	MicrosoftEdgeCP.exe
3352	MicrosoftEdgeCP.exe
4536	AMIDEWINx64.EXE
2232	AMIDEWINx64.EXE
1528	AMIDEWINx64.EXE
4800	AMIDEWINx64.EXE
4496	AMIDEWINx64.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 660 wrote to memory of 4952	660	BadwareFreePermaUnban.exe	81
PID 660 wrote to memory of 4952	660	BadwareFreePermaUnban.exe	81
PID 660 wrote to memory of 5052	660	BadwareFreePermaUnban.exe	82
PID 660 wrote to memory of 5052	660	BadwareFreePermaUnban.exe	82
PID 660 wrote to memory of 4696	660	BadwareFreePermaUnban.exe	83
PID 660 wrote to memory of 4696	660	BadwareFreePermaUnban.exe	83
PID 660 wrote to memory of 4384	660	BadwareFreePermaUnban.exe	84
PID 660 wrote to memory of 4384	660	BadwareFreePermaUnban.exe	84
PID 4384 wrote to memory of 4864	4384	cmd.exe	85
PID 4384 wrote to memory of 4864	4384	cmd.exe	85
PID 660 wrote to memory of 2912	660	BadwareFreePermaUnban.exe	87
PID 660 wrote to memory of 2912	660	BadwareFreePermaUnban.exe	87
PID 2912 wrote to memory of 3352	2912	cmd.exe	88
PID 2912 wrote to memory of 3352	2912	cmd.exe	88
PID 660 wrote to memory of 1700	660	BadwareFreePermaUnban.exe	89
PID 660 wrote to memory of 1700	660	BadwareFreePermaUnban.exe	89
PID 1700 wrote to memory of 2416	1700	cmd.exe	90
PID 1700 wrote to memory of 2416	1700	cmd.exe	90
PID 660 wrote to memory of 2896	660	BadwareFreePermaUnban.exe	91
PID 660 wrote to memory of 2896	660	BadwareFreePermaUnban.exe	91
PID 2896 wrote to memory of 4692	2896	cmd.exe	92
PID 2896 wrote to memory of 4692	2896	cmd.exe	92
PID 660 wrote to memory of 3024	660	BadwareFreePermaUnban.exe	93
PID 660 wrote to memory of 3024	660	BadwareFreePermaUnban.exe	93
PID 3024 wrote to memory of 3700	3024	cmd.exe	94
PID 3024 wrote to memory of 3700	3024	cmd.exe	94
PID 660 wrote to memory of 2996	660	BadwareFreePermaUnban.exe	95
PID 660 wrote to memory of 2996	660	BadwareFreePermaUnban.exe	95
PID 2996 wrote to memory of 3480	2996	cmd.exe	96
PID 2996 wrote to memory of 3480	2996	cmd.exe	96
PID 660 wrote to memory of 4296	660	BadwareFreePermaUnban.exe	97
PID 660 wrote to memory of 4296	660	BadwareFreePermaUnban.exe	97
PID 4296 wrote to memory of 2296	4296	cmd.exe	98
PID 4296 wrote to memory of 2296	4296	cmd.exe	98
PID 660 wrote to memory of 2784	660	BadwareFreePermaUnban.exe	99
PID 660 wrote to memory of 2784	660	BadwareFreePermaUnban.exe	99
PID 2784 wrote to memory of 2156	2784	cmd.exe	100
PID 2784 wrote to memory of 2156	2784	cmd.exe	100
PID 660 wrote to memory of 3732	660	BadwareFreePermaUnban.exe	101
PID 660 wrote to memory of 3732	660	BadwareFreePermaUnban.exe	101
PID 3732 wrote to memory of 3948	3732	cmd.exe	102
PID 3732 wrote to memory of 3948	3732	cmd.exe	102
PID 660 wrote to memory of 4064	660	BadwareFreePermaUnban.exe	103
PID 660 wrote to memory of 4064	660	BadwareFreePermaUnban.exe	103
PID 4064 wrote to memory of 2232	4064	cmd.exe	104
PID 4064 wrote to memory of 2232	4064	cmd.exe	104
PID 660 wrote to memory of 3076	660	BadwareFreePermaUnban.exe	105
PID 660 wrote to memory of 3076	660	BadwareFreePermaUnban.exe	105
PID 3076 wrote to memory of 1372	3076	cmd.exe	106
PID 3076 wrote to memory of 1372	3076	cmd.exe	106
PID 660 wrote to memory of 1684	660	BadwareFreePermaUnban.exe	107
PID 660 wrote to memory of 1684	660	BadwareFreePermaUnban.exe	107
PID 1684 wrote to memory of 2268	1684	cmd.exe	108
PID 1684 wrote to memory of 2268	1684	cmd.exe	108
PID 660 wrote to memory of 4988	660	BadwareFreePermaUnban.exe	109
PID 660 wrote to memory of 4988	660	BadwareFreePermaUnban.exe	109
PID 4988 wrote to memory of 4488	4988	cmd.exe	110
PID 4988 wrote to memory of 4488	4988	cmd.exe	110
PID 660 wrote to memory of 3988	660	BadwareFreePermaUnban.exe	111
PID 660 wrote to memory of 3988	660	BadwareFreePermaUnban.exe	111
PID 3988 wrote to memory of 3708	3988	cmd.exe	112
PID 3988 wrote to memory of 3708	3988	cmd.exe	112
PID 660 wrote to memory of 168	660	BadwareFreePermaUnban.exe	113
PID 660 wrote to memory of 168	660	BadwareFreePermaUnban.exe	113

