xtremerat | 30c217930b807be8186a24a3e4d1b66f418e3e9652b3991486d21fdfbfe9020c

Analysis

max time kernel
150s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
24/01/2025, 09:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Perx Injector (x1nject) Remake and Updated.exe
Size

351KB
MD5

6850df03b1fb664f27b920ee096b6ea0
SHA1

a75decb81cd2fb6a1b553b27abb84f61ffed588f
SHA256

e2d8a3a1be1ad78f29f691b20d783b25049d37ccb138002f32e3d74b4e7b2681
SHA512

d30e5c5c91b3eab309afdbedd43b682466472304ac40e725b42dc528053b91b841513f5816dd2d95b514233ee871bacc0890c405a79a2129cef4f16681314df3
SSDEEP

6144:UFw8wzBhaEUJ45mHm3pvr27NabMngLbljkt1E0OTcUtqZ8na29Rd97BSX5Ep:UFszBhqS5mwvezgLZkE0Oo2q+a8zna5I

Score

10^/10

xtremerat discovery persistence rat spyware upx

Malware Config

Signatures

Detect XtremeRAT payload 64 IoCs

resource	yara_rule
behavioral2/memory/3176-22-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral2/memory/992-26-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral2/memory/3484-46-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral2/memory/2384-48-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral2/memory/3100-64-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral2/memory/4548-69-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral2/memory/4452-83-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral2/memory/5108-82-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral2/memory/4452-94-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral2/memory/3480-102-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral2/memory/4420-104-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral2/memory/1336-107-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral2/memory/5108-116-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral2/memory/4228-119-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral2/memory/2184-151-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral2/memory/2184-164-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral2/memory/1900-169-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral2/memory/3240-174-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral2/memory/5064-194-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral2/memory/4528-196-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral2/memory/2888-193-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral2/memory/2140-190-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral2/memory/4276-180-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral2/memory/1908-198-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral2/memory/1908-200-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral2/memory/2148-204-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral2/memory/3996-205-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral2/memory/3996-207-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral2/memory/4612-220-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral2/memory/2892-224-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral2/memory/1540-250-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral2/memory/4236-261-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral2/memory/2136-279-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral2/memory/4612-281-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral2/memory/4084-301-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral2/memory/3828-307-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral2/memory/2136-321-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral2/memory/1144-325-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral2/memory/2448-323-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral2/memory/2216-320-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral2/memory/1900-315-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral2/memory/4236-313-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral2/memory/2336-297-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral2/memory/644-291-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral2/memory/1540-295-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral2/memory/2216-280-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral2/memory/2148-289-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral2/memory/1948-274-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral2/memory/4644-276-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral2/memory/1332-268-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral2/memory/644-264-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral2/memory/2448-263-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral2/memory/3828-262-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral2/memory/3172-271-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral2/memory/2892-266-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral2/memory/2336-249-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral2/memory/2148-248-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral2/memory/1332-247-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral2/memory/4644-231-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral2/memory/3172-230-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral2/memory/1948-223-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral2/memory/2432-334-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral2/memory/5184-344-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral2/memory/5172-343-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat

XtremeRAT
The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.
persistence spyware rat xtremerat
Xtremerat family
xtremerat

Boot or Logon Autostart Execution: Active Setup 2 TTPs 64 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AYT2OYTC-XC2C-7LS8-3I7C-KRGPWMM5X32M}\StubPath = "C:\\Program Files (x86)\\jre6\\java.exe restart"	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AYT2OYTC-XC2C-7LS8-3I7C-KRGPWMM5X32M}\StubPath = "C:\\Program Files (x86)\\jre6\\java.exe restart"	java.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{AYT2OYTC-XC2C-7LS8-3I7C-KRGPWMM5X32M}	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AYT2OYTC-XC2C-7LS8-3I7C-KRGPWMM5X32M}\StubPath = "C:\\Program Files (x86)\\jre6\\java.exe restart"	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AYT2OYTC-XC2C-7LS8-3I7C-KRGPWMM5X32M}\StubPath = "C:\\Program Files (x86)\\jre6\\java.exe restart"	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AYT2OYTC-XC2C-7LS8-3I7C-KRGPWMM5X32M}\StubPath = "C:\\Program Files (x86)\\jre6\\java.exe restart"	java.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{AYT2OYTC-XC2C-7LS8-3I7C-KRGPWMM5X32M}	services.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{AYT2OYTC-XC2C-7LS8-3I7C-KRGPWMM5X32M}	services.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{AYT2OYTC-XC2C-7LS8-3I7C-KRGPWMM5X32M}	java.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{AYT2OYTC-XC2C-7LS8-3I7C-KRGPWMM5X32M}	java.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{AYT2OYTC-XC2C-7LS8-3I7C-KRGPWMM5X32M}	java.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{AYT2OYTC-XC2C-7LS8-3I7C-KRGPWMM5X32M}	java.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{AYT2OYTC-XC2C-7LS8-3I7C-KRGPWMM5X32M}	java.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{AYT2OYTC-XC2C-7LS8-3I7C-KRGPWMM5X32M}	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AYT2OYTC-XC2C-7LS8-3I7C-KRGPWMM5X32M}\StubPath = "C:\\Program Files (x86)\\jre6\\java.exe restart"	java.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{AYT2OYTC-XC2C-7LS8-3I7C-KRGPWMM5X32M}	java.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{AYT2OYTC-XC2C-7LS8-3I7C-KRGPWMM5X32M}	java.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{AYT2OYTC-XC2C-7LS8-3I7C-KRGPWMM5X32M}	java.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{AYT2OYTC-XC2C-7LS8-3I7C-KRGPWMM5X32M}	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AYT2OYTC-XC2C-7LS8-3I7C-KRGPWMM5X32M}\StubPath = "C:\\Program Files (x86)\\jre6\\java.exe restart"	java.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{AYT2OYTC-XC2C-7LS8-3I7C-KRGPWMM5X32M}	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AYT2OYTC-XC2C-7LS8-3I7C-KRGPWMM5X32M}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\jre6\\java.exe restart"	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AYT2OYTC-XC2C-7LS8-3I7C-KRGPWMM5X32M}\StubPath = "C:\\Program Files (x86)\\jre6\\java.exe restart"	java.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{AYT2OYTC-XC2C-7LS8-3I7C-KRGPWMM5X32M}	java.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{AYT2OYTC-XC2C-7LS8-3I7C-KRGPWMM5X32M}	java.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{AYT2OYTC-XC2C-7LS8-3I7C-KRGPWMM5X32M}	java.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{AYT2OYTC-XC2C-7LS8-3I7C-KRGPWMM5X32M}	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AYT2OYTC-XC2C-7LS8-3I7C-KRGPWMM5X32M}\StubPath = "C:\\Program Files (x86)\\jre6\\java.exe restart"	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AYT2OYTC-XC2C-7LS8-3I7C-KRGPWMM5X32M}\StubPath = "C:\\Program Files (x86)\\jre6\\java.exe restart"	java.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{AYT2OYTC-XC2C-7LS8-3I7C-KRGPWMM5X32M}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AYT2OYTC-XC2C-7LS8-3I7C-KRGPWMM5X32M}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\jre6\\java.exe restart"	services.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{AYT2OYTC-XC2C-7LS8-3I7C-KRGPWMM5X32M}	java.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{AYT2OYTC-XC2C-7LS8-3I7C-KRGPWMM5X32M}	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AYT2OYTC-XC2C-7LS8-3I7C-KRGPWMM5X32M}\StubPath = "C:\\Program Files (x86)\\jre6\\java.exe restart"	services.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{AYT2OYTC-XC2C-7LS8-3I7C-KRGPWMM5X32M}	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AYT2OYTC-XC2C-7LS8-3I7C-KRGPWMM5X32M}\StubPath = "C:\\Program Files (x86)\\jre6\\java.exe restart"	java.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{AYT2OYTC-XC2C-7LS8-3I7C-KRGPWMM5X32M}	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AYT2OYTC-XC2C-7LS8-3I7C-KRGPWMM5X32M}\StubPath = "C:\\Program Files (x86)\\jre6\\java.exe restart"	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AYT2OYTC-XC2C-7LS8-3I7C-KRGPWMM5X32M}\StubPath = "C:\\Program Files (x86)\\jre6\\java.exe restart"	java.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{AYT2OYTC-XC2C-7LS8-3I7C-KRGPWMM5X32M}	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AYT2OYTC-XC2C-7LS8-3I7C-KRGPWMM5X32M}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\jre6\\java.exe restart"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AYT2OYTC-XC2C-7LS8-3I7C-KRGPWMM5X32M}\StubPath = "C:\\Program Files (x86)\\jre6\\java.exe restart"	java.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{AYT2OYTC-XC2C-7LS8-3I7C-KRGPWMM5X32M}	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AYT2OYTC-XC2C-7LS8-3I7C-KRGPWMM5X32M}\StubPath = "C:\\Program Files (x86)\\jre6\\java.exe restart"	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AYT2OYTC-XC2C-7LS8-3I7C-KRGPWMM5X32M}\StubPath = "C:\\Program Files (x86)\\jre6\\java.exe restart"	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AYT2OYTC-XC2C-7LS8-3I7C-KRGPWMM5X32M}\StubPath = "C:\\Program Files (x86)\\jre6\\java.exe restart"	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AYT2OYTC-XC2C-7LS8-3I7C-KRGPWMM5X32M}\StubPath = "C:\\Program Files (x86)\\jre6\\java.exe restart"	java.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{AYT2OYTC-XC2C-7LS8-3I7C-KRGPWMM5X32M}	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AYT2OYTC-XC2C-7LS8-3I7C-KRGPWMM5X32M}\StubPath = "C:\\Program Files (x86)\\jre6\\java.exe restart"	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AYT2OYTC-XC2C-7LS8-3I7C-KRGPWMM5X32M}\StubPath = "C:\\Program Files (x86)\\jre6\\java.exe restart"	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AYT2OYTC-XC2C-7LS8-3I7C-KRGPWMM5X32M}\StubPath = "C:\\Program Files (x86)\\jre6\\java.exe restart"	java.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{AYT2OYTC-XC2C-7LS8-3I7C-KRGPWMM5X32M}	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AYT2OYTC-XC2C-7LS8-3I7C-KRGPWMM5X32M}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\jre6\\java.exe restart"	services.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{AYT2OYTC-XC2C-7LS8-3I7C-KRGPWMM5X32M}	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AYT2OYTC-XC2C-7LS8-3I7C-KRGPWMM5X32M}\StubPath = "C:\\Program Files (x86)\\jre6\\java.exe restart"	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AYT2OYTC-XC2C-7LS8-3I7C-KRGPWMM5X32M}\StubPath = "C:\\Program Files (x86)\\jre6\\java.exe restart"	java.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{AYT2OYTC-XC2C-7LS8-3I7C-KRGPWMM5X32M}	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AYT2OYTC-XC2C-7LS8-3I7C-KRGPWMM5X32M}\StubPath = "C:\\Program Files (x86)\\jre6\\java.exe restart"	java.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{AYT2OYTC-XC2C-7LS8-3I7C-KRGPWMM5X32M}	java.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{AYT2OYTC-XC2C-7LS8-3I7C-KRGPWMM5X32M}	java.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{AYT2OYTC-XC2C-7LS8-3I7C-KRGPWMM5X32M}	java.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{AYT2OYTC-XC2C-7LS8-3I7C-KRGPWMM5X32M}	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AYT2OYTC-XC2C-7LS8-3I7C-KRGPWMM5X32M}\StubPath = "C:\\Program Files (x86)\\jre6\\java.exe restart"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AYT2OYTC-XC2C-7LS8-3I7C-KRGPWMM5X32M}\StubPath = "C:\\Program Files (x86)\\jre6\\java.exe restart"	java.exe