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,"C:\Users\Admin\AppData\Local\Temp\Badware Unban.zip"
1⤵
PID:816

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3668

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Documents\Badware Unban\Badware Unban\PermaUnbanKey.txt
1⤵
PID:3908

C:\Users\Admin\Documents\Badware Unban\Badware Unban\BadwareFreePermaUnban.exe
"C:\Users\Admin\Documents\Badware Unban\Badware Unban\BadwareFreePermaUnban.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:660
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c color 06
  2⤵
  PID:4952
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:5052
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:4696
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im KsDumperClient.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4384
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im KsDumperClient.exe
    3⤵
    - Cerber
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4864
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im KsDumper.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2912
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im KsDumper.exe
    3⤵
    - Cerber
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3352
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1700
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im HTTPDebuggerUI.exe
    3⤵
    - Cerber
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2416
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2896
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im HTTPDebuggerSvc.exe
    3⤵
    - Cerber
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4692
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im ProcessHacker.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3024
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im ProcessHacker.exe
    3⤵
    - Cerber
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3700
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im idaq.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2996
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im idaq.exe
    3⤵
    - Cerber
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3480
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im idaq64.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4296
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im idaq64.exe
    3⤵
    - Cerber
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2296
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Wireshark.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2784
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Wireshark.exe
    3⤵
    - Cerber
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2156
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Fiddler.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3732
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Fiddler.exe
    3⤵
    - Cerber
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3948
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im FiddlerEverywhere.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4064
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im FiddlerEverywhere.exe
    3⤵
    - Cerber
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2232
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Xenos64.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3076
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Xenos64.exe
    3⤵
    - Cerber
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1372
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Xenos.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1684
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Xenos.exe
    3⤵
    - Cerber
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2268
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Xenos32.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4988
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Xenos32.exe
    3⤵
    - Cerber
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4488
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im de4dot.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3988
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im de4dot.exe
    3⤵
    - Cerber
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3708
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Cheat Engine.exe >nul 2>&1
  2⤵
  PID:168
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Cheat Engine.exe
    3⤵
    - Cerber
    - Kills process with taskkill
    PID:4336
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im cheatengine-x86_64.exe >nul 2>&1
  2⤵
  PID:4636
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im cheatengine-x86_64.exe
    3⤵
    - Cerber
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4868
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im cheatengine-x86_64-SSE4-AVX2.exe >nul 2>&1
  2⤵
  PID:2244
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im cheatengine-x86_64-SSE4-AVX2.exe
    3⤵
    - Cerber
    - Suspicious use of AdjustPrivilegeToken
    PID:1660
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im MugenJinFuu-x86_64-SSE4-AVX2.exe >nul 2>&1
  2⤵
  PID:708
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im MugenJinFuu-x86_64-SSE4-AVX2.exe
    3⤵
    - Cerber
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4576
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im MugenJinFuu-i386.exe >nul 2>&1
  2⤵
  PID:696
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im MugenJinFuu-i386.exe
    3⤵
    - Cerber
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3476
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im cheatengine-x86_64.exe >nul 2>&1
  2⤵
  PID:3080
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im cheatengine-x86_64.exe
    3⤵
    - Cerber
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2044
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im cheatengine-i386.exe >nul 2>&1
  2⤵
  PID:4052
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im cheatengine-i386.exe
    3⤵
    - Cerber
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:5076
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTP Debugger Windows Service (32 bit).exe >nul 2>&1
  2⤵
  PID:2320
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im HTTP Debugger Windows Service (32 bit).exe
    3⤵
    - Cerber
    - Kills process with taskkill
    PID:4712
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im KsDumper.exe >nul 2>&1
  2⤵
  PID:2316
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im KsDumper.exe
    3⤵
    - Cerber
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2656
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im OllyDbg.exe >nul 2>&1
  2⤵
  PID:1564
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im OllyDbg.exe
    3⤵
    - Cerber
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4068
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im x64dbg.exe >nul 2>&1
  2⤵
  PID:3316
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im x64dbg.exe
    3⤵
    - Cerber
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:368
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im x32dbg.exe >nul 2>&1
  2⤵
  PID:216
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im x32dbg.exe
    3⤵
    - Cerber
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1308
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  PID:1984
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3932
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
  2⤵
  PID:4104
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im HTTPDebuggerUI.exe
    3⤵
    - Cerber
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:864
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
  2⤵
  PID:3952
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im HTTPDebuggerSvc.exe
    3⤵
    - Cerber
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:524
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Ida64.exe >nul 2>&1
  2⤵
  PID:2812
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Ida64.exe
    3⤵
    - Cerber
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3808
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im OllyDbg.exe >nul 2>&1
  2⤵
  PID:3348
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im OllyDbg.exe
    3⤵
    - Cerber
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4444
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Dbg64.exe >nul 2>&1
  2⤵
  PID:4872
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Dbg64.exe
    3⤵
    - Cerber
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:316
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Dbg32.exe >nul 2>&1
  2⤵
  PID:3908
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Dbg32.exe
    3⤵
    - Cerber
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1724
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
  2⤵
  PID:512
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4952
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  PID:4912
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2544
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
  2⤵
  PID:4400
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:5064
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start https://discord.gg/badware
  2⤵
  - Checks computer location settings
  PID:4620
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:4380
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:4484
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c mode con: cols=69 lines=18
  2⤵
  PID:864
- - C:\Windows\system32\mode.com
    mode con: cols=69 lines=18
    3⤵
    PID:1688
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:2988
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:648
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start https://discord.gg/badware
  2⤵
  - Checks computer location settings
  PID:524
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe >nul 2>&1
  2⤵
  PID:2296
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im explorer.exe
    3⤵
    - Cerber
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4420
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im epicgameslauncher.exe >nul 2>&1
  2⤵
  PID:980
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im epicgameslauncher.exe
    3⤵
    - Cerber
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1528
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im steamservice.exe >nul 2>&1
  2⤵
  PID:2276
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im steamservice.exe
    3⤵
    - Cerber
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:168
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im steam.exe >nul 2>&1
  2⤵
  PID:2460
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im steam.exe
    3⤵
    - Cerber
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4612
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im FortniteClient-Win64-Shipping_EAC.exe >nul 2>&1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:1752
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im FortniteClient-Win64-Shipping_EAC.exe
    3⤵
    - Cerber
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:5068
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im FortniteClient-Win64-Shipping.exe >nul 2>&1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:3996
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im FortniteClient-Win64-Shipping.exe
    3⤵
    - Cerber
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3880
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im FortniteClient-Win64-Shipping_BE.exe >nul 2>&1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:208
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im FortniteClient-Win64-Shipping_BE.exe
    3⤵
    - Cerber
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4072
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im FortniteLauncher.exe >nul 2>&1
  2⤵
  PID:3592
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im FortniteLauncher.exe
    3⤵
    - Cerber
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2288
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im UnrealCEFSubProcess.exe >nul 2>&1
  2⤵
  PID:1724
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im UnrealCEFSubProcess.exe
    3⤵
    - Cerber
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:5104
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im CEFProcess.exe >nul 2>&1
  2⤵
  PID:2616
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im CEFProcess.exe
    3⤵
    - Cerber
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3680
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im EasyAntiCheat.exe >nul 2>&1
  2⤵
  PID:2488
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im EasyAntiCheat.exe
    3⤵
    - Cerber
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:5056
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im BEService.exe >nul 2>&1
  2⤵
  PID:4588
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im BEService.exe
    3⤵
    - Cerber
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4872
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im BEServices.exe >nul 2>&1
  2⤵
  PID:944
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im BEServices.exe
    3⤵
    - Cerber
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:200
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im BattleEye.exe >nul 2>&1
  2⤵
  PID:2044
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im BattleEye.exe
    3⤵
    - Cerber
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:368
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im smartscreen.exe >nul 2>&1
  2⤵
  PID:4288
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im smartscreen.exe
    3⤵
    - Cerber
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4864
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im dnf.exe >nul 2>&1
  2⤵
  PID:4456
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im dnf.exe
    3⤵
    - Cerber
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1600
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im DNF.exe >nul 2>&1
  2⤵
  PID:3076
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im DNF.exe
    3⤵
    - Cerber
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4064
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im CrossProxy.exe >nul 2>&1
  2⤵
  PID:1084
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im CrossProxy.exe
    3⤵
    - Cerber
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4720
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im BackgroundDownloader.exe >nul 2>&1
  2⤵
  PID:2312
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im BackgroundDownloader.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3984
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im TXPlatform.exe >nul 2>&1
  2⤵
  PID:1588
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im TXPlatform.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4740
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im OriginWebHelperService.exe >nul 2>&1
  2⤵
  PID:2244
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im OriginWebHelperService.exe
    3⤵
    - Cerber
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3024
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Origin.exe >nul 2>&1
  2⤵
  PID:3608
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Origin.exe
    3⤵
    - Cerber
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4576
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im OriginClientService.exe >nul 2>&1
  2⤵
  PID:1876
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im OriginClientService.exe
    3⤵
    - Cerber
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4100
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im OriginER.exe >nul 2>&1
  2⤵
  PID:4052
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im OriginER.exe
    3⤵
    - Cerber
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3872
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im OriginThinSetupInternal.exe >nul 2>&1
  2⤵
  PID:3384
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im OriginThinSetupInternal.exe
    3⤵
    - Cerber
    - Kills process with taskkill
    PID:360
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im OriginLegacyCLI.exe >nul 2>&1
  2⤵
  PID:3520
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im OriginLegacyCLI.exe
    3⤵
    - Cerber
    - Kills process with taskkill
    PID:3540
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Agent.exe >nul 2>&1
  2⤵
  PID:3964
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Agent.exe
    3⤵
    - Cerber
    - Kills process with taskkill
    PID:3892
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im FiveM.exe >nul 2>&1
  2⤵
  PID:4020
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im FiveM.exe
    3⤵
    - Cerber
    - Kills process with taskkill
    PID:4208
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im FiveM_ROSLauncher.exe >nul 2>&1
  2⤵
  PID:4644
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im FiveM_ROSLauncher.exe
    3⤵
    - Cerber
    - Kills process with taskkill
    PID:4056
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im FiveM_ROSService.exe >nul 2>&1
  2⤵
  PID:752
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im FiveM_ROSService.exe
    3⤵
    - Cerber
    - Kills process with taskkill
    PID:3320
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:756
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\IME\AMIDEWINx64.EXE /SS %random%%random%-%random%%random%-%random%%random%
  2⤵
  PID:2876
- - C:\Windows\IME\AMIDEWINx64.EXE
    C:\Windows\IME\AMIDEWINx64.EXE /SS 219014704-1010819758-3040911093
    3⤵
    - Cerber
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4536
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\IME\AMIDEWINx64.EXE /BS %random%%random%-%random%%random%-%random%%random%
  2⤵
  PID:2528
- - C:\Windows\IME\AMIDEWINx64.EXE
    C:\Windows\IME\AMIDEWINx64.EXE /BS 219014704-1010819758-3040911093
    3⤵
    - Cerber
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2232
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\IME\AMIDEWINx64.EXE /CS %random%%random%-%random%%random%-%random%%random%
  2⤵
  PID:216
- - C:\Windows\IME\AMIDEWINx64.EXE
    C:\Windows\IME\AMIDEWINx64.EXE /CS 219014704-1010819758-3040911093
    3⤵
    - Cerber
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1528
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\IME\AMIDEWINx64.EXE /PSN %random%%random%-%random%%random%-%random%%random%
  2⤵
  PID:4348
- - C:\Windows\IME\AMIDEWINx64.EXE
    C:\Windows\IME\AMIDEWINx64.EXE /PSN 219014704-1010819758-3040911093
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4800
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\IME\AMIDEWINx64.EXE /SU AUTO
  2⤵
  PID:2076
- - C:\Windows\IME\AMIDEWINx64.EXE
    C:\Windows\IME\AMIDEWINx64.EXE /SU AUTO
    3⤵
    - Cerber
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4496
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:3488
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\INF\volid.exe C: 1098-5711
  2⤵
  PID:3732
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\INF\volid.exe D: 1530-1506
  2⤵
  PID:3692
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\INF\volid.exe E: 9358-9053
  2⤵
  PID:648
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\INF\volid.exe F: 2645-3683
  2⤵
  PID:984
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:1880
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:496
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c shutdown /r
  2⤵
  PID:212
- - C:\Windows\system32\shutdown.exe
    shutdown /r
    3⤵
    PID:4696