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	java.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Perx Injector (x1nject) Remake and Updated.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Perx Injector (x1nject) Remake and Updated.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	java.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	java.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	java.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	java.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	java.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Perx Injector (x1nject) Remake and Updated.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Perx Injector (x1nject) Remake and Updated.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Perx Injector (x1nject) Remake and Updated.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Perx Injector (x1nject) Remake and Updated.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Perx Injector (x1nject) Remake and Updated.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	java.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	java.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Perx Injector (x1nject) Remake and Updated.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Perx Injector (x1nject) Remake and Updated.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Perx Injector (x1nject) Remake and Updated.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Perx Injector (x1nject) Remake and Updated.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	java.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	java.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	java.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	java.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Perx Injector (x1nject) Remake and Updated.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Perx Injector (x1nject) Remake and Updated.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	java.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	java.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	java.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Perx Injector (x1nject) Remake and Updated.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	java.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	java.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	java.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	java.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	java.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	java.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Perx Injector (x1nject) Remake and Updated.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	services.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Perx Injector (x1nject) Remake and Updated.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	services.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Perx Injector (x1nject) Remake and Updated.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Perx Injector (x1nject) Remake and Updated.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	java.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	java.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	java.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	java.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	java.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	java.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Perx Injector (x1nject) Remake and Updated.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Perx Injector (x1nject) Remake and Updated.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Perx Injector (x1nject) Remake and Updated.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Perx Injector (x1nject) Remake and Updated.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Perx Injector (x1nject) Remake and Updated.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	services.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	java.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	java.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	services.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Perx Injector (x1nject) Remake and Updated.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Perx Injector (x1nject) Remake and Updated.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Perx Injector (x1nject) Remake and Updated.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Perx Injector (x1nject) Remake and Updated.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	java.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Perx Injector (x1nject) Remake and Updated.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	java.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	java.exe

Executes dropped EXE 64 IoCs

pid	Process
4740	install.exe
992	services.exe
2384	java.exe
1844	install.exe
2088	install.exe
3100	services.exe
3484	services.exe
1336	java.exe
4548	java.exe
4228	java.exe
4536	install.exe
944	install.exe
964	install.exe
4784	install.exe
5108	services.exe
4452	services.exe
3480	services.exe
4420	services.exe
3240	java.exe
1908	java.exe
2148	java.exe
2272	install.exe
2724	install.exe
2088	install.exe
3464	install.exe
5088	install.exe
4992	install.exe
3768	install.exe
1900	services.exe
3996	services.exe
4180	install.exe
2184	services.exe
2140	services.exe
4528	services.exe
4276	services.exe
5064	services.exe
2888	services.exe
1332	java.exe
644	services.exe
1844	install.exe
4656	install.exe
2140	install.exe
1268	install.exe
1488	install.exe
5064	install.exe
4612	services.exe
3500	install.exe
2432	install.exe
1796	install.exe
212	install.exe
1948	services.exe
3944	install.exe
2892	services.exe
3172	services.exe
4644	services.exe
4180	install.exe
3528	install.exe
2120	install.exe
1676	install.exe
2148	services.exe
2336	services.exe
1540	services.exe
4084	services.exe
4236	services.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\java = "C:\\Program Files (x86)\\jre6\\java.exe"	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\java = "C:\\Program Files (x86)\\jre6\\java.exe"	java.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\java = "C:\\Program Files (x86)\\jre6\\java.exe"	java.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\java = "C:\\Program Files (x86)\\jre6\\java.exe"	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\java = "C:\\Program Files (x86)\\jre6\\java.exe"	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\java = "C:\\Users\\Admin\\AppData\\Roaming\\jre6\\java.exe"	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\java = "C:\\Program Files (x86)\\jre6\\java.exe"	java.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\java = "C:\\Program Files (x86)\\jre6\\java.exe"	java.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\java = "C:\\Users\\Admin\\AppData\\Local\\Temp\\services.exe"	services.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\java = "C:\\Users\\Admin\\AppData\\Roaming\\jre6\\java.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\java = "C:\\Program Files (x86)\\jre6\\java.exe"	java.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\java = "C:\\Program Files (x86)\\jre6\\java.exe"	java.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\java = "C:\\Program Files (x86)\\jre6\\java.exe"	java.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\java = "C:\\Program Files (x86)\\jre6\\java.exe"	java.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\java = "C:\\Program Files (x86)\\jre6\\java.exe"	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\java = "C:\\Program Files (x86)\\jre6\\java.exe"	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\java = "C:\\Program Files (x86)\\jre6\\java.exe"	java.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\java = "C:\\Program Files (x86)\\jre6\\java.exe"	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\java = "C:\\Program Files (x86)\\jre6\\java.exe"	java.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\java = "C:\\Program Files (x86)\\jre6\\java.exe"	java.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\java = "C:\\Program Files (x86)\\jre6\\java.exe"	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\java = "C:\\Program Files (x86)\\jre6\\java.exe"	java.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\java = "C:\\Program Files (x86)\\jre6\\java.exe"	java.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\java = "C:\\Program Files (x86)\\jre6\\java.exe"	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\java = "C:\\Program Files (x86)\\jre6\\java.exe"	java.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\java = "C:\\Program Files (x86)\\jre6\\java.exe"	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\java = "C:\\Program Files (x86)\\jre6\\java.exe"	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\java = "C:\\Program Files (x86)\\jre6\\java.exe"	java.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\java = "C:\\Program Files (x86)\\jre6\\java.exe"	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\java = "C:\\Program Files (x86)\\jre6\\java.exe"	java.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\java = "C:\\Program Files (x86)\\jre6\\java.exe"	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\java = "C:\\Program Files (x86)\\jre6\\java.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\java = "C:\\Users\\Admin\\AppData\\Roaming\\jre6\\java.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\java = "C:\\Users\\Admin\\AppData\\Local\\Temp\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\java = "C:\\Program Files (x86)\\jre6\\java.exe"	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\java = "C:\\Program Files (x86)\\jre6\\java.exe"	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\java = "C:\\Program Files (x86)\\jre6\\java.exe"	java.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\java = "C:\\Program Files (x86)\\jre6\\java.exe"	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\java = "C:\\Program Files (x86)\\jre6\\java.exe"	java.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\java = "C:\\Program Files (x86)\\jre6\\java.exe"	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\java = "C:\\Program Files (x86)\\jre6\\java.exe"	java.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\java = "C:\\Program Files (x86)\\jre6\\java.exe"	java.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\java = "C:\\Users\\Admin\\AppData\\Local\\Temp\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\java = "C:\\Program Files (x86)\\jre6\\java.exe"	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\java = "C:\\Program Files (x86)\\jre6\\java.exe"	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\java = "C:\\Program Files (x86)\\jre6\\java.exe"	java.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\java = "C:\\Users\\Admin\\AppData\\Roaming\\jre6\\java.exe"	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\java = "C:\\Users\\Admin\\AppData\\Roaming\\jre6\\java.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\java = "C:\\Program Files (x86)\\jre6\\java.exe"	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\java = "C:\\Users\\Admin\\AppData\\Local\\Temp\\services.exe"	services.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\java = "C:\\Program Files (x86)\\jre6\\java.exe"	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\java = "C:\\Program Files (x86)\\jre6\\java.exe"	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\java = "C:\\Program Files (x86)\\jre6\\java.exe"	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\java = "C:\\Program Files (x86)\\jre6\\java.exe"	java.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\java = "C:\\Program Files (x86)\\jre6\\java.exe"	java.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\java = "C:\\Program Files (x86)\\jre6\\java.exe"	java.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\java = "C:\\Program Files (x86)\\jre6\\java.exe"	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\java = "C:\\Program Files (x86)\\jre6\\java.exe"	java.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\java = "C:\\Program Files (x86)\\jre6\\java.exe"	java.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\java = "C:\\Program Files (x86)\\jre6\\java.exe"	java.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\java = "C:\\Program Files (x86)\\jre6\\java.exe"	java.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\java = "C:\\Program Files (x86)\\jre6\\java.exe"	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\java = "C:\\Program Files (x86)\\jre6\\java.exe"	java.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\java = "C:\\Program Files (x86)\\jre6\\java.exe"	java.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000b000000023b9c-16.dat	upx
behavioral2/memory/992-17-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral2/memory/3176-22-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral2/memory/992-26-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral2/memory/3484-46-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral2/memory/2384-48-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral2/memory/3100-64-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral2/memory/4548-69-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral2/memory/4452-83-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral2/memory/5108-82-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral2/memory/4452-94-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral2/memory/3480-102-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral2/memory/4420-104-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral2/memory/1336-107-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral2/memory/5108-116-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral2/memory/4228-119-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral2/memory/3996-141-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral2/memory/2184-151-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral2/memory/2184-164-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral2/memory/1900-169-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral2/memory/3240-174-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral2/memory/5064-194-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral2/memory/4528-196-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral2/memory/2888-193-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral2/memory/2140-190-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral2/memory/4276-180-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral2/memory/1908-198-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral2/memory/1908-200-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral2/memory/2148-204-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral2/memory/3996-205-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral2/memory/3996-207-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral2/memory/4612-220-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral2/memory/2892-224-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral2/memory/1540-250-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral2/memory/4236-261-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral2/memory/2136-279-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral2/memory/4612-281-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral2/memory/4084-301-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral2/memory/3828-307-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral2/memory/2136-321-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral2/memory/1144-325-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral2/memory/2448-323-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral2/memory/2216-320-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral2/memory/1900-315-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral2/memory/4236-313-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral2/memory/2336-297-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral2/memory/644-291-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral2/memory/1540-295-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral2/memory/2216-280-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral2/memory/2148-289-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral2/memory/1948-274-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral2/memory/4644-276-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral2/memory/1332-268-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral2/memory/644-264-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral2/memory/2448-263-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral2/memory/3828-262-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral2/memory/3172-271-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral2/memory/2892-266-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral2/memory/2336-249-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral2/memory/2148-248-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral2/memory/1332-247-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral2/memory/4644-231-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral2/memory/3172-230-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral2/memory/1948-223-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx