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4348

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:1088

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
PID:2460

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4740

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
PID:3476

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2700

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:2924

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
PID:3352

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
PID:380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

Filesize
4KB

MD5
1bfe591a4fe3d91b03cdf26eaacd8f89

SHA1
719c37c320f518ac168c86723724891950911cea

SHA256
9cf94355051bf0f4a45724ca20d1cc02f76371b963ab7d1e38bd8997737b13d8

SHA512
02f88da4b610678c31664609bcfa9d61db8d0b0617649981af948f670f41a6207b4ec19fecce7385a24e0c609cbbf3f2b79a8acaf09a03c2c432cc4dce75e9db

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\YWCI917P\favicon[1].ico

Filesize
23KB

MD5
ec2c34cadd4b5f4594415127380a85e6

SHA1
e7e129270da0153510ef04a148d08702b980b679

SHA256
128e20b3b15c65dd470cb9d0dc8fe10e2ff9f72fac99ee621b01a391ef6b81c7

SHA512
c1997779ff5d0f74a7fbb359606dab83439c143fbdb52025495bdc3a7cb87188085eaf12cc434cbf63b3f8da5417c8a03f2e64f751c0a63508e4412ea4e7425c

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\DataStore\Data\nouser1\120712-0049\DBStore\LogFiles\edb.log

Filesize
512KB

MD5
742ec2b92a512e0fb8a416c81ec715de

SHA1
2e331cd7063b583f3f1449cf734841cb5b1cff94

SHA256
85adba7cbdfc07164a96d2f1e7b233da6dee7bc1ab621f59a1218ff75f3c53cb

SHA512
3832f8f4927289ab79668c5f8d939075d04c513f965ddfd0fe58953fb55b984596d97da63d09d4cdee9ffb4d773cf081d97b548c86dfb207bd1311f260f6ca0e

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\Temp\~DF8E926A7394A6CF95.TMP

Filesize
16KB

MD5
2f74e6528aa126fa0ba1301f34cad2f5

SHA1
11051a2ed65ddb414981c6455a191e9c038a1265

SHA256
c4524440f2d64a01ee50b2edf81282fcaa75e2043bf0e75ab7c8acd58880b440

SHA512
cce6bf1165838de5d515ff7f63e5a7420b589882b86a850d3db74528fae63cd9b6bef4547ea2cda309f482b7457fc057203f0cc05483d3351ef0b17244cedce6

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\HPAPK8O7\badware[1].htm

Filesize
10KB

MD5
5d0cdf076380e32997d393ffafbcf15d

SHA1
1c32ffd32cffbff0dbb0f822dd3d61f01594f96a

SHA256
2b493b0cade58cc95181ce03801f89d1a73728e31d3e86448ecad0a28b72dbfd

SHA512
fd3ad3b9266f457eda271fadb9b53563c9a517303130ac585fb79b01974e7af0ad59c74b4e16257a8925275825a4aeb29a9ed34c9e3737cae09ddc136acce690

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\TEB8C3M0\69646.e343da659998798a3c32[1].css

Filesize
995KB

MD5
6fcaa169ec2157ddb48dfb1b28c7a091

SHA1
46df2be34ef4857fd698659828e6790f0d35499f

SHA256
2a2cc411e46ae60d90268d35881413c63ec33b513eecc24e6a0ab164e128cc3f

SHA512
73557657b6e12ae32becb8419e1dd8ca7fa1b5e108cd2015e1155b95dc771b74be472d8f5157cfc5097a9c4db5bddff35fcb1ef3a96bba489c15c33e787c2eb8