Drops file in Program Files directory 21 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\jre6\java.exe	services.exe
File opened for modification	C:\Program Files (x86)\jre6\java.exe	java.exe
File opened for modification	C:\Program Files (x86)\jre6\java.exe	services.exe
File opened for modification	C:\Program Files (x86)\jre6\java.exe	java.exe
File created	C:\Program Files (x86)\jre6\java.exe	services.exe
File opened for modification	C:\Program Files (x86)\jre6\java.exe	services.exe
File created	C:\Program Files (x86)\jre6\java.exe	java.exe
File created	C:\Program Files (x86)\jre6\java.exe	services.exe
File opened for modification	C:\Program Files (x86)\jre6\java.exe	services.exe
File opened for modification	C:\Program Files (x86)\jre6\java.exe	services.exe
File opened for modification	C:\Program Files (x86)\jre6\java.exe	services.exe
File created	C:\Program Files (x86)\jre6\java.exe	services.exe
File opened for modification	C:\Program Files (x86)\jre6\java.exe	services.exe
File created	C:\Program Files (x86)\jre6\java.exe	services.exe
File opened for modification	C:\Program Files (x86)\jre6\java.exe	services.exe
File opened for modification	C:\Program Files (x86)\jre6\java.exe	services.exe
File created	C:\Program Files (x86)\jre6\java.exe	services.exe
File created	C:\Program Files (x86)\jre6\java.exe	services.exe
File opened for modification	C:\Program Files (x86)\jre6\java.exe	services.exe
File created	C:\Program Files (x86)\jre6\java.exe	java.exe
File created	C:\Program Files (x86)\jre6\java.exe	services.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	install.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	java.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	install.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	java.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	install.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	install.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Perx Injector (x1nject) Remake and Updated.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Perx Injector (x1nject) Remake and Updated.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Perx Injector (x1nject) Remake and Updated.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	java.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Perx Injector (x1nject) Remake and Updated.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Perx Injector (x1nject) Remake and Updated.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	java.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	java.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	java.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	java.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	install.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	install.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	install.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Perx Injector (x1nject) Remake and Updated.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	install.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	install.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Perx Injector (x1nject) Remake and Updated.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	java.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	java.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	java.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	install.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	java.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Perx Injector (x1nject) Remake and Updated.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Perx Injector (x1nject) Remake and Updated.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	install.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Perx Injector (x1nject) Remake and Updated.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Perx Injector (x1nject) Remake and Updated.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	install.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	java.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	java.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	java.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	java.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	install.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Perx Injector (x1nject) Remake and Updated.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	java.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Perx Injector (x1nject) Remake and Updated.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	java.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	java.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Perx Injector (x1nject) Remake and Updated.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	java.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeSecurityPrivilege	1908	Perx Injector (x1nject) Remake and Updated.exe
Token: SeRestorePrivilege	1908	Perx Injector (x1nject) Remake and Updated.exe

Suspicious use of SetWindowsHookEx 60 IoCs

pid	Process
4740	install.exe
1844	install.exe
2088	install.exe
4536	install.exe
944	install.exe
4784	install.exe
964	install.exe
2272	install.exe
2088	install.exe
2724	install.exe
3464	install.exe
3768	install.exe
4992	install.exe
5088	install.exe
4180	install.exe
1844	install.exe
2140	install.exe
1268	install.exe
4656	install.exe
1488	install.exe
5064	install.exe
3944	install.exe
2432	install.exe
4180	install.exe
212	install.exe
3500	install.exe
1796	install.exe
3528	install.exe
1676	install.exe
2120	install.exe
2064	install.exe
376	install.exe
4044	install.exe
2636	install.exe
3000	install.exe
3684	install.exe
5128	install.exe
3768	install.exe
5136	install.exe
5148	install.exe
2104	install.exe
5244	install.exe
5412	install.exe
5284	install.exe
5276	install.exe
5428	install.exe
5484	install.exe
5544	install.exe
5420	install.exe
5508	install.exe
5496	install.exe
5696	install.exe
5608	install.exe
5704	install.exe
5712	install.exe
5800	install.exe
5728	install.exe
5848	install.exe
5356	install.exe
5456	install.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1908 wrote to memory of 4740	1908	Perx Injector (x1nject) Remake and Updated.exe	87
PID 1908 wrote to memory of 4740	1908	Perx Injector (x1nject) Remake and Updated.exe	87
PID 1908 wrote to memory of 4740	1908	Perx Injector (x1nject) Remake and Updated.exe	87
PID 4740 wrote to memory of 992	4740	install.exe	88
PID 4740 wrote to memory of 992	4740	install.exe	88
PID 4740 wrote to memory of 992	4740	install.exe	88
PID 992 wrote to memory of 3176	992	services.exe	89
PID 992 wrote to memory of 3176	992	services.exe	89
PID 992 wrote to memory of 3176	992	services.exe	89
PID 992 wrote to memory of 3176	992	services.exe	89
PID 992 wrote to memory of 4596	992	services.exe	90
PID 992 wrote to memory of 4596	992	services.exe	90
PID 992 wrote to memory of 4596	992	services.exe	90
PID 992 wrote to memory of 3092	992	services.exe	91
PID 992 wrote to memory of 3092	992	services.exe	91
PID 992 wrote to memory of 3092	992	services.exe	91
PID 992 wrote to memory of 3888	992	services.exe	92
PID 992 wrote to memory of 3888	992	services.exe	92
PID 992 wrote to memory of 3888	992	services.exe	92
PID 992 wrote to memory of 4636	992	services.exe	93
PID 992 wrote to memory of 4636	992	services.exe	93
PID 992 wrote to memory of 4636	992	services.exe	93
PID 992 wrote to memory of 1952	992	services.exe	96
PID 992 wrote to memory of 1952	992	services.exe	96
PID 992 wrote to memory of 1952	992	services.exe	96
PID 992 wrote to memory of 960	992	services.exe	97
PID 992 wrote to memory of 960	992	services.exe	97
PID 992 wrote to memory of 960	992	services.exe	97
PID 992 wrote to memory of 3668	992	services.exe	98
PID 992 wrote to memory of 3668	992	services.exe	98
PID 992 wrote to memory of 3668	992	services.exe	98
PID 992 wrote to memory of 1548	992	services.exe	99
PID 992 wrote to memory of 1548	992	services.exe	99
PID 4740 wrote to memory of 4236	4740	install.exe	100
PID 4740 wrote to memory of 4236	4740	install.exe	100
PID 4740 wrote to memory of 4236	4740	install.exe	100
PID 992 wrote to memory of 2384	992	services.exe	101
PID 992 wrote to memory of 2384	992	services.exe	101
PID 992 wrote to memory of 2384	992	services.exe	101
PID 2384 wrote to memory of 996	2384	java.exe	102
PID 2384 wrote to memory of 996	2384	java.exe	102
PID 2384 wrote to memory of 996	2384	java.exe	102
PID 2384 wrote to memory of 3536	2384	java.exe	103
PID 2384 wrote to memory of 3536	2384	java.exe	103
PID 2384 wrote to memory of 3536	2384	java.exe	103
PID 2384 wrote to memory of 1956	2384	java.exe	105
PID 2384 wrote to memory of 1956	2384	java.exe	105
PID 4236 wrote to memory of 1844	4236	Perx Injector (x1nject) Remake and Updated.exe	104
PID 4236 wrote to memory of 1844	4236	Perx Injector (x1nject) Remake and Updated.exe	104
PID 4236 wrote to memory of 1844	4236	Perx Injector (x1nject) Remake and Updated.exe	104
PID 4236 wrote to memory of 2088	4236	Perx Injector (x1nject) Remake and Updated.exe	106
PID 4236 wrote to memory of 2088	4236	Perx Injector (x1nject) Remake and Updated.exe	106
PID 4236 wrote to memory of 2088	4236	Perx Injector (x1nject) Remake and Updated.exe	106
PID 1844 wrote to memory of 3100	1844	install.exe	107
PID 1844 wrote to memory of 3100	1844	install.exe	107
PID 1844 wrote to memory of 3100	1844	install.exe	107
PID 2088 wrote to memory of 3484	2088	install.exe	108
PID 2088 wrote to memory of 3484	2088	install.exe	108
PID 2088 wrote to memory of 3484	2088	install.exe	108
PID 2384 wrote to memory of 1956	2384	java.exe	105
PID 3100 wrote to memory of 3964	3100	services.exe	109
PID 3100 wrote to memory of 3964	3100	services.exe	109
PID 2088 wrote to memory of 3120	2088	install.exe	110
PID 2088 wrote to memory of 3120	2088	install.exe	110