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\TEB8C3M0\sentry.81211d7be592cb765013[1].js

Filesize
874KB

MD5
d3917845ce57fa0d2794158cd2cba9fd

SHA1
aabaf69aad8c3bcf602057c6a48b4b80a2d88924

SHA256
46d2247fdfb458e1d98d797ff4da25ceab2a45753dae660db948e502ba7c8eb5

SHA512
49c6e5843a97d1e21f8d06eaadc2b727fdc45948dcf4ce84ee92f5a472323216edd680f244505bb2e4a28bc6dc7b293e2b3581330e25659abd692624f5c71996

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\TEB8C3M0\webMinimal.67bd8e42ef1b431e9c46[1].js

Filesize
13.4MB

MD5
b688cf349ec1d92ed1122b360f73b36b

SHA1
99d488d6a9c74ed5fc78199c14d8523dde2c4603

SHA256
50b88032e2e1eab80ebb50f5c871a3aeecff26c585e65b0c671d7751bc0027cc

SHA512
13b77de60a1ea4662ea848be2d274e85763ecba22402813e57f2fc00f097268249366d832faf01070c4758d65225ad63704b8a953619fdfc61332c934f570473

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\VC5S32N4\0fb198ed8281d10bac11[1].woff2

Filesize
44KB

MD5
a6f145c7d25de52895579fad8b45265b

SHA1
d66c7d9b68a2a9a06beb009ef51081f6b2e3ebe6

SHA256
f7e3571c1b8df4df3279a577718e545289a89501fcd0073bebbee8df7e8a06c7

SHA512
d56f8509a083079fe3953a44997a115a008b0e088412d966a766ed621c76c6f69d92cb4650d8630b4eefc8b0935efd616a2dc5dc68148a4fe297a342b10b85dd

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\VC5S32N4\1222195a37d6dd10994e[1].woff2

Filesize
38KB

MD5
71d3e9dc2bcb8e91225ba9fab588c8f2

SHA1
d7e38ee4c245f64b78eb18e6ecd7b9f53b3254a8

SHA256
ae99aaede2f373187a4fe442a2cb0ab9c2945efbab01cf33e01be517c0c4f813

SHA512
deda05ebd575d413aa2277876991ecc2ea238907390753485ba1b487ede2f432363c46daad5f3f240eaaf8d3258150829a3ae3d2d9c420ea59567cfd440361a6

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\VC5S32N4\1622f3625fb3a6eac2f2[1].woff2

Filesize
140KB

MD5
a2a248f78d12dd5b842930bda7036302

SHA1
6b5b9780ec7b1a10318e31c80607275577e513df

SHA256
811563f8ea187c8ca0a57007713fe8d21701acdbd6226083713da4b49a7495f2

SHA512
2c138b4a69583c1e3e14455271783e10e3d13c2f8eb78a4a06ce9a7a270893c37be7d70a4a192a06f3c1d9a858516d05f18f778a0a1cb4e4bafea30e5656e0ac

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\VC5S32N4\452d7be36bf4b23241bd[1].woff2

Filesize
136KB

MD5
db985aaa3c64f10506d96d876e350d47

SHA1
aad4a93575e59643fed7617e2feb893dd763d801

SHA256
234feb9a8a2c759d00a4959506a3b9cb94c772186a2d117aed973347c7ef1891

SHA512
300d0d35ebb9e27d66489ffb3e5502a4dcd3af032fb0f672d4f004e3846fb795772b6938c99dafed6fad0c25da8412d6f6a7b0221eb2540e84527703db5b7073

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\VC5S32N4\475016f7a9e3e75b3670[1].woff2

Filesize
185KB

MD5
d6db7b5639c7ed70f8b582984dda6c62

SHA1
bfc61b049ffacbfeee9060db12fddb11784a877b

SHA256
3cb7a73b454fdc7290f8188282def2e97a24ceef1312295730a5bff2ef9e96c6

SHA512
85714e0793c935d7a3cd8706fd12f92a42e9670842fff87cf9d82c491894d920b76fc5e595bafb6e50426e458421c103a08b23c219b5f3674afe92ea4570e3f6

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\VC5S32N4\48a594e29497835802fe[1].woff2

Filesize
175KB

MD5
7cf1be7696bf689b97230262eade8ad8

SHA1
8eb128f9e3cf364c2fd380eefaa6397f245a1c82

SHA256
a981989aee5d4479ffadf550d9ecff24a4ac829483e3e55c07da3491f84b12ba

SHA512
7d7c7dc08001079d93ef447122dee49abd2b7a84d1619a055ff3e7ec0009261ab6add018560bfd82ed22b29c1915bfd059f02cd83fed2e15e9af05a5d0654e06

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\VC5S32N4\6daadfe6e5f14c9213b7[1].woff2

Filesize
177KB

MD5
980082c4328266be3342a03dcb37c432

SHA1
4179f54fd61655067a20a2b37224fde3d8e5024e

SHA256
1b03dae61d613604b3d41d61cc4bc2e05f19bd27c7ff2638242f9036f2b8794e

SHA512
4495e9336ecb6c1757d856e7db9233aeea5faac126b8e876ab1f98dd2b4dfa390a7f6667691cfa0a9137f1960eccd8b5db0b4bd47e9bd8f552eda67e5de4b16a