C:\Users\Admin\AppData\Local\Temp\Perx Injector (x1nject) Remake and Updated.exe
"C:\Users\Admin\AppData\Local\Temp\Perx Injector (x1nject) Remake and Updated.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1908
- C:\Users\Admin\AppData\Local\Temp\install.exe
  "C:\Users\Admin\AppData\Local\Temp\install.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4740
- - C:\Users\Admin\AppData\Local\Temp\services.exe
    services.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Checks computer location settings
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    PID:992
  - - C:\Windows\SysWOW64\svchost.exe
      svchost.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      PID:3176
    - - C:\Program Files (x86)\jre6\java.exe
        
        "C:\Program Files (x86)\jre6\java.exe"
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:4548
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:1684
    - - C:\Program Files (x86)\jre6\java.exe
        
        "C:\Program Files (x86)\jre6\java.exe"
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Checks computer location settings
        Executes dropped EXE
        
        PID:1908
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:4700
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:4056
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:4100
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:1212
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:4600
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:3028
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:3532
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:2412
      - C:\Program Files (x86)\jre6\java.exe
        
        "C:\Program Files (x86)\jre6\java.exe"
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        
        PID:1332
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:4864
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:1372
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:3392
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:1464
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:4424
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:3696
    - - C:\Program Files (x86)\jre6\java.exe
        
        "C:\Program Files (x86)\jre6\java.exe"
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:5104
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:1924
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:5008
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:1668
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:4236
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:1900
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:3824
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:2340
    - - C:\Program Files (x86)\jre6\java.exe
        
        "C:\Program Files (x86)\jre6\java.exe"
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Checks computer location settings
        Adds Run key to start application
        
        PID:4656
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:5692
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:1648
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:5652
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:4580
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:2936
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:5048
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:6100
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:2472
      - C:\Program Files (x86)\jre6\java.exe
        
        "C:\Program Files (x86)\jre6\java.exe"
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:872
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:5584
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:1784
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:4488
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:3628
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:5308
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:5300
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:5360
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:5188
        
        C:\Program Files (x86)\jre6\java.exe
        
        "C:\Program Files (x86)\jre6\java.exe"
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Checks computer location settings
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:5564
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:6060
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:5384
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:4548
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:1060
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:6136
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:3192
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:3500
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:5364
        
        C:\Program Files (x86)\jre6\java.exe
        
        "C:\Program Files (x86)\jre6\java.exe"
        8⤵
        Checks computer location settings
        
        PID:5104
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        9⤵
        
        PID:5200
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        9⤵
        
        PID:5556
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        9⤵
        
        PID:5196
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        9⤵
        
        PID:5416
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        9⤵
        
        PID:5620
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        9⤵
        
        PID:5788
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        9⤵
        
        PID:5412
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        9⤵
        
        PID:5236
        
        C:\Program Files (x86)\jre6\java.exe
        
        "C:\Program Files (x86)\jre6\java.exe"
        9⤵
        Checks computer location settings
        
        PID:5148
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:5488
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:5700
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:5604
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:2636
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:5244
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:5824
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:4528
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:5828
        
        C:\Program Files (x86)\jre6\java.exe
        
        "C:\Program Files (x86)\jre6\java.exe"
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Checks computer location settings
        Adds Run key to start application
        
        PID:740
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        11⤵
        
        PID:1336
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        11⤵
        
        PID:6000
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        11⤵
        
        PID:3296
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        11⤵
        
        PID:5924
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        11⤵
        
        PID:5264
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        11⤵
        
        PID:3224
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        11⤵
        
        PID:4780
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        11⤵
        
        PID:5776
        
        C:\Program Files (x86)\jre6\java.exe
        
        "C:\Program Files (x86)\jre6\java.exe"
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:4200
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:5192
    - - C:\Program Files (x86)\jre6\java.exe
        
        "C:\Program Files (x86)\jre6\java.exe"
        5⤵
        
        PID:2136
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:6056
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:4152
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:6128
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:5328
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:4216
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:2880
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:5964
    - - C:\Program Files (x86)\jre6\java.exe
        
        "C:\Program Files (x86)\jre6\java.exe"
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Checks computer location settings
        Adds Run key to start application
        
        PID:5192
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:5144
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:5804
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:5176
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:6032
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:5708
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:5276
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:6024
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:5864
      - C:\Program Files (x86)\jre6\java.exe
        
        "C:\Program Files (x86)\jre6\java.exe"
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Checks computer location settings
        Adds Run key to start application
        
        PID:5424
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:5552
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:5856
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:5664
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:1320
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:5284
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:6072
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:5720
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:4944
        
        C:\Program Files (x86)\jre6\java.exe
        
        "C:\Program Files (x86)\jre6\java.exe"
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:5972
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:2072
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:3772
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:5404
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:388
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:4028
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:5844
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:2020
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:532
        
        C:\Program Files (x86)\jre6\java.exe
        
        "C:\Program Files (x86)\jre6\java.exe"
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        
        PID:1016
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        9⤵
        
        PID:5832
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        9⤵
        
        PID:5576
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        9⤵
        
        PID:5440
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        9⤵
        
        PID:5688
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        9⤵
        
        PID:5108
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        9⤵
        
        PID:3112
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        9⤵
        
        PID:4852
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        9⤵
        
        PID:5136
        
        C:\Program Files (x86)\jre6\java.exe
        
        "C:\Program Files (x86)\jre6\java.exe"
        9⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:740
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:4568
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:4180
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:3684
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:2740
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:1308
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:5068
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:4772
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:1840
        
        C:\Program Files (x86)\jre6\java.exe
        
        "C:\Program Files (x86)\jre6\java.exe"
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        
        PID:3516
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        11⤵
        
        PID:1016
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        11⤵
        
        PID:4584
    - - C:\Program Files (x86)\jre6\java.exe
        
        "C:\Program Files (x86)\jre6\java.exe"
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        
        PID:3580
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:3556
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:5532
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:5812
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:5628
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:5132
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:1960
    - - C:\Program Files (x86)\jre6\java.exe
        
        "C:\Program Files (x86)\jre6\java.exe"
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Checks computer location settings
        Adds Run key to start application
        
        PID:224
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:1268
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:5876
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:5164
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:4196
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:1832
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:948
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:208
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:5540
      - C:\Program Files (x86)\jre6\java.exe
        
        "C:\Program Files (x86)\jre6\java.exe"
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Checks computer location settings
        
        PID:5600
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:5248
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:4200
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:3080
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:3212
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:3436
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:1688
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:456
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:5140
        
        C:\Program Files (x86)\jre6\java.exe
        
        "C:\Program Files (x86)\jre6\java.exe"
        7⤵
        Adds Run key to start application
        
        PID:5148
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:4164
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:740
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:1816
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:5932
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:2884
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:2140
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:4796
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:2696
        
        C:\Program Files (x86)\jre6\java.exe
        
        "C:\Program Files (x86)\jre6\java.exe"
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Checks computer location settings
        Adds Run key to start application
        
        PID:6156
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        9⤵
        
        PID:6196
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        9⤵
        
        PID:6240
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        9⤵
        
        PID:6272
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        9⤵
        
        PID:6292
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        9⤵
        
        PID:6308
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        9⤵
        
        PID:6328
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        9⤵
        
        PID:6344
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        9⤵
        
        PID:6364
        
        C:\Program Files (x86)\jre6\java.exe
        
        "C:\Program Files (x86)\jre6\java.exe"
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Checks computer location settings
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:6396
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:6436
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:6492
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:6528
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:6544
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:6568
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:6584
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:6604
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:6620
        
        C:\Program Files (x86)\jre6\java.exe
        
        "C:\Program Files (x86)\jre6\java.exe"
        10⤵
        Adds Run key to start application
        
        PID:6656
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        11⤵
        
        PID:6696
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        11⤵
        
        PID:6728
    - - C:\Program Files (x86)\jre6\java.exe
        
        "C:\Program Files (x86)\jre6\java.exe"
        5⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:372
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:2684
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:1260
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:4620
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:1720
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:4712
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:3516
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:412
    - - C:\Program Files (x86)\jre6\java.exe
        
        "C:\Program Files (x86)\jre6\java.exe"
        5⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:6216
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:6264
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:6280
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:6300
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:6316
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:6336
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:6352
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:6372
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:6444
      - C:\Program Files (x86)\jre6\java.exe
        
        "C:\Program Files (x86)\jre6\java.exe"
        6⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:6468
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:6520
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:6536
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:6556
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:6576
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:6596
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:6612
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:6632
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:6704
        
        C:\Program Files (x86)\jre6\java.exe
        
        "C:\Program Files (x86)\jre6\java.exe"
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Checks computer location settings
        Adds Run key to start application
        
        PID:6736
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:6776
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:6836
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:6852
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:6872
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:6888
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:6908
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:6924
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:6944
        
        C:\Program Files (x86)\jre6\java.exe
        
        "C:\Program Files (x86)\jre6\java.exe"
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:6968
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        9⤵
        
        PID:7008
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        9⤵
        
        PID:7044
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        9⤵
        
        PID:7076
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        9⤵
        
        PID:7096
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        9⤵
        
        PID:7112
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        9⤵
        
        PID:7132
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        9⤵
        
        PID:7148
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        9⤵
        
        PID:5508
        
        C:\Program Files (x86)\jre6\java.exe
        
        "C:\Program Files (x86)\jre6\java.exe"
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Checks computer location settings
        Adds Run key to start application
        
        PID:5408
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:6208
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:6184
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:6156
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:6228
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:6460
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:6512
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:748
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:6508
        
        C:\Program Files (x86)\jre6\java.exe
        
        "C:\Program Files (x86)\jre6\java.exe"
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        
        PID:6416
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        11⤵
        
        PID:6688
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        11⤵
        
        PID:6480
    - - C:\Program Files (x86)\jre6\java.exe
        
        "C:\Program Files (x86)\jre6\java.exe"
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:6788
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:6820
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:6844
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:6864
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:6880
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:6900
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:6916
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:6936
    - - C:\Program Files (x86)\jre6\java.exe
        
        "C:\Program Files (x86)\jre6\java.exe"
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Checks computer location settings
        Adds Run key to start application
        
        PID:7028
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:7068
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:7084
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:7104
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:7120
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:7140
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:7156
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:728
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:2916
      - C:\Program Files (x86)\jre6\java.exe
        
        "C:\Program Files (x86)\jre6\java.exe"
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Checks computer location settings
        
        PID:6324
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:6392
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:6412
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:6484
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:6464
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:4436
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:5100
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:6552
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:6064
        
        C:\Program Files (x86)\jre6\java.exe
        
        "C:\Program Files (x86)\jre6\java.exe"
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Checks computer location settings
        Adds Run key to start application
        
        PID:6500
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:5480
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:5040
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:5900
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:5896
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:2780
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:5760
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:6020
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:4808
        
        C:\Program Files (x86)\jre6\java.exe
        
        "C:\Program Files (x86)\jre6\java.exe"
        8⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3444
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        9⤵
        
        PID:6828
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        9⤵
        
        PID:6976
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        9⤵
        
        PID:6744
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        9⤵
        
        PID:6932
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        9⤵
        
        PID:7128
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        9⤵
        
        PID:6972
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        9⤵
        
        PID:6992
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        9⤵
        
        PID:7032
        
        C:\Program Files (x86)\jre6\java.exe
        
        "C:\Program Files (x86)\jre6\java.exe"
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Checks computer location settings
        Adds Run key to start application
        
        PID:6232
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:6420
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:1344
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:6640
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:6748
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:5472
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:5940
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:6816
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:5476
        
        C:\Program Files (x86)\jre6\java.exe
        
        "C:\Program Files (x86)\jre6\java.exe"
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        
        PID:2956
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        11⤵
        
        PID:3124
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        11⤵
        
        PID:6424
    - - C:\Program Files (x86)\jre6\java.exe
        
        "C:\Program Files (x86)\jre6\java.exe"
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        System Location Discovery: System Language Discovery
        
        PID:5376
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:6048
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:2656
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:2580
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:220
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:5944
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:5968
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:5204
    - - C:\Program Files (x86)\jre6\java.exe
        
        "C:\Program Files (x86)\jre6\java.exe"
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Checks computer location settings
        Adds Run key to start application
        
        PID:6784
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:6956
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:7000
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:6808
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:6988
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:6148
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:6172
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:7036
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:5408
      - C:\Program Files (x86)\jre6\java.exe
        
        "C:\Program Files (x86)\jre6\java.exe"
        6⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:6388
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:5400
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:6648
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:5524
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:6628
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:6716
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:6668
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:4388
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:3552
        
        C:\Program Files (x86)\jre6\java.exe
        
        "C:\Program Files (x86)\jre6\java.exe"
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        
        PID:1536
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:6952
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:2100
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:6404
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:3024
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:2200
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:3116
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:840
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:5340
        
        C:\Program Files (x86)\jre6\java.exe
        
        "C:\Program Files (x86)\jre6\java.exe"
        8⤵
        Checks computer location settings
        
        PID:1948
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        9⤵
        
        PID:4496
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        9⤵
        
        PID:6324
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        9⤵
        
        PID:6388
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        9⤵
        
        PID:4232
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        9⤵
        
        PID:2528
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        9⤵
        
        PID:6984
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        9⤵
        
        PID:3860
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        9⤵
        
        PID:4136
        
        C:\Program Files (x86)\jre6\java.exe
        
        "C:\Program Files (x86)\jre6\java.exe"
        9⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:6684
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:3488
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:4936
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:1356
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:6204
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:7180
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:7204
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:7232
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:7256
        
        C:\Program Files (x86)\jre6\java.exe
        
        "C:\Program Files (x86)\jre6\java.exe"
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        
        PID:7288
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        11⤵
        
        PID:7336
    - - C:\Program Files (x86)\jre6\java.exe
        
        "C:\Program Files (x86)\jre6\java.exe"
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2920
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:2972
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:2796
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:1468
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:4948
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:2300
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:392
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:5976
    - - C:\Program Files (x86)\jre6\java.exe
        
        "C:\Program Files (x86)\jre6\java.exe"
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Checks computer location settings
        Adds Run key to start application
        
        PID:2024
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:6664
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:6380
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:2544
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:2312
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:6672
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:2164
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:1796
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:6812
      - C:\Program Files (x86)\jre6\java.exe
        
        "C:\Program Files (x86)\jre6\java.exe"
        6⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:4912
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:1948
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:2924
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:3444
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:7188
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:7212
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:7240
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:7264
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:7348
        
        C:\Program Files (x86)\jre6\java.exe
        
        "C:\Program Files (x86)\jre6\java.exe"
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        
        PID:7380
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:7436
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:7508
    - - C:\Program Files (x86)\jre6\java.exe
        
        "C:\Program Files (x86)\jre6\java.exe"
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Checks computer location settings
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3460
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:6192
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:2024
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:1404
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:7196
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:7220
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:7248
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:7312
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:7404
      - C:\Program Files (x86)\jre6\java.exe
        
        "C:\Program Files (x86)\jre6\java.exe"
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:7460
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:7500
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:4596
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:3092
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:3888
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:4636
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:1952
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:960
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:3668
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:1548
  - - C:\Program Files (x86)\jre6\java.exe
      "C:\Program Files (x86)\jre6\java.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:2384
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:996
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:3536
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:1956
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:3740
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:2704
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:1364
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:2844
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:2228
    - - C:\Program Files (x86)\jre6\java.exe
        
        "C:\Program Files (x86)\jre6\java.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:1336
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:4996
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:1092
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:4188
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:3676
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:4520
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:1616
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:2220
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:2488
      - C:\Program Files (x86)\jre6\java.exe
        
        "C:\Program Files (x86)\jre6\java.exe"
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        
        PID:3240
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:2756
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:2032
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:244
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:2084
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:4776
- - C:\Users\Admin\AppData\Local\Temp\Perx Injector (x1nject) Remake and Updated.exe
    "Perx Injector (x1nject) Remake and Updated.exe"
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4236
  - - C:\Users\Admin\AppData\Local\Temp\install.exe
      "C:\Users\Admin\AppData\Local\Temp\install.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1844
    - - C:\Users\Admin\AppData\Local\Temp\services.exe
        
        services.exe
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Program Files directory
        Suspicious use of WriteProcessMemory
        
        PID:3100
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:3964
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:1392
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:2672
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:4108
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:2564
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:2624
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:3932
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:4760
      - C:\Users\Admin\AppData\Roaming\jre6\java.exe
        
        "C:\Users\Admin\AppData\Roaming\jre6\java.exe"
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Checks computer location settings
        Executes dropped EXE
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        
        PID:4228
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:2836
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:2328
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:4304
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:2388
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:4024
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:2648
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:4980
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:1316
        
        C:\Users\Admin\AppData\Roaming\jre6\java.exe
        
        "C:\Users\Admin\AppData\Roaming\jre6\java.exe"
        7⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Program Files directory
        
        PID:2148
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:4116
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:4512
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:1504
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:3724
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:4536
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:3140
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:1868
    - - C:\Users\Admin\AppData\Local\Temp\Perx Injector (x1nject) Remake and Updated.exe
        
        "Perx Injector (x1nject) Remake and Updated.exe"
        5⤵
        Checks computer location settings
        
        PID:2476
      - C:\Users\Admin\AppData\Local\Temp\install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\install.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4536
        
        C:\Users\Admin\AppData\Local\Temp\services.exe
        
        services.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        
        PID:5108
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:4792
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:3184
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:1728
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:1600
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:4884
        
        C:\Users\Admin\AppData\Local\Temp\Perx Injector (x1nject) Remake and Updated.exe
        
        "Perx Injector (x1nject) Remake and Updated.exe"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1960
        
        C:\Users\Admin\AppData\Local\Temp\install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\install.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2272
        
        C:\Users\Admin\AppData\Local\Temp\services.exe
        
        services.exe
        9⤵
        Executes dropped EXE
        
        PID:1900
        
        C:\Users\Admin\AppData\Local\Temp\Perx Injector (x1nject) Remake and Updated.exe
        
        "Perx Injector (x1nject) Remake and Updated.exe"
        9⤵
        Checks computer location settings
        
        PID:3480
        
        C:\Users\Admin\AppData\Local\Temp\install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\install.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:212
        
        C:\Users\Admin\AppData\Local\Temp\services.exe
        
        services.exe
        11⤵
        Executes dropped EXE
        
        PID:4236
        
        C:\Users\Admin\AppData\Local\Temp\Perx Injector (x1nject) Remake and Updated.exe
        
        "Perx Injector (x1nject) Remake and Updated.exe"
        11⤵
        
        PID:4196
        
        C:\Users\Admin\AppData\Local\Temp\install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\install.exe"
        12⤵
        Suspicious use of SetWindowsHookEx
        
        PID:5508
        
        C:\Users\Admin\AppData\Local\Temp\services.exe
        
        services.exe
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:6004
        
        C:\Users\Admin\AppData\Local\Temp\Perx Injector (x1nject) Remake and Updated.exe
        
        "Perx Injector (x1nject) Remake and Updated.exe"
        13⤵
        
        PID:5912
        
        C:\Users\Admin\AppData\Local\Temp\install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\install.exe"
        12⤵
        Suspicious use of SetWindowsHookEx
        