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\VC5S32N4\6df261c61450af10af2f[1].woff2

Filesize
39KB

MD5
f5aba5511523dcae97748a1b35bbffe8

SHA1
cc89cd152b4e036ccc2ff1b80d17fe4fe7e678cc

SHA256
80ea5f1aabbe41c65a0352b56d2be8c409d44b8ab475a14997b7d9986de0029b

SHA512
6fa08d14177558a5af176a4698fcdad42111b1d83423ca200257a71eaaebcc38a9ec777dcca7c7612d11c40c51bf6f5df0ec28c2c63c187b13fb4fd4247e87b0

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\VC5S32N4\8234e0a75aa9afb205bd[1].woff2

Filesize
42KB

MD5
281bba49537cf936d1a0df10fb719f63

SHA1
4085ad185c5902afd273e3e92296a4de3dc19edd

SHA256
b78fb569265b01789e7edd88cfe02ecb2c3fee5e1999678255f9b78a3b2cc4e8

SHA512
af988371db77831f76edf95a50b9ddf1e957f0230404c8307914f11211e01cc95c61e0768d55aa4347f24e856d226f7e07ac21c09880e49dbd6346d1760b8bff

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\VC5S32N4\8bd8143eff37936894aa[1].woff2

Filesize
44KB

MD5
d295c40af6fca08f8e0eb5425351f431

SHA1
1d246a1e54b3a1f2428883d8c911af73eddffca6

SHA256
5d225b25d66b30563a00f395476ed701130d3f749620a63531cea09fc537164e

SHA512
9c9f23cb775244eb10f83f964b36224ad2cd5152cfa5ab82928f68ed1cb49be4156f887cc40a857b72efd0833014e4366bf136689a717dd58828a1b195ed486e

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\VC5S32N4\914a97ac83e173c66dd7[1].woff2

Filesize
183KB

MD5
e55012627a8f6e7203b72a8de730c483

SHA1
4c43b88403ec9c3053d74b4c502bcaf99f594c57

SHA256
8390503760c8f26556001a28e7d95e4a237a4780e7ceeebf0853ce252fde4ba8

SHA512
05bfb6311b7f78f8f85e43f3c9c87447138237b8897c68effa4c877509296f0a7252070f8bba79c6561ff91c6759058f0da5a10c1db19c1ff0443fee49bf62a5

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\VC5S32N4\b21c5111a12372139409[1].woff2

Filesize
38KB

MD5
ff5eccde83f118cea0224ebbb9dc3179

SHA1
0ad305614c46bdb6b7bb3445c2430e12aecee879

SHA256
13da02ce62b1a388a7c8d6f3bd286fe774ee2b91ac63d281523e80b2a8a063bc

SHA512
03dc88f429dd72d9433605c7c0f5659ad8d72f222da0bb6bf03b46f4a509b17ec2181af5db180c2f6d11c02f39a871c651be82e28fb5859037e1bbf6a7a20f6b

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\VC5S32N4\b84ef5d4aa22d54ea96e[1].woff2

Filesize
140KB

MD5
412f5d9534ce2a2e1a1ae9b746bca5b5

SHA1
4a38e0093c04b96ee310b8a79f6d83d6165a3681

SHA256
4a8fe66a26e23c87354c593a99f983e37f14bf3b925b3f0f0f8665e32455f016

SHA512
aa8852ca3a2d63a443fe40d15209f1b53da913d2cc8c9275dd6338ea9f8108464e724182b4d021219ab75ef1195dd90c4a63f81fe033e4890b7d7f1d32b20391

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\VC5S32N4\b8cfca9c9b10ffcc6e53[1].woff2

Filesize
182KB

MD5
05422eb499ddf5616e44a52c4f1063ae

SHA1
eab3a7e41cbf851df0f0962ed18130cf89673a65

SHA256
c1d71bd80fc3ecf5ef1a97092a456a046d55fd264be721f2a25be3e59ccb8b2b

SHA512
3722a6335ba80c3336d199a449026456c89ffe521ec5ba9e06a7cebf0b19d5054ca87f3b9be4683e189c4c1f9b898ef397c65c8f0b3556787fa2e7cd3d5255fa

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\VC5S32N4\c1b53be672aac192a996[1].woff2

Filesize
37KB

MD5
3d6549bf2f38372c054eafb93fa358a9

SHA1
e7a50f91c7ec5d5d896b55fa964f57ee47e11a1b

SHA256
8e401b056dc1eb48d44a01407ceb54372bbc44797d3259069ce96a96dfd8c104

SHA512
4bde638a4111b0d056464ce4fd45861208d1669c117e2632768acd620fcd924ab6384b3133e4baf7d537872166eb50ca48899b3909d9dbf2a111a7713322fad4

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\VC5S32N4\db0a7b5459a233f1f6c0[1].woff2

Filesize
44KB

MD5
17bf6b1c912399ef0f05742315932aae

SHA1
58a7e8603e5315a4686c0eec407b3867a13618fa

SHA256
8957b06e2baed65915fa19cdc3fb3dc48b9e94898b922674f6b7a1875199f466

SHA512
10059e3cb8acc88d1adf39fee094c2e960c9426176ee52d63052693d77e2458150c17a5c288b6083cdd6219b22a8b86decc67740bd8af9538003856143700ede