        PID:5848
        
        C:\Users\Admin\AppData\Local\Temp\services.exe
        
        services.exe
        13⤵
        
        PID:5792
        
        C:\Users\Admin\AppData\Local\Temp\Perx Injector (x1nject) Remake and Updated.exe
        
        "Perx Injector (x1nject) Remake and Updated.exe"
        13⤵
        
        PID:2336
        
        C:\Users\Admin\AppData\Local\Temp\install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\install.exe"
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4180
        
        C:\Users\Admin\AppData\Local\Temp\services.exe
        
        services.exe
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4084
        
        C:\Users\Admin\AppData\Local\Temp\Perx Injector (x1nject) Remake and Updated.exe
        
        "Perx Injector (x1nject) Remake and Updated.exe"
        11⤵
        Checks computer location settings
        
        PID:4488
        
        C:\Users\Admin\AppData\Local\Temp\install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\install.exe"
        12⤵
        Suspicious use of SetWindowsHookEx
        
        PID:5800
        
        C:\Users\Admin\AppData\Local\Temp\services.exe
        
        services.exe
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:4280
        
        C:\Users\Admin\AppData\Local\Temp\Perx Injector (x1nject) Remake and Updated.exe
        
        "Perx Injector (x1nject) Remake and Updated.exe"
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:4472
        
        C:\Users\Admin\AppData\Local\Temp\install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\install.exe"
        12⤵
        Suspicious use of SetWindowsHookEx
        
        PID:5356
        
        C:\Users\Admin\AppData\Local\Temp\services.exe
        
        services.exe
        13⤵
        Boot or Logon Autostart Execution: Active Setup
        Drops file in Program Files directory
        
        PID:6132
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        14⤵
        
        PID:2652
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        14⤵
        
        PID:6012
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        14⤵
        
        PID:5172
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        14⤵
        
        PID:5436
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        14⤵
        
        PID:4784
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        14⤵
        
        PID:5348
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        14⤵
        
        PID:2284
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        14⤵
        
        PID:2724
        
        C:\Program Files (x86)\jre6\java.exe
        
        "C:\Program Files (x86)\jre6\java.exe"
        14⤵
        
        PID:5408
        
        C:\Users\Admin\AppData\Local\Temp\Perx Injector (x1nject) Remake and Updated.exe
        
        "Perx Injector (x1nject) Remake and Updated.exe"
        13⤵
        
        PID:3004
        
        C:\Users\Admin\AppData\Local\Temp\install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\install.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5088
        
        C:\Users\Admin\AppData\Local\Temp\services.exe
        
        services.exe
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4528
        
        C:\Users\Admin\AppData\Local\Temp\Perx Injector (x1nject) Remake and Updated.exe
        
        "Perx Injector (x1nject) Remake and Updated.exe"
        9⤵
        Checks computer location settings
        
        PID:4976
        
        C:\Users\Admin\AppData\Local\Temp\install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\install.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2432
        
        C:\Users\Admin\AppData\Local\Temp\services.exe
        
        services.exe
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2336
        
        C:\Users\Admin\AppData\Local\Temp\Perx Injector (x1nject) Remake and Updated.exe
        
        "Perx Injector (x1nject) Remake and Updated.exe"
        11⤵
        Checks computer location settings
        
        PID:1208
        
        C:\Users\Admin\AppData\Local\Temp\install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\install.exe"
        12⤵
        Suspicious use of SetWindowsHookEx
        
        PID:5244
        
        C:\Users\Admin\AppData\Local\Temp\services.exe
        
        services.exe
        13⤵
        
        PID:5768
        
        C:\Users\Admin\AppData\Local\Temp\Perx Injector (x1nject) Remake and Updated.exe
        
        "Perx Injector (x1nject) Remake and Updated.exe"
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:4628
        
        C:\Users\Admin\AppData\Local\Temp\install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\install.exe"
        12⤵
        Suspicious use of SetWindowsHookEx
        
        PID:5608
        
        C:\Users\Admin\AppData\Local\Temp\services.exe
        
        services.exe
        13⤵
        
        PID:5164
        
        C:\Users\Admin\AppData\Local\Temp\Perx Injector (x1nject) Remake and Updated.exe
        
        "Perx Injector (x1nject) Remake and Updated.exe"
        13⤵
        
        PID:5312
        
        C:\Users\Admin\AppData\Local\Temp\install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\install.exe"
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1676
        
        C:\Users\Admin\AppData\Local\Temp\services.exe
        
        services.exe
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:2216
        
        C:\Users\Admin\AppData\Local\Temp\Perx Injector (x1nject) Remake and Updated.exe
        
        "Perx Injector (x1nject) Remake and Updated.exe"
        11⤵
        Checks computer location settings
        
        PID:2036
        
        C:\Users\Admin\AppData\Local\Temp\install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\install.exe"
        12⤵
        Suspicious use of SetWindowsHookEx
        
        PID:5284
        
        C:\Users\Admin\AppData\Local\Temp\services.exe
        
        services.exe
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:5940
        
        C:\Users\Admin\AppData\Local\Temp\Perx Injector (x1nject) Remake and Updated.exe
        
        "Perx Injector (x1nject) Remake and Updated.exe"
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:1920
        
        C:\Users\Admin\AppData\Local\Temp\install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\install.exe"
        12⤵
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:5704
        
        C:\Users\Admin\AppData\Local\Temp\services.exe
        
        services.exe
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:2088
        
        C:\Users\Admin\AppData\Local\Temp\Perx Injector (x1nject) Remake and Updated.exe
        
        "Perx Injector (x1nject) Remake and Updated.exe"
        13⤵
        
        PID:4456
      - C:\Users\Admin\AppData\Local\Temp\install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\install.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:944
        
        C:\Users\Admin\AppData\Local\Temp\services.exe
        
        services.exe
        7⤵
        Executes dropped EXE
        
        PID:4452
        
        C:\Users\Admin\AppData\Local\Temp\Perx Injector (x1nject) Remake and Updated.exe
        
        "Perx Injector (x1nject) Remake and Updated.exe"
        7⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:4628
        
        C:\Users\Admin\AppData\Local\Temp\install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\install.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3464
        
        C:\Users\Admin\AppData\Local\Temp\services.exe
        
        services.exe
        9⤵
        Executes dropped EXE
        
        PID:5064
        
        C:\Users\Admin\AppData\Local\Temp\Perx Injector (x1nject) Remake and Updated.exe
        
        "Perx Injector (x1nject) Remake and Updated.exe"
        9⤵
        Checks computer location settings
        
        PID:836
        
        C:\Users\Admin\AppData\Local\Temp\install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\install.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1488
        
        C:\Users\Admin\AppData\Local\Temp\services.exe
        
        services.exe
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3172
        
        C:\Users\Admin\AppData\Local\Temp\Perx Injector (x1nject) Remake and Updated.exe
        
        "Perx Injector (x1nject) Remake and Updated.exe"
        11⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:3648
        
        C:\Users\Admin\AppData\Local\Temp\install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\install.exe"
        12⤵
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:5148
        
        C:\Users\Admin\AppData\Local\Temp\services.exe
        
        services.exe
        13⤵
        
        PID:5448
        
        C:\Users\Admin\AppData\Local\Temp\Perx Injector (x1nject) Remake and Updated.exe
        
        "Perx Injector (x1nject) Remake and Updated.exe"
        13⤵
        
        PID:6104
        
        C:\Users\Admin\AppData\Local\Temp\install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\install.exe"
        12⤵
        Suspicious use of SetWindowsHookEx
        
        PID:5412
        
        C:\Users\Admin\AppData\Local\Temp\services.exe
        
        services.exe
        13⤵
        
        PID:5928
        
        C:\Users\Admin\AppData\Local\Temp\Perx Injector (x1nject) Remake and Updated.exe
        
        "Perx Injector (x1nject) Remake and Updated.exe"
        13⤵
        
        PID:3748
        
        C:\Users\Admin\AppData\Local\Temp\install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\install.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3500
        
        C:\Users\Admin\AppData\Local\Temp\services.exe
        
        services.exe
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:3828
        
        C:\Users\Admin\AppData\Local\Temp\Perx Injector (x1nject) Remake and Updated.exe
        
        "Perx Injector (x1nject) Remake and Updated.exe"
        11⤵
        
        PID:2932
        
        C:\Users\Admin\AppData\Local\Temp\install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\install.exe"
        12⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3768
        
        C:\Users\Admin\AppData\Local\Temp\services.exe
        
        services.exe
        13⤵
        
        PID:5384
        
        C:\Users\Admin\AppData\Local\Temp\Perx Injector (x1nject) Remake and Updated.exe
        
        "Perx Injector (x1nject) Remake and Updated.exe"
        13⤵
        
        PID:4560
        
        C:\Users\Admin\AppData\Local\Temp\install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\install.exe"
        12⤵
        Suspicious use of SetWindowsHookEx
        
        PID:5484
        
        C:\Users\Admin\AppData\Local\Temp\services.exe
        
        services.exe
        13⤵
        
        PID:5976
        
        C:\Users\Admin\AppData\Local\Temp\Perx Injector (x1nject) Remake and Updated.exe
        
        "Perx Injector (x1nject) Remake and Updated.exe"
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:5660
        
        C:\Users\Admin\AppData\Local\Temp\install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\install.exe"
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3768
        
        C:\Users\Admin\AppData\Local\Temp\services.exe
        
        services.exe
        9⤵
        Executes dropped EXE
        
        PID:2888
        
        C:\Users\Admin\AppData\Local\Temp\Perx Injector (x1nject) Remake and Updated.exe
        
        "Perx Injector (x1nject) Remake and Updated.exe"
        9⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:2652
        
        C:\Users\Admin\AppData\Local\Temp\install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\install.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2120
        
        C:\Users\Admin\AppData\Local\Temp\services.exe
        
        services.exe
        11⤵
        
        PID:2136
        
        C:\Users\Admin\AppData\Local\Temp\Perx Injector (x1nject) Remake and Updated.exe
        
        "Perx Injector (x1nject) Remake and Updated.exe"
        11⤵
        Checks computer location settings
        