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\VC5S32N4\e5895f33d25eae65caf5[1].woff2

Filesize
139KB

MD5
d9b0aabb79e7d8b3b14789ebd534f158

SHA1
223672a3e35d262163e9cd58433b1579658d5a43

SHA256
0c340de794334fde48397d59cc9b31f7eb125d2ab21cac618f6d40196d489b30

SHA512
b00f325cf4b7f8d9117e1f255ec9fac4ec9977f891e40aec00a323dea6a524ea7f5e6b8eb9575e08428c2c7055c637d24cd7e3b31bee1f0e9e8165d5dbde077f

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\VC5S32N4\ecff74bf4394e6e58dd1[1].woff2

Filesize
38KB

MD5
7f63813838e283aea62f1a68ef1732c2

SHA1
c855806cb7c3cc1d29546e3e6446732197e25e93

SHA256
440ad8b1449985479bc37265e9912bbf2bf56fe9ffd14709358a8e9c2d5f8e5b

SHA512
aaea9683eb6c4a24107fc0576eb68e9002adb0c58d3b2c88b3f78d833eb24cecdd9ff5c20dabe7438506a44913870a1254416e2c86ec9acbbcc545bf40ea6d48

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\VC5S32N4\ef2325329f07b2420f27[1].woff2

Filesize
44KB

MD5
1ac46f07e44e1d6020a4b6b19e34c844

SHA1
56c37396425ff215805fee12b3fd1a0af65d9725

SHA256
67165f276046f293a75296f6193cf19607ea65e52988babf95b77f4a7fa2f099

SHA512
996e7f9634850195de479c81f9fd2eeddcf3a1ffb327d84fbac6385802a4ff1cf23b114aeaa2a94e8c0cad15a6a25efa708860d6da8d82c50e77ac21b68ed208

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\VC5S32N4\f5b8aa3411dfc24ff2e6[1].woff2

Filesize
133KB

MD5
f9bf0f65660d23c6f359d22720fc55ae

SHA1
9fa19ab7ea56165e2138c443816c278d5752dd08

SHA256
426ae06cd942849ab48b84c287c760f3701b603ebcc5c9aaa4a89923ef5f058e

SHA512
436019a96e47848533684a34e3c360f516c29b2aa2473d0a05d50c0fd3ad19eac39df2de12b6ec1c6760493efb5abf58e6a54d32080226fa1765983435634d88

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\User\Default\DOMStore\QYZUJDJO\discord[1].xml

Filesize
13B

MD5
c1ddea3ef6bbef3e7060a1a9ad89e4c5

SHA1
35e3224fcbd3e1af306f2b6a2c6bbea9b0867966

SHA256
b71e4d17274636b97179ba2d97c742735b6510eb54f22893d3a2daff2ceb28db

SHA512
6be8cec7c862afae5b37aa32dc5bb45912881a3276606da41bf808a4ef92c318b355e616bf45a257b995520d72b7c08752c0be445dceade5cf79f73480910fed

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27

Filesize
1KB

MD5
5c450edbfcba23d9d5823a3c6ab7bf7a

SHA1
2ff4b5668bd4be6aedc8e5893794ec1249089cf0

SHA256
fd95ba41619682453d9d0be4424cfba76d6887a272b557131ff4d75379e91fd0

SHA512
2d851f2e43b8c9edb314177602359b5a3f4a7a701fcb95f029d621ec5e985e3c7e7aacc50eabbc19cd4aceecc6dd55dfef869db6d3a1024401fe0e44f112aa3a

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27

Filesize
408B

MD5
364632eabbe7468d607ae4b138935d73

SHA1
cf012c18c2e90a8df07279a52f9dba8ee21f79c4

SHA256
31e757b2850d0eae1e1607d2e33322c18863945d13590e4b4f1a4ffed8803b17

SHA512
f19750691799964e70b4a4ccf4f28f3da351ca543ebd9e851fdc7582cfd717a82f0e659a2e4180a24eac091094e67b06895a4c9d76293f69ccb2ad7bb6dcef95

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\DataStore\Data\nouser1\120712-0049\DBStore\LogFiles\edb.log

Filesize
512KB

MD5
a6ac1c8126eb760fdb929543583a5614

SHA1
2ff24e9b02cc2bafaf37c02d26b17954260ce6ac

SHA256
645ba737f490f8703fe9654852dd662fb14eae9c91924d3b14b692b76553f126

SHA512
da9fba51300e897cc1fffe18d2a59bc322f725dd2af276b735375e7bba40be212e292495703a29e73fb676027b2e0b590c19749b688f7304b5a9e9e71164cc7e

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\DataStore\Data\nouser1\120712-0049\DBStore\edb.chk

Filesize
8KB

MD5
9743d001a231939db2668578122909ae

SHA1
f86b17af01581f3b24254e1a642940335a44cd65

SHA256
cefd5bdb9a0c32e4186f24699659fd517e673a156ebe939ea08f93ade9ae4d9f

SHA512
961b0ed54e7c4a297092c0f710f9ca48e65d685ea2d4e498182b150cbdd2650181fbc31bd0b561850b3d163c58fb81582a54114e4ea725561d675ae3d7eca8f5

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\DataStore\Data\nouser1\120712-0049\DBStore\spartan.edb

Filesize
2.0MB

MD5
2f09bdd8cce033a95e1ca7a43ca6871b

SHA1
a4b42ffa5c69773903f6c51e948b6fe324cf2b6e

SHA256
cb824a304f74a19caabdc7a47ca47a5fea4b49c74b23314f0336675a79b344fe

SHA512
2159193a80e83bf43f52dd093b694c6c060b5277ecc7166100632d507f867d48466ceaac6003e22bd60b181b02c3dd00a08bbaf93f4b94788e8601092d4fb834

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\DataStore\Data\nouser1\120712-0049\DBStore\spartan.jfm

Filesize
16KB

MD5
bef2be38dfb2cce9a67c30d11d55a323

SHA1
6585555a3025f57b4af11e457c0f6c98e9b3d973

SHA256
056017e4e57ad60ab9b0ee561a326738115e06f5ef7f6d5df5a499533ba95298

SHA512
5423dd108c9904f549adf806b03c60ac04f70946abaa631ddfb2f167e83d26ab9e1826c7d6c8701a051c5837d04f0f435ae66d74be908f39cd01fcda572e7f96

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\ImageStore\sbxdpz5\imagestore.dat

Filesize
24KB

MD5
86a98be9e3f04f67a7b8094ebfe579bc

SHA1
bc16f84be59f10fc547c1d66d32fe251a615bb3e

SHA256
b9216cb80a5a97d3c3dc3a4406ea67f605e6ba3c9b90a9d643a79333a99e9e79

SHA512
409a3cf43ab2bd40532f2cad28c9cabeb942f481a2f615d40b70797b6ea86a9047c6873d0e9ba0017da94d5c5a4394a2c345aa4ad8d69a7ee431b96e7991514d

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\Recovery\Active\RecoveryStore.{1B0A80D2-4DF1-45F1-92AE-FB57BDEF21ED}.dat

Filesize
5KB

MD5
7417ff31ed52281597065836eba42ec3

SHA1
a7c2bf09e018cef4badd7aaa16a28fa1cf206d94

SHA256
7cf0a363f4f5dac2e5ae9ccc3f3f6319d5fd4069219831ed4bdf1d0b2d8d0c50

SHA512
b8cf7446943b30cc20ad6e108dd93450c5f204919b4f15c0a95f0c79b861d449c495a5e97f65b12f7ba80f44931435c52acfdf50dae1b407dda43079263856a8

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\Recovery\Active\{567AA84F-533A-4CF6-9FA3-0D9B826CFF8D}.dat

Filesize
7KB

MD5
44821ff696c25a6e621ce4b61c2009eb

SHA1
abc43d2017112f74e558c8ddc68515e56f82e2fa

SHA256
7ff25976e0471f2bbb6d26eb14a1983700223aa2755b0e90a603718f7e13d114

SHA512
e2bc734a25ac4aa45a47c2aada978f2780c438c8d1a0af4dcf89e5df3f1a4ca776d866e1490ea089fd51356cb08b0d0ef3d03cc2c7a4105dfc5f1e60d13b3d48

Download Submit
C:\Windows\IME\AMIDEWINx64.EXE

Filesize
377KB

MD5
64ae4aa4904d3b259dda8cc53769064f

SHA1
24be8fb54afd8182652819b9a307b6f66f3fc58d

SHA256
2c67fb6eb81630c917f08295e4ff3b5f777cb41b26f7b09dc36d79f089e61bc4

SHA512
6c16d2bc23c20a7456b4db7136e1bb5fcee9cbf83a73d8de507b7b3ffc618f81f020cde638d2cd1ef5f154541b745a2a0e27b4c654683a21571183f7a1bffd16

Download Submit
memory/660-0-0x00007FFC8EF20000-0x00007FFC8EF22000-memory.dmp

Filesize
8KB

Download
memory/660-1-0x0000000140000000-0x00000001419DD000-memory.dmp

Filesize
25.9MB

Download
memory/3476-78-0x000002B31F1E0000-0x000002B31F1E2000-memory.dmp

Filesize
8KB

Download
memory/3476-61-0x000002B30F010000-0x000002B30F110000-memory.dmp

Filesize
1024KB

Download
memory/3476-76-0x000002B31F1C0000-0x000002B31F1C2000-memory.dmp

Filesize
8KB

Download
memory/3476-74-0x000002B31F1A0000-0x000002B31F1A2000-memory.dmp

Filesize
8KB

Download
memory/4348-183-0x0000025326950000-0x0000025326951000-memory.dmp

Filesize
4KB

Download
memory/4348-131-0x000002532FBD0000-0x000002532FBD1000-memory.dmp

Filesize
4KB

Download
memory/4348-130-0x000002532FBC0000-0x000002532FBC1000-memory.dmp

Filesize
4KB

Download
memory/4348-176-0x0000025328860000-0x0000025328862000-memory.dmp

Filesize
8KB

Download
memory/4348-40-0x00000253269F0000-0x00000253269F2000-memory.dmp

Filesize
8KB

Download
memory/4348-5-0x0000025329620000-0x0000025329630000-memory.dmp

Filesize
64KB

Download
memory/4348-21-0x0000025329720000-0x0000025329730000-memory.dmp

Filesize
64KB

Download
memory/4348-179-0x0000025326CB0000-0x0000025326CB1000-memory.dmp

Filesize
4KB

Download
memory/4740-48-0x00000255C52C0000-0x00000255C53C0000-memory.dmp

Filesize
1024KB

Download