        PID:2972
        
        C:\Users\Admin\AppData\Local\Temp\install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\install.exe"
        12⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3684
        
        C:\Users\Admin\AppData\Local\Temp\services.exe
        
        services.exe
        13⤵
        
        PID:5360
        
        C:\Users\Admin\AppData\Local\Temp\Perx Injector (x1nject) Remake and Updated.exe
        
        "Perx Injector (x1nject) Remake and Updated.exe"
        13⤵
        
        PID:5452
        
        C:\Users\Admin\AppData\Local\Temp\install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\install.exe"
        12⤵
        Suspicious use of SetWindowsHookEx
        
        PID:5496
        
        C:\Users\Admin\AppData\Local\Temp\services.exe
        
        services.exe
        13⤵
        
        PID:5160
        
        C:\Users\Admin\AppData\Local\Temp\Perx Injector (x1nject) Remake and Updated.exe
        
        "Perx Injector (x1nject) Remake and Updated.exe"
        13⤵
        
        PID:5368
        
        C:\Users\Admin\AppData\Local\Temp\install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\install.exe"
        10⤵
        Suspicious use of SetWindowsHookEx
        
        PID:2064
        
        C:\Users\Admin\AppData\Local\Temp\services.exe
        
        services.exe
        11⤵
        
        PID:1144
        
        C:\Users\Admin\AppData\Local\Temp\Perx Injector (x1nject) Remake and Updated.exe
        
        "Perx Injector (x1nject) Remake and Updated.exe"
        11⤵
        Checks computer location settings
        
        PID:644
        
        C:\Users\Admin\AppData\Local\Temp\install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\install.exe"
        12⤵
        Suspicious use of SetWindowsHookEx
        
        PID:2104
        
        C:\Users\Admin\AppData\Local\Temp\services.exe
        
        services.exe
        13⤵
        
        PID:5460
        
        C:\Users\Admin\AppData\Local\Temp\Perx Injector (x1nject) Remake and Updated.exe
        
        "Perx Injector (x1nject) Remake and Updated.exe"
        13⤵
        
        PID:6088
        
        C:\Users\Admin\AppData\Local\Temp\install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\install.exe"
        12⤵
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:5428
        
        C:\Users\Admin\AppData\Local\Temp\services.exe
        
        services.exe
        13⤵
        
        PID:5956
        
        C:\Users\Admin\AppData\Local\Temp\Perx Injector (x1nject) Remake and Updated.exe
        
        "Perx Injector (x1nject) Remake and Updated.exe"
        13⤵
        
        PID:5632
  - - C:\Users\Admin\AppData\Local\Temp\install.exe
      "C:\Users\Admin\AppData\Local\Temp\install.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2088
    - - C:\Users\Admin\AppData\Local\Temp\services.exe
        
        services.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3484
    - - C:\Users\Admin\AppData\Local\Temp\Perx Injector (x1nject) Remake and Updated.exe
        
        "Perx Injector (x1nject) Remake and Updated.exe"
        5⤵
        Checks computer location settings
        
        PID:3120
      - C:\Users\Admin\AppData\Local\Temp\install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\install.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:964
        
        C:\Users\Admin\AppData\Local\Temp\services.exe
        
        services.exe
        7⤵
        Executes dropped EXE
        
        PID:4420
        
        C:\Users\Admin\AppData\Local\Temp\Perx Injector (x1nject) Remake and Updated.exe
        
        "Perx Injector (x1nject) Remake and Updated.exe"
        7⤵
        Checks computer location settings
        
        PID:3136
        
        C:\Users\Admin\AppData\Local\Temp\install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\install.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2724
        
        C:\Users\Admin\AppData\Local\Temp\services.exe
        
        services.exe
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Program Files directory
        
        PID:3996
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:4988
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:1064
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:3468
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:4788
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:912
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:4876
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:1704
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:1176
        
        C:\Users\Admin\AppData\Local\Temp\services.exe
        
        "C:\Users\Admin\AppData\Local\Temp\services.exe"
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Program Files directory
        
        PID:644
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        11⤵
        
        PID:972
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        11⤵
        
        PID:4480
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        11⤵
        
        PID:3104
        
        C:\Users\Admin\AppData\Local\Temp\Perx Injector (x1nject) Remake and Updated.exe
        
        "Perx Injector (x1nject) Remake and Updated.exe"
        9⤵
        Checks computer location settings
        
        PID:4808
        
        C:\Users\Admin\AppData\Local\Temp\install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\install.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4656
        
        C:\Users\Admin\AppData\Local\Temp\services.exe
        
        services.exe
        11⤵
        Executes dropped EXE
        
        PID:2892
        
        C:\Users\Admin\AppData\Local\Temp\Perx Injector (x1nject) Remake and Updated.exe
        
        "Perx Injector (x1nject) Remake and Updated.exe"
        11⤵
        Checks computer location settings
        
        PID:4984
        
        C:\Users\Admin\AppData\Local\Temp\install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\install.exe"
        12⤵
        Suspicious use of SetWindowsHookEx
        
        PID:4044
        
        C:\Users\Admin\AppData\Local\Temp\services.exe
        
        services.exe
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:5172
        
        C:\Users\Admin\AppData\Local\Temp\Perx Injector (x1nject) Remake and Updated.exe
        
        "Perx Injector (x1nject) Remake and Updated.exe"
        13⤵
        
        PID:5680
        
        C:\Users\Admin\AppData\Local\Temp\install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\install.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1268
        
        C:\Users\Admin\AppData\Local\Temp\services.exe
        
        services.exe
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1948
        
        C:\Users\Admin\AppData\Local\Temp\Perx Injector (x1nject) Remake and Updated.exe
        
        "Perx Injector (x1nject) Remake and Updated.exe"
        11⤵
        Checks computer location settings
        
        PID:4804
        
        C:\Users\Admin\AppData\Local\Temp\install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\install.exe"
        12⤵
        Suspicious use of SetWindowsHookEx
        
        PID:5136
        
        C:\Users\Admin\AppData\Local\Temp\services.exe
        
        services.exe
        13⤵
        
        PID:5396
        
        C:\Users\Admin\AppData\Local\Temp\Perx Injector (x1nject) Remake and Updated.exe
        
        "Perx Injector (x1nject) Remake and Updated.exe"
        13⤵
        
        PID:5840
        
        C:\Users\Admin\AppData\Local\Temp\install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\install.exe"
        12⤵
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:5728
        
        C:\Users\Admin\AppData\Local\Temp\services.exe
        
        services.exe
        13⤵
        
        PID:5736
        
        C:\Users\Admin\AppData\Local\Temp\Perx Injector (x1nject) Remake and Updated.exe
        
        "Perx Injector (x1nject) Remake and Updated.exe"
        13⤵
        
        PID:4732
        
        C:\Users\Admin\AppData\Local\Temp\install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\install.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4992
        
        C:\Users\Admin\AppData\Local\Temp\services.exe
        
        services.exe
        9⤵
        Executes dropped EXE
        
        PID:2140
        
        C:\Users\Admin\AppData\Local\Temp\Perx Injector (x1nject) Remake and Updated.exe
        
        "Perx Injector (x1nject) Remake and Updated.exe"
        9⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:3824
        
        C:\Users\Admin\AppData\Local\Temp\install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\install.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1796
        
        C:\Users\Admin\AppData\Local\Temp\services.exe
        
        services.exe
        11⤵
        
        PID:2448
        
        C:\Users\Admin\AppData\Local\Temp\Perx Injector (x1nject) Remake and Updated.exe
        
        "Perx Injector (x1nject) Remake and Updated.exe"
        11⤵
        Checks computer location settings
        
        PID:836
        
        C:\Users\Admin\AppData\Local\Temp\install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\install.exe"
        12⤵
        Suspicious use of SetWindowsHookEx
        
        PID:5276
        
        C:\Users\Admin\AppData\Local\Temp\services.exe
        
        services.exe
        13⤵
        
        PID:5964
        
        C:\Users\Admin\AppData\Local\Temp\Perx Injector (x1nject) Remake and Updated.exe
        
        "Perx Injector (x1nject) Remake and Updated.exe"
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:6068
        
        C:\Users\Admin\AppData\Local\Temp\install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\install.exe"
        12⤵
        Suspicious use of SetWindowsHookEx
        
        PID:5544
        
        C:\Users\Admin\AppData\Local\Temp\services.exe
        
        services.exe
        13⤵
        
        PID:5988
        
        C:\Users\Admin\AppData\Local\Temp\Perx Injector (x1nject) Remake and Updated.exe
        
        "Perx Injector (x1nject) Remake and Updated.exe"
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:3232
        
        C:\Users\Admin\AppData\Local\Temp\install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\install.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3528
        
        C:\Users\Admin\AppData\Local\Temp\services.exe
        
        services.exe
        11⤵
        
        PID:1900
        
        C:\Users\Admin\AppData\Local\Temp\Perx Injector (x1nject) Remake and Updated.exe
        
        "Perx Injector (x1nject) Remake and Updated.exe"
        11⤵
        Checks computer location settings
        
        PID:3628
        
        C:\Users\Admin\AppData\Local\Temp\install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\install.exe"
        12⤵
        Suspicious use of SetWindowsHookEx
        
        PID:376
        
        C:\Users\Admin\AppData\Local\Temp\services.exe
        
        services.exe
        13⤵
        Boot or Logon Autostart Execution: Active Setup
        Drops file in Program Files directory
        
        PID:2432
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        14⤵
        
        PID:5228
        
        C:\Users\Admin\AppData\Local\Temp\Perx Injector (x1nject) Remake and Updated.exe
        
        "Perx Injector (x1nject) Remake and Updated.exe"
        13⤵
        
        PID:1144
        
        C:\Users\Admin\AppData\Local\Temp\install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\install.exe"
        12⤵
        Suspicious use of SetWindowsHookEx
        
        PID:2636
        
        C:\Users\Admin\AppData\Local\Temp\services.exe
        
        services.exe
        13⤵
        Drops file in Program Files directory
        
        PID:5184
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        14⤵
        
        PID:5592
        
        C:\Users\Admin\AppData\Local\Temp\Perx Injector (x1nject) Remake and Updated.exe
        
        "Perx Injector (x1nject) Remake and Updated.exe"
        13⤵
        
        PID:2892
      - C:\Users\Admin\AppData\Local\Temp\install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\install.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4784
        
        C:\Users\Admin\AppData\Local\Temp\services.exe
        
        services.exe
        7⤵
        Executes dropped EXE
        
        PID:3480
        
        C:\Users\Admin\AppData\Local\Temp\Perx Injector (x1nject) Remake and Updated.exe
        
        "Perx Injector (x1nject) Remake and Updated.exe"
        7⤵
        Checks computer location settings
        
        PID:3552
        
        C:\Users\Admin\AppData\Local\Temp\install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\install.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2088
        
        C:\Users\Admin\AppData\Local\Temp\services.exe
        
        services.exe
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2184
        
        C:\Users\Admin\AppData\Local\Temp\Perx Injector (x1nject) Remake and Updated.exe
        
        "Perx Injector (x1nject) Remake and Updated.exe"
        9⤵
        Checks computer location settings
        
        PID:4452
        
        C:\Users\Admin\AppData\Local\Temp\install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\install.exe"
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2140
        
        C:\Users\Admin\AppData\Local\Temp\services.exe
        
        services.exe
        11⤵
        Executes dropped EXE
        
        PID:4644
        
        C:\Users\Admin\AppData\Local\Temp\Perx Injector (x1nject) Remake and Updated.exe
        
        "Perx Injector (x1nject) Remake and Updated.exe"
        11⤵
        Checks computer location settings
        
        PID:2780
        
        C:\Users\Admin\AppData\Local\Temp\install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\install.exe"
        12⤵
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:5712
        
        C:\Users\Admin\AppData\Local\Temp\services.exe
        
        services.exe
        13⤵
        
        PID:5224
        
        C:\Users\Admin\AppData\Local\Temp\Perx Injector (x1nject) Remake and Updated.exe
        
        "Perx Injector (x1nject) Remake and Updated.exe"
        13⤵
        
        PID:5372
        
        C:\Users\Admin\AppData\Local\Temp\install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\install.exe"
        12⤵
        Suspicious use of SetWindowsHookEx
        
        PID:5456
        
        C:\Users\Admin\AppData\Local\Temp\services.exe
        
        services.exe
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:5104
        
        C:\Users\Admin\AppData\Local\Temp\Perx Injector (x1nject) Remake and Updated.exe
        
        "Perx Injector (x1nject) Remake and Updated.exe"
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:5948
        
        C:\Users\Admin\AppData\Local\Temp\install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\install.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3944
        
        C:\Users\Admin\AppData\Local\Temp\services.exe
        
        services.exe
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2148
        
        C:\Users\Admin\AppData\Local\Temp\Perx Injector (x1nject) Remake and Updated.exe
        
        "Perx Injector (x1nject) Remake and Updated.exe"
        11⤵
        Checks computer location settings
        
        PID:4184
        
        C:\Users\Admin\AppData\Local\Temp\install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\install.exe"
        12⤵
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3000
        
        C:\Users\Admin\AppData\Local\Temp\services.exe
        
        services.exe
        13⤵
        
        PID:5348
        
        C:\Users\Admin\AppData\Local\Temp\Perx Injector (x1nject) Remake and Updated.exe
        
        "Perx Injector (x1nject) Remake and Updated.exe"
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:6036
        
        C:\Users\Admin\AppData\Local\Temp\install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\install.exe"
        12⤵
        Suspicious use of SetWindowsHookEx
        
        PID:5420
        
        C:\Users\Admin\AppData\Local\Temp\services.exe
        
        services.exe
        13⤵
        
        PID:6012
        
        C:\Users\Admin\AppData\Local\Temp\Perx Injector (x1nject) Remake and Updated.exe
        
        "Perx Injector (x1nject) Remake and Updated.exe"
        13⤵
        
        PID:4192
        
        C:\Users\Admin\AppData\Local\Temp\install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\install.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4180
        
        C:\Users\Admin\AppData\Local\Temp\services.exe
        
        services.exe
        9⤵
        Executes dropped EXE
        
        PID:4276
        
        C:\Users\Admin\AppData\Local\Temp\Perx Injector (x1nject) Remake and Updated.exe
        
        "Perx Injector (x1nject) Remake and Updated.exe"
        9⤵
        Checks computer location settings
        
        PID:944
        
        C:\Users\Admin\AppData\Local\Temp\install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\install.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1844
        
        C:\Users\Admin\AppData\Local\Temp\services.exe
        
        services.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Program Files directory
        
        PID:4612
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:2876
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:4084
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:3368
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:3700
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:4284
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:2092
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:2608
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:4484
        
        C:\Users\Admin\AppData\Roaming\jre6\java.exe
        
        "C:\Users\Admin\AppData\Roaming\jre6\java.exe"
        12⤵
        
        PID:5292
        
        C:\Users\Admin\AppData\Local\Temp\Perx Injector (x1nject) Remake and Updated.exe
        
        "Perx Injector (x1nject) Remake and Updated.exe"
        11⤵
        
        PID:1528
        
        C:\Users\Admin\AppData\Local\Temp\install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\install.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5064
        
        C:\Users\Admin\AppData\Local\Temp\services.exe
        
        services.exe
        11⤵
        Executes dropped EXE
        
        PID:1540
        
        C:\Users\Admin\AppData\Local\Temp\Perx Injector (x1nject) Remake and Updated.exe
        
        "Perx Injector (x1nject) Remake and Updated.exe"
        11⤵
        Checks computer location settings
        
        PID:4504
        
        C:\Users\Admin\AppData\Local\Temp\install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\install.exe"
        12⤵
        Suspicious use of SetWindowsHookEx
        
        PID:5128
        
        C:\Users\Admin\AppData\Local\Temp\services.exe
        
        services.exe
        13⤵
        
        PID:5376
        
        C:\Users\Admin\AppData\Local\Temp\Perx Injector (x1nject) Remake and Updated.exe
        
        "Perx Injector (x1nject) Remake and Updated.exe"
        13⤵
        
        PID:5868
        
        C:\Users\Admin\AppData\Local\Temp\install.exe
        
        "C:\Users\Admin\AppData\Local\Temp\install.exe"
        12⤵
        Suspicious use of SetWindowsHookEx
        
        PID:5696
        
        C:\Users\Admin\AppData\Local\Temp\services.exe
        
        services.exe
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:5408
        
        C:\Users\Admin\AppData\Local\Temp\Perx Injector (x1nject) Remake and Updated.exe
        
        "Perx Injector (x1nject) Remake and Updated.exe"
        13⤵
        
        PID:5916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\install.exe

Filesize
16KB

MD5
f1906521a2ae34bb05cb058a6d1d16e9

SHA1
ec6dfbdb2097ac48de5ef4126b787141159db121

SHA256
4f838fc46bef6f978d8890b26dc7370f61c59bfb979ee189e745d498356272e3

SHA512
cba28ba2970b4e4d99d1c18096f60913299d7a1a191dfa1c841199536acdffa561a78b6240a2d62ea2f0430d065e3a89057a901878a8a23593e06d8855d43fc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\services.exe

Filesize
21KB

MD5
cd114b946e262e2f42b44be5988983a5

SHA1
4d26206a2131c30f29820fee114967de991357ae

SHA256
b89534c4b6bd5ea0bdb075d23cf5cbb142bef93d112328963fea3aedf0c84a7a

SHA512
ebc6632a4d8d0e38dbf1b4b72113c6acc3ff439bc83443a5084de4faff4599dd4d72ca5a6bdc96d2c33b17186a9c211b30436760050130e069408f81d4ccabdc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\((Mutex)).cfg

Filesize
1KB

MD5
9009da1fcd6eee7bbd8b336364208a5f

SHA1
ac58ba38ebe6e24ee111e894823194ff69e8353b

SHA256
663b034709fb6c27a5cc1bcbcbe895349d1467a3b8a64cecce00bb0096f9e2dc

SHA512
049458d9dc689a6e3fb45552c96d3b0362643c8c88a8f8ba1eebb85d7f2a0c1382f33561b14b5bb9e081015cd1f64e0e4dac56eef8eb3594a10224d3218cb5a6

Download Submit
memory/644-291-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/644-264-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/992-17-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/992-26-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/1144-325-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/1332-247-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/1332-268-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/1336-107-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/1540-295-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/1540-250-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/1900-315-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/1900-169-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/1908-200-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/1908-198-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/1948-274-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/1948-223-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/2088-442-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/2136-279-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/2136-321-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/2140-190-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/2148-289-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/2148-204-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/2148-248-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/2184-164-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/2184-151-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/2216-280-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/2216-320-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/2336-297-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/2336-249-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/2384-48-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/2432-334-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/2432-443-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/2448-263-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/2448-323-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/2888-193-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/2892-224-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/2892-266-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/3100-64-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/3172-230-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/3172-271-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/3176-22-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/3240-174-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/3480-102-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/3484-46-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/3828-307-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/3828-262-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/3996-205-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/3996-207-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/3996-141-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/4084-301-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/4228-119-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/4236-261-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/4236-313-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/4276-180-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/4280-435-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/4420-104-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/4452-83-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/4452-94-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/4528-196-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/4548-69-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/4612-281-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/4612-220-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/4612-360-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/4644-231-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/4644-276-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/5064-194-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/5104-449-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/5104-366-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/5108-116-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/5108-82-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/5160-436-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/5164-441-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/5172-343-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/5184-344-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/5292-434-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/5292-362-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/5348-401-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/5360-447-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/5376-361-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/5376-381-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/5384-426-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/5384-363-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/5396-428-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/5408-437-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/5448-419-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/5448-364-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/5460-403-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/5460-365-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/5768-457-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/5768-420-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/5928-421-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/5940-467-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/5940-422-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/5956-423-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/5964-424-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/5964-471-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/5976-466-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/5988-439-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/6004-438-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/6012-440-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